It works. Thanks again.

On 5/22/13 12:52 PM, "Aleksey Sanin" <[email protected]> wrote:

>cert pem format != public key pem format
>
>Aleksey
>
>On 5/21/13 9:48 PM, Jeffrey Jin (jefjin) wrote:
>> No, just public key in cert.
>>
>> On 5/22/13 12:45 PM, "Aleksey Sanin" <[email protected]> wrote:
>>
>>> Private key in cert/cicert.pem file? Really?
>>>
>>> Aleksey
>>>
>>> On 5/21/13 9:41 PM, Jeffrey Jin (jefjin) wrote:
>>>> Aleksey,
>>>>
>>>> The cert is in the cert/ folder but I got the error below:
>>>>
>>>> [jabber@localhost xmlsec-demo]$ ./verify1 example/sample-res.xml cert/cicert.pem
>>>> func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=263:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:
>>>> func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=153:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=cert/cicert.pem;errno=0
>>>> Error: failed to load public pem key from "cert/cicert.pem"
>>>>
>>>> -Jeffrey
>>>>
>>>> On 5/22/13 12:17 PM, "Aleksey Sanin" <[email protected]> wrote:
>>>>
>>>>> If you set the key in xmldsigctx then it will never get there anyway.
>>>>>
>>>>> Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are examples
>>>>> in the xmlsec1 command line tool source code)
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
>>>>>> Thanks Aleksey for the quick response. I will try it.
>>>>>> I have another question: how to disable certificate validation in
>>>>>> xmlsec?
>>>>>>
>>>>>> On 5/22/13 12:10 PM, "Aleksey Sanin" <[email protected]> wrote:
>>>>>>
>>>>>>> If you know the public key in advance then you can set it in
>>>>>>> xmlDsigCtx
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> We are using XMLSec to handle XML signature and encryption in SAML
>>>>>>>> 1.0 and 2.0 protocols. We have pre-configured the configuration data,
>>>>>>>> such as the IDP certificate, using metadata. So even if the response
>>>>>>>> includes "KeyInfo/X509Data", we will ignore it and use the local
>>>>>>>> pre-configured certificate to verify it, and we assume the SP totally
>>>>>>>> trusts this certificate. So we also won't use a CA certificate to
>>>>>>>> verify the pre-configured certificate's legitimacy.
>>>>>>>>
>>>>>>>> I dug into the code and found:
>>>>>>>>
>>>>>>>>     /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>>>>>>>     /* todo: throw an error if key is set and node != NULL? */
>>>>>>>>     if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>>>>>>>             && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>>>>>>>         dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node, &(dsigCtx->keyInfoReadCtx));
>>>>>>>>     }
>>>>>>>>
>>>>>>>> Does it mean I need to set dsigCtx->signKey? And what's the meaning
>>>>>>>> of dsigCtx->signKey? Is it the private key from the IDP? (We can never
>>>>>>>> get the private key from the IDP.) How can I meet this requirement
>>>>>>>> with xmlsec?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Jeffrey
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> xmlsec mailing list
>>>>>>>> [email protected]
>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
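
The distinction the thread ends on (a certificate PEM is not a public key PEM), as an added example that is not part of the original messages or of xmlsec: a pre-flight check that reads the PEM armor label so the caller can pick the matching xmlsec key data format before loading a pinned IdP key. The names `pem_kind` and `pem_classify` are hypothetical, the samples are constructed, and treating a private key file as an error for a verification key is this example's assumption.

```c
#include <stdio.h>
#include <string.h>

/* Kind of the first PEM block in a buffer, judged by its armor label. */
typedef enum {
    PEM_KIND_NONE = 0,    /* no usable PEM armor found */
    PEM_KIND_CERT,        /* CERTIFICATE: load as xmlSecKeyDataFormatCertPem */
    PEM_KIND_PUBLIC_KEY,  /* PUBLIC KEY: load as xmlSecKeyDataFormatPem */
    PEM_KIND_PRIVATE_KEY, /* [RSA|EC|...] PRIVATE KEY: not a verification key */
    PEM_KIND_OTHER        /* some other label, not handled here */
} pem_kind;

/* Returns 1 if the label of length n ends with the string s. */
static int ends_with(const char *label, size_t n, const char *s) {
    size_t m = strlen(s);
    return n >= m && memcmp(label + n - m, s, m) == 0;
}

pem_kind pem_classify(const char *buf) {
    static const char begin[] = "-----BEGIN ";
    const char *p = strstr(buf, begin), *label, *end;
    size_t n;

    /* The armor must start a line; skip matches in the middle of one. */
    while (p != NULL && p != buf && p[-1] != '\n')
        p = strstr(p + 1, begin);
    if (p == NULL) return PEM_KIND_NONE;

    label = p + sizeof(begin) - 1;
    end = strstr(label, "-----");
    if (end == NULL) return PEM_KIND_NONE;
    n = (size_t)(end - label);
    if (memchr(label, '\n', n) != NULL) return PEM_KIND_NONE; /* unterminated */

    if (n == strlen("CERTIFICATE") && ends_with(label, n, "CERTIFICATE"))
        return PEM_KIND_CERT;
    if (n == strlen("PUBLIC KEY") && ends_with(label, n, "PUBLIC KEY"))
        return PEM_KIND_PUBLIC_KEY;
    if (ends_with(label, n, "PRIVATE KEY")) return PEM_KIND_PRIVATE_KEY;
    return PEM_KIND_OTHER;
}

int main(void) {
    /* Constructed sample: the armor of a certificate file, body shortened. */
    const char *cert = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n";
    printf("cert sample classified as %d\n", (int)pem_classify(cert));
    return 0;
}
```
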
