cert pem format != public key pem format

Aleksey
On 5/21/13 9:48 PM, Jeffrey Jin (jefjin) wrote:
> No, just public key in cert.
>
> On 5/22/13 12:45 PM, "Aleksey Sanin" <[email protected]> wrote:
>
>> Private key in cert/cicert.pem file? Really?
>>
>> Aleksey
>>
>> On 5/21/13 9:41 PM, Jeffrey Jin (jefjin) wrote:
>>> Aleksey,
>>>
>>> The cert is in the cert/ folder but I got the error as below:
>>>
>>> [jabber@localhost xmlsec-demo]$ ./verify1 example/sample-res.xml cert/cicert.pem
>>>
>>> func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=263:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:
>>>
>>> func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=153:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=cert/cicert.pem;errno=0
>>> Error: failed to load public pem key from "cert/cicert.pem"
>>>
>>> -Jeffrey
>>>
>>> On 5/22/13 12:17 PM, "Aleksey Sanin" <[email protected]> wrote:
>>>
>>>> If you set the key in xmldsigctx then it will never get there anyway.
>>>>
>>>> Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are examples
>>>> in the xmlsec1 command line tool source code)
>>>>
>>>> Aleksey
>>>>
>>>> On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
>>>>> Thanks Aleksey for the quick response. I will try it.
>>>>> I have another question: how to disable certificate validation in xmlsec?
>>>>>
>>>>> On 5/22/13 12:10 PM, "Aleksey Sanin" <[email protected]> wrote:
>>>>>
>>>>>> If you know the public key in advance then you can set it in xmlDsigCtx
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We are using XMLSec to handle XML signature and encryption in the SAML 1.0
>>>>>>> and 2.0 protocols. We pre-configure the configuration data, such as the
>>>>>>> IDP certificate, using metadata. So even if the response includes
>>>>>>> "KeyInfo/X509Data", we will ignore it and use the local pre-configured
>>>>>>> certificate to verify it, and we assume the SP totally trusts this
>>>>>>> certificate. So also we won't use a CA certificate to verify the
>>>>>>> pre-configured certificate's legitimacy.
>>>>>>>
>>>>>>> I dug into the code and found:
>>>>>>>
>>>>>>> /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>>>>>> /* todo: throw an error if key is set and node != NULL? */
>>>>>>> if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>>>>>>    && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>>>>>>     dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node, &(dsigCtx->keyInfoReadCtx));
>>>>>>> }
>>>>>>>
>>>>>>> Does it mean I need to set dsigCtx->signKey? And what's the meaning of
>>>>>>> dsigCtx->signKey? Is it the private key from the IDP? (we can never get
>>>>>>> the private key from the IDP). How can I meet this requirement with xmlsec?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Jeffrey
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> xmlsec mailing list
>>>>>>> [email protected]
>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
