Hi Aleksey,

I am new to xmlsec and have a few questions. I tried to do my homework first and went through the documentation and old emails but still have a few questions. I will be very grateful if you can find the time to look into this please. I am using x509 certs and I am using the .18 prebuilt Windows version.
FIRST
---------

My first question is very similar to the one posted here: http://www.aleksey.com/pipermail/xmlsec/2002/004466.html

I basically want to look at the certificate or the chain that actually validated the XML to check the Subject, Issuer, etc. I can't find the structures mentioned in that thread; I am guessing the code must have changed since then, or maybe I am looking in the wrong place. Can you please confirm?

So then I looked at the command line tool code, since it prints out the info that I need. I followed through the code but I can't find any accessible function to pull out the subject/issuer for the certs. I found the xmlSecKeyDataGetIdentifier function but it didn't print anything for me. It was late and maybe I am doing something wrong, but I thought I would check with you if I am on the right track.

/////////////////////////////////////////////////////////////
    // key is the signKey from the context
    if (!xmlSecPtrListIsValid(key->dataList)) {
        info = "SignKey dataList is not valid";
        return false;
    }
    // key->dataList->id is the pointer to the xmlSecKeyDataListKlass struct
    if (!xmlSecPtrListCheckId(key->dataList, xmlSecKeyDataListId)) {
        info = "SignKey dataList kind is not xmlSecKeyDataListId";
        return false;
    }
    // "key-data-list"
    InfoLog << " DATALIST kind [" << (char*)key->dataList->id->name
            << "] size [" << key->dataList->use << "]" << endl;

    xmlSecSize pos;
    for (pos = 0; pos < key->dataList->use; ++pos) {
        ostringstream ss;
        ss << pos;
        xmlSecKeyDataPtr value = (xmlSecKeyDataPtr)key->dataList->data[pos];
        if (value == NULL) {
            info = "SignKey dataList data[" + ss.str() + "] is not valid";
            return false;
        }
        // key->dataList->id->debugDumpItem(key->dataList->data[pos], stdout);
        if (!xmlSecKeyDataCheckId(value, xmlSecMSCryptoKeyDataX509Id)) {
            info = "SignKey dataList data[" + ss.str() + "] kind is not xmlSecMSCryptoKeyDataX509Id";
            return false;
        }
        InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] kind ["
                << (char*)value->id->name << "]" << endl;
        // this did not print anything
        // (the identifier may be NULL, so guard it before building a std::string)
        const xmlChar* idp = xmlSecKeyDataGetIdentifier(value);
        string identifier = (idp != NULL) ? (const char*)idp : "";
        InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] identifier ["
                << identifier.c_str() << "]" << endl;
    }

    /* THIS IS THE INFO I AM LOOKING FOR. Is it accessible from outside?

    static void
    xmlSecMSCryptoKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE* output) {
        PCCERT_CONTEXT cert;
        xmlSecSize size, pos;

        xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecMSCryptoKeyDataX509Id));

        fprintf(output, "=== X509 Data:\n");
        cert = xmlSecMSCryptoKeyDataX509GetKeyCert(data);
        if(cert != NULL) {
            fprintf(output, "==== Key Certificate:\n");
            xmlSecMSCryptoX509CertDebugDump(cert, output);
        }

        size = xmlSecMSCryptoKeyDataX509GetCertsSize(data);
        for(pos = 0; pos < size; ++pos) {
            cert = xmlSecMSCryptoKeyDataX509GetCert(data, pos);
            if(cert == NULL) {
                xmlSecError(XMLSEC_ERRORS_HERE,
                            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                            "xmlSecMSCryptoKeyDataX509GetCert",
                            XMLSEC_ERRORS_R_XMLSEC_FAILED,
                            "pos=%d", pos);
                return;
            }
            fprintf(output, "==== Certificate:\n");
            xmlSecMSCryptoX509CertDebugDump(cert, output);
        }
    }
    */
/////////////////////////////////////////////////////////////

SECOND
--------------

In one of your replies (http://www.aleksey.com/pipermail/xmlsec/2011/009076.html) you said:

"I think you can get what you want by using "--enabled-key-data" (and "--list-key-data") command line options for xmlsec utility. Simply disable reading of certs from XML file completely and provide the signature key (not necessarily in a cert) from the command line."

How exactly do I do that? Because --enabled-key-data always expects a parameter. I guess I can just say "hmac" or some other option that doesn't apply in my case to achieve that, is that right?

Also the command to list them, "xmlsec list-key-data --crypto mscrypto", I didn't see it documented in the command line help.

From the verify4 example, I found the following. What is the corresponding equivalent for the code to disable reading of certs from XML completely?

    /* in addition, limit possible key data to valid X509 certificates only */
    if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecKeyDataX509Id) < 0) {
        fprintf(stderr,"Error: failed to limit allowed key data\n");
        goto done;
    }

Thanks a lot for your help.
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
