1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
|
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Verifing document signed with X509 certificates.</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.79">
<link rel="HOME" title="XML Security Library Reference Manual" href="index.html">
<link rel="UP" title="Using X509 Certificates." href="xmlsec-notes-x509.html">
<link rel="PREVIOUS" title="Signing data with X509 certificate." href="xmlsec-notes-sign-x509.html">
<link rel="NEXT" title="Transforms and transforms chain." href="xmlsec-notes-transforms.html">
<style type="text/css">.synopsis, .classsynopsis {
background: #eeeeee;
border: solid 1px #aaaaaa;
padding: 0.5em;
}
.programlisting {
background: #eeeeff;
border: solid 1px #aaaaff;
padding: 0.5em;
}
.variablelist {
padding: 4px;
margin-left: 3em;
}
.navigation {
background: #ffeeee;
border: solid 1px #ffaaaa;
margin-top: 0.5em;
margin-bottom: 0.5em;
}
.navigation a {
color: #770000;
}
.navigation a:visited {
color: #550000;
}
.navigation .title {
font-size: 200%;
}</style>
</head>
<body><table witdh="100%" valign="top"><tr valign="top">
<td valign="top" align="left" width="210">
<img src="../images/logo.gif" alt="XML Security Library" border="0"><p></p>
<ul>
<li><a href="../index.html">Home</a></li>
<li><a href="../download.html">Download</a></li>
<li><a href="../news.html">News</a></li>
<li><a href="../documentation.html">Documentation</a></li>
<ul>
<li><a href="../faq.html">FAQ</a></li>
<li><a href="../api/xmlsec-notes.html">Tutorial</a></li>
<li><a href="../api/xmlsec-reference.html">API reference</a></li>
<li><a href="../api/xmlsec-examples.html">Examples</a></li>
</ul>
<li><a href="../xmldsig.html">XML Digital Signature</a></li>
<ul><li><a href="http://www.aleksey.com/xmlsec/xmldsig-verifier.html">Online Verifier</a></li></ul>
<li><a href="../xmlenc.html">XML Encryption</a></li>
<li><a href="../c14n.html">XML Canonicalization</a></li>
<li><a href="../bugs.html">Reporting Bugs</a></li>
<li><a href="http://www.aleksey.com/pipermail/xmlsec">Mailing list</a></li>
<li><a href="../related.html">Related</a></li>
<li><a href="../authors.html">Authors</a></li>
</ul>
<table width="100%">
<tr>
<td width="15"></td>
<td><a href="http://xmlsoft.org/"><img src="../images/libxml2-logo.png" alt="LibXML2" border="0"></a></td>
</tr>
<tr>
<td width="15"></td>
<td><a href="http://xmlsoft.org/XSLT"><img src="../images/libxslt-logo.png" alt="LibXSLT" border="0"></a></td>
</tr>
<tr>
<td width="15"></td>
<td><a href="http://www.openssl.org/"><img src="../images/openssl-logo.png" alt="OpenSSL" border="0"></a></td>
</tr>
<!--Links - start--><!--Links - end-->
</table>
</td>
<td valign="top"><table width="100%" valign="top"><tr><td valign="top" align="left" id="xmlsecContent">
<table width="100%" class="navigation" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="xmlsec-notes-sign-x509.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="xmlsec-notes-x509.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">XML Security Library Reference Manual</th>
<td><a accesskey="n" href="xmlsec-notes-transforms.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<br clear="all"><div class="SECT1">
<h1 class="SECT1"><a name="XMLSEC-NOTES-VERIFY-X509">Verifing document signed with X509 certificates.</a></h1>
<p> If the document is signed with an X509 certificate then the signature
verification consist of two steps:
</p>
<p></p>
<ul>
<li><p>Creating and verifing X509 certificates chain.
</p></li>
<li><p>Verifing signature itself using key exrtacted from
a certificate verified on previous step.
</p></li>
</ul>
Certificates chain is constructed from certificates in a way that
each certificate in the chain is signed with previous one:
<div class="FIGURE">
<a name="AEN442"></a><p><b>Figure 1. Certificates chain.</b></p>
<pre class="PROGRAMLISTING">Certificate A (signed with B) <- Certificate B (signed with C) <- ... <- Root Certificate (signed by itself)
</pre>
</div>
At the end of the chain there is a "Root Certificate" which
is signed by itself. There is no way to verify the validity of the
root certificate and application have to "trust" it
(another name for root certificates is "trusted" certificates).
<p> Application can use <a href="xmlsec-app.html#XMLSECCRYPTOAPPKEYSMNGRCERTLOAD">xmlSecCryptoAppKeysMngrCertLoad</a>
function to load both "trusted" and "un-trusted"
certificates. However, the selection of "trusted"
certificates is very sensitive process and this function might be
not implemented for some crypto engines. In this case, the
"trusted" certificates list is loaded during initialization
or specified in crypto engine configuration files.
Check XML Security Library API reference for more details.
</p>
<div class="EXAMPLE">
<a name="AEN447"></a><p><b>Example 3. Loading trusted X509 certificate.</b></p>
<pre class="PROGRAMLISTING">/**
* load_trusted_certs:
* @files: the list of filenames.
* @files_size: the number of filenames in #files.
*
* Creates simple keys manager and load trusted certificates from PEM #files.
* The caller is responsible for destroing returned keys manager using
* @xmlSecKeysMngrDestroy.
*
* Returns the pointer to newly created keys manager or NULL if an error
* occurs.
*/
xmlSecKeysMngrPtr
load_trusted_certs(char** files, int files_size) {
xmlSecKeysMngrPtr mngr;
int i;
assert(files);
assert(files_size > 0);
/* create and initialize keys manager, we use a simple list based
* keys manager, implement your own xmlSecKeysStore klass if you need
* something more sophisticated
*/
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
fprintf(stderr, "Error: failed to create keys manager.\n");
return(NULL);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
fprintf(stderr, "Error: failed to initialize keys manager.\n");
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
for(i = 0; i < files_size; ++i) {
assert(files[i]);
/* load trusted cert */
if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]);
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
}
return(mngr);
}
</pre>
<p><a href="xmlsec-verify-with-x509.html#XMLSEC-EXAMPLE-VERIFY3">Full program listing</a></p>
</div>
</div>
<table class="navigation" width="100%" summary="Navigation footer" cellpadding="2" cellspacing="2"><tr valign="middle">
<td align="left"><a accesskey="p" href="xmlsec-notes-sign-x509.html"><b><<< Signing data with X509 certificate.</b></a></td>
<td align="right"><a accesskey="n" href="xmlsec-notes-transforms.html"><b>Transforms and transforms chain. >>></b></a></td>
</tr></table>
</td></tr></table></td>
</tr></table></body>
</html>
|
