X509 certificate is one of many possible keys data object that can be associated with a key. Application may read and write X509 data from/to XML file. The X509 certificates management policies significantly vary from one crypto library to another. The examples in this chapter were tested with OpenSSL and they might be broken if anither crypto engine is used. Check API reference documentation for more specific information about your crypto engine. To sign a file using X509 certificate, an application need to associate the certificate (or certificates) with the private key using one of the following functions: xmlSecOpenSSLAppKeyCertLoad - loads certificate from a file and adds to the key; xmlSecOpenSSLAppPkcs12Load - loads private key and all the certificates associated with it from a PKCS12 file; xmlSecKeyAdoptData - low level function to add key data (including X509 key data) to the key. Full program listing Next step is to prepare signature template with <dsig:X509Data/> child of the <dsig:KeyInfo/> element. When XML Security Library finds this node in the template, it automaticaly creates <dsig:X509Certificate/> children of the <dsig:X509Data/> element and writes to result XML document all the certificates associated with the signature key. node to the doc */ xmlAddChild(xmlDocGetRootElement(doc), signNode); /* add reference */ refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id, NULL, NULL, NULL); if(refNode == NULL) { fprintf(stderr, "Error: failed to add reference to signature template\n"); goto done; } /* add enveloped transform */ if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) { fprintf(stderr, "Error: failed to add enveloped transform to reference\n"); goto done; } /* add and */ keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL); if(keyInfoNode == NULL) { fprintf(stderr, "Error: failed to add key info\n"); goto done; } if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) { fprintf(stderr, "Error: failed to add X509Data node\n"); goto done; } ]]> Full program listing If the document is signed with an X509 certificate then the signature verification consist of two steps: Creating and verifing X509 certificates chain. Verifing signature itself using key exrtacted from a certificate verified on previous step. Certificates chain is constructed from certificates in a way that each certificate in the chain is signed with previous one:

Certificate A (signed with B) <- Certificate B (signed with C) <- ... <- Root Certificate (signed by itself)

At the end of the chain there is a "Root Certificate" which is signed by itself. There is no way to verify the validity of the root certificate and application have to "trust" it (another name for root certificates is "trusted" certificates). Application can use xmlSecCryptoAppKeysMngrCertLoad function to load both "trusted" and "un-trusted" certificates. However, the selection of "trusted" certificates is very sensitive process and this function might be not implemented for some crypto engines. In this case, the "trusted" certificates list is loaded during initialization or specified in crypto engine configuration files. Check XML Security Library API reference for more details. 0); /* create and initialize keys manager, we use a simple list based * keys manager, implement your own xmlSecKeysStore klass if you need * something more sophisticated */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { fprintf(stderr, "Error: failed to create keys manager.\n"); return(NULL); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { fprintf(stderr, "Error: failed to initialize keys manager.\n"); xmlSecKeysMngrDestroy(mngr); return(NULL); } for(i = 0; i < files_size; ++i) { assert(files[i]); /* load trusted cert */ if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]); xmlSecKeysMngrDestroy(mngr); return(NULL); } } return(mngr); } ]]> Full program listing