To sign a file using X509 certificate, an application need to associate the certificate (or certificates) with the private key using one of the following functions:
xmlSecOpenSSLAppKeyCertLoad - loads certificate from a file and adds to the key;
xmlSecOpenSSLAppPkcs12Load - loads private key and all the certificates associated with it from a PKCS12 file;
xmlSecKeyAdoptData - low level function to add key data (including X509 key data) to the key.
Example 20. Loading private key and X509 certificate.
/* load private key, assuming that there is not password */ key = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL); if(key == NULL) { fprintf(stderr,"Error: failed to load private pem key from \"%s\"\n", key_file); goto done; } /* load certificate and add to the key */ if(xmlSecCryptoAppKeyCertLoad(key, cert_file, xmlSecKeyDataFormatPem) < 0) { fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file); goto done; }
Next step is to prepare signature template with <dsig:X509Data/> child of the <dsig:KeyInfo/> element. When XML Security Library finds this node in the template, it automaticaly creates <dsig:X509Certificate/> children of the <dsig:X509Data/> element and writes to result XML document all the certificates associated with the signature key.
Example 21. Dynamicaly creating a signature template for signing document using X509 certificate.
/* create signature template for RSA-SHA1 enveloped signature */ signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId, xmlSecTransformRsaSha1Id, NULL); if(signNode == NULL) { fprintf(stderr, "Error: failed to create signature template\n"); goto done; } /* add <dsig:Signature/> node to the doc */ xmlAddChild(xmlDocGetRootElement(doc), signNode); /* add reference */ refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id, NULL, NULL, NULL); if(refNode == NULL) { fprintf(stderr, "Error: failed to add reference to signature template\n"); goto done; } /* add enveloped transform */ if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) { fprintf(stderr, "Error: failed to add enveloped transform to reference\n"); goto done; } /* add <dsig:KeyInfo/> and <dsig:X509Data/> */ keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL); if(keyInfoNode == NULL) { fprintf(stderr, "Error: failed to add key info\n"); goto done; } if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) { fprintf(stderr, "Error: failed to add X509Data node\n"); goto done; }