3 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
4 <title>Verifing document signed with X509 certificates.</title>
5 <meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.79">
6 <link rel="HOME" title="XML Security Library Reference Manual" href="index.html">
7 <link rel="UP" title="Using X509 Certificates." href="xmlsec-notes-x509.html">
8 <link rel="PREVIOUS" title="Signing data with X509 certificate." href="xmlsec-notes-sign-x509.html">
9 <link rel="NEXT" title="Transforms and transforms chain." href="xmlsec-notes-transforms.html">
10 <style type="text/css">.synopsis, .classsynopsis {
12 border: solid 1px #aaaaaa;
17 border: solid 1px #aaaaff;
26 border: solid 1px #ffaaaa;
33 .navigation a:visited {
40 <body><table witdh="100%" valign="top"><tr valign="top">
41 <td valign="top" align="left" width="210">
42 <img src="../images/logo.gif" alt="XML Security Library" border="0"><p></p>
44 <li><a href="../index.html">Home</a></li>
45 <li><a href="../download.html">Download</a></li>
46 <li><a href="../news.html">News</a></li>
47 <li><a href="../documentation.html">Documentation</a></li>
49 <li><a href="../faq.html">FAQ</a></li>
50 <li><a href="../api/xmlsec-notes.html">Tutorial</a></li>
51 <li><a href="../api/xmlsec-reference.html">API reference</a></li>
52 <li><a href="../api/xmlsec-examples.html">Examples</a></li>
54 <li><a href="../xmldsig.html">XML Digital Signature</a></li>
55 <ul><li><a href="http://www.aleksey.com/xmlsec/xmldsig-verifier.html">Online Verifier</a></li></ul>
56 <li><a href="../xmlenc.html">XML Encryption</a></li>
57 <li><a href="../c14n.html">XML Canonicalization</a></li>
58 <li><a href="../bugs.html">Reporting Bugs</a></li>
59 <li><a href="http://www.aleksey.com/pipermail/xmlsec">Mailing list</a></li>
60 <li><a href="../related.html">Related</a></li>
61 <li><a href="../authors.html">Authors</a></li>
66 <td><a href="http://xmlsoft.org/"><img src="../images/libxml2-logo.png" alt="LibXML2" border="0"></a></td>
70 <td><a href="http://xmlsoft.org/XSLT"><img src="../images/libxslt-logo.png" alt="LibXSLT" border="0"></a></td>
74 <td><a href="http://www.openssl.org/"><img src="../images/openssl-logo.png" alt="OpenSSL" border="0"></a></td>
76 <!--Links - start--><!--Links - end-->
79 <td valign="top"><table width="100%" valign="top"><tr><td valign="top" align="left" id="xmlsecContent">
80 <table width="100%" class="navigation" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
81 <td><a accesskey="p" href="xmlsec-notes-sign-x509.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
82 <td><a accesskey="u" href="xmlsec-notes-x509.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
83 <td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
84 <th width="100%" align="center">XML Security Library Reference Manual</th>
85 <td><a accesskey="n" href="xmlsec-notes-transforms.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
87 <br clear="all"><div class="SECT1">
88 <h1 class="SECT1"><a name="XMLSEC-NOTES-VERIFY-X509">Verifing document signed with X509 certificates.</a></h1>
89 <p> If the document is signed with an X509 certificate then the signature
90 verification consist of two steps:
94 <li><p>Creating and verifing X509 certificates chain.
96 <li><p>Verifing signature itself using key exrtacted from
97 a certificate verified on previous step.
100 Certificates chain is constructed from certificates in a way that
101 each certificate in the chain is signed with previous one:
103 <a name="AEN442"></a><p><b>Figure 1. Certificates chain.</b></p>
104 <pre class="PROGRAMLISTING">Certificate A (signed with B) <- Certificate B (signed with C) <- ... <- Root Certificate (signed by itself)
107 At the end of the chain there is a "Root Certificate" which
108 is signed by itself. There is no way to verify the validity of the
109 root certificate and application have to "trust" it
110 (another name for root certificates is "trusted" certificates).
111 <p> Application can use <a href="xmlsec-app.html#XMLSECCRYPTOAPPKEYSMNGRCERTLOAD">xmlSecCryptoAppKeysMngrCertLoad</a>
112 function to load both "trusted" and "un-trusted"
113 certificates. However, the selection of "trusted"
114 certificates is very sensitive process and this function might be
115 not implemented for some crypto engines. In this case, the
116 "trusted" certificates list is loaded during initialization
117 or specified in crypto engine configuration files.
118 Check XML Security Library API reference for more details.
120 <div class="EXAMPLE">
121 <a name="AEN447"></a><p><b>Example 3. Loading trusted X509 certificate.</b></p>
122 <pre class="PROGRAMLISTING">/**
123 * load_trusted_certs:
124 * @files: the list of filenames.
125 * @files_size: the number of filenames in #files.
127 * Creates simple keys manager and load trusted certificates from PEM #files.
128 * The caller is responsible for destroing returned keys manager using
129 * @xmlSecKeysMngrDestroy.
131 * Returns the pointer to newly created keys manager or NULL if an error
135 load_trusted_certs(char** files, int files_size) {
136 xmlSecKeysMngrPtr mngr;
140 assert(files_size > 0);
142 /* create and initialize keys manager, we use a simple list based
143 * keys manager, implement your own xmlSecKeysStore klass if you need
144 * something more sophisticated
146 mngr = xmlSecKeysMngrCreate();
148 fprintf(stderr, "Error: failed to create keys manager.\n");
151 if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
152 fprintf(stderr, "Error: failed to initialize keys manager.\n");
153 xmlSecKeysMngrDestroy(mngr);
157 for(i = 0; i < files_size; ++i) {
160 /* load trusted cert */
161 if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
162 fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]);
163 xmlSecKeysMngrDestroy(mngr);
171 <p><a href="xmlsec-verify-with-x509.html#XMLSEC-EXAMPLE-VERIFY3">Full program listing</a></p>
174 <table class="navigation" width="100%" summary="Navigation footer" cellpadding="2" cellspacing="2"><tr valign="middle">
175 <td align="left"><a accesskey="p" href="xmlsec-notes-sign-x509.html"><b><<< Signing data with X509 certificate.</b></a></td>
176 <td align="right"><a accesskey="n" href="xmlsec-notes-transforms.html"><b>Transforms and transforms chain. >>></b></a></td>
178 </td></tr></table></td>