Skip to content

Docs/CLI help: clarify --enabled-key-data usage (example: rsa,key-value,x509) and add FAQ note#917

Merged
lsh123 merged 11 commits into
lsh123:masterfrom
ignatremizov:doc/clarify-enabled-key-data
May 26, 2025
Merged

Docs/CLI help: clarify --enabled-key-data usage (example: rsa,key-value,x509) and add FAQ note#917
lsh123 merged 11 commits into
lsh123:masterfrom
ignatremizov:doc/clarify-enabled-key-data

Conversation

@ignatremizov

@ignatremizov ignatremizov commented May 25, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

Background

While trying to satisfy a bank’s requirement to include both <RSAKeyValue> and <X509Data> inside <KeyInfo>, I first proposed a new --add-key-value flag.
@lsh123 pointed out that the existing command

--enabled-key-data rsa,key-value,x509

already does the trick when the template contains <KeyValue/> (and <X509Data/>).
Because this behaviour is essentially undocumented (a Google search for the exact flag returns no hits) I’ve converted the PR into a documentation-only change.

What changed

Area File(s) Update
CLI help apps/xmlsec.c Expanded --enabled-key-data description with a concrete rsa,key-value,x509 example.
Man page doc/xmlsec-man.html Same wording/example as CLI help.
FAQ doc/faq.html Added a clarifying sentence referencing the same example.
Tests tests/testrun.sh Silenced uname: illegal option -- o noise on macOS by redirecting stderr and falling back to an empty string.
Copyright apps/xmlsec.c, man/xmlsec1.1 Fixed double-period typo (“All Rights Reserved..” → “All Rights Reserved.”).

No functional changes; tests remain green.

Usage reminder

xmlsec1 sign \
  --enabled-key-data rsa,key-value,x509 \
  --lax-key-search \
  --pkcs12 mykey.p12 --pwd secret \
  --output signed.xml template.xml

Template must include both <KeyValue/> and <X509Data/> placeholders.

Why it helps

  • Makes the feature discoverable in --help, the man page, and the FAQ.

  • Prevents future users from spending days hunting for the right flag combo.

  • Leaves default behaviour and security warnings unchanged.

Supersedes #916.

@ignatremizov
Add vscode settings to .gitignore
5466565
@ignatremizov
chore(config.h.in): use apostrophe for 'DIR' in comment
2501d45 
Change comment to use apostrophes instead of backticks for 'DIR'
to match project convention and increase consistency.
No functional changes.
@ignatremizov
feat(cli): add --add-key-value option to inject RSAKeyValue in KeyInfo
7497160 
This patch adds a new command-line option, --add-key-value,
which inserts the <KeyValue> element with the public RSA key
(modulus and exponent) into the <KeyInfo> node during signature generation.

Implementation is compatible with all supported OpenSSL versions,
using provider APIs to retrieve key parameters and ensuring type safety.

No changes to default behavior unless the option is specified.
@ignatremizov
chore: fix typo in copyright notice (double period)
e62ce10 
Correct a minor typo by replacing ".." with "." at the end of the
copyright line in apps/xmlsec.c and man/xmlsec1.1.
No functional changes.
@ignatremizov
test(cli): add integration test for --add-key-value
59518b6 
* tests/testAddKeyValue.sh
  - Runs only when the selected crypto backend is OpenSSL
    (skipped for NSS, GnuTLS, MSCrypto, MSCNG, etc., `--add-key-value` is a no-op stub).
  - Signs an enveloping-SHA256 template with the new
    `--add-key-value` switch and existing `rsakey.p12`.
  - Confirms that `<RSAKeyValue>/<Modulus|Exponent>` were added.
  - Verifies the signature with
    `--lax-key-search --X509-skip-strict-checks`, allowing xmlsec
    to fall back to the injected `<KeyValue>` even though the
    bundled test certificate is self-signed.

* Makefile.am
  - Adds `check-addkeyvalue` target so the test is executed by
    `make check` when the build is configured with OpenSSL.

No changes to production code.
@ignatremizov
build(test): silence “uname: illegal option -- o” on macOS
cc84089 
Mac platforms (Darwin/BSD) do not support `uname -o`, so every test
invocation printed:

    uname: illegal option -- o
    usage: uname [-amnprsv]

This patch keeps the original behaviour on Linux (where `uname -o`
returns “GNU/Linux”) but redirects the error and falls back to an
empty string on systems that lack the flag.

tests/testrun.sh
  • replace
        OS_ARCH=`uname -o`
    with
        OS_ARCH=`uname -o 2>/dev/null || echo ''`

No other logic is touched; the modification eliminates noisy stderr
output during `make check` on macOS.
@ignatremizov
Revert "feat(cli): add --add-key-value option to inject RSAKeyValue i…
500f01c 
…n KeyInfo"

This reverts commit 7497160.
@ignatremizov
Revert "test(cli): add integration test for --add-key-value"
94161d5 
This reverts commit 59518b6.
@ignatremizov
doc(cli): show practical example for --enabled-key-data
a6d3b79 
* apps/xmlsec.c, xmlsec-man.html – add explicit
  "rsa,key-value,x509" example so users see how to add
  <RSAKeyValue> via <KeyValue/> placeholder.
* faq.html – reference the same example in the security note.

Docs only; no code behaviour changes.
lsh123
lsh123 reviewed May 25, 2025
View reviewed changes
Comment thread config.h.in
Comment thread .gitignore Outdated
@lsh123

lsh123 commented May 26, 2025

Copy link
Copy Markdown
Owner

Because this behaviour is essentially undocumented

Technically it is in the FAQ :) but good examples are always appreciated.

@lsh123 lsh123 merged commit e493487 into lsh123:master May 26, 2025
16 checks passed
@ignatremizov ignatremizov deleted the doc/clarify-enabled-key-data branch June 11, 2025 18:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lsh123 lsh123 lsh123 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ignatremizov @lsh123