RE: [xmlsec] RE: Need urgent help for verify
What do you mean the document is no longer valid? If it verifies, the References covered by the signature are valid. If the DN in the certificate refers to the same certificate as the friendly name in the KeyName, the KeyName is redundant. This is what I am doing. I am removing the KeyName for the verify and then putting it back in for consistency.

Alternatively you can tell xmlsec which key sources to consult using the enabledKeyData list. I find this a pain and prefer to check the keys in each location myself.

If you have created the signature yourself and are subsequently verifying it, you know they are the same. They should rarely differ. In fact I cannot think of an instance where the contents of X509Certificate should get overridden by KeyName in a Verify. Even when including issuer certificates, they end up as more than one X509Certificate. I buy that if X509Certificate is not there one can consult KeyName, but rarely if ever the reverse. But that is just my opinion. I would like to see an order to the certificate search.

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jürgen Heiss
Sent: June 1, 2006 2:40 AM
To: Aleksey Sanin; [EMAIL PROTECTED]; xmlsec@aleksey.com
Subject: RE: [xmlsec] RE: Need urgent help for verify

Hi everybody,

Well you are right, it's really the KeyName. So if I remove the KeyName it works. But of course the document isn't valid anymore. Is there a way to always ignore the KeyName and use the certificate when verifying a signed document?

What are

xmlSecDSigCtx::keyInfoReadCtx->enabledKeyData
xmlSecDSigCtx::keyInfoWriteCtx->enabledKeyData

for? How must I use them?

Thanks in advance.

Jürgen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: Wednesday, 31 May 2006 22:20
To: [EMAIL PROTECTED]; xmlsec@aleksey.com
Subject: Re: [xmlsec] RE: Need urgent help for verify

Yes

xmlSecDSigCtx::keyInfoReadCtx->enabledKeyData
xmlSecDSigCtx::keyInfoWriteCtx->enabledKeyData

Aleksey

[EMAIL PROTECTED] wrote:

Yes you are right!!! I forgot about that. You mean the --enabled-key-data list in the command line utility? Where is this in the API? In the Ctx?

----- Original Message -----
From: Aleksey Sanin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Jürgen Heiss [EMAIL PROTECTED]; xmlsec@aleksey.com
Sent: Wednesday, May 31, 2006 2:31:14 PM
Subject: Re: [xmlsec] RE: Need urgent help for verify

Does it not make sense to check X509Certificate first? Or must we consciously remove KeyName to avoid problems in the mscrypto world where the chances of actually having the public verification certificate in the verifier's mscrypto store are remote at best?

I think that either signer or verifier should decide if KeyName makes sense for him/her or not. In xmlsec, there is a way to disable KeyName usage for verification, for example.

Aleksey

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [xmlsec] RE: Need urgent help for verify
My point exactly!!! If X509Certificate is there, then one can only assume the signer wants you to use it. In xmlsec we are using the KeyName at signing time for convenience. It does stay in the signature though. The problem is KeyName gets in the way when verifying.

Again, I would vote for a precedence order. Check X509Certificate first. If KeyName is the same (i.e. CN= from X509Certificate is the same as friendly-name in KeyName) DO NOT GO TO the MS Cert Store as they are the same and the in-signature certificate is fine. Besides, the public cert will not be in the cert store anyway!!!

Aleksey?

Ed

-----Original Message-----
From: Jürgen Heiss [mailto:[EMAIL PROTECTED]
Sent: June 1, 2006 6:53 AM
To: [EMAIL PROTECTED]; Aleksey Sanin; xmlsec@aleksey.com
Subject: RE: [xmlsec] RE: Need urgent help for verify

Oops, I think I don't understand something. I call the function

if(xmlSecDSigCtxVerify(dsigCtx, data->startNode) < 0)

And as it looks, this function looks in the KeyName and tries to get the certificate from the registry. But of course the certificate isn't registered. So what do I have to do to load the certificate which is in the signed XML document? How can I tell the function xmlSecDSigCtxVerify to get the certificate from the signed XML file and not to try to look in the registry, because it will not be there? So how can I handle this so that I always load the certificate with which the document was signed?

Thanks
Jürgen

-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: Thursday, 1 June 2006 12:30
To: Jürgen Heiss; 'Aleksey Sanin'; xmlsec@aleksey.com
Subject: RE: [xmlsec] RE: Need urgent help for verify

What do you mean the document is no longer valid? If it verifies, the References covered by the signature are valid. If the DN in the certificate refers to the same certificate as the friendly name in the KeyName, the KeyName is redundant. This is what I am doing. I am removing the KeyName for the verify and then putting it back in for consistency.

Alternatively you can tell xmlsec which key sources to consult using the enabledKeyData list. I find this a pain and prefer to check the keys in each location myself.

If you have created the signature yourself and are subsequently verifying it, you know they are the same. They should rarely differ. In fact I cannot think of an instance where the contents of X509Certificate should get overridden by KeyName in a Verify. Even when including issuer certificates, they end up as more than one X509Certificate. I buy that if X509Certificate is not there one can consult KeyName, but rarely if ever the reverse. But that is just my opinion. I would like to see an order to the certificate search.

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jürgen Heiss
Sent: June 1, 2006 2:40 AM
To: Aleksey Sanin; [EMAIL PROTECTED]; xmlsec@aleksey.com
Subject: RE: [xmlsec] RE: Need urgent help for verify

Hi everybody,

Well you are right, it's really the KeyName. So if I remove the KeyName it works. But of course the document isn't valid anymore. Is there a way to always ignore the KeyName and use the certificate when verifying a signed document?

What are

xmlSecDSigCtx::keyInfoReadCtx->enabledKeyData
xmlSecDSigCtx::keyInfoWriteCtx->enabledKeyData

for? How must I use them?

Thanks in advance.

Jürgen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: Wednesday, 31 May 2006 22:20
To: [EMAIL PROTECTED]; xmlsec@aleksey.com
Subject: Re: [xmlsec] RE: Need urgent help for verify

Yes

xmlSecDSigCtx::keyInfoReadCtx->enabledKeyData
xmlSecDSigCtx::keyInfoWriteCtx->enabledKeyData

Aleksey

[EMAIL PROTECTED] wrote:

Yes you are right!!! I forgot about that. You mean the --enabled-key-data list in the command line utility? Where is this in the API? In the Ctx?

----- Original Message -----
From: Aleksey Sanin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Jürgen Heiss [EMAIL PROTECTED]; xmlsec@aleksey.com
Sent: Wednesday, May 31, 2006 2:31:14 PM
Subject: Re: [xmlsec] RE: Need urgent help for verify

Does it not make sense to check X509Certificate first? Or must we consciously remove KeyName to avoid problems in the mscrypto world where the chances of actually having the public verification certificate in the verifier's mscrypto store are remote at best?

I think that either signer or verifier should decide if KeyName makes sense for him/her or not. In xmlsec, there is a way to disable KeyName usage for verification, for example.

Aleksey
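The precedence rule argued for in this thread (verify with the in-signature X509Certificate first, and fall back to a KeyName lookup in an external store only when no certificate is embedded), as an added Python example that is not part of the original posts or of xmlsec. It parses a constructed KeyInfo with the standard library, decides which key source to consult, and reports when a KeyName merely repeats the certificate's CN. The certificate blob is a placeholder and the CN is read from an X509SubjectName element rather than decoded from the certificate, an assumption made so the example runs offline; in xmlsec itself the corresponding knob is the enabledKeyData list (`--enabled-key-data` on the command line).

```python
"""Key-source precedence for an XMLDSig KeyInfo (added example, not xmlsec code)."""
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a KeyName that repeats the certificate's CN, plus an
# embedded certificate (placeholder blob) and its subject name.
SAMPLE_KEYINFO = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyName>Ed Shallow</ds:KeyName>
  <ds:X509Data>
    <ds:X509SubjectName>CN=Ed Shallow,O=Example,C=CA</ds:X509SubjectName>
    <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>"""

# Constructed sample: no embedded certificate, so only a store lookup can help.
KEYNAME_ONLY_KEYINFO = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyName>upu-signing-key</ds:KeyName>
</ds:KeyInfo>"""


def _texts(root, path):
    return [e.text.strip() for e in root.findall(path, NS) if e.text and e.text.strip()]


def parse_key_info(xml_text):
    """Collect the key hints a verifier may act on, in document order."""
    root = ET.fromstring(xml_text)
    return {
        "key_names": _texts(root, "ds:KeyName"),
        "certs": _texts(root, "ds:X509Data/ds:X509Certificate"),
        "subjects": _texts(root, "ds:X509Data/ds:X509SubjectName"),
    }


def common_name(subject_dn):
    """Pull the CN out of a comma-separated DN string (no RFC 4514 escaping handled)."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def choose_key_source(info):
    """Apply the precedence order: embedded certificate first, store last.

    Returns ("x509", ...) when an X509Certificate is present: the signature is
    verified with that certificate and no external store is consulted, whatever
    the KeyName says.  Returns ("store", ...) only when no certificate is
    embedded and a KeyName names a key to look up.  Anything else is "none".
    """
    if info["certs"]:
        cn = common_name(info["subjects"][0]) if info["subjects"] else None
        redundant = cn is not None and cn in info["key_names"]
        return "x509", {"cn": cn, "redundant_keyname": redundant,
                        "certs": len(info["certs"])}
    if info["key_names"]:
        return "store", {"lookup": info["key_names"][0]}
    return "none", {}


if __name__ == "__main__":
    for label, doc in (("embedded cert", SAMPLE_KEYINFO),
                       ("keyname only", KEYNAME_ONLY_KEYINFO)):
        print(label, "->", choose_key_source(parse_key_info(doc)))
```

Choosing the embedded certificate only settles which key the signature is checked against; whether that certificate is trusted is a separate chain check against the verifier's own trusted roots (the --trusted-der file used elsewhere in this archive), so a KeyInfo supplied by the signer never vouches for itself.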
[xmlsec] Argument count in xmlSecCryptoAppDefaultKeysMngrAdoptKey ?
Hi Aleksey,

Why is the function only accepting 1 argument? Are you experiencing this?

Ed

Entering xmlsec ctypes wrap, loading libxml2, libxmlsec, and mscrypto dll's
Initializing xmlsec                  status code 0
Loading dynamic crypto support       status code 0
Loading openssl crypto               status code 0
CryptoAppInit                        status code 0
CryptoInit                           status code 0
CryptoAppDefaultKeysMngrInit         status code 0
private key loaded from c:/xmlsec/keys/upu/edshallow.p12 with password password at address 10121288
xmlSecKeySetName                     status code 0
Traceback (most recent call last):
  File "C:\XMLSec\epmctypes\signWithP12NoKeyStore.py", line 242, in ?
    main()
  File "C:\XMLSec\epmctypes\signWithP12NoKeyStore.py", line 176, in main
    rc = xmlsec.xmlSecCryptoAppDefaultKeysMngrAdoptKey(keysMngr, privateKey)
TypeError: function takes at most 1 argument (2 given)
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
Getting really close to the end now ;) ... Missing lib.exe??? Not in any of the MS tools I downloaded and installed? ... Where did you get this exe from?

Ed

lib.exe /nologo /OUT:binaries\libxmlsec-openssl_a.lib libxmlsec_openssl_a.int\app.obj libxmlsec_openssl_a.int\bn.obj libxmlsec_openssl_a.int\ciphers.obj libxmlsec_openssl_a.int\crypto.obj libxmlsec_openssl_a.int\digests.obj libxmlsec_openssl_a.int\evp.obj libxmlsec_openssl_a.int\hmac.obj libxmlsec_openssl_a.int\kt_rsa.obj libxmlsec_openssl_a.int\kw_aes.obj libxmlsec_openssl_a.int\kw_des.obj libxmlsec_openssl_a.int\signatures.obj libxmlsec_openssl_a.int\strings.obj libxmlsec_openssl_a.int\symkeys.obj libxmlsec_openssl_a.int\x509.obj libxmlsec_openssl_a.int\x509vfy.obj
'lib.exe' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'lib.exe' : return code '0x1'
Stop.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: May 5, 2006 5:44 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

Got past the missing C runtime stuff, now I am failing on openssl-related include's

You need to set the correct OpenSSL version in the mycfg.bat file. E.g. if you use OpenSSL 0.9.8 then you should have something like this:

--crypto=mscrypto,openssl=098

P.S. Are the warnings on xmlsec-ltdl.c below OK?

Yes, I think it is OK.

Aleksey
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
OK link.exe /lib works ... finally got it all compiled and linked. Ran into more C runtime problems, but got those resolved as well. I'll write it all up next week, not really that simple when using the free Microsoft downloads ... Now on to tracking down if the memory leak is still there ... Stay tuned ...

Thanks again Aleksey,

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: May 6, 2006 1:17 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

This is what google says:

http://www.codecomments.com/archive292-2004-8-262165.html

You might need to tweak the makefile a little bit. Search for lib.exe and replace it with link.exe /lib

Aleksey

Edward Shallow wrote:

Getting really close to the end now ;) ... Missing lib.exe??? Not in any of the MS tools I downloaded and installed? ... Where did you get this exe from?

Ed

lib.exe /nologo /OUT:binaries\libxmlsec-openssl_a.lib libxmlsec_openssl_a.int\app.obj libxmlsec_openssl_a.int\bn.obj libxmlsec_openssl_a.int\ciphers.obj libxmlsec_openssl_a.int\crypto.obj libxmlsec_openssl_a.int\digests.obj libxmlsec_openssl_a.int\evp.obj libxmlsec_openssl_a.int\hmac.obj libxmlsec_openssl_a.int\kt_rsa.obj libxmlsec_openssl_a.int\kw_aes.obj libxmlsec_openssl_a.int\kw_des.obj libxmlsec_openssl_a.int\signatures.obj libxmlsec_openssl_a.int\strings.obj libxmlsec_openssl_a.int\symkeys.obj libxmlsec_openssl_a.int\x509.obj libxmlsec_openssl_a.int\x509vfy.obj
'lib.exe' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'lib.exe' : return code '0x1'
Stop.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: May 5, 2006 5:44 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

Got past the missing C runtime stuff, now I am failing on openssl-related include's

You need to set the correct OpenSSL version in the mycfg.bat file. E.g. if you use OpenSSL 0.9.8 then you should have something like this:

--crypto=mscrypto,openssl=098

P.S. Are the warnings on xmlsec-ltdl.c below OK?

Yes, I think it is OK.

Aleksey
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
Hi Aleksey,

Memory leak seems to have been fixed with your 2nd patch. Strange side effect of the recompile though, my xmlsec command line utility now crashes. Our application works, but the command line utility crashes with the new executables. I'll check further.

Ed

-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: May 6, 2006 4:41 PM
To: 'Aleksey Sanin'
Cc: 'xmlsec@aleksey.com'
Subject: RE: [xmlsec] FW: Free/Destroy versus Memory Leak

OK link.exe /lib works ... finally got it all compiled and linked. Ran into more C runtime problems, but got those resolved as well. I'll write it all up next week, not really that simple when using the free Microsoft downloads ... Now on to tracking down if the memory leak is still there ... Stay tuned ...

Thanks again Aleksey,

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: May 6, 2006 1:17 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

This is what google says:

http://www.codecomments.com/archive292-2004-8-262165.html

You might need to tweak the makefile a little bit. Search for lib.exe and replace it with link.exe /lib

Aleksey

Edward Shallow wrote:

Getting really close to the end now ;) ... Missing lib.exe??? Not in any of the MS tools I downloaded and installed? ... Where did you get this exe from?

Ed

lib.exe /nologo /OUT:binaries\libxmlsec-openssl_a.lib libxmlsec_openssl_a.int\app.obj libxmlsec_openssl_a.int\bn.obj libxmlsec_openssl_a.int\ciphers.obj libxmlsec_openssl_a.int\crypto.obj libxmlsec_openssl_a.int\digests.obj libxmlsec_openssl_a.int\evp.obj libxmlsec_openssl_a.int\hmac.obj libxmlsec_openssl_a.int\kt_rsa.obj libxmlsec_openssl_a.int\kw_aes.obj libxmlsec_openssl_a.int\kw_des.obj libxmlsec_openssl_a.int\signatures.obj libxmlsec_openssl_a.int\strings.obj libxmlsec_openssl_a.int\symkeys.obj libxmlsec_openssl_a.int\x509.obj libxmlsec_openssl_a.int\x509vfy.obj
'lib.exe' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'lib.exe' : return code '0x1'
Stop.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: May 5, 2006 5:44 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

Got past the missing C runtime stuff, now I am failing on openssl-related include's

You need to set the correct OpenSSL version in the mycfg.bat file. E.g. if you use OpenSSL 0.9.8 then you should have something like this:

--crypto=mscrypto,openssl=098

P.S. Are the warnings on xmlsec-ltdl.c below OK?

Yes, I think it is OK.

Aleksey
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
Forgot to mention. It only crashes with mscrypto.

-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: May 6, 2006 5:53 PM
To: '[EMAIL PROTECTED]'; 'Aleksey Sanin'
Cc: 'xmlsec@aleksey.com'
Subject: RE: [xmlsec] FW: Free/Destroy versus Memory Leak

Hi Aleksey,

Memory leak seems to have been fixed with your 2nd patch. Strange side effect of the recompile though, my xmlsec command line utility now crashes. Our application works, but the command line utility crashes with the new executables. I'll check further.

Ed

-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: May 6, 2006 4:41 PM
To: 'Aleksey Sanin'
Cc: 'xmlsec@aleksey.com'
Subject: RE: [xmlsec] FW: Free/Destroy versus Memory Leak

OK link.exe /lib works ... finally got it all compiled and linked. Ran into more C runtime problems, but got those resolved as well. I'll write it all up next week, not really that simple when using the free Microsoft downloads ... Now on to tracking down if the memory leak is still there ... Stay tuned ...

Thanks again Aleksey,

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: May 6, 2006 1:17 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

This is what google says:

http://www.codecomments.com/archive292-2004-8-262165.html

You might need to tweak the makefile a little bit. Search for lib.exe and replace it with link.exe /lib

Aleksey

Edward Shallow wrote:

Getting really close to the end now ;) ... Missing lib.exe??? Not in any of the MS tools I downloaded and installed? ... Where did you get this exe from?

Ed

lib.exe /nologo /OUT:binaries\libxmlsec-openssl_a.lib libxmlsec_openssl_a.int\app.obj libxmlsec_openssl_a.int\bn.obj libxmlsec_openssl_a.int\ciphers.obj libxmlsec_openssl_a.int\crypto.obj libxmlsec_openssl_a.int\digests.obj libxmlsec_openssl_a.int\evp.obj libxmlsec_openssl_a.int\hmac.obj libxmlsec_openssl_a.int\kt_rsa.obj libxmlsec_openssl_a.int\kw_aes.obj libxmlsec_openssl_a.int\kw_des.obj libxmlsec_openssl_a.int\signatures.obj libxmlsec_openssl_a.int\strings.obj libxmlsec_openssl_a.int\symkeys.obj libxmlsec_openssl_a.int\x509.obj libxmlsec_openssl_a.int\x509vfy.obj
'lib.exe' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'lib.exe' : return code '0x1'
Stop.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: May 5, 2006 5:44 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

Got past the missing C runtime stuff, now I am failing on openssl-related include's

You need to set the correct OpenSSL version in the mycfg.bat file. E.g. if you use OpenSSL 0.9.8 then you should have something like this:

--crypto=mscrypto,openssl=098

P.S. Are the warnings on xmlsec-ltdl.c below OK?

Yes, I think it is OK.

Aleksey
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
\x509vfy.c(561) : error C2037: left of 'untrusted' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(570) : error C2037: left of 'crls' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(571) : error C2037: left of 'crls' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(581) : error C2037: left of 'vpm' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(582) : error C2037: left of 'vpm' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(590) : error C2037: left of 'vpm' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(591) : error C2037: left of 'xst' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(591) : error C2037: left of 'vpm' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(609) : error C2037: left of 'xst' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(610) : error C2037: left of 'xst' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(610) : error C2198: 'X509_STORE_free' : too few arguments for call through pointer-to-function
..\src\openssl\x509vfy.c(612) : error C2037: left of 'untrusted' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(613) : error C2037: left of 'untrusted' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(613) : warning C4047: 'function' : 'STACK *' differs in levels of indirection from 'void (__cdecl *)(void *)'
..\src\openssl\x509vfy.c(613) : error C2198: 'sk_pop_free' : too few arguments for call through pointer-to-function
..\src\openssl\x509vfy.c(615) : error C2037: left of 'crls' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(616) : error C2037: left of 'crls' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(616) : warning C4047: 'function' : 'STACK *' differs in levels of indirection from 'void (__cdecl *)(void *)'
..\src\openssl\x509vfy.c(616) : error C2198: 'sk_pop_free' : too few arguments for call through pointer-to-function
..\src\openssl\x509vfy.c(619) : error C2037: left of 'vpm' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(620) : error C2037: left of 'vpm' specifies undefined struct/union '_xmlSecOpenSSLX509StoreCtx'
..\src\openssl\x509vfy.c(624) : error C2027: use of undefined type '_xmlSecOpenSSLX509StoreCtx'
        ..\src\openssl\x509vfy.c(47) : see declaration of '_xmlSecOpenSSLX509StoreCtx'
Generating Code...
NMAKE : fatal error U1077: 'cl.exe' : return code '0x2'
Stop.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: May 3, 2006 12:03 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com; [EMAIL PROTECTED]
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

Edward Shallow wrote:

Almost there. Can't find msvcrt.lib Not in MSSDK or VC6???

Ed

This is the MS runtime library... Yet another MS download:

http://wiki.tcl.tk/11431

Aleksey
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
You do not see it with the sign? Do you think it could be the environment around xmlsec? Might this not leak on a freshly installed XP machine? Has the CVS been updated with this patch? Is it in the daily snapshot? I will have to wait for Igor to recompile and re-post.

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: May 2, 2006 12:17 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

OK, I believe that the attached patch fixes the memory leak though I don't see it in Purify. Please let me know if it works for you or not.

Thank you in advance!

Aleksey
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
The link to the Visual Studio C++ 2003 Toolkit (free) provided to me by Dmitry (thanks) contains ***NO*** nmake.exe

I had a tough time finding this old one. Any suggestions?

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: May 2, 2006 9:51 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com; [EMAIL PROTECTED]
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

C:\XMLSec\xmlsec1-1.2.9\win32>nmake
Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.
makefile(571) : fatal error U1088: invalid separator '::' on inference rule
Stop.

The nmake you run is *very* old (version 1.50 from 1994). It is not from MSVC .NET 2003.

Aleksey
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
PostScript: I am downloading the Platform SDK. That should do it. I'll let you know.

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Shallow
Sent: May 2, 2006 10:47 PM
To: 'Aleksey Sanin'
Cc: xmlsec@aleksey.com; [EMAIL PROTECTED]
Subject: RE: [xmlsec] FW: Free/Destroy versus Memory Leak

The link to the Visual Studio C++ 2003 Toolkit (free) provided to me by Dmitry (thanks) contains ***NO*** nmake.exe

I had a tough time finding this old one. Any suggestions?

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: May 2, 2006 9:51 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com; [EMAIL PROTECTED]
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

C:\XMLSec\xmlsec1-1.2.9\win32>nmake
Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.
makefile(571) : fatal error U1088: invalid separator '::' on inference rule
Stop.

The nmake you run is *very* old (version 1.50 from 1994). It is not from MSVC .NET 2003.

Aleksey
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
Almost there. Can't find msvcrt.lib Not in MSSDK or VC6???

Ed

. . .
enveloped.c
errors.c
io.c
keyinfo.c
keys.c
keysdata.c
keysmngr.c
list.c
membuf.c
nodeset.c
parser.c
soap.c
strings.c
templates.c
Generating Code...
Compiling...
transforms.c
x509.c
xkms.c
xmldsig.c
xmlenc.c
xmlsec.c
xmltree.c
xpath.c
xslt.c
Generating Code...
link.exe /nologo /LIBPATH:binaries /LIBPATH:c:\XMLSec\xmlsec1-1.2.9\lib /DEBUG /DLL /VERSION:1.2 /IMPLIB:binaries\libxmlsec.lib /OUT:binaries\libxmlsec.dll libxmlsec.int\app.obj libxmlsec.int\base64.obj libxmlsec.int\bn.obj libxmlsec.int\buffer.obj libxmlsec.int\c14n.obj libxmlsec.int\dl.obj libxmlsec.int\enveloped.obj libxmlsec.int\errors.obj libxmlsec.int\io.obj libxmlsec.int\keyinfo.obj libxmlsec.int\keys.obj libxmlsec.int\keysdata.obj libxmlsec.int\keysmngr.obj libxmlsec.int\list.obj libxmlsec.int\membuf.obj libxmlsec.int\nodeset.obj libxmlsec.int\parser.obj libxmlsec.int\soap.obj libxmlsec.int\strings.obj libxmlsec.int\templates.obj libxmlsec.int\transforms.obj libxmlsec.int\x509.obj libxmlsec.int\xkms.obj libxmlsec.int\xmldsig.obj libxmlsec.int\xmlenc.obj libxmlsec.int\xmlsec.obj libxmlsec.int\xmltree.obj libxmlsec.int\xpath.obj libxmlsec.int\xslt.obj libxmlsec.int\xmlsec-ltdl.obj libxml2.lib libxslt.lib
LINK : fatal error LNK1104: cannot open file 'MSVCRT.lib'
NMAKE : fatal error U1077: 'link.exe' : return code '0x450'
Stop.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Shallow
Sent: May 2, 2006 11:06 PM
To: 'Aleksey Sanin'
Cc: xmlsec@aleksey.com; [EMAIL PROTECTED]
Subject: RE: [xmlsec] FW: Free/Destroy versus Memory Leak

PostScript: I am downloading the Platform SDK. That should do it. I'll let you know.

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Shallow
Sent: May 2, 2006 10:47 PM
To: 'Aleksey Sanin'
Cc: xmlsec@aleksey.com; [EMAIL PROTECTED]
Subject: RE: [xmlsec] FW: Free/Destroy versus Memory Leak

The link to the Visual Studio C++ 2003 Toolkit (free) provided to me by Dmitry (thanks) contains ***NO*** nmake.exe

I had a tough time finding this old one. Any suggestions?

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: May 2, 2006 9:51 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com; [EMAIL PROTECTED]
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

C:\XMLSec\xmlsec1-1.2.9\win32>nmake
Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.
makefile(571) : fatal error U1088: invalid separator '::' on inference rule
Stop.

The nmake you run is *very* old (version 1.50 from 1994). It is not from MSVC .NET 2003.

Aleksey
RE: [xmlsec] FW: Free/Destroy versus Memory Leak
Hi Aleksey and Igor and Dmitry,

Thanks for the recompiled libxmlsec 1.2.9+ Igor!!!

I ran the --repeat test again using the command line utility as follows ...

xmlsec verify --crypto mscrypto --repeat 1000 --trusted-der keys/upu-cacert.der inout/edsigned-enveloped.xml

The run started off at around 4800K and ended up around 45,000K

I changed --repeat to 2000 and I ended up at 86,000K

This was observed using Task Manager. Not sure what is going on. Either the February patch (reordering key cleanup calls) does not entirely fix the memory leak, or 1.2.9+ is still not picking up the patch. Can't say for sure. This is on WinXP using Igor's brand new libxmlsec 1.2.9+ binaries dated 14/04/2006. Our python/xmlsec server application exhibits the same memory profile i.e. rapidly growing. I know I am picking up Igor's latest 14/04/2006 .dll's on my path as I renamed them to make sure and they naturally failed.

OpenSSL crypto seems fine, no leak, flat memory profile, much faster too!!!

Ideas?

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Shallow
Sent: April 12, 2006 4:19 PM
To: xmlsec@aleksey.com
Subject: FW: [xmlsec] FW: Free/Destroy versus Memory Leak

Hi Aleksey,

I noticed that Igor has recompiled libxmlsec (now at 1.2.9), as well as libxml2, and libxslt. They are now available at his site. We were anxiously awaiting these upgrades. Unfortunately he did not pick up your fix to the memory leak problem in mscrypto that you fixed in February (attached and below)? And I have no idea which branch/trunk he may have used.

As you probably know our project has totally wrapped xmlsec and libxml2 in Python using ctypes and absolutely everything is working fine with many thanks to your excellent support. As such we have no MS VC6 software or anything else MS and simply use Igor's pre-compiled binaries for our Windows support. We have been running with the memory leak for a while and things are getting worse.

Can I trouble you to send me your versions of these Windows dll's:

libxmlsec-mscrypto.dll
libxmlsec-openssl.dll
libxmlsec.dll
xmlsec.exe

It would be enormously appreciated.

Cheers,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: February 20, 2006 5:43 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] FW: Free/Destroy versus Memory Leak

OK, I was able to reproduce the leak on Windows XP (before I tried Win2K). The attached patch fixes the leak by reordering MSCrypto key cleanup calls.

Thanks for reporting the problem!

Aleksey
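A repeat-and-measure harness of the kind the --repeat run above performs, as an added Python example (not code from the thread or from xmlsec). The two verify callables are constructed stand-ins, one that retains every working buffer and one that releases it, and tracemalloc does the sampling so the check runs offline; with a ctypes-wrapped C library the same loop would sample process RSS instead, since tracemalloc only sees Python-level allocations. The 64-byte threshold and the 1 KB document are assumptions.

```python
"""Repeat-and-measure leak check (added example, not xmlsec or thread code)."""
import tracemalloc

_retained = []           # where the leaky stand-in parks its buffers


def leaky_verify(doc):
    """Stand-in for a verify call that never releases its working buffer."""
    buf = bytearray(doc)   # pretend this is a parsed document or key context
    _retained.append(buf)  # the leak: a reference is kept for ever
    return True


def clean_verify(doc):
    """Stand-in for a verify call that frees everything it allocated."""
    buf = bytearray(doc)
    return len(buf) == len(doc)   # buf dies with the frame


def bytes_per_iteration(fn, doc, repeat=1000, warmup=10):
    """Run fn(doc) `repeat` times and return the average bytes retained per call.

    The warm-up absorbs one-off allocations (caches, first-use setup) so they
    are not mistaken for a leak, the same way the first jump in a process's
    working set is discounted when reading Task Manager.  Only memory still
    held after the loop counts, so a function that allocates and frees on
    every call reports close to zero.
    """
    for _ in range(warmup):
        fn(doc)
    tracemalloc.start()
    try:
        before = tracemalloc.get_traced_memory()[0]
        for _ in range(repeat):
            fn(doc)
        after = tracemalloc.get_traced_memory()[0]
    finally:
        tracemalloc.stop()
    return (after - before) / repeat


def looks_like_leak(fn, doc, threshold=64):
    """Flag steady growth above `threshold` bytes per call (threshold is an assumption)."""
    return bytes_per_iteration(fn, doc) > threshold


if __name__ == "__main__":
    doc = b"<signed/>" * 128   # constructed ~1 KB stand-in for a signed document
    for name, fn in (("leaky", leaky_verify), ("clean", clean_verify)):
        rate = bytes_per_iteration(fn, doc)
        print(f"{name}: {rate:.0f} bytes/iteration, leak={looks_like_leak(fn, doc)}")
```

Doubling the repeat count and checking that the total grows roughly linearly, as the 1000 versus 2000 runs above do, is the same test in two samples; the harness just turns it into a per-call rate that can be asserted on in a regression suite.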
RE: [Bulk] Re: [Bulk] [xmlsec] Re: Loaded Private Key and mscrypto
Hi Aleksey,

Confirmed that the problem in xmlSecSimpleKeysStoreSave is indeed with mscrypto. Openssl works fine.

Python ctypes works fine using all of c_uint(1) for Public, c_uint(2) for Private, c_uint(4) for Symmetric, and sums thereof. Only selected key types are saved in each case. c_uint(65535) produces the equivalent of 0xFFFF and selects all types. No problem here either.

Private Exponent comes out as would be expected for both test-rsa and the p12 loaded key named 'Ed Shallow' using openssl. NOT for mscrypto. savedKeysStore.xml for both openssl and mscrypto are attached.

# Python 2 / ctypes wrapper; 'xmlsec' is the loaded library handle
keysMngr = xmlsec.xmlSecKeysMngrCreate()
rc = xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
id = xmlsec.xmlSecSimpleKeysStoreGetKlass()
keyStore = xmlsec.xmlSecKeyStoreCreate(id)
rc = xmlsec.xmlSecSimpleKeysStoreLoad(keyStore, 'c:/xmlsec/keys/keys.xml', keysMngr)
desKlass = xmlsec.xmlSecKeyDataDesGetKlass()
# 192-bit key; 12 is the key type bitmask
symmetricKey = xmlsec.xmlSecKeyGenerateByName(desKlass.contents.name, c_uint(192), c_uint(12))
rc = xmlsec.xmlSecKeySetName(symmetricKey, 'symmetric-des')
rc = xmlsec.xmlSecSimpleKeysStoreAdoptKey(keyStore, symmetricKey)
# 6 = xmlSecKeyDataFormatPkcs12
privateKey = xmlsec.xmlSecCryptoAppKeyLoad(p12, c_uint(6), password, None, None)
print 'xmlSecKeySetName\t\t\tstatus code', xmlsec.xmlSecKeySetName(privateKey, 'Ed Shallow')
rc = xmlsec.xmlSecSimpleKeysStoreAdoptKey(keyStore, privateKey)
rc = xmlsec.xmlSecKeysMngrAdoptKeysStore(keysMngr, keyStore)
print 'KeysMngrAdoptKeysStore \t\t\tstatus code', rc
# 65535 = 0xFFFF: every key type (public, private, symmetric) is written out
rc = xmlsec.xmlSecSimpleKeysStoreSave(keyStore, 'c:/xmlsec/keys/savedKeysStore65535.xml', c_uint(65535))

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 17, 2006 11:48 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [Bulk] [xmlsec] Re: Loaded Private Key and mscrypto

rc = xmlsec.xmlSecSimpleKeysStoreSave(keyStore, 'c:/xmlsec/keys/savedKeysStore.xml', c_uint(65535))
print 'xmlSecSimpleKeysStoreSave \t\tstatus code', rc

c_uint(65535) is incorrect. Please set just private keys to be saved (xmlSecKeyDataTypePrivate define).

Aleksey
RE: [Bulk] Re: [Bulk] [xmlsec] Re: Loaded Private Key and mscrypto

With attachments ...

-Original Message-
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: January 19, 2006 6:36 PM
To: 'Aleksey Sanin'
Cc: 'xmlsec@aleksey.com'
Subject: RE: [Bulk] Re: [Bulk] [xmlsec] Re: Loaded Private Key and mscrypto

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec

<?xml version="1.0"?>
<Keys xmlns="http://www.aleksey.com/xmlsec/2002">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>test-dsa</KeyName>
<KeyValue>
<DSAKeyValue>
<P>
4jl6DkcmDDBt815kg/WbxW1gnLtqH+kdjqEeFDD9m6EqGqvVhFbbvNNQqAwuaiJU
nWlR8gG47GtHKFN6w8CM1qteIo3foK504otZFNsl1p3cInQpdRCp2e/lQ+E24J/H
/n4Ix9pBNV63JIiSIqa+GpDuBpW4o3rrBRxTjOwYpWk=
</P>
<Q>
9WQwByMPy0u1C8e2SeNQTvkG6tM=
</Q>
<G>
Rrg7e8pNLHMFK0pGW7xvzb7Kh6icJSsiBaX6aHqaQc9rSzzMJG3snBuQricNaUH5
8ipucT+hdPRTo6g0ty5noyyBmqUvYHf9NuskQhPDmC3uTtqQTHeCEuX8XoH3YYlB
uE4nXvQRGZoyy+43ISe9aDnEAgIUVQXEayTVppRF24I=
</G>
<Y>
WT0+1bR+bj65u5iDJ0MRc6/8iEAbvj7l5sAVn/H+SdZy94wW5mnSLCC5ufN33QPp
WNvgVk2igM+W51WlhFDgA8Xz9lRPk19jW8BXQpqv11MKoIBpaSAWvnhs/0AKubiT
XxJz7i78ZJy4hVTn99Rvt6Tc16/LICZfsqIJr+VK4Sg=
</Y>
</DSAKeyValue>
</KeyValue>
</KeyInfo>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>test-rsa</KeyName>
<KeyValue>
<RSAKeyValue>
<Modulus>
0rGgazIyv0XjPXGGBwt1wvfCPO++VAlxW15LFinbxCeBkq/5jb/71gC7R2CJtUK4
y/tIi7g89YBwQosJpgMMZt69fz51omEv/WobD0vUFcbRxek+Yi23ZHxhZMtO42Re
zfpwgC4ep0fXL+V105BUmjGFYACnUJdtMkG8ahH8/Zs=
</Modulus>
<Exponent>
Aw==
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>test-des</KeyName>
<KeyValue>
<DESKeyValue xmlns="http://www.aleksey.com/xmlsec/2002">zBFljViy/Qhd8AG0vGxf+SekrJ1ttpIz</DESKeyValue>
</KeyValue>
</KeyInfo>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>test-aes128</KeyName>
<KeyValue>
<AESKeyValue xmlns="http://www.aleksey.com/xmlsec/2002">0Xfy3ES+Fbv/OfWuQHKvPA==</AESKeyValue>
</KeyValue>
</KeyInfo>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>test-aes192</KeyName>
<KeyValue>
<AESKeyValue xmlns="http://www.aleksey.com/xmlsec/2002">lk9DyA07xL/m45fUb7zbLoy3c0hLhw80</AESKeyValue>
</KeyValue>
</KeyInfo>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>test-aes256</KeyName>
<KeyValue>
<AESKeyValue xmlns="http://www.aleksey.com/xmlsec/2002">fpCPQLCMZCw9WipH8kk1J75CqYgWBhbJDMFPiUS0hzE=</AESKeyValue>
</KeyValue>
</KeyInfo>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>symmetric-des</KeyName>
<KeyValue>
<DESKeyValue xmlns="http://www.aleksey.com/xmlsec/2002">O4uCDqTOLUTgajJ3pGRs5zmY+4snvijd</DESKeyValue>
</KeyValue>
</KeyInfo>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Ed Shallow</KeyName>
<KeyValue>
<RSAKeyValue>
<Modulus>
ueWI67MxGNuP+LsiPkrqgN6og8+CitAU4gumFAbW/L2q7zv6JE7WaMwZTH/8Als0
kS1StqwCZXLCci5sziWUwkHW0h0W5PhnJwf5Jxt0p4Hnz1IGlJMueD6lwqKwcbNN
lKuenHnTLpL4HvyT5Gy2HdJwxxjRXJOZDTVcPUIZ5LE=
</Modulus>
<Exponent>
AQAB
</Exponent>
RE: [Bulk] [xmlsec] Re: Loaded Private Key and mscrypto

More surprises from mscrypto !!! It seems that there is no need to save the xmlsec signKey across operations using that key. Nor do you have to reset the dsigCtx. Once a process has loaded a private key from the mscrypto store using the default MS Crypto Service Provider, the CSP will not prompt the user (or process in this case) again for the password. Authentication into the MS Crypto Store seems to only be required once per process.

I tried the KeysMngr approach assuming I had to adopt the key and then keep the KeysMngr around for all subsequent calls. It turns out that you can treat each call totally independently and not worry about which keys you have loaded and which ones you haven't.

Dmitry, do you observe this as well ?

Cheers,
Ed

P.S. On a separate note ... This function works and saves a new keys file, but never saves any private exponent for private keys into the new saved file.

rc = xmlsec.xmlSecSimpleKeysStoreSave(keyStore, 'c:/xmlsec/keys/savedKeysStore.xml', c_uint(65535))
print 'xmlSecSimpleKeysStoreSave \t\tstatus code', rc

This section is always missing.

<PrivateExponent xmlns="http://www.aleksey.com/xmlsec/2002">
jHZq8iF3Ki6Xfkuur1z5LKUsKJ/UOAZLkj7cuXE9LW+rtx/7s9VSjqsnhOsGeNcl
3VIwXSV9+QBK1wdbxAIIQ16+yWXNY+21K94h4C6ssx44lqgODL25OXDsE92EZFu0
1gApBhqOUxV1gUXDqMnHqSWbk7/1kwX6RzsioRu0UKs=
</PrivateExponent>

Can you re-produce this ?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 16, 2006 10:43 PM
To: [EMAIL PROTECTED]; xmlsec@aleksey.com
Subject: [Bulk] [xmlsec] Re: Loaded Private Key and mscrypto

You can specify the signature key in the xmldsig context: http://www.aleksey.com/xmlsec/api/xmlsec-notes-sign.html Though, I have no idea how it works with Python :)

Aleksey

Edward Shallow wrote:

Hi Aleksey,

In mscrypto, is there any way to save the private signing key or hold the key (KeyPtr really) and reuse it for subsequent sign operations ? Sort of like a memory-loaded and reusable signing key. I need something like an xmlSecCryptoAppKeyLoad which returns a KeyPtr I can sign with. This works fine for P12s, but I need the equivalent for mscrypto keys in the MS Crypto Store.

It seems like the only way to load and use a private signing key in mscrypto is via a template with a KeyName reference in it. Problem is I can't keep the keyPtr that got used. The 2 functions below do not allow one to subsequently sign with the retrieved key. I can find them, load them, even save them to an XML keys file, but I can't sign with them. The private RSA exponent does not seem to be available.

key = xmlsec.xmlSecKeysMngrFindKey(keysMngr, friendly name for the key, keyInfoCtx)
... and ...
key = xmlsec.xmlSecKeysMngrGetKey(keyInfoNode, keyInfoCtx)

Any idea ? This is for a server-resident application which must repeatedly sign things and I do not want the password prompt.

Thanks,
Ed

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
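The two messages above turn on what xmlSecSimpleKeysStoreSave writes for a given type mask (Ed's finding that 1 = public, 2 = private, 4 = symmetric and that 65535 selects everything) and on the PrivateExponent element that is missing from the mscrypto output. The following is an added illustration, not xmlsec's own code: a small writer for the same <Keys> file layout as the attachment in this thread, filtering keys by that bitmask and emitting PrivateExponent only when the private material is actually available to the writer. The Key class, the sample keys and the exportable flag are constructed for the example; the flag is an assumption standing in for a key whose private part is held by the CSP and never handed to the caller, which the thread observes but does not diagnose.

```python
"""Writer for an xmlsec-style <Keys> file filtered by a key-type bitmask.

Added illustration only; not xmlSecSimpleKeysStoreSave. The type bits follow
the values reported in the thread (1 public, 2 private, 4 symmetric, 0xFFFF all).
"""
import xml.etree.ElementTree as ET

KEY_TYPE_PUBLIC = 1
KEY_TYPE_PRIVATE = 2
KEY_TYPE_SYMMETRIC = 4
KEY_TYPE_ANY = 0xFFFF

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XMLSEC_NS = "http://www.aleksey.com/xmlsec/2002"


class Key:
    """A key as the store sees it (constructed model, not an xmlSecKey)."""

    def __init__(self, name, key_type, algorithm, params, exportable=True):
        self.name = name
        self.key_type = key_type      # bitmask; a private key also carries its public part
        self.algorithm = algorithm    # "rsa", "des" or "aes"
        self.params = params          # base64 strings (placeholders here)
        self.exportable = exportable  # assumption: False = private part held by a CSP


# Constructed sample keys; the base64 values are placeholders, not real key material.
SAMPLE_KEYS = [
    Key("test-rsa-pub", KEY_TYPE_PUBLIC, "rsa", {"Modulus": "AAAA", "Exponent": "AQAB"}),
    Key("Ed Shallow", KEY_TYPE_PUBLIC | KEY_TYPE_PRIVATE, "rsa",
        {"Modulus": "BBBB", "Exponent": "AQAB", "PrivateExponent": "CCCC"}),
    Key("csp-held", KEY_TYPE_PUBLIC | KEY_TYPE_PRIVATE, "rsa",
        {"Modulus": "DDDD", "Exponent": "AQAB"}, exportable=False),
    Key("symmetric-des", KEY_TYPE_SYMMETRIC, "des", {"value": "EEEE"}),
]


def select_keys(keys, type_mask):
    """Keep a key if any of its type bits is selected by the mask."""
    return [k for k in keys if k.key_type & type_mask]


def key_to_xml(key, type_mask):
    """Build one <KeyInfo> in the layout of the attached keys file."""
    ki = ET.Element(f"{{{DSIG_NS}}}KeyInfo")
    ET.SubElement(ki, f"{{{DSIG_NS}}}KeyName").text = key.name
    kv = ET.SubElement(ki, f"{{{DSIG_NS}}}KeyValue")
    if key.algorithm == "rsa":
        rsa = ET.SubElement(kv, f"{{{DSIG_NS}}}RSAKeyValue")
        ET.SubElement(rsa, f"{{{DSIG_NS}}}Modulus").text = key.params["Modulus"]
        ET.SubElement(rsa, f"{{{DSIG_NS}}}Exponent").text = key.params["Exponent"]
        # PrivateExponent lives in the xmlsec namespace and is written only when
        # private keys were requested, the key has one, and we can actually read it.
        want_private = bool(type_mask & KEY_TYPE_PRIVATE) and bool(key.key_type & KEY_TYPE_PRIVATE)
        if want_private and key.exportable and "PrivateExponent" in key.params:
            ET.SubElement(rsa, f"{{{XMLSEC_NS}}}PrivateExponent").text = key.params["PrivateExponent"]
    else:
        tag = {"des": "DESKeyValue", "aes": "AESKeyValue"}[key.algorithm]
        ET.SubElement(kv, f"{{{XMLSEC_NS}}}{tag}").text = key.params["value"]
    return ki


def save_keys_store(keys, type_mask):
    """Return the <Keys> document as a string for the keys selected by the mask."""
    root = ET.Element(f"{{{XMLSEC_NS}}}Keys")
    for k in select_keys(keys, type_mask):
        root.append(key_to_xml(k, type_mask))
    return ET.tostring(root, encoding="unicode")


def saved_key_names(keys, type_mask):
    return [k.name for k in select_keys(keys, type_mask)]


def has_private_exponent(xml_text, name):
    """Check a saved file for the PrivateExponent of the named key."""
    root = ET.fromstring(xml_text)
    for ki in root:
        if ki.find(f"{{{DSIG_NS}}}KeyName").text == name:
            return ki.find(f".//{{{XMLSEC_NS}}}PrivateExponent") is not None
    return False


if __name__ == "__main__":
    print(saved_key_names(SAMPLE_KEYS, KEY_TYPE_PRIVATE))
    doc = save_keys_store(SAMPLE_KEYS, KEY_TYPE_ANY)
    print("Ed Shallow has d:", has_private_exponent(doc, "Ed Shallow"))
    print("csp-held has d:", has_private_exponent(doc, "csp-held"))
```

A file written with the private bit set contains raw private exponents, so treat it like the p12 it came from rather than like a certificate bundle.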
[xmlsec] FW: Cert Chain Validation 1.2.8 mscrypto

First post bounced ?

-Original Message-
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: January 13, 2006 9:34 AM
To: 'Aleksey Sanin'
Subject: Cert Chain Validation 1.2.8 mscrypto

Aleksey,

I think I might have something here ... This output looks very very close to yours ... Since you didn't send me the entire stderr output, please comment on the attached. I ran the same tests as you. Note the error messages ...

Error lines 3, 4, 5, and 6 only appear in the 1st run when the trusted cert is NOT loaded, so the "45: key is not found" must be the upu-cacert.der. This is good. Error lines 3, 4, 5, and 6 do not appear in the 2nd run, also good.

What does appear in both runs are error lines 1 and 2 claiming something invalid (xmlSecMSCryptoCertStrToName) about the KeyName I suspect. This threw me off. Did you ignore these 2 messages when reporting results to me ?

The final "OK / SignedInfo References (ok/all): 1/1 / Manifests References (ok/all): 0/0" does look good.

Can error messages 1 and 2 be ignored ?

Ed

1st Run Without trusted der loaded
**

C:\XMLSec>xmlsec verify --crypto mscrypto inout/edsigned-enveloped.xml

1) func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=754:obj=unknown:subj=xmlSecMSCryptoCertStrToName:error=1:xmlsec library function failed: ;last error=-2146885597 (0x80092023);last error msg=The string contains an invalid X500 name attribute key, oid, value or delimiter.
2) func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=754:obj=unknown:subj=xmlSecMSCryptoCertStrToName:error=1:xmlsec library function failed: ;last error=-2146885597 (0x80092023);last error msg=The string contains an invalid X500 name attribute key, oid, value or delimiter.
3) func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
4) func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
5) func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
6) func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file inout/edsigned-enveloped.xml

2nd Run With trusted der loaded
***

C:\XMLSec>xmlsec.bat
C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der inout/edsigned-enveloped.xml

1) func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=754:obj=unknown:subj=xmlSecMSCryptoCertStrToName:error=1:xmlsec library function failed: ;last error=-2146885597 (0x80092023);last error msg=The string contains an invalid X500 name attribute key, oid, value or delimiter.
2) func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=754:obj=unknown:subj=xmlSecMSCryptoCertStrToName:error=1:xmlsec library function failed: ;last error=-2146885597 (0x80092023);last error msg=The string contains an invalid X500 name attribute key, oid, value or delimiter.
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [Bulk] Re: [xmlsec] FW: Cert Chain Validation 1.2.8 mscrypto

OK. Thanks for all the support. I am not crazy about the misleading error messages on both the "unable to find local issuer certificate" and the CertStrToName, but everything seems to be the same on both your setup and mine. I will move on to continue testing Dmitry's patch.

Thanks again,
Ed

P.S.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 13, 2006 10:40 AM
To: Dmitry Belyavsky
Cc: Edward Shallow; xmlsec@aleksey.com
Subject: [Bulk] Re: [xmlsec] FW: Cert Chain Validation 1.2.8 mscrypto

Can error messages 1 and 2 be ignored ?

It seems to be they can. I've got these messages when I used a wrong-delimited CN as KeyName.

Exactly! You have several ways to get keys. If some of them do not work and you get error messages from xmlsec or the OS, but one of them does work, then everything is good and the signature is valid. I did not send this output because it was irrelevant for the discussion we had about xmlsec-mscrypto certs verification :)

Aleksey

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
[xmlsec] OpenSSL vs mscrypto

to either delete the key from your MSCrypto keys store or login as a different user (with a different key store). I believe Dmitry already suggested this before but I missed the point then :(

Aleksey

Edward Shallow wrote:

Here they are ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 12, 2006 1:01 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vsmscrypto

Can you share the designed-enveloped.xml and upu-cacert.der, please?

Aleksey

Edward Shallow wrote:

Aleksey wrote: Please, try to reproduce the problem with the xmlsec command line utility.

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
[xmlsec] RE: OpenSSL vs mscrypto

PostScript: It seems that OpenOffice.org V2.0 also does not check certificate chains when validating a signature. It will show the public issuer in the chain hierarchy (if it is loaded in the ROOT store) when you View the Certificate in the Certification Path tab. It will not show any hierarchy if the issuer is not present. That is, it will just show the signer's certificate in the 1-line path. However it will not display any warning or error if the issuer cannot be found. I believe OpenOffice.org uses xmlsec with nss.

Ed

-Original Message-
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: January 12, 2006 11:57 PM
To: 'Aleksey Sanin'
Cc: 'xmlsec@aleksey.com'
Subject: OpenSSL vs mscrypto

Aleksey,

Sorry for the lengthy dialogue on this topic, but we really have a fundamental problem here with mscrypto. Please let me state first that the observations below are with the unpatched xmlsec V 1.2.8 using mscrypto, which is supposed to verify cert chains but in fact does not. In fact there are no circumstances I can detect under which it does. I doubt it ever has. So unless someone describes otherwise, it is starting to look like the only hope for cert chain verification with mscrypto may very well lie with Dmitry's patch. I have yet to test it, but I will tomorrow.

With xmlsec 1.2.8 and mscrypto ...

The dsig:KeyName is in the signed document (which we are attempting to verify the chain on) because that is the way you tell mscrypto how to select the key for signing. So it is left over from the sign operation. I again performed the test that both Dmitry and you suggested.

If you remove the Test User 1 key from all the MS crypto stores ('MY' and 'AddressBook') you get the following on the verify:

func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=754:obj=unknown:subj=xmlSecMSCryptoCertStrToName:error=1:xmlsec library function failed: ;last error=-2146885597 (0x80092023);last error msg=The string contains an invalid X500 name attribute key, oid, value or delimiter.
func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=754:obj=unknown:subj=xmlSecMSCryptoCertStrToName:error=1:xmlsec library function failed: ;last error=-2146885597 (0x80092023);last error msg=The string contains an invalid X500 name attribute key, oid, value or delimiter.
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.

If you load the Test User 1 certificate only into the 'AddressBook' certificate store (which is called Other People in the IE UI) it verifies successfully even when you do NOT have the upu-cacert.der (i.e. the issuer public root cert) loaded anywhere, in KeysMngr or in the MS ROOT store.

In other words, the chain is never being checked with xmlsec 1.2.8 and mscrypto or it would have detected the absence of the issuer.

I do not know why any cert store is being searched at all when verifying signatures if the X509Certificate end cert is in the signed document. One simply needs to call the crypt32.dll CertCreateCertificateContext initializing the pbCertEncoded argument with the certificate extracted from the signed document instead of expecting it to already be in an MS crypto store ? This would avoid the need for the verifier to have the signer's public certificate in any of their stores, which is highly desirable. This is the desired functionality for end-certificate-in-the-signed-document scenarios and is exactly what OpenSSL does.

In fact mscrypto should behave exactly like OpenSSL when verifying signed documents which include the X509 cert and xmlSecCryptoAppKeysMngrCertLoad has loaded the issuer cert. This is how we need xmlsec to work when the application is a server-based verification service and no public end certs exist on that server, just public trusted issuers loaded via xmlSecCryptoAppKeysMngrCertLoad. Again exactly like OpenSSL behaves. The fact that OpenSSL has no store is irrelevant here since the store is just getting in the way for a verify, especially for the end cert in the chain.

If Dmitry's patch expects the end certificate to be in a store (i.e. Test User 1 in our example) for a verify to work, then it has
RE: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

Your messages are very short ?

There is no mistake with the adding/removing of certs in the MS Store as there is only one cert in play here, the public Test User 1. And the .der you are loading from the command line utility. You must have converted Test User 1 to a .cer and loaded it into one of the MS cert stores. Yes ? 'MY' or 'AddressBook' ?

You did not use the --enabled-key-data in your example below ? Why did you mention it ? Just tell me what you did. And the .der you are loading from the command line utility.

I rather suspect your binaries are simply newer than Igor's 1.2.8 or you are picking up Dmitry's patch and that has fixed it. Please be more specific in your explanation.

Ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 13, 2006 12:14 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

According to the spec, an xmldsig application should search for the key using *all* the information available in the <dsig:KeyInfo/> element. The specification *does not* say that an X509 certificate is better than a key name and it does not require one to search in some particular order. However, xmlsec *DOES* allow one to disable some <dsig:KeyInfo/> sub-elements. For example, look for the --enabled-key-data option for the xmlsec command line application.

I am not sure I understand all the steps you did for adding/removing the certificate to MS stores, thus I can not comment on the validity of your tests or point my finger at what you did wrong. What I do know is that on my computer, I do see the following results:

xmlsec verify --crypto mscrypto --trusted-der d:\upu-cacert.der d:/edsigned-enveloped.xml
...
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

xmlsec verify --crypto mscrypto d:/edsigned-enveloped.xml
...
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file d:/edsigned-enveloped.xml

which is *exactly* what I expect to see and what I believe you expect to see too. And as I usually say, I *DO* accept patches :)

Aleksey

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [Bulk] Re: [xmlsec] RE: OpenSSL vs mscrypto

Then it is exhibiting the same problem I am describing.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 13, 2006 12:36 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [xmlsec] RE: OpenSSL vs mscrypto

On Windows, OO.org uses xmlsec-mscrypto.

Aleksey

Edward Shallow wrote:

PostScript: It seems that OpenOffice.org V2.0 also does not check certificate chains when validating a signature. It will show the public issuer in the chain hierarchy (if it is loaded in the ROOT store) when you View the Certificate in the Certification Path tab. It will not show any hierarchy if the issuer is not present. That is, it will just show the signer's certificate in the 1-line path. However it will not display any warning or error if the issuer cannot be found. I believe OpenOffice.org uses xmlsec with nss.

Ed

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

Aleksey,

I was able to produce exactly what you produced with the selection below of --enabled-key-data. The message is identical. What you are seeing has nothing to do with cert chain verification. It is likely related to your inability to get the Test User 1 certificate from the crypto store given the new --enabled-key-data constraint. You still have an mscrypto problem.

Ed

C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der --enabled-key-data retrieval-method,x509,raw-x509-cert inout/edsigned-enveloped.xml
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file inout/edsigned-enveloped.xml

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 13, 2006 12:14 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

According to the spec, an xmldsig application should search for the key using *all* the information available in the <dsig:KeyInfo/> element. The specification *does not* say that an X509 certificate is better than a key name and it does not require one to search in some particular order. However, xmlsec *DOES* allow one to disable some <dsig:KeyInfo/> sub-elements. For example, look for the --enabled-key-data option for the xmlsec command line application.

I am not sure I understand all the steps you did for adding/removing the certificate to MS stores, thus I can not comment on the validity of your tests or point my finger at what you did wrong. What I do know is that on my computer, I do see the following results:

xmlsec verify --crypto mscrypto --trusted-der d:\upu-cacert.der d:/edsigned-enveloped.xml
...
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

xmlsec verify --crypto mscrypto d:/edsigned-enveloped.xml
...
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file d:/edsigned-enveloped.xml

which is *exactly* what I expect to see and what I believe you expect to see too. And as I usually say, I *DO* accept patches :)

Aleksey

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [Bulk] Re: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

Yes of course I get a match on Test User 1 and everything works. The point is it shouldn't work. When I do not load --trusted-der it should not work, and it does. Meaning no cert chain checking.

It is impossible for your script to work without loading Test User 1 into the 'MY' store. In fact the command line utility defaults to 'MY' so you have to put it there. If you are using my signed document it contains dsig:KeyName. You said you are not using --enabled-key-data so standard processing in mscrypto will try to find Test User 1 no matter what.

There is nothing tricky about my setup, it passes all your test suite perfectly. I am puzzled at your explanation ?

Ed

As I wrote, I *did not* use this option in my test. What your results show is exactly what I already explained to you: the key w/o --enabled-key-data retrieval-method,x509,raw-x509-cert is searched by key name and you have a match in your MS Crypto store.

Aleksey

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
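The disagreement in the messages above comes down to how a verifier resolves the signing key from <dsig:KeyInfo>: Aleksey's point that every listed key source is consulted and one success is enough (so errors from the sources that failed are noise), Ed's observation that a KeyName hit in the MS store makes the verify succeed with no chain check, his proposal to build the certificate context from the embedded X509Certificate instead of a store, and the --enabled-key-data restriction that forces the certificate path. The following is an added model of that search, written for this page and not taken from xmlsec or any of the posters: certificates are plain dicts, the X509Certificate text is a base64 JSON stand-in for DER, the chain check is a single issuer lookup against the loaded trusted certs, and the names TEST_USER_1, UPU_CA and the key-data ids are constructed to mirror the thread. No real signature is computed; only the key-selection policy is modelled.

```python
"""Model of XML-DSig KeyInfo key resolution gated by an enabled-key-data set.

Added illustration, not xmlsec code. Key sources listed under <KeyInfo> are
tried in document order; a source is consulted only if its key-data id is
enabled; the first source that yields a key wins even if earlier ones failed.
A KeyName hit in the local store is accepted with no chain check, whereas an
embedded X509Certificate is accepted only if it chains to a loaded trusted cert.
"""
import base64
import json
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# ids spelled like the --enabled-key-data names used in the thread
ALL_KEY_DATA = frozenset({"key-name", "x509", "raw-x509-cert", "retrieval-method"})
X509_ONLY = frozenset({"retrieval-method", "x509", "raw-x509-cert"})

# Constructed certificates (assumption: a cert is a dict; a real one would be DER).
TEST_USER_1 = {"subject": "Test User 1", "issuer": "UPU CA", "key": "rsa-test-user-1"}
UPU_CA = {"subject": "UPU CA", "issuer": "UPU CA", "key": "rsa-upu-ca"}


def encode_cert(cert):
    """Stand-in for base64(DER) of a certificate (constructed encoding)."""
    return base64.b64encode(json.dumps(cert, sort_keys=True).encode()).decode()


def decode_cert(text):
    return json.loads(base64.b64decode(text.strip()))


class KeyNotFound(Exception):
    pass


class KeysManager:
    """The key sources a verifier may consult, gated by an enabled-key-data set."""

    def __init__(self, store_certs=(), trusted_certs=(), enabled=ALL_KEY_DATA):
        self.store = {c["subject"]: c for c in store_certs}      # like 'MY' / 'AddressBook'
        self.trusted = {c["subject"]: c for c in trusted_certs}  # like --trusted-der
        self.enabled = frozenset(enabled)

    def _from_key_name(self, name):
        # Name lookup only: a hit is accepted without any chain check.
        cert = self.store.get(name)
        if cert is None:
            raise KeyNotFound(f"KeyName {name!r} not found in store")
        return cert["key"]

    def _from_x509(self, cert_text):
        # Embedded certificate: accepted only if its issuer is a loaded trusted cert
        # (one-level chain, enough to contrast with the name lookup).
        cert = decode_cert(cert_text)
        if cert["issuer"] not in self.trusted:
            raise KeyNotFound(f"no trusted issuer for {cert['subject']!r}")
        return cert["key"]

    def resolve(self, key_info_xml):
        """Return (source, key, errors); the first source that yields a key wins."""
        root = ET.fromstring(key_info_xml)
        errors = []
        for child in root:
            tag = child.tag.split("}")[-1]
            try:
                if tag == "KeyName" and "key-name" in self.enabled:
                    return "key-name", self._from_key_name(child.text.strip()), errors
                if tag == "X509Data" and "x509" in self.enabled:
                    cert_el = child.find(f"{{{DSIG_NS}}}X509Certificate")
                    if cert_el is not None:
                        return "x509", self._from_x509(cert_el.text), errors
            except KeyNotFound as exc:
                errors.append(str(exc))  # noise if a later source still succeeds
        raise KeyNotFound("; ".join(errors) or "no usable key source")


# Constructed KeyInfo as left over from signing: the KeyName plus the signer's cert.
SAMPLE_KEYINFO = (
    f'<KeyInfo xmlns="{DSIG_NS}">'
    f"<KeyName>Test User 1</KeyName>"
    f"<X509Data><X509Certificate>{encode_cert(TEST_USER_1)}</X509Certificate></X509Data>"
    f"</KeyInfo>"
)


def verify_with(store=(), trusted=(), enabled=ALL_KEY_DATA):
    """Driver: (source, key, errors) on success, ('error', None, errors) otherwise."""
    mngr = KeysManager(store, trusted, enabled)
    try:
        return mngr.resolve(SAMPLE_KEYINFO)
    except KeyNotFound as exc:
        return "error", None, [str(exc)]


if __name__ == "__main__":
    # signer cert in the store, no trusted CA: succeeds via KeyName, chain never checked
    print(verify_with(store=[TEST_USER_1]))
    # same store with KeyName disabled: fails until the issuer is loaded
    print(verify_with(store=[TEST_USER_1], enabled=X509_ONLY))
    print(verify_with(store=[TEST_USER_1], trusted=[UPU_CA], enabled=X509_ONLY))
    # empty store, issuer loaded, everything enabled: KeyName error recorded, x509 wins
    print(verify_with(trusted=[UPU_CA]))
```

The last case is the "error lines 1 and 2 can be ignored" situation from the thread: a source that fails leaves an error behind, yet the verify is valid because another source succeeded. The first case is the one Ed objects to; if the verifier is meant to enforce a trust chain, the KeyName source has to be disabled (the X509_ONLY set) or the name lookup has to be followed by the same chain check.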
RE: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

Yes thanks for your help. I will triple check everything on a new machine.

Cheers,
Ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 13, 2006 1:44 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

I am really sorry but I don't understand what you are complaining about. I don't observe the problem you have. And I can do nothing unless you give exact steps to reproduce it.

Aleksey

Edward Shallow wrote:

Yes of course I get a match on Test User 1 and everything works. The point is it shouldn't work. When I do not load --trusted-der it should not work, and it does. Meaning no cert chain checking.

It is impossible for your script to work without loading Test User 1 into the 'MY' store. In fact the command line utility defaults to 'MY' so you have to put it there. If you are using my signed document it contains dsig:KeyName. You said you are not using --enabled-key-data so standard processing in mscrypto will try to find Test User 1 no matter what.

There is nothing tricky about my setup, it passes all your test suite perfectly. I am puzzled at your explanation ?

Ed

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [xmlsec] Verify - OpenSSL vs mscrypto

Dmitry wrote ...

Edward, when you verify the signature using your own certs ('MY' cert storage), the library doesn't verify the chain using my patch. To see that my patch really works you need to verify the signature from the other user's account with the signer's CA cert and CRL installed.

I do not know what you mean by "the other user's account". All personal certificates used by an individual are installed in the default 'MY' store. At verification time, the starting point for the get-certificate-chain processing is the cert context of the signer's cert no matter who does that verification. In fact the signer's cert should not have to be in the verifier's store at verify time. The first certificate to chase in the chain should be the immediate issuer's certificate etc ... What does "other user's account" mean ?

Aleksey, Dmitry is answering with respect to how his patch works. How do you get the current build to verify the certificate chain ?

Ed

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [xmlsec] Verify - OpenSSL vs mscrypto

Yes I see what you are saying now. In my environment the store is called "Other People". So from a recipient as a verifier, 'MY' signing cert would be in his Other People store. However if the cert is in 'MY' as opposed to 'OtherPeople' it should still work.

There are 2 concerns here:

1) the verifier may have to check multiple stores to find the signer's cert
2) why does the cert even have to be in any store if it is already contained in the signed document ?

In the case of OpenSSL all you need to verify the trust chain is the issuer or issuers' certs loaded into the KeysMngr. This makes sense. In mscrypto, why can't we start the chain search from the signer's issuer extracted from the cert in the signed document, and not from the signer itself ? There will be many situations where the recipient does not have the signer's public cert in their store.

Ed

-Original Message-
From: Dmitry Belyavsky [mailto:[EMAIL PROTECTED]
Sent: January 11, 2006 11:51 AM
To: Edward Shallow
Cc: xmlsec@aleksey.com
Subject: RE: [xmlsec] Verify - OpenSSL vs mscrypto

Greetings!

On Wed, 11 Jan 2006, Edward Shallow wrote:

Dmitry wrote ...

Edward, when you verify the signature using your own certs ('MY' cert storage), the library doesn't verify the chain using my patch. To see that my patch really works you need to verify the signature from the other user's account with the signer's CA cert and CRL installed.

I do not know what you mean by "the other user's account". All personal certificates used by an individual are installed in the default 'MY' store. At verification time, the starting point for the get-certificate-chain processing is the cert context of the signer's cert no matter who does that verification. In fact the signer's cert should not have to be in the verifier's store at verify time. The first certificate to chase in the chain should be the immediate issuer's certificate etc ... What does "other user's account" mean ?

I mean the signature is more often verified by a user differing from the signer. So the sender's certs are not placed in the MY store. In my copy of Windows the store is known as "Trusted users", though my colleagues say its correct name is AddressBook.

--
SY, Dmitry Belyavsky (ICQ UIN 6575)

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [Bulk] Re: [xmlsec] Verify - OpenSSL vs mscrypto

If I am not using Dmitry's patch, is it even possible to trigger a cert chain verify ? Your posts to the list seem to indicate that it is. Just tell me what function or sequence of functions it is and I'll call them. They must be xmlSecMSCrypto specific.

The xmlSecDSigCtxVerify function does NOT presently trigger the checking of the cert chain when using mscrypto. It does when using OpenSSL. This is an API inconsistency at the xmlsec level. So if xmlSecDSigCtxVerify doesn't trigger the checking, what mscrypto function does ? Is it even supported ?

Perhaps you are telling me I MUST download Dmitry's latest patch and build it to get what I am seeking ? Is this the case ?

Ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 11, 2006 11:15 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [xmlsec] Verify - OpenSSL vs mscrypto

Dmitry is answering with respect to how his patch works. How do you get the current Build to verify the certificate chain ?

You can check out the sources from CVS and do a build. It is very easy to do even on Windows.

Aleksey

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [xmlsec] Verify - OpenSSL vs mscrypto
Dmitry,

I have not checked your latest patch, but to avoid my concern 2) below, can you call CertCreateCertificateContext from the pbCertEncoded certificate extracted from the signed document instead of expecting it to already be in a store ? This would avoid the need for the verifier to have the signer's public certificate in any of their stores.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/certcreatecertificatecontext.asp

If you are not already doing this, is this possible ?

Ed

-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: January 11, 2006 1:16 PM
To: 'Dmitry Belyavsky'
Cc: 'xmlsec@aleksey.com'
Subject: RE: [xmlsec] Verify - OpenSSL vs mscrypto

Yes I see what you are saying now. In my environment the store is called Other People. So from a recipient as a verifier, 'MY' signing cert would be in his Other People store. However if the cert is in 'MY' as opposed to 'OtherPeople' it should still work.

There are 2 concerns here:
1) the verifier may have to check multiple stores to find the signer's cert
2) why does the cert even have to be in any store if it is already contained in the signed document ?

In the case of OpenSSL all you need to verify the trust chain is the issuer or issuers certs loaded into the KeysMngr. This makes sense. In mscrypto, why can't we start the chain search from the signer's issuer extracted from the cert in the signed document, and not from the signer itself ? There will be many situations where the recipient does not have the signer's public cert in their store.

Ed

-----Original Message-----
From: Dmitry Belyavsky [mailto:[EMAIL PROTECTED]
Sent: January 11, 2006 11:51 AM
To: Edward Shallow
Cc: xmlsec@aleksey.com
Subject: RE: [xmlsec] Verify - OpenSSL vs mscrypto

Greetings!

On Wed, 11 Jan 2006, Edward Shallow wrote:

Dmitry wrote ... Edward, when you verify the signature using your own certs ('MY' cert storage), the library doesn't verify chain using my patch. To see my patch really works you need to verify the signature from the other user's account with signer's CA cert and CRL installed.

I do not know what you mean by the other user's account. All personal certificates used by an individual are installed in the default 'MY' store. At verification time, the starting point for the get certificate chain processing is from the cert context of the signer's cert no matter who does that verification. In fact the signer's cert should not have to be in the verifier's store at verify time. The first certificate to chase in the chain should be the immediate issuer's certificate etc ... What does other user's account mean ?

I mean the signature is verified more often with the user differing from the signer. So sender's certs are not placed in MY store. In my copy of Windows the store is known as Trusted Users, though my colleagues say its correct name is Addressbook.

-- SY, Dmitry Belyavsky (ICQ UIN 6575)
RE: [Bulk] Re: [xmlsec] ErrorsCallback ???
Thanks for your patience,

All I would like to do is trap the most informative message in whatever way works, I am not fussy. In this simple password example it would be the "The specified network password is not correct" message. Neither of 1) setting ErrorsCallback or 2) using xmlGetLastError is working for me. This is true of both openssl and mscrypto. With the ErrorsCallback set, mscrypto returns nothing in the msg argument, and openssl returns the offending p12 file name. I think it makes sense to get back the more informative "The specified network password is not correct" message. The best would be to get at this most informative msg which always goes to stderr perfectly, but can't be trapped in any easy way programmatically. The xmlGetLastError seemed very attractive and it does work perfectly for all libxml2 calls and returns output which is identical to stderr.

Hope this helps,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 6, 2006 12:01 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [xmlsec] ErrorsCallback ???

Ed, I think I found the reason for your confusion. In the first email in this thread you gave several examples for MSCrypto error messages with and without errors callback set. I'll pick one of them and will explain the problem:

mscrypto

    epmErrorCallback xmlsec error follows: file..\src\mscrypto\app.c line614 funcxmlSecMSCryptoAppPkcs12LoadMemory errorObject None errorSubjectPFXVerifyPassword reason 4 msg

No ErrorsCallback set

    func=xmlSecMSCryptoAppPkcs12LoadMemory:file=..\src\mscrypto\app.c:line=614:obj=unknown:subj=PFXVerifyPassword:error=4:crypto library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.

The 'msg' you see in the first case (with epmErrorsCallback) is provided by the xmlsec-mscrypto (or xmlsec-openssl) author. If you go to the corresponding file, you'll see that there is *no* message provided in this case, thus you observe correct results.

The messages you see in the second case (no custom ErrorsCallback) are created by the xmlSecMSCryptoErrorsDefaultCallback() function which is *the* default errors callback when xmlsec-mscrypto is used (yes, it is a little bit confusing :( ). This function simply calls Windows GetLastError() and FormatMessage() to generate the "last error=86 (0x0056);last error msg=The specified network password is not correct." message and appends it to *all* error messages.

I agree, this is confusing but the system does what it was written to do. Maybe a better approach would be to move this extra xmlSecMSCryptoErrorsDefaultCallback() functionality into the generic xmlSecErrorsDefaultCallback() and just ifdef it for Windows only. Then the output will be consistent between different crypto libraries.

Aleksey
RE: [Bulk] Re: [Bulk] Re: [xmlsec] ErrorsCallback ???
Hi Aleksey,

Yes that is correct. When I do not set the callback, I get verbose error messages on stderr. I never see the specific error "msg=The specified network password is not correct" coming to the callback. The callback when it does receive a msg is not as verbose as what goes to stderr. See output examples from my previous post. 6 out of the 7 arguments work perfectly all the time, it is just the last argument i.e. msg that is inconsistent.

No ErrorsCallback set

    func=xmlSecMSCryptoAppPkcs12LoadMemory:file=..\src\mscrypto\app.c:line=614:obj=unknown:subj=PFXVerifyPassword:error=4:crypto library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.
    func=xmlSecMSCryptoAppPkcs12Load:file=..\src\mscrypto\app.c:line=522:obj=unknown:subj=xmlSecMSCryptoAppPkcs12LoadMemory:error=1:xmlsec library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.
    func=xmlSecMSCryptoAppKeyLoad:file=..\src\mscrypto\app.c:line=128:obj=unknown:subj=xmlSecMSCryptoAppPkcs12Load:error=1:xmlsec library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 5, 2006 11:43 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [Bulk] Re: [xmlsec] ErrorsCallback ???

Do you see the error message on stderr?

Aleksey

Edward Shallow wrote:

PostScript ... A call to the following works fine after any libxml2 function throwing an error. I tried it after a failed xmlsec function call and received nothing (i.e. Python None aka NULL)

Ed
RE: [Bulk] Re: [Bulk] Re: [xmlsec] ErrorsCallback ???
Hi Aleksey,

Thanks once again. The following worked when added to the ErrorsCallback (mscrypto only) ...

    errCode = win32api.GetLastError()
    errMsg = win32api.FormatMessage(errCode)

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Shallow
Sent: January 6, 2006 12:07 PM
To: xmlsec@aleksey.com
Subject: RE: [Bulk] Re: [Bulk] Re: [xmlsec] ErrorsCallback ???

Oh I see. You mean the Windows Win32::GetLastError() call. I do not mind trying this as a work-around. I'll let you know. I think the ideal would be to normalize the error handling as you suggested.

Thanks,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 6, 2006 12:00 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [Bulk] Re: [xmlsec] ErrorsCallback ???

The xmlGetLastError seemed very attractive and it does work perfectly for all libxml2 calls and returns output which is identical to stderr.

The message on stderr from xmlsec is printed by LibXML2. I can not test it on Windows at the moment, but I can get back all this information using xmlGetLastError() on Linux. As I wrote you before, the extra information you see is provided from the *system* GetLastError() call. You can make the same call from python inside your error callback.

Aleksey
[xmlsec] ErrorsCallback ???
Hi Aleksey,

A few weeks ago I sent a post related to a problem whereby the last argument being passed to the ErrorsCallback seemed always to be NULL. I double checked a few things, and it seems to be isolated to mscrypto, though there are other inconsistencies in general. Below is a simple password error trapped and sent to the callback in 1) openssl, and 2) mscrypto (all msg arguments missing), and 3) what is sent to stdout w/o Callback set.

This msg NULL problem happens for most every operation in mscrypto. Sign, Encrypt, Decrypt. I have found a few isolated messages which do get passed when doing a Verify. Normally though I see nothing in msg for mscrypto.

Is anyone else seeing this or is it just me ?

Ed

P.S. Does it make sense to add a call to xmlsec similar to libxml2's xmlGetLastError() as an option to the ErrorsCallback ?

OpenSSL

    epmErrorCallback xmlsec error follows: file..\src\openssl\app.c line676 funcxmlSecOpenSSLAppPkcs12LoadBIO errorObject None errorSubjectPKCS12_verify_mac reason 4 msg
    epmErrorCallback xmlsec error follows: file..\src\openssl\app.c line292 funcxmlSecOpenSSLAppKeyLoadBIO errorObject None errorSubjectxmlSecOpenSSLAppPkcs12LoadBIO reason 1 msg
    epmErrorCallback xmlsec error follows: file..\src\openssl\app.c line140 funcxmlSecOpenSSLAppKeyLoad errorObject None errorSubjectxmlSecOpenSSLAppKeyLoadBIO reason 1 msg filename=/usr/local/src/epm/keys/upu/EdShallow.p12;errno=0

mscrypto

    epmErrorCallback xmlsec error follows: file..\src\mscrypto\app.c line614 funcxmlSecMSCryptoAppPkcs12LoadMemory errorObject None errorSubjectPFXVerifyPassword reason 4 msg
    epmErrorCallback xmlsec error follows: file..\src\mscrypto\app.c line522 funcxmlSecMSCryptoAppPkcs12Load errorObject None errorSubjectxmlSecMSCryptoAppPkcs12LoadMemory reason 1 msg
    epmErrorCallback xmlsec error follows: file..\src\mscrypto\app.c line128 funcxmlSecMSCryptoAppKeyLoad errorObject None errorSubjectxmlSecMSCryptoAppPkcs12Load reason 1 Msg

No ErrorsCallback set

    func=xmlSecMSCryptoAppPkcs12LoadMemory:file=..\src\mscrypto\app.c:line=614:obj=unknown:subj=PFXVerifyPassword:error=4:crypto library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.
    func=xmlSecMSCryptoAppPkcs12Load:file=..\src\mscrypto\app.c:line=522:obj=unknown:subj=xmlSecMSCryptoAppPkcs12LoadMemory:error=1:xmlsec library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.
    func=xmlSecMSCryptoAppKeyLoad:file=..\src\mscrypto\app.c:line=128:obj=unknown:subj=xmlSecMSCryptoAppPkcs12Load:error=1:xmlsec library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.
RE: [Bulk] Re: [xmlsec] ErrorsCallback ???
PostScript ... A call to the following works fine after any libxml2 function throwing an error. I tried it after a failed xmlsec function call and received nothing (i.e. Python None aka NULL)

Ed

    errMsg = self.checkLibxml2Error()
    ...
    def checkLibxml2Error(self):
        libxml2 = self.env.libxml2
        errMsg = None
        errorPtr = libxml2.xmlGetLastError()
        if errorPtr != 0:
            try:
                # set up pointer to a libxml2 xmlError structure
                error = xmlError.from_address(errorPtr)
                errMsg = ('level ' + str(error.level) + ' error in domain ' + str(error.domain)
                          + ' code ' + str(error.code) + ' ' + error.message
                          + ' at line ' + str(error.line))
            except:
                errMsg = 'Fatal error in xmlGetLastError function'
        return errMsg

-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: January 5, 2006 11:02 PM
To: 'Aleksey Sanin'
Subject: RE: [Bulk] Re: [xmlsec] ErrorsCallback ???

Re 2, Yes that sounds good !!! I'll try the xmlGetLastError support for xmlsec as well. I am already using it for libxml2 parsing errors.

Re 1, Yes I am using Python with the ctypes module to directly access libxml2 and xmlsec. I can set the breakpoint on Linux but my problem is mscrypto and on Windows I am using Igor's binaries. I have never compiled under Windows, don't have the patience or the software. I doubt there is a coding problem as everything is coming back for openssl and sometimes is coming back for mscrypto (Verify calls)

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 5, 2006 7:51 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [xmlsec] ErrorsCallback ???

1) Are you using xmlsec directly or via python? If you have a C/C++ app, simply set a breakpoint in the error callback and then trace it back to the error origin. You'll see the exact place where NULL shows up.

2) The default callback sets the reported error into libxml2, thus you can use xmlGetLastError() directly. If you have a custom callback then you can do a similar thing yourself.

Aleksey
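The record format Aleksey describes (the generic `func=...:file=...:line=...` line, with the `;last error=...` tail that xmlSecMSCryptoErrorsDefaultCallback() appends from GetLastError()/FormatMessage()) is regular enough to parse, which is one way to get at the "most informative message" Ed is after without waiting for the library's error handling to be unified. The following is an added example written for this archive, not code from the thread or from xmlsec: it parses the stderr records quoted in this thread into fields, separates the backend-supplied msg from the Windows tail, checks that the decimal and hex forms of the appended code agree, and reports the innermost failure (xmlsec prints the deepest frame first). The three sample records are the lines quoted above with the mail client's line wrapping undone; one record is taken from the "Finding Keys" post further down this archive; the OpenSSL-style record with no Windows tail is constructed.

```python
"""Parse xmlsec default-errors-callback output into structured records.

Added example for this mailing-list thread, not xmlsec code.  Record layout
follows the lines quoted in the thread:

  func=F:file=PATH:line=N:obj=O:subj=S:error=E:REASON: MSG[ ;last error=D (0xH);last error msg=TEXT]

The optional ";last error=" tail is what xmlSecMSCryptoErrorsDefaultCallback()
appends from GetLastError()/FormatMessage(); the generic callback has no tail.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_RECORD_RE = re.compile(
    r"^func=(?P<func>[^:]*):file=(?P<file>.*?):line=(?P<line>\d+)"
    r":obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<error>\d+):(?P<rest>.*?)"
    r"(?:\s*;last error=(?P<last_error>-?\d+) \((?P<last_error_hex>0x[0-9A-Fa-f]+)\)"
    r";last error msg=(?P<last_error_msg>.*))?$"
)


@dataclass
class XmlSecError:
    func: str
    file: str
    line: int
    obj: str
    subj: str
    error: int        # xmlsec code: 1 = xmlsec library function failed, 4 = crypto library function failed, 45 = key is not found (values seen in this thread)
    reason: str       # text for that code
    msg: str          # extra text supplied by the backend author; often empty, as Aleksey explains
    last_error: Optional[int] = None       # Windows GetLastError() value, mscrypto builds only
    last_error_hex: Optional[str] = None
    last_error_msg: Optional[str] = None

    def last_error_consistent(self) -> bool:
        """Decimal and hex forms must agree modulo 2**32 (HRESULTs print as negative ints)."""
        if self.last_error is None:
            return True
        return (self.last_error & 0xFFFFFFFF) == int(self.last_error_hex, 16)


def parse_record(line: str) -> Optional[XmlSecError]:
    """Return a record for one xmlsec error line, or None for any other line."""
    m = _RECORD_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    reason, _, msg = g["rest"].partition(":")   # "REASON: MSG"; MSG may be empty
    return XmlSecError(
        func=g["func"], file=g["file"], line=int(g["line"]), obj=g["obj"], subj=g["subj"],
        error=int(g["error"]), reason=reason.strip(), msg=msg.strip(),
        last_error=int(g["last_error"]) if g["last_error"] is not None else None,
        last_error_hex=g["last_error_hex"], last_error_msg=g["last_error_msg"],
    )


def parse_dump(text: str) -> List[XmlSecError]:
    """Parse a block of stderr output; lines that are not xmlsec records are skipped."""
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r is not None]


def root_cause(records: List[XmlSecError]) -> Optional[str]:
    """xmlsec reports the innermost failure first and each caller after it as the
    stack unwinds, so the first record is the one worth surfacing to the user."""
    if not records:
        return None
    r = records[0]
    text = f"{r.subj} failed in {r.func} ({r.file}:{r.line}): error {r.error}, {r.reason}"
    if r.msg:
        text += f", {r.msg}"
    if r.last_error_msg:
        text += f"; system error {r.last_error} ({r.last_error_hex}): {r.last_error_msg}"
    return text


# The three mscrypto records quoted in this thread (mail line wrapping undone).
MSCRYPTO_PASSWORD_DUMP = r"""
func=xmlSecMSCryptoAppPkcs12LoadMemory:file=..\src\mscrypto\app.c:line=614:obj=unknown:subj=PFXVerifyPassword:error=4:crypto library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.
func=xmlSecMSCryptoAppPkcs12Load:file=..\src\mscrypto\app.c:line=522:obj=unknown:subj=xmlSecMSCryptoAppPkcs12LoadMemory:error=1:xmlsec library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.
func=xmlSecMSCryptoAppKeyLoad:file=..\src\mscrypto\app.c:line=128:obj=unknown:subj=xmlSecMSCryptoAppPkcs12Load:error=1:xmlsec library function failed: ;last error=86 (0x0056);last error msg=The specified network password is not correct.
"""

# One record from the "Finding Keys" post in this archive: a negative HRESULT in the tail.
KEY_NOT_FOUND_LINE = r"func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property."

# Constructed: the generic (non-mscrypto) callback output, which has no Windows tail.
OPENSSL_LINE = "func=xmlSecOpenSSLAppKeyLoad:file=../src/openssl/app.c:line=140:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed: filename=/usr/local/src/epm/keys/upu/EdShallow.p12;errno=0"

if __name__ == "__main__":
    print(root_cause(parse_dump(MSCRYPTO_PASSWORD_DUMP)))
    print(root_cause([parse_record(KEY_NOT_FOUND_LINE)]))
    print(root_cause([parse_record(OPENSSL_LINE)]))
```

Feeding the captured stderr (or the text an ErrorsCallback assembles from its seven arguments) through `parse_dump()` and `root_cause()` yields the PFXVerifyPassword record with the Windows message attached, which is exactly the line Ed wanted to trap; records without the tail still parse, so the same code works for openssl builds.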
RE: [Bulk] Re: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain
Great. Will this checking be invoked automatically as part of a Verify call (as it is with OpenSSL) ? If not, when and how is it called ?

Thanks,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitry Belyavsky
Sent: December 20, 2005 9:52 AM
To: Aleksey Sanin
Cc: [EMAIL PROTECTED]; 'XMLSec'
Subject: [Bulk] Re: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

Greetings!

On Mon, 19 Dec 2005, Aleksey Sanin wrote:

Then does a call to xmlSecMSCryptoX509StoreConstructCertsChain do both a cert chain check and a revocation check ?

Take a look at the code. Yes, it does everything including all the checks (e.g. verification time).

Does this work now, or will it work only after Dmitry's patch ?

Unrelated to Dmitry's patch. His patch provides a shortcut that does not call this function.

I've found out I should improve the patch concerning the revocation status of the chain. So I'll provide the improved version tomorrow.

The improved version is attached.

-- SY, Dmitry Belyavsky (ICQ UIN 6575)
RE: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain
As far as I know certificate chain verification and CRL checking are 2 distinct functions in the MS world. They are not even in the same library. CRL checking is part of the Microsoft Crypto API (CAPI) and can be found in crypt32.dll. The function in question is CertVerifyCRLRevocation and requires a certificate context and a CRL context and compares one to the other. The CRL context can be created from a CRL file or retrieved and loaded. Presently I do not think xmlsec does either for mscrypto.

For OpenSSL, xmlSecOpenSSLX509StoreVerify in x509vfy.c does perform the check for the issuer certificate (i.e. certificate chain verification) and one must perform an xmlSecCryptoAppKeysMngrCertLoad in order to get the trusted issuer certificate into the KeyMngr prior to the verify call to avoid an "Unable to get local issuer certificate" error msg.

Dmitry I understand is patching mscrypto to do the certificate chain validation. Is this correct ?

I can't find where CRL checking is done. Is certificate verification against a CRL the application's responsibility outside of xmlsec ?

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitry Belyavsky
Sent: December 19, 2005 4:44 AM
To: Aleksey Sanin
Cc: XMLSec
Subject: Re: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

Greetings!

On Sun, 18 Dec 2005, Aleksey Sanin wrote:

Sorry for the delay with the response... Just too many things happening at the same time :( Anyway, I have some questions about the patch:

1) Do you have some specific problem you are trying to address with this patch? It seems like you do call the xmlSecBuildChainUsingWinapi() function right before doing xmlsec cert verification. And in all my test cases this function never returns OK.

Yes, I do. I try to build the chain when a signer certificate is present in the signed file and the others are not. So existing code does not build the chain and mine does.

2) In all the MSDN examples I can find, the CertGetCertificateChain() function always has NULL for the additional store parameter and in the code you pass the trusted certificates handle. Are you sure that this is the correct way? Shouldn't it be untrusted certs or maybe a CRLs list instead?

I'm not sure of it. Maybe NULL should be passed always and possibly there should be 2 calls, the 1st with the trusted store and the 2nd with the untrusted one.

3) I don't see how the CertGetCertificateChain() function handles CRLs that might have been passed to xmlsec.

CertGetCertificateChain seems not to use CRLs (except already installed ones) at all. So it's a problem my Winapi knowledge is not enough to solve.

Thank you!

-- SY, Dmitry Belyavsky (ICQ UIN 6575)
RE: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain
Thanks Aleksey,

I guess there is no non-crypto-specific version of this function ?

Then does a call to xmlSecMSCryptoX509StoreConstructCertsChain do both a cert chain check and a revocation check ?

Does this work now, or will it work only after Dmitry's patch ?

Thanks,
Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: December 19, 2005 10:58 AM
To: [EMAIL PROTECTED]
Cc: 'Dmitry Belyavsky'; 'XMLSec'
Subject: Re: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

I can't find where CRL checking is done. Is certificate verification against a CRL the application's responsibility outside of xmlsec ?

In the current xmlsec-mscrypto code the CRL check is done in the xmlSecMSCryptoCheckRevocation() function called from the xmlSecMSCryptoX509StoreConstructCertsChain() function.

Aleksey
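Ed's concern 2) in the "Verify - OpenSSL vs mscrypto" thread above (why the signer's certificate has to be in any store when the signed document already carries it) and the chain-versus-CRL questions in this thread describe one procedure: start from the certificate taken out of the document, walk issuer links through whatever intermediates are available, stop at a trust anchor the verifier has installed, and run the validity-time and revocation checks on every link. The following is an added illustration of that procedure written for this archive, not xmlsec code and not Dmitry's patch. It models only the chain construction and the per-link checks; verifying each link's signature, which X509_verify_cert() on the OpenSSL side and CertGetCertificateChain() on the mscrypto side do for real, is left out. All certificates, names, serials, dates and the CRL entry are constructed sample data.

```python
"""Certificate chain construction as a verify path needs it.

Added example for this mailing-list thread, not xmlsec code.  The leaf (and any
intermediates) come from the signed document; only the trust anchor must be in
the verifier's store (OpenSSL: certs loaded with xmlSecCryptoAppKeysMngrCertLoad;
mscrypto: the ROOT/CA stores).  Per-link signature verification is omitted; the
real libraries do it inside X509_verify_cert() / CertGetCertificateChain().
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Only the fields the chain logic needs; a real cert also carries a key and a signature."""
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class VerifierStore:
    trusted: List[Cert]              # trust anchors installed by the verifier
    revoked: Set[Tuple[str, int]]    # (issuer, serial) entries collected from CRLs


def check_cert(cert: Cert, store: VerifierStore, at: datetime) -> Optional[str]:
    """Per-certificate checks: validity period and CRL status.  Error text or None."""
    if not (cert.not_before <= at <= cert.not_after):
        return f"{cert.subject}: not valid at {at.date().isoformat()}"
    if (cert.issuer, cert.serial) in store.revoked:
        return f"{cert.subject}: revoked by CRL of {cert.issuer}"
    return None


def verify_chain(leaf: Cert, document_certs: List[Cert], store: VerifierStore,
                 at: datetime) -> Tuple[List[Cert], Optional[str]]:
    """Build leaf -> ... -> trust anchor.  Returns (chain, None) or ([], reason).
    The signer's cert never has to be in the verifier's store: the walk starts
    from the certificate that was extracted from the document."""
    untrusted = [c for c in document_certs if c != leaf]
    anchors_by_subject = {c.subject: c for c in store.trusted}
    chain = [leaf]
    while True:
        cur = chain[-1]
        err = check_cert(cur, store, at)
        if err:
            return [], err
        if cur in store.trusted:
            return chain, None                   # reached a trust anchor
        anchor = anchors_by_subject.get(cur.issuer)
        if anchor is not None:
            chain.append(anchor)                 # checked on the next iteration
            continue
        nxt = next((c for c in untrusted if c.subject == cur.issuer and c not in chain), None)
        if nxt is None:
            return [], f"{cur.subject}: issuer {cur.issuer} found neither in the document nor among trusted certs"
        chain.append(nxt)


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample PKI: root -> issuing CA -> three end-entity certs.
ROOT = Cert("CN=Test Root CA", "CN=Test Root CA", 1, _utc(2000, 1, 1), _utc(2020, 1, 1))
ISSUING = Cert("CN=Test Issuing CA", "CN=Test Root CA", 2, _utc(2001, 1, 1), _utc(2011, 1, 1))
SIGNER = Cert("CN=Test User 1", "CN=Test Issuing CA", 1001, _utc(2005, 1, 1), _utc(2007, 1, 1))
EXPIRED_SIGNER = Cert("CN=Test User 2", "CN=Test Issuing CA", 1002, _utc(2003, 1, 1), _utc(2005, 1, 1))
REVOKED_SIGNER = Cert("CN=Test User 3", "CN=Test Issuing CA", 1003, _utc(2005, 1, 1), _utc(2007, 1, 1))
VERIFY_AT = _utc(2006, 1, 11)
# The verifier holds only the root and a CRL entry from the issuing CA; no signer certs.
STORE = VerifierStore(trusted=[ROOT], revoked={("CN=Test Issuing CA", 1003)})

if __name__ == "__main__":
    for leaf in (SIGNER, EXPIRED_SIGNER, REVOKED_SIGNER):
        chain, err = verify_chain(leaf, [leaf, ISSUING], STORE, VERIFY_AT)
        print(leaf.subject, "=>", err or " -> ".join(c.subject for c in chain))
    print("without the intermediate:", verify_chain(SIGNER, [SIGNER], STORE, VERIFY_AT)[1])
```

With the intermediate included in the document (or in an untrusted store) the chain closes on the root even though the verifier has never seen the signer's cert; drop the intermediate and the walk fails at the issuer lookup, which is the situation behind the OpenSSL "Unable to get local issuer certificate" message Ed mentions.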
RE: [xmlsec] Openssl OK - mscrypto NOT
Hi Aleksey,

When using a public certificate for encrypt with mscrypto, cert type must be CertDer (i.e. type 8). It doesn't like CertPem. No problem. No need to go to Pkcs12.

Thanks,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: December 13, 2005 5:53 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com; 'Kershaw, PJ (Philip)'
Subject: Re: [xmlsec] Openssl OK - mscrypto NOT

Tried several variations i.e. .der cert, public key .pem, etc

Can you try private key from pkcs12 file, please?

Aleksey
RE: [xmlsec] Password Callback
Yes you are right. It is available on the explicit function call. However when you are specifying the private key to use via KeyName in the template, key loading is done for you. Hence the need for the callback. Wouter responded separately saying it is CSP specific, not always the same, and not available in all versions of Windows. Hence he didn't do one.

Can NSS do this ? It has the same challenge with private keys loaded from the NSS database and specified by KeyName in templates ?

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: December 16, 2005 3:12 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] Password Callback

I believe in xmlsec you should be able to specify a callback in the function call (e.g. read key from file). However, I don't know if xmlsec-mscrypto or mscrypto itself supports it or not.

Aleksey

Edward Shallow wrote:

Hi Aleksey,

Is there an equivalent password callback that is similar in functionality to the xmlsec xmlSecErrorsSetCallback ? I am using private keys with passwords loaded by name from the MS Crypto Store. At run time the Windows password prompt dialog box pops up. I would like to be able to specify/set a password callback which would take a string argument and return a password. Is this possible with mscrypto ? If not is there another way to do this ?

Ed
[xmlsec] Wouter's response to mscrypto password callback
On Friday 16 December 2005 20:03, Edward Shallow wrote:

Hi Aleksey,

Is there an equivalent password callback that is similar in functionality to the xmlsec xmlSecErrorsSetCallback ? I am using private keys with passwords loaded by name from the MS Crypto Store. At run time the Windows password prompt dialog box pops up. I would like to be able to specify/set a password callback which would take a string argument and return a password. Is this possible with mscrypto ? If not is there another way to do this ?

Password callback functionality is not implemented for mscrypto currently; the reason for this is that MS CryptoAPI only has partial password callback support itself: only for certain crypto service providers, only on the latest platforms, like Windows XP and up. You could give it a try though.

Wouter
RE: [xmlsec] Openssl OK - mscrypto NOT
Not sure I understand. The objective is to encrypt the session key with an X509 Public Certificate (likely retrieved via LDAP) at the sender's end. They won't have a PKCS12 or a private key. Am I missing something ? Or are you attempting to zero in on something ?

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: December 13, 2005 5:53 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com; 'Kershaw, PJ (Philip)'
Subject: Re: [xmlsec] Openssl OK - mscrypto NOT

Tried several variations i.e. .der cert, public key .pem, etc

Can you try private key from pkcs12 file, please?

Aleksey
RE: [xmlsec] Finding Keys
Eureka !!!, Got it working. That is, Python ctypes against xmlsec on Windows. This allows Python to call xmlsec directly on Windows without the need to compile a Python C extension module. Thus Python Windows users can call Igor's binaries directly with only Python code.

Here is what I had to do to get it going ...

- mapped xmlSecMSCryptoAppInit('MY') directly from libxmlsec-mscrypto.dll instead of from libxmlsec
- mapped xmlSecMSCryptoKeysStoreGetKlass() directly from libxmlsec-mscrypto.dll instead of from libxmlsec
- mapped xmlSecMSCryptoKeysStoreLoad(.) directly from libxmlsec-mscrypto.dll instead of from libxmlsec
- removed xmlSecKeysMngrAdoptKeysStore(.) from call sequence

I discovered it by doing an xmlSecMSCryptoAppGetCertStoreName which should have been returning a MY but wasn't. This allows the rest of the generic xmlsec code to work fine. It might have something to do with defaulting constants I think, not sure. Perhaps Wouter would know. Small price to pay.

As usual thanks for your help,
Ed

-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: October 28, 2005 4:36 PM
To: 'Aleksey Sanin'
Subject: RE: [xmlsec] Finding Keys

Not sure on the broken possibility ... As you can see keysMngr gets successfully passed in on the AdoptKeysStore call below which subsequently works OK when I KeysMngrFindKey, so I think basic pointer passing from one call to the next is working. This is the same convention I used in libxml2. The one area I can't do is any macro work because Python ctypes requires no compilation since it marshals calls dynamically to/from C. Could this absence cause problems ?

Ed

    parsedDoc = libxml2.xmlParseFile('c:/xmlsec/tmpl/tmpl-EPM-sign-enveloped-friendly-rsa.xml')
    rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
    sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature', 'http://www.w3.org/2000/09/xmldsig#')
    print 'found signature node with name', sigNode.contents.name, 'and type', sigNode.contents.type
    keysMngr = xmlsec.xmlSecKeysMngrCreate()
    rc = xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
    print 'CryptoAppDefaultKeysMngrInit returned with rc', rc
    id = xmlsec.xmlSecSimpleKeysStoreGetKlass()
    keyStore = xmlsec.xmlSecKeyStoreCreate(id)
    rc = xmlsec.xmlSecSimpleKeysStoreLoad(keyStore, 'c:/xmlsec/keys/keys2.xml', keysMngr)
    print 'SimpleKeysStoreLoad returned with rc', rc
    rc = xmlsec.xmlSecKeysMngrAdoptKeysStore(keysMngr, keyStore)
    print 'KeysMngrAdoptKeysStore returned with rc', rc
    dsigCtx = xmlsec.xmlSecDSigCtxCreate()
    rc = xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
    print 'DSigCtxInitialize returned with rc', rc
    keyInfoCtx = xmlsec.xmlSecKeyInfoCtxCreate(keysMngr)
    print 'keyInfoCtx.contents.keysMngr', keyInfoCtx.contents.keysMngr, 'keyInfoCtx.contents.mode', keyInfoCtx.contents.mode
    key = xmlsec.xmlSecKeysMngrFindKey(keysMngr, 'test-rsa', keyInfoCtx)
    print 'xmlSecKeysMngrFindKey returned with key', key.contents.name
    key = xmlsec.xmlSecKeyStoreFindKey(keyStore, 'test-rsa', keyInfoCtx)
    print 'xmlSecKeyStoreFindKey returned with key', key.contents.name
    keyInfoNode = xmlsec.xmlSecFindNode(sigNode, 'KeyInfo', 'http://www.w3.org/2000/09/xmldsig#')
    print 'found KeyInfo node with name and type', keyInfoNode.contents.name, keyInfoNode.contents.type
    print 'about to execute xmlSecKeysMngrGetKey'
    key = xmlsec.xmlSecKeysMngrGetKey(keyInfoNode, keyInfoCtx)
    print 'xmlSecKeysMngrGetKey returned with key', key.contents.name
    #xmlsec.xmlSecKeyInfoCtxDebugDump(keyInfoCtx, stdout)
    xmlsec.xmlSecDSigCtxDebugDump(dsigCtx, stdout)
    rc = xmlsec.xmlSecDSigCtxSign(dsigCtx, sigNode)
    print 'Signature creation complete with status code', rc

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: October 28, 2005 4:10 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] Finding Keys

Do you see something obvious that I don't see ?

Stupid idea but ... would it be possible that the Python wrapper does not pass the key manager to the dsig context correctly? E.g. the assignment operator for the keys manager is broken or it's just the Python syntax/semantics?

Aleksey
[xmlsec] Finding Keys
Hi Aleksey,

Making progress, but still having a problem getting at keys with Python and the ctypes module. I won't ask you any Python or ctypes questions, I promise. But I will ask you to comment on these observations from an xmlsec perspective if you would be so kind.

What I am able to do:

- using the xmlsec command line utility, sign with keys specified by KeyName in template sourced from the Simple Keys Store (i.e. keys.xml)
- using the xmlsec command line utility, sign with keys specified by KeyName in template sourced from the mscrypto store in either short friendly name form or long X.500 name form
- using Python and ctypes against libxml2, I can parse docs, walk trees, access children, get and set node contents, pretty much anything the lib can do
- using Python and ctypes against xmlsec I can run everything clean up to the last 2 lines below where it fails

That is, I can Find keys using either xmlSecKeysMngrFindKey or xmlSecKeyStoreFindKey, and I can Get keys using xmlSecKeysMngrGetKey as long as they are in the keys.xml Simple Keys Store. None of these 3 work when an mscrypto store key is specified. Mscrypto support is advertised as being able to first look in the SimpleKeysStore and if not found there to then look in the mscrypto store.

What I am NOT able to do:

- I can't however go on to use the key to actually sign using the DSigCtx (last 2 lines). This inability applies to both keys.xml and the mscrypto store.

Do you see something obvious that I don't see ?

Thanks,
Ed

Simplified code snippet ...

    parsedDoc = libxml2.xmlParseFile()
    rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
    sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature', 'http://www.w3.org/2000/09/xmldsig#')
    keysMngr = xmlsec.xmlSecKeysMngrCreate()
    rc = xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
    id = xmlsec.xmlSecSimpleKeysStoreGetKlass()
    keyStore = xmlsec.xmlSecKeyStoreCreate(id)
    rc = xmlsec.xmlSecSimpleKeysStoreLoad(keyStore, 'c:/xmlsec/keys/keys2.xml', keysMngr)
    rc = xmlsec.xmlSecKeysMngrAdoptKeysStore(keysMngr, keyStore)
    dsigCtx = xmlsec.xmlSecDSigCtxCreate()
    rc = xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
    keyInfoCtx = xmlsec.xmlSecKeyInfoCtxCreate(keysMngr)
    # block below works for keys in Simple Key Store
    key = xmlsec.xmlSecKeysMngrFindKey(keysMngr, 'test-rsa', keyInfoCtx)
    key = xmlsec.xmlSecKeyStoreFindKey(keyStore, 'test-rsa', keyInfoCtx)
    keyInfoNode = xmlsec.xmlSecFindNode(sigNode, 'KeyInfo', 'http://www.w3.org/2000/09/xmldsig#')
    key = xmlsec.xmlSecKeysMngrGetKey(keyInfoNode, keyInfoCtx)
    # can't get keys when signing though ???
    rc = xmlsec.xmlSecDSigCtxSign(dsigCtx, sigNode)
    print 'Signature creation complete with status code', rc

Output from above ...

    Entering xmlsec ctypes wrap
    Initializing libxml2 parser
    Loading dynamic crypto support, return code 0
    Loading mscrypto, return code 0
    CryptoAppInit, return code 0
    Initializing xmlsec, return code 0
    CryptoInit, return code 0
    stdin fileno = 0
    stdout fileno = 1
    stderr fileno = 2
    found signature node with name Signature and type 1
    CryptoAppDefaultKeysMngrInit returned with rc 0
    SimpleKeysStoreLoad returned with rc 0
    KeysMngrAdoptKeysStore returned with rc 0
    DSigCtxInitialize allocated ctypes.LP_xmlSecDSigCtx object at 0x00B3CD30
    keyInfoCtx.contents.keysMngr 11586024 keyInfoCtx.contents.mode 0
    xmlSecKeysMngrFindKey returned with key test-rsa
    xmlSecKeyStoreFindKey returned with key test-rsa
    found KeyInfo node with name KeyInfo and type 1
    xmlSecKeysMngrGetKey returned with key test-rsa
    func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
    func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
    func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
    func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
    Signature creation complete with status code -1
RE: [xmlsec] Can't find key using mscrpto
Yes you are right. What I hoped you could confirm is that I have the right call sequence. I have simplified it further below. What I was not sure of is whether I need to issue an explicit xmlSecKeysMngrGetKey or is that already implied given I am using a template. Either way seems to result in a key not found. Am I missing a call somewhere ?

Thanks

xmlSecInit()
xmlSecCryptoDLInit()
xmlSecCryptoDLLoadLibrary('mscrypto')
xmlsec.xmlSecCryptoAppInit()
xmlSecCryptoInit()
xmlSecParseFile(filename)
xmlDocGetRootElement(parsedDoc)
xmlSecKeysMngrCreate()
xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
xmlsec.xmlSecDSigCtxCreate(keysMngr)
xmlSecDSigCtxSign(dsigCtx, sigNode)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: October 13, 2005 9:42 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] Can't find key using mscrpto

> I have successfully wrapped most of libxml2 using Python and ctypes and was then moving onto xmlsec. Got stalled at the GetKey.

Sorry, can't help you with Python :( Maybe you should ask on python xmlsec mailing list?

Aleksey
[xmlsec] Can't find key using mscrpto
Hi Aleksey,

This sign over a template and subsequent verify works fine using command-line utility:

xmlsec sign --crypto mscrypto --output inout/edsigned-enveloped.xml tmpl/tmpl-EPM-sign-enveloped.xml
xmlsec verify --store-references --crypto mscrypto inout/edsigned-enveloped.xml

The KeyInfo from simple enveloped signature template looks like this:

<dsig:KeyInfo>
  <dsig:KeyName>[EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</dsig:KeyName>
  <dsig:X509Data>
    <dsig:X509Certificate></dsig:X509Certificate>
    <dsig:X509SubjectName></dsig:X509SubjectName>
    <dsig:X509IssuerSerial></dsig:X509IssuerSerial>
  </dsig:X509Data>
</dsig:KeyInfo>

I am trying to recreate this simple sign scenario from code using Python with the ctypes module (which marshals Python calls to/from C dll's and so's). I have successfully wrapped most of libxml2 using Python and ctypes and was then moving onto xmlsec. Got stalled at the GetKey. Not sure my call sequence is good though.
This simplified code snippet produces the stdout below it:

from ctypes import cdll  # needed for the cdll.* lookups below

###
# Initialization
###
print 'Entering xmlsec ctypes wrap'
print 'Loading libxml2 parser'
libxml2 = cdll.libxml2
xmlsec = cdll.libxmlsec
print 'Initializing xmlsec, return code', xmlsec.xmlSecInit()
print 'Loading dynamic crypto support, return code ', xmlsec.xmlSecCryptoDLInit()
print 'Loading mscrypto, return code ', xmlsec.xmlSecCryptoDLLoadLibrary('mscrypto')
print 'CryptoAppInit, return code ', xmlsec.xmlSecCryptoAppInit()
print 'CryptoInit, return code ', xmlsec.xmlSecCryptoInit()

###
# Let's sign a template
###
parsedDoc = xmlsec.xmlSecParseFile('c:/xmlsec/tmpl-EPM-sign-enveloped-keyname.xml')  # uses xmlsec
rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature', 'http://www.w3.org/2000/09/xmldsig#')
print 'found signature node', sigNode.contents.name
keysMngr = xmlsec.xmlSecKeysMngrCreate()
rc = xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
print 'CryptoAppDefaultKeysMngrInit returned with rc', rc
dsigCtx = xmlsec.xmlSecDSigCtxCreate(keysMngr)
keyInfoCtx = xmlsec.xmlSecKeyInfoCtxCreate(keysMngr)
print 'keyInfoCtx.contents.keysMngr', keyInfoCtx.contents.keysMngr, 'keyInfoCtx.contents.mode', keyInfoCtx.contents.mode
#keyNode = xmlsec.xmlSecFindNode(rootNode, 'KeyInfo', 'http://www.w3.org/2000/09/xmldsig#')
#print 'found KeyInfo node', keyNode.contents.name
xmlsec.xmlSecKeyInfoCtxDebugDump(keyInfoCtx, stdout)
#key = xmlsec.xmlSecKeysMngrGetKey(keyNode, keyInfoCtx)
#print 'found key', key.contents.name
#xmlsec.xmlSecDSigCtxDebugDump(dsigCtx, stdout)
rc = xmlsec.xmlSecDSigCtxSign(dsigCtx, sigNode)
print 'Signature creation complete with status code', rc

Output from above follows ... (doesn't find key when I do an explicit KeysMngrGetKey either)

Any ideas ?
C:\XMLSec>libxmlsec.py
Entering xmlsec ctypes wrap
Initializing libxml2 parser
Initializing xmlsec, return code 0
Loading dynamic crypto support, return code 0
Loading mscrypto, return code 0
CryptoAppInit, return code 0
CryptoInit, return code 0
stdin fileno = 0
stdout fileno = 1
stderr fileno = 2
found signature node Signature
CryptoAppDefaultKeysMngrInit returned with rc 0
keyInfoCtx.contents.keysMngr 12159304 keyInfoCtx.contents.mode 0
= KEY INFO READ CONTEXT
== flags: 0x
== flags2: 0x
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
keyId: NULL
keyType: 0x
keyUsage: 0x
keyBitsSize: 0
=== list size: 0
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=-2146885628
Re: [xmlsec] Re: Stack Traces re: crypto nss
No problem !!! Files affected ? Download them all ?

Ed

Aleksey Sanin wrote:
> Sorry for delay with response, I was out of town for the weekend :)
> The crash should be fixed in CVS. Thanks for your bug report!
>
> Aleksey
Re: [xmlsec] Re: Stack Traces re: crypto nss
Hi Aleksey,

Finally aaa !!! Thanks for all your help. Some quick notes:

- the --enabled-key-data option must be either left out, or set to key-name, when accessing keys in the nssdb
- importing .p12's into local nssdb's using mozilla or firefox or thunderbird seems to work fine (i.e. cert8.db and keys3.db are inter-changeable with p12util-created db's)
- it would be helpful to add an rsakey to the /tmp/xmlsec-crypto-config nssdb files and then add a test which signs with that key nickname to test out nssdb access

The rest seems perfect !!!

Thanks once again,
Ed

Aleksey Sanin wrote:
> You need to get the whole xmlsec source tree from CVS using anonymous cvs access:
> http://developer.gnome.org/tools/cvs.html
> Then run ./autogen.sh once and after that you can do usual ./configure make
>
> Aleksey
[xmlsec] Re: Stack Traces re: crypto nss
I tried upgrading mozilla, mozilla-nss, mozilla-nspr, etc to 1.7.10 ... No luck

Still seg faulting whenever I try KeyName access to NSS DBs from within template

Would it be possible to add a keycert/p12 to the empty nssdb in testKeys and then test signing with it in the testDSig suite ? This would help prove installation as well.

Thanks again,
Ed

Edward Shallow wrote:
> Here are 2 stack traces for your review ...
> [...]
Re: [xmlsec] Re: Stack Traces re: crypto nss
Tried something else ...

- copied empty nssdb files from xmlsec1-1.2.9/tests/nssdb
- imported rsakey.p12 and ca2cert.der into nssdb using p12util
- verified content of nssdb using certutil -L

Everything looked good. Re-ran tests ... still seg faulting

Ed

Edward Shallow wrote:
> Forgot to mention ... I recompiled xmlsec and verified that it picked up mozilla 1.7.10
>
> Edward Shallow wrote:
> > I tried upgrading mozilla, mozilla-nss, mozilla-nspr, etc to 1.7.10 ... No luck
> > Still seg faulting whenever I try KeyName access to NSS DBs from within template
> > Would it be possible to add a keycert/p12 to the empty nssdb in testKeys and then test signing with it in the testDSig suite ? This would help prove installation as well.
> > Thanks again,
> > Ed
> >
> > Edward Shallow wrote:
> > > Here are 2 stack traces for your review ...
> > > [...]
Re: [xmlsec] nssdb problems ... still : (
Aleksey Sanin wrote:
> > 1) and 2) above work fine with pkcs#12 based keys, but as soon as I switch to the nssdb-resident equivalent I am unsuccessful.
>
> Can you run 3rd test under gdb and get a stack trace?
>
> Aleksey

Yes, I will do that soon. Just as a postscript, if it helps you. It seems it will always seg fault unless you have x509 first in the --enabled-key-data list

example: --enabled-key-data x509,key-name == no seg fault
example: --enabled-key-data key-name,x509 == seg fault

Even when there is no seg fault, however, I always get error=45:key is not found

I'll send you the stack trace.

Ed
Re: [xmlsec] nssdb problems ... still : (
Edward Shallow wrote:
> Aleksey Sanin wrote:
> > > 1) and 2) above work fine with pkcs#12 based keys, but as soon as I switch to the nssdb-resident equivalent I am unsuccessful.
> >
> > Can you run 3rd test under gdb and get a stack trace?
> >
> > Aleksey
>
> Yes, I will do that soon. Just as a postscript, if it helps you. It seems it will always seg fault unless you have x509 first in the --enabled-key-data list
>
> example: --enabled-key-data x509,key-name == no seg fault
> example: --enabled-key-data key-name,x509 == seg fault
>
> Even when there is no seg fault, however, I always get error=45:key is not found
>
> I'll send you the stack trace.
>
> Ed

In the meantime can I impose on you to send me your cert8.db keys3.db and secmod.db files. I would like to rule out the nssdb as the culprit here.

Thanks,
Ed
RE: [xmlsec] nssdb problems ... still : (
Actually I am simply testing with your cert/keys from the /tests suite. Specifically rsakey.p12 i.e. TestRsaKey (nickname) issued from your test CA. But if you'd rather not ... I'll send you the stack trace soon.

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: September 23, 2005 11:54 AM
To: Edward Shallow
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] nssdb problems ... still : (

> In the meantime can I impose on you to send me your cert8.db keys3.db and secmod.db files.

I don't have your keys imported in the nss db. Please get a stack trace

$ gdb xmlsec1
r <xmlsec options>

Aleksey
[xmlsec] Stack Traces re: crypto nss
Here are 2 stack traces for your review ...

This is the test using KeyName in the template:

(gdb) run sign --crypto nss --crypto-config /usr/local/src/epm/xmlsec-crypto-config-all --trusted-der /usr/local/src/epm/keys/nss/cacert.der --output /usr/local/src/epm/inout/edsign-nss-enveloping-rsa-keyname-x509chain.xml /usr/local/src/epm/tmpl/signing/tmpl-EPM-nss-enveloping-rsa-keyname-x509chain.xml
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close shared object read from target memory: File in wrong format
Starting program: /usr/bin/xmlsec1 sign --crypto nss --crypto-config /usr/local/src/epm/xmlsec-crypto-config-all --trusted-der /usr/local/src/epm/keys/nss/cacert.der --output /usr/local/src/epm/inout/edsign-nss-enveloping-rsa-keyname-x509chain.xml /usr/local/src/epm/tmpl/signing/tmpl-EPM-nss-enveloping-rsa-keyname-x509chain.xml
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x43c000
[Thread debugging using libthread_db enabled]
[New Thread -1208363328 (LWP 3448)]
Detaching after fork from child process 3449.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208363328 (LWP 3448)]
0x06a7b166 in SECKEY_GetPublicKeyType () from /usr/lib/libnss3.so
(gdb)

This seg fault I managed to get from a --pkcs12 test which I hadn't received before:

(gdb) run sign --crypto nss --crypto-config /usr/local/src/epm/xmlsec-crypto-config-all --pkcs12 /usr/local/src/epm/keys/nss/rsakey.p12 --pwd secret --output /usr/local/src/epm/inout/edsign-nss-sign-enveloped.xml /usr/local/src/epm/tmpl/signing/tmpl-EPM-nss-sign-enveloped.xml
warning: cannot close shared object read from target memory: File in wrong format
Starting program: /usr/bin/xmlsec1 sign --crypto nss --crypto-config /usr/local/src/epm/xmlsec-crypto-config-all --pkcs12 /usr/local/src/epm/keys/nss/rsakey.p12 --pwd secret --output /usr/local/src/epm/inout/edsign-nss-sign-enveloped.xml /usr/local/src/epm/tmpl/signing/tmpl-EPM-nss-sign-enveloped.xml
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x14f000
[Thread debugging using libthread_db enabled]
[New Thread -120902 (LWP 3384)]
Detaching after fork from child process 3385.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -120902 (LWP 3384)]
0x06a7b166 in SECKEY_GetPublicKeyType () from /usr/lib/libnss3.so
(gdb)
[xmlsec] Question on --crypto-config
Hi Aleksey,

When using nss, where in the API does one set the --crypto-config option from the command line utility ?

Thanks,
Ed
[xmlsec] RE: Question on NSS Support
I looked at xmlsec.c and crypto.c and it seems --crypto-config is passed in on a generic xmlsecCryptoAppInit call and needs no specific nss support. Is this a correct assumption ?

Ed

-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: September 21, 2005 12:20 PM
To: '[EMAIL PROTECTED]'
Cc: 'xmlsec@aleksey.com'
Subject: Question on NSS Support

Hi Valery, (... perhaps Aleksey could shed some light here too)

Was wondering if pyxmlsec might have nss support already ? If I have nss as my default (or only) crypto, and I call the non-crypto specific version cryptoAppInit(crypto-config-dir) using the NSS DB as the parameter to this call, would the NSS crypto pick it up properly. This would be a totally transparent way I would think. Or must one call cryptoNssAppInit(crypto-config-dir) using the crypto-specific version of the call to get it passed on to NSS correctly ? Have you tried this yet ?

Thanks,
Ed
[xmlsec] nss crypto and test suite
Hi Aleksey,

Trying out nss crypto after much success with openssl. nss tests from the install worked fine, yet when I try to run testDSig.sh it works for openssl but not for nss.

Here is nss run ...

--- testDSig started for xmlsec-nss library (20050918_134319) ---
LD_LIBRARY_PATH=
Test: /aleksey-xmldsig-01/enveloping-dsa-x509chain
xmlsec1 verify --crypto nss --crypto-config /tmp/xmlsec-crypto-config --trusted-pem /usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem --enabled-key-data x509 /usr/local/src/xmlsec1-1.2.9/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml
func=xmlSecNssAppInit:file=app.c:line=76:obj=unknown:subj=NSS_InitReadWrite:error=4:crypto library function failed:config=/tmp/xmlsec-crypto-config
func=xmlSecAppCryptoInit:file=crypto.c:line=26:obj=unknown:subj=xmlSecCryptoAppInit:error=1:xmlsec library function failed:
Error: xmlsec crypto intialization failed.
Error: initialization faile

Here is openssl run ...

--- testDSig started for xmlsec-openssl library (20050918_134200) ---
LD_LIBRARY_PATH=
Test: /aleksey-xmldsig-01/enveloping-dsa-x509chain
xmlsec1 verify --crypto openssl --crypto-config /tmp/xmlsec-crypto-config --trusted-pem /usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem --enabled-key-data x509 /usr/local/src/xmlsec1-1.2.9/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Thought it was unset LD_LIBRARY_PATH, but it works fine that way for openssl.

Thanks,
Ed
Re: [xmlsec] nss crypto and test suite
Would an installation of Firefox or Thunderbird after xmlsec compilation screw things up perhaps ?

Ed

On Sun, 2005-09-18 at 11:20 -0700, Aleksey Sanin wrote:
> Did you recompile xmlsec on the same box? I've seen a similar error when NSS/NSPR versions on the box did not match ones used during xmlsec compilation.
>
> Aleksey
Re: [xmlsec] nss crypto and test suite
Yes I had discovered that, was just about to inform you. Everything working fine now. nss is much more picky about things than openssl ; )

Thanks again,
Ed

Aleksey Sanin wrote:
> You MUST use 'der' format for keys because nss does not understand 'pem'
>
> ./testDSig.sh nss /usr/local/src/xmlsec1-1.2.9/tests xmlsec1 der
>
> Aleksey
>
> Edward Shallow wrote:
> > Aleksey Sanin wrote:
> > > Can you try to run testKeys.sh for nss first, please? It will create necessary keys in NSS keys storage.
> > >
> > > Aleksey
> >
> > Yes I do not get the init failure, all keys created in /tmp/xmlsec-crypto-config. I am running following command line ...
> >
> > ./testDSig.sh nss /usr/local/src/xmlsec1-1.2.9/tests xmlsec1 pem
> >
> > ... and received following
> >
> > --- testDSig started for xmlsec-nss library (20050918_182358) ---
> > LD_LIBRARY_PATH=/usr/local/src/xmlsec1-1.2.9/src/nss/.libs:/usr/local/src/xmlsec1-1.2.9/src/openssl/.libs:/usr/lib
> > Test: /aleksey-xmldsig-01/enveloping-dsa-x509chain
> > xmlsec1 verify --crypto nss --crypto-config /tmp/xmlsec-crypto-config --trusted-pem /usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem --enabled-key-data x509 /usr/local/src/xmlsec1-1.2.9/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml
> > func=xmlSecNssAppKeysMngrCertLoadSECItem:file=app.c:line=1389:obj=unknown:subj=unknown:error=17:invalid format:format=2;last nss error=-5977 (0xE8A7)
> > func=xmlSecNssAppKeysMngrCertLoad:file=app.c:line=1278:obj=unknown:subj=xmlSecNssAppKeysMngrCertLoadSECItem:error=1:xmlsec library function failed: ;last nss error=-5977 (0xE8A7)
> > Error: failed to load trusted cert from /usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem.
> > Error: keys manager creation failed
[xmlsec] nss Support in pyxmlsec
Hi Aleksey and Valery,

Apart from the xmlSecCryptoDLLoadLibrary call, how transparent is the xmlsec API when using nss versus openssl ? The API reference has a huge set of nss specific functions, must they be used when running the nss engine ?

If one wants to load keys from the mozilla/nss keys.db and certs.db must the xmlSecNssKeysStoreAdoptKey, xmlSecNssKeysStoreLoad, xmlSecNssKeysStoreSave be implemented in Valery's python bindings ? Can we get away with just xmlSecCryptoDLLoadLibrary and the rest is the same ? Or if only nss is compiled will pyxmlsec run without having implemented any nss-specific calls ?

Thanks for your help,
Ed
Re: [xmlsec] Compiling on Fedora Core 4
You set me on the right track. I had forgotten to specify the shared option on the openssl configure script (no-shared is the default) and the new libcrypto.so was not generated in /usr/lib

Thanks for your help

On Tue, 2005-08-30 at 21:14 -0700, Aleksey Sanin wrote:
> > You'll notice that most all of the tests failed, see make-check-xmlsec1.txt attached. When I run my own scripts I get ...
> > xmlsec1: symbol lookup error: /usr/lib/libxmlsec1-openssl.so: undefined symbol: X509_VERIFY_PARAM_new
>
> Seems that you are not loading correct openssl library. Use 'ldd' to figure out what it loads now and then set correct LD_LIBRARY_PATH.
>
> Aleksey
[xmlsec] Upgrading from RPMs
Hi Aleksey,

- Will your 1.2.9 Fedora3 RPMs cause any problems against a RedHat9 build ?
- Will your 1.2.9 Fedora3 RPMs cause any problems against a Fedora4 build ?
- Can't find any OpenSSL 0.9.8 RPMs out there yet, must I build from source ?

Thanks
RE: [xmlsec] How can I use XML security library to process online XMLtraffic?
This sounds more like an environment question. Given you are in a servlet container with Tomcat I assume your application is Java based. To get out to the xmlsec library (without bindings) you probably have to define the required xmlsec C functions to JNI (Java Native Interface).

The only bindings I am aware of are Python bindings at http://pyxmlsec.labs.libre-entreprise.org/

With these Python bindings you could run in any Web Server or Application Server or Framework supporting Python. E.g. mod_python, Twisted, ZOPE, etc. Although you would have to write your application, or at least part of it, in Python to avoid the JNI mapping job.

I know of no one working on Java bindings for xmlsec ... Anyone out there doing so ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zhenxiao Liu
Sent: July 24, 2005 10:20 PM
To: xmlsec@aleksey.com
Cc: [EMAIL PROTECTED]
Subject: [xmlsec] How can I use XML security library to process online XMLtraffic?

Hi, all,

I'm new in this area. Could any one help me start? Below is my question.

Can I use Tomcat as the Web server? How should I configure or compile it to call functions in XML security library?

Any help is appreciated.

Zhenxiao Liu
RE: [xmlsec] Perl bindings for xmlsec1?
There is a very good Python binding available on the chance that might interest you. I have worked extensively with it and have not found a single problem with it as yet.

http://pyxmlsec.labs.libre-entreprise.org/

Ed

P.S. Valery, BTW version 0.2.1 and the added errorsSetCallback work perfectly. Thanks for the update ;)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: March 25, 2005 12:24 PM
To: Jacob Fugal
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] Perl bindings for xmlsec1?

No, there is no open source perl bindings for xmlsec. I know that one company did something like this but they did not want to share their work. BTW, I would be glad to add perl bindings to the xmlsec cvs tree if you want.

Thanks!
Aleksey

Jacob Fugal wrote:
> Are there any known perl bindings to the xmlsec1 library? Searching CPAN turns up XML::Canonical, but while that is useful, I need the more complete Signature and Encryption functionality. Alas, if there are none, I'm willing to begin work on them myself (I need them for my current project, not just want) but want to make sure that won't be duplicated effort.
>
> Jacob Fugal
RE: [xmlsec] Microsoft CAPI support with hardware token
No prob ... On a related question, has anyone got NSS working with tokens/HSMs via PKCS#11 ? Tejkumar ?

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: September 13, 2004 5:54 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Microsoft CAPI support with hardware token

Cool! Thanks for sharing your experience!

Aleksey

Edward Shallow wrote:
> Hi,
> Yes I have successfully used an Aladdin eToken Pro in a Windows XP environment with XMLsec 1.2.1 using the command line and template below.
[xmlsec] Microsoft CAPI support with hardware token
Hi,

Yes I have successfully used an Aladdin eToken Pro in a Windows XP environment with XMLsec 1.2.1 using the command line and template below.

Key points:

1) use --crypto mscrypto
2) point xmlsec at your token using dsig:KeyName in the template
3) make sure your keys were generated on the token and the returned certificate is bound to those token-resident keys
4) if you can't get the key/cert working in other Windows applications, then it won't work with XMLsec either
5) xmlsec (with --mscrypto) is just using CAPI with appropriate CSP as dictated by particular cert you choose
6) xmlsec (with --mscrypto) really doesn't even know its using the token, that is standard CAPI/CSP functionality support

Cheers,
Ed

P.S. Good job Aleksey and Wouter ;)

xmlsec sign --crypto mscrypto --output inout/edsigned3-enveloped.xml tmpl/tmpl-EPM-signtoken-enveloped.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Signature created by EPMSigner V1.12 - Sign Template - enveloped-simple - Ed Shallow June 27, 2003 -->
<Document>
  <Data>
    <SubData1>
      <SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
      <SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
      <SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
    </SubData1>
    <SubData2>This is the data to be signed.</SubData2>
    <SubData3>This is the data to be signed.</SubData3>
  </Data>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue></dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue></dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:KeyName>CN=Thawte Freemail Member, [EMAIL PROTECTED]</dsig:KeyName>
      <dsig:X509Data>
        <dsig:X509Certificate></dsig:X509Certificate>
        <dsig:X509SubjectName></dsig:X509SubjectName>
        <dsig:X509IssuerSerial></dsig:X509IssuerSerial>
      </dsig:X509Data>
    </dsig:KeyInfo>
  </dsig:Signature>
</Document>
[xmlsec] Brackets in Reference
Hello Aleksey,

Please find enclosed a signature produced by another toolkit which uses left and right brackets in its reference element. XMLSec seems to be objecting to the presence of the brackets. If I take them out, XMLSec gets further, but naturally complains about the data to digest compare.

Reference URI="#Object[040327174718Z]"

Is this use legitimate ? Any ideas ?

Ed

C:\XMLSec>xmlsec verify --store-references --crypto mscrypto inout/signedXMLDSIG.xml
func=xmlSecXPathDataExecute:file=..\src\xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('Object[040327174718Z]'));last error=0 (0x);last error msg=The operation completed successfully.
func=xmlSecXPathDataListExecute:file=..\src\xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: ;last error=0 (0x0000);last error msg=The operation completed successfully.
func=xmlSecTransformXPathExecute:file=..\src\xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: ;last error=0 (0x);last error msg=The operation completed successfully.
func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed: ;last error=0 (0x);last error msg=The operation completed successfully.
func=xmlSecTransformCtxXmlExecute:file=..\src\transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer;last error=0 (0x);last error msg=The operation completed successfully.
func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: ;last error=0 (0x);last error msg=The operation completed successfully.
func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed: ;last error=0 (0x);last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference;last error=0 (0x);last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: ;last error=0 (0x);last error msg=The operation completed successfully.
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=0 (0x);last error msg=The operation completed successfully.
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0

= VERIFICATION CONTEXT
== Status: unknown
== flags: 0x0006
== flags2: 0x
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x
== flags2: 0x
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x
== flags2: 0x
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: unknown
== URI: #Object[040327174718Z]
== Reference Transform Ctx:
== TRANSFORMS CTX (status=1)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri:
=== uri xpointer expr: #Object[040327174718Z]
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
Error: failed to verify file inout/signedXMLDSIG.xml

<?xml version="1.0" encoding="UTF-8"?>
!DOCTYPE Signature Signature
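The log above shows what xmlsec did with the bracketed URI: it rewrote "#Object[040327174718Z]" into xpointer(id('Object[040327174718Z]')) and libxml2 refused to evaluate it. The underlying reason is that "[" and "]" are not allowed in an XML Name, so no element can carry that ID and a bare-name fragment containing them can never resolve. A verifier can classify each Reference URI before trying to dereference it and report such values instead of failing deep inside the transform chain. The checker below is an added example written against Python's standard library; it is not xmlsec code, its NCName test is a simplified version of the XML production, and the sample Signature is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Simplified NCName (an XML Name without a colon).  The real production allows
# more Unicode ranges than listed here, but '[', ']', '(', ')' and whitespace
# are never part of a Name, which is all this check relies on.
_NCNAME_RE = re.compile(r"^[A-Za-z_\u00C0-\uFFFF][A-Za-z0-9._\-\u00B7\u00C0-\uFFFF]*$")


def classify_reference_uri(uri):
    """Classify a ds:Reference URI the way a verifier has to before it
    dereferences it.  Returns a (kind, detail) tuple."""
    if uri is None:
        return ("omitted", None)            # application must know the target
    if uri == "":
        return ("whole-document", None)     # enveloped whole-document case
    if not uri.startswith("#"):
        return ("external", uri)            # external resource, not same-document
    frag = uri[1:]
    if _NCNAME_RE.match(frag):
        return ("shorthand-id", frag)       # bare name: element with that ID
    m = re.match(r"^xpointer\((.*)\)$", frag)
    if m:
        return ("xpointer-scheme", m.group(1))
    return ("invalid-fragment", frag)       # neither a Name nor an xpointer()


def check_references(signature_xml):
    """Return one (URI, kind, detail) tuple per ds:Reference in the signature."""
    root = ET.fromstring(signature_xml)
    results = []
    for ref in root.iter("{%s}Reference" % DSIG_NS):
        uri = ref.get("URI")
        kind, detail = classify_reference_uri(uri)
        results.append((uri, kind, detail))
    return results


# Constructed sample: the bracketed URI from the report next to a valid one
# and a whole-document reference.
SAMPLE_SIGNATURE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <Reference URI="#Object[040327174718Z]"/>
    <Reference URI="#Object040327174718Z"/>
    <Reference URI=""/>
  </SignedInfo>
</Signature>"""

if __name__ == "__main__":
    for uri, kind, detail in check_references(SAMPLE_SIGNATURE):
        print("%-26r -> %-16s %r" % (uri, kind, detail))
```

Running the check on the sample flags only the first reference; the same data with the brackets removed is a legal bare-name pointer, which matches the observation that xmlsec "gets further" once they are taken out.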
RE: [xmlsec] Invalid data char=B; base=10 on verify
Yes I realized that. However it won't blow up for the demo. I am happy.

From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: November 11, 2003 1:56 AM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Invalid data char=B; base=10 on verify

Well, the actually won't work correctly: 0x10 != 10 Most likely in your case you have more information about the cert that is used if search by serial number fails. But it's just an accident :(

Aleksey

Edward Shallow wrote:

Thanks a million. Turns out that any "hex" characters in the serial number (e.g. 1D) will cause the problem. Certs with only numbers in them work.

Thanks again,
Ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aleksey Sanin
Sent: November 11, 2003 12:57 AM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Invalid data char=B; base=10 on verify

The problem is caused by incorrect conversion of a big integer to a string. Instead of using base 10 the function incorrectly used base 16. Thus you'll get incorrect numbers sometime. This function is used in writing <dsig:X509SerialNumber/> thus you got it only when you've used this node in your template.

Aleksey

Edward Shallow wrote:

Thanks,

Is there any specific characters that cause or are affected by this problem ? I don't get it for many schemas and documents ? I have a demo tomorrow and was wondering if I could work around it ?

Ed
[xmlsec] Invalid data char=B; base=10 on verify
Hi Aleksey,

I have a strange one here. I am using --ms-crypto (thanks Wouter and Aleksey) with an XPath-filter (intersect and subtract). I have used a similar template in dozens of tests. Sign works fine. --store-references shows intersect, subtract working fine. However when I go to verify, I get the error below referring to some invalid data, yet messages state OK 1/1 etc ... As you can see there is next to nothing in the xml doc being signed. I have included input and output from successful sign operation as attachments. The only thing different is the absence of namespace qualifier in base document. Any ideas ? This is for the UN.

Ed

C:\epmsigner-dev\XMLSec>xmlsec sign --crypto mscrypto --output C:/epmsigner-dev/infopath/FFIEPMcompleted.signed.xml C:/epmsigner-dev/infopath/FFIEPMcompleted2.ToBeSigned.xml

C:\epmsigner-dev\XMLSec>xmlsec verify --crypto mscrypto C:/epmsigner-dev/infopath/FFIEPMcompleted.signed.xml
func=xmlSecBnFromString:file=..\src\bn.c:line=214:obj=unknown:subj=unknown:error=12:invalid data:char=B;base=10;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=586:obj=unknown:subj=xmlSecBnInitialize:error=1:xmlsec library function failed:;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

<?xml version="1.0" encoding="UTF-8"?>
<?mso-infoPathSolution solutionVersion="1.0.0.29" productVersion="11.0.5531" PIVersion="1.0.0.0" href="file:///C:\epmsigner-dev\infopath\FFIEPMdemo.xsn" language="en-us" ?>
<?mso-application progid="InfoPath.Document"?>
FiataForwardingInstructions xmlns:my=http://schemas.microsoft.com/office/infopath/2003/myXSD/2003-11-09T15:04:28; xmlns:ds=http://www.w3.org/2000/09/xmldsig#; xmlns:xf=http://www.w3.org/2002/06/xmldsig-filter2; Header MessageType/ MessageVersionNumber/ MessageReleaseNumber/ DocumentMessageName/ DocumentMessageNumber/ DocumentMessageStatusCoded/ /Header Consignor NameAndAddress PartyIdentificationDetails PartyIdIdentification/ CodeListResponsibleAgencyCoded/ /PartyIdentificationDetails StructuredAddress PartyNameEd/PartyName StreetAndNumberP.O.Box/ CityName/ CountrySub-entityIdentification/ PostcodeIdentification/ CountryCodedCA/CountryCoded /StructuredAddress /NameAndAddress ListOfContacts InformationContact ContactName/ ListOfCommunicationNumbers Telephone/ Telefax/ ElectronicMail/ Telex/ Teletext/ InternalMail/ /ListOfCommunicationNumbers /InformationContact /ListOfContacts /Consignor Consignee NameAndAddress PartyIdentificationDetails PartyIdIdentification/ CodeListResponsibleAgencyCoded/ /PartyIdentificationDetails StructuredAddress PartyName/ StreetAndNumberP.O.Box/ CityName/ CountrySub-entityIdentification/ PostcodeIdentification/ CountryCodedCA/CountryCoded /StructuredAddress /NameAndAddress ListOfContacts InformationContact ContactName/ ListOfCommunicationNumbers Telephone/ Telefax/ ElectronicMail/ Telex/ Teletext/ InternalMail/ /ListOfCommunicationNumbers /InformationContact /ListOfContacts /Consignee FreightForwarder NameAndAddress PartyIdentificationDetails PartyIdIdentification/ CodeListResponsibleAgencyCoded/ /PartyIdentificationDetails StructuredAddress PartyName/ StreetAndNumberP.O.Box/ CityName/ CountrySub-entityIdentification/ PostcodeIdentification/ CountryCodedCA/CountryCoded /StructuredAddress /NameAndAddress ListOfContacts InformationContact ContactName/ ListOfCommunicationNumbers Telephone/ Telefax/ ElectronicMail/ Telex/ Teletext/ InternalMail/ /ListOfCommunicationNumbers /InformationContact /ListOfContacts /FreightForwarder NotifyParty 
NameAndAddress PartyIdentificationDetails PartyIdIdentification/ CodeListResponsibleAgencyCoded/ /PartyIdentificationDetails StructuredAddress PartyName/ StreetAndNumberP.O.Box/ CityName/ CountrySub-entityIdentification/ PostcodeIdentification/ CountryCodedCA/CountryCoded /StructuredAddress /NameAndAddress ListOfContacts InformationContact ContactName/ ListOfCommunicationNumbers Telephone/ Telefax/ ElectronicMail/ Telex/ Teletext/ InternalMail/ /ListOfCommunicationNumbers /InformationContact /ListOfContacts /NotifyParty ListOfReferences DocumentaryCreditAdviceReference ReferenceNumber/ ReferenceDate Date/ DateFormatCoded/ /ReferenceDate /DocumentaryCreditAdviceReference /ListOfReferences AcceptanceDate Date/ DateFormatCoded/ /AcceptanceDate PlaceOfAcceptance LocationName/ LocationCoded/ /PlaceOfAcceptance DeliveryTerms TermsOfDelivery/
RE: [xmlsec] Invalid data char=B; base=10 on verify
I retried the run below with OpenSSL and it works. Problem is unique to --ms-crypto. Can I send you anything else ?

Ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Shallow
Sent: November 10, 2003 11:47 PM
To: [EMAIL PROTECTED]
Subject: [xmlsec] Invalid data char=B; base=10 on verify

Hi Aleksey,

I have a strange one here. I am using --ms-crypto (thanks Wouter and Aleksey) with an XPath-filter (intersect and subtract). I have used a similar template in dozens of tests. Sign works fine. --store-references shows intersect, subtract working fine. However when I go to verify, I get the error below referring to some invalid data, yet messages state OK 1/1 etc ... As you can see there is next to nothing in the xml doc being signed. I have included input and output from successful sign operation as attachments. The only thing different is the absence of namespace qualifier in base document. Any ideas ? This is for the UN.

Ed

C:\epmsigner-dev\XMLSec>xmlsec sign --crypto mscrypto --output C:/epmsigner-dev/infopath/FFIEPMcompleted.signed.xml C:/epmsigner-dev/infopath/FFIEPMcompleted2.ToBeSigned.xml

C:\epmsigner-dev\XMLSec>xmlsec verify --crypto mscrypto C:/epmsigner-dev/infopath/FFIEPMcompleted.signed.xml
func=xmlSecBnFromString:file=..\src\bn.c:line=214:obj=unknown:subj=unknown:error=12:invalid data:char=B;base=10;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=586:obj=unknown:subj=xmlSecBnInitialize:error=1:xmlsec library function failed:;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
RE: [xmlsec] Invalid data char=B; base=10 on verify
Thanks,

Is there any specific characters that cause or are affected by this problem ? I don't get it for many schemas and documents ? I have a demo tomorrow and was wondering if I could work around it ?

Ed

-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: November 11, 2003 12:24 AM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Invalid data char=B; base=10 on verify

Sick! Stupid me :( This one line patch below should fix it. The patch is checked in CVS and would be in the next release in a couple days. This code is not used by OpenSSL thus you have no problems with it. Thanks for bug report and sorry for inconvenience!

Aleksey

Index: src/bn.c === RCS file: /cvs/gnome/xmlsec/src/bn.c,v retrieving revision 1.10 diff -u -r1.10 bn.c --- src/bn.c26 Sep 2003 16:53:19 - 1.10 +++ src/bn.c11 Nov 2003 05:20:39 - @@ -364,7 +364,7 @@ */ xmlChar* xmlSecBnToDecString(xmlSecBnPtr bn) { -return(xmlSecBnToString(bn, 16)); +return(xmlSecBnToString(bn, 10)); } /**

Edward Shallow wrote:

I retried the run below with OpenSSL and it works. Problem is unique to --ms-crypto. Can I send you anything else ?

Ed
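Review bot: the one-line change in the xmlSecBnToDecString hunk (xmlSecBnToString(bn, 16) to xmlSecBnToString(bn, 10)) is the right fix for a function whose name and whose caller, the X509SerialNumber writer, both promise decimal output, but the patch carries no regression test and no compatibility note. A signing template that uses <dsig:X509SerialNumber/> with a certificate whose serial number contains a hex digit (A-F, the 1D case reported in this thread) would have caught the bug and belongs in the test suite. Worth stating for users as well: serial numbers written by the old code from certificates whose hex form happens to contain only 0-9 parse without error under base 10 but as a different number (0x10 != 10), so documents signed by the previous version will not match by issuer/serial once the reader is correct.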
RE: [xmlsec] Invalid data char=B; base=10 on verify
Thanks a million. Turns out that any hex characters in the serial number (e.g. 1D) will cause the problem. Certs with only numbers in them work.

Thanks again,
Ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: November 11, 2003 12:57 AM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Invalid data char=B; base=10 on verify

The problem is caused by incorrect conversion of a big integer to a string. Instead of using base 10 the function incorrectly used base 16. Thus you'll get incorrect numbers sometime. This function is used in writing <dsig:X509SerialNumber/> thus you got it only when you've used this node in your template.

Aleksey

Edward Shallow wrote:

Thanks,

Is there any specific characters that cause or are affected by this problem ? I don't get it for many schemas and documents ? I have a demo tomorrow and was wandering if I could work around it ?

Ed
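The two symptoms in this thread come from the same defect: a writer that emitted the serial number in base 16 while the reader parsed it in base 10. A serial whose hex form contains a letter is rejected with "invalid data:char=...;base=10", and a serial whose hex form happens to contain only digits is accepted as the wrong number (0x10 != 10). The following round-trip model is an added example in Python, not xmlsec's own bn.c code; the serial values are constructed, and the <dsig:X509IssuerSerial> builder at the end shows the decimal form XML-DSig expects for that element.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def serial_to_text(serial, base=10):
    """Render a certificate serial number as text for X509SerialNumber.
    XML-DSig defines that element as a decimal integer, so base=10 is the
    correct choice; base=16 reproduces what the pre-patch writer did."""
    if serial < 0:
        raise ValueError("serial numbers are non-negative")
    if base == 10:
        return str(serial)
    if base == 16:
        return format(serial, "X")
    raise ValueError("unsupported base %d" % base)


def parse_decimal_serial(text):
    """Strict base-10 parser in the spirit of xmlSecBnFromString(..., 10):
    the first character outside 0-9 is reported as invalid data."""
    text = text.strip()
    if not text:
        raise ValueError("invalid data: empty serial number")
    value = 0
    for ch in text:
        if not "0" <= ch <= "9":
            raise ValueError("invalid data:char=%s;base=10" % ch)
        value = value * 10 + (ord(ch) - ord("0"))
    return value


def round_trip(serial, writer_base):
    """Write the serial with writer_base, then read it back as decimal.
    Returns (written_text, parsed_value) or (written_text, error_message)."""
    written = serial_to_text(serial, writer_base)
    try:
        return written, parse_decimal_serial(written)
    except ValueError as exc:
        return written, str(exc)


def build_issuer_serial(issuer_name, serial):
    """Build a <dsig:X509IssuerSerial> element with the serial in decimal."""
    ET.register_namespace("dsig", DSIG_NS)
    el = ET.Element("{%s}X509IssuerSerial" % DSIG_NS)
    ET.SubElement(el, "{%s}X509IssuerName" % DSIG_NS).text = issuer_name
    ET.SubElement(el, "{%s}X509SerialNumber" % DSIG_NS).text = serial_to_text(serial, 10)
    return ET.tostring(el, encoding="unicode")


# Constructed serials: 29 (hex 1D, the case reported above), 16 (hex 10,
# the silently wrong case) and one that does not fit in a machine word.
SAMPLE_SERIALS = [29, 16, 2 ** 70 + 3]

if __name__ == "__main__":
    for serial in SAMPLE_SERIALS:
        for base in (16, 10):
            written, outcome = round_trip(serial, base)
            print("serial=%d writer base=%d text=%s -> %r" % (serial, base, written, outcome))
    print(build_issuer_serial("CN=Example CA", 29))
```

The base-16 rows reproduce both failure modes; the base-10 rows show the behaviour after the patch. Note that the silent case is the more dangerous one for a verifier, since a wrong serial number means the wrong certificate is searched for, or none is found, without any error being raised.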
RE: [xmlsec] Emailing: EdTestFormNoMSO.zip
Aleksey,

Thanks for your hints. The following works fine. 2 points of notice.

1) In the Pre-Digest buffer (see below) I will get extra white space and/or CRLFs for every subtract I add in the transform chain. Do I need to do another Canonicalization after the set of filters ? Can this be expressed as a transform ?

2) Is there any way to do a wildcard type thing with the subtract so I might use only a single filter instead of one for every //SignatureN ? Like a sort of //Signature(*) or something ?

Thanks,
Ed

<?xml version="1.0"?>
<Document>
  <ToBeSigned>
    <Data>We must sign this.</Data>
    <Signature1>1st exclude</Signature1>
    <Signature2>2nd exclude</Signature2>
  </ToBeSigned>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
            <dsig-xpath:XPath Filter="intersect">//Document</dsig-xpath:XPath>
            <dsig-xpath:XPath Filter="subtract">//Signature1</dsig-xpath:XPath>
            <dsig-xpath:XPath Filter="subtract">//Signature2</dsig-xpath:XPath>
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue></SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName></X509SubjectName>
        <X509IssuerSerial></X509IssuerSerial>
        <X509Certificate></X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</Document>

== PreDigest data - start buffer:
<Document>
  <ToBeSigned>
    <Data>We must sign this.</Data>
  </ToBeSigned>
</Document>
== PreDigest data - end buffer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: September 23, 2003 11:55 PM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Emailing: EdTestFormNoMSO.zip

> Secondly but related, how would one create parallel signatures over the same data using XMLSec ? Using 2 successive sign operations ?

Yes.

> Assuming one is using a template, what would it look like for the 2nd sign operation ?

Template is just an XML file, remember :)

> For this 2nd pass, does the enveloped-signature transform only exclude the signature being applied (i.e. the 2nd) ?

Enveloped transform by definition excludes only the current signature (see XMLDSig spec for details). It does not matter is it first or second signature.

> If so, what is the best way to exclude the 1st ?

XInclude, XPath, XPath2 or XSLT transforms are probably the simplest ways (you might have interop problems with XPath2). But probably I wouldn't use XSLT just for that task.

Aleksey
RE: [xmlsec] Emailing: EdTestFormNoMSO.zip
Yes, there is no burning reason to carry different element names for each signature. I thought I'd need distinct names for countersignature support, but I don't believe I do. Even in that scenario, the counter-signature should arguably be over all existing signatures, etc ...

Thanks,
Ed

-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: September 24, 2003 10:07 AM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Emailing: EdTestFormNoMSO.zip

> 1) In the Pre-Digest buffer (see below) I will get extra white space and/or CRLFs for every subtract I add in the transform chain. Do I need to do another Canonicalization after the set of filters ? Can this be expressed as a transform ?

It's OK. You just need to remember that XML includes not only element but also text nodes. For example if you have following XML doc

<doc>
<Signature1/>
<Signature2/>
</doc>

then you have 3 element nodes and 3 text nodes. If you remove, say, <Signature1/>, the text nodes around it stay. Thus you would have

<doc>

<Signature2/>
</doc>

If you want to remove this text node "\n" then you need to specify it in the XPath expression but actually there is no reason to do this.

> 2) Is there any way to do a wildcard type thing with the subtract so I might use only a single filter instead of one for every //SignatureN ? Like a sort of //Signature(*) or something ?

It's an XPath expression and //dsig:Signature should do it (http://www.zvon.org/xxl/XPathTutorial/Output/example2.html)

Aleksey
[xmlsec] Emailing: EdTestFormNoMSO.zip
Aleksey,

This attached is a signature which resulted from successive signings over the same XML from within Microsoft's InfoPath Release Candidate (i.e. coming soon). It is confusing in its use of copy and copy-of. Both signatures have enveloped-signature transforms followed by XSLT transforms. The first signature uses 2 templates the 1st of which is a copy whereas the second signature uses a single template within a copy-of and matches on the @Id of the 1st signature. The second signature seems to cover only the first ? Is this a valid countersignature ?

Secondly but related, how would one create parallel signatures over the same data using XMLSec ? Using 2 successive sign operations ? Assuming one is using a template, what would it look like for the 2nd sign operation ? For this 2nd pass, does the enveloped-signature transform only exclude the signature being applied (i.e. the 2nd) ? If so, what is the best way to exclude the 1st ?

Thanks,
Ed

EdTestFormNoMSO.zip
Description: Zip compressed data
[xmlsec] RE: Emailing: EdTestFormNoMSO.zip
As it pertains to the example below, can you see any reason why Microsoft did not use xmldsig-filter2 ?

Ed

-Original Message-
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: September 23, 2003 11:35 PM
To: '[EMAIL PROTECTED]'
Subject: Emailing: EdTestFormNoMSO.zip

Aleksey,

This attached is a signature which resulted from successive signings over the same XML from within Microsoft's InfoPath Release Candidate (i.e. coming soon). It is confusing in its use of copy and copy-of. Both signatures have enveloped-signature transforms followed by XSLT transforms. The first signature uses 2 templates the 1st of which is a copy whereas the second signature uses a single template within a copy-of and matches on the @Id of the 1st signature. The second signature seems to cover only the first ? Is this a valid countersignature ?

Secondly but related, how would one create parallel signatures over the same data using XMLSec ? Using 2 successive sign operations ? Assuming one is using a template, what would it look like for the 2nd sign operation ? For this 2nd pass, does the enveloped-signature transform only exclude the signature being applied (i.e. the 2nd) ? If so, what is the best way to exclude the 1st ?

Thanks,
Ed
RE: [xmlsec] XMLsec Command Line Utility and MSCrypto
I think I got the answer I was looking for, but please explain exactly how (that is with which command line sub-argument) do I identify private and public (or both) keys when doing for example a sign or an encrypt. In other words today with OpenSSL I just say the following on the command line:

sign --pkcs12 keys/EdCert.p12 --pwd 1234 .

Or

encrypt --pubkey-pem keys/EdPub.pem --session-key des-192 ...

What do I say when referring to these keys in the MS world ? Are there subtle command line syntax differences ? Lastly, when using our XMLSec-enabled application in a real MS Crypto Store world there will be no pkcs12s lying around.

Ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wouter
Sent: September 18, 2003 2:37 PM
To: 'Aleksey Sanin'; 'Edward Shallow'
Cc: [EMAIL PROTECTED]

Hi,

Aleksey is right here. Currently the key or certificate can be loaded by giving its keyname. However there are a few angles here (when I use certificate, I mean actually certificate *with* public/private keypair, since the certificate is the identifier for the keys with MS):

If more than 1 certificate is available in your certificate store with the same name (I think it's even quite a big chance that will happen), only the first found will be loaded.

If you look for a certificate that does not reside in your personal local default store, it will not be found.

I think there is a need to load the keys with other parameters as well, possibly with a (limited?) support from the command line. I think for example that the NSS Keys database also can benefit with a more generic interface in the loading of keys (for example using another than default key db)? I was thinking about a more generic approach here where some kind of 'search parameter(s)' can be set for finding keys (and possible certificates) (setKeySearchParameter(enum searchType, *value)). The type of search parameters supported by a keys manager can be different for each keys manager.

This story is a bit vague probably, and interferes perhaps with the keyinfo context, but I had no clear idea yet, how this can fit in the xmlsec library.

Another (a bit related) thing I ran into is the lack of support for loading keys from memory. I know OpenSSL crypto implementation supports this feature, but it isn't propagated in the generic interface. Are there plans into this direction?

Wouter

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: Thursday, September 18, 2003 21:12
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] XMLsec Command Line Utility and MSCrypto

I am not sure I clearly understand what you want to do. The --pkcs12, --privkey, etc. just load the key from a file and put it into the keys manager. The key then could be referred to by name from xml files. If I understand the MSCrypto implementation correctly, you should be able to refer to the existing key in MS Crypto store by name w/o any special loading because default keys manager for MSCrypto does look for key in MS Crypto store.

Wouter?

Aleksey
[xmlsec] Emailing: tmpl-EPM-sign-stylesheet.xml
Hi Aleksey,

After numerous attempts to verify the Microsoft InfoPath-created dsig which uses an XSLT transform, I decided to dummy it down and both sign and verify it with XMLSec, to get some clues. The attached is the only stylesheet transform technique I can get working with XMLSec. I verified this from the pre-digest transform put out by --store-references. That is good. This working approach completely embeds the entire stylesheet, HTML and all, under the Transform element like this ...

<Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
  <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
    <xsl:template match="books">
      <html><body>
      ...

My question: Is there any way that XMLSec (libxslt ?) will honour a stylesheet reference whose body resides outside the XML doc being transformed ? Simply adding ...

<?xml-stylesheet type="text/xsl" href="books.xsl"?>

... as the 1st line in books.xml doesn't do it. I also tried a href to the stylesheet in several places both in the template and in the doc without success. Is this possible ?

Thanks,
Ed

<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="inout/books.xml">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
            <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
              <xsl:template match="books">
                <html><body>
                  <h1>A list of books</h1>
                  <table width="640">
                    <xsl:apply-templates/>
                  </table>
                </body></html>
              </xsl:template>
              <xsl:template match="book">
                <tr>
                  <td><xsl:number/></td>
                  <xsl:apply-templates/>
                </tr>
              </xsl:template>
              <xsl:template match="author | title | price">
                <td><xsl:value-of select="."/></td>
              </xsl:template>
            </xsl:stylesheet>
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue></SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName></X509SubjectName>
        <X509Certificate></X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</Envelope>
RE: [xmlsec] Emailing: tmpl-EPM-sign-stylesheet.xml
Yes Rich, this is what I meant. Thanks.

Yes, Aleksey I had already tried it with xsltproc without any problems, both referenced and not. I am not reporting a problem here, I am asking for guidance on how to externally reference the stylesheet (URI, import, etc ...) from within the sign template. I assume xsl:include and xsl:import (as Rich pointed out) are supported within XMLSec (libxslt) ?

Ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: September 7, 2003 9:09 PM
To: Edward Shallow
Cc: [EMAIL PROTECTED]

I am not sure I clearly understand what you mean by this because books.xml file was not referenced anywhere in your message and I just don't understand how is this related to signatures. BTW, have you tried to run your xml file with xsltproc? I am sure it's able to handle <?xml-stylesheet ... href=... ?> construction because it is widely used in docbook. It would be great if you can either provide an example of a standalone xsl template that does not work as you expect or an example of a signature template that does not work plus a standalone xsl template that does work. This would greatly help with locating and fixing this problem :)

Aleksey

> Simply adding ... <?xml-stylesheet type="text/xsl" href="books.xsl"?> ... as the 1st line in books.xml doesn't do it. I also tried a href to the stylesheet in several places both in the template and in the doc without success.
RE: [xmlsec] Emailing: tmpl-EPM-sign-stylesheet.xml
I'll try it and let you know tomorrow. Thanks for the quick response Aleksey and Rich.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: September 7, 2003 9:41 PM
To: Edward Shallow
Cc: [EMAIL PROTECTED]

> I am not reporting a problem here...

Sorry, I got it wrong way :(

> I assume xsl:include and xsl:import (as Rich pointed out) are supported within XMLSec (libxslt) ?

Both are definitely supported by libxslt, I used them myself :) But I never tried it with xmlsec. I would expect it to work and if it does not then it's a bug (which have to be fixed) :)

Aleksey
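Whether the stylesheet body lives inside the Transform element (the template in the original post) or is pulled in through xsl:import / xsl:include (the route suggested in the replies) matters to whoever verifies the signature: every external body is a resource that has to be fetched before the digest can be recomputed, and it sits outside the bytes the signature covers. The inventory check below lists those dependencies for a signature. It is an added example in Python's standard library, not xmlsec or libxslt code; it does not execute the transform, and the sample signatures, including the books.xsl href, are constructed in the shape of the template above.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"


def external_dependencies(signature_xml):
    """Return [(kind, location), ...] for every resource outside the signed
    document that a verifier must fetch to recompute the digests: Reference
    URIs that are not same-document fragments, and xsl:import / xsl:include
    hrefs inside embedded XSLT transforms."""
    root = ET.fromstring(signature_xml)
    deps = []
    for ref in root.iter("{%s}Reference" % DSIG_NS):
        uri = ref.get("URI")
        if uri and not uri.startswith("#"):
            deps.append(("reference", uri))
        for transform in ref.iter("{%s}Transform" % DSIG_NS):
            if transform.get("Algorithm") != XSLT_TRANSFORM:
                continue
            for tag in ("import", "include"):
                for el in transform.iter("{%s}%s" % (XSL_NS, tag)):
                    deps.append(("xsl:" + tag, el.get("href")))
    return deps


def _signature_with_stylesheet(stylesheet_body):
    """Constructed sample in the shape of the template above: one Reference
    to inout/books.xml carrying an XSLT transform with the given body."""
    return """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <Reference URI="inout/books.xml">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
          <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
            %s
          </xsl:stylesheet>
        </Transform>
      </Transforms>
    </Reference>
  </SignedInfo>
</Signature>""" % stylesheet_body


# Stylesheet fully embedded, as in the working template above.
EMBEDDED = _signature_with_stylesheet(
    '<xsl:template match="books"><html><body><xsl:apply-templates/></body></html></xsl:template>')

# Stylesheet body kept outside the document via xsl:import (hypothetical href).
IMPORTED = _signature_with_stylesheet('<xsl:import href="books.xsl"/>')

# Same-document enveloped signature: nothing external at all.
ENVELOPED = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo><Reference URI=""/></SignedInfo>
</Signature>"""

if __name__ == "__main__":
    for name, doc in (("embedded", EMBEDDED), ("imported", IMPORTED), ("enveloped", ENVELOPED)):
        print(name, external_dependencies(doc))
```

The embedded template reports only the books.xml reference itself, the imported variant adds books.xsl, and the enveloped signature reports nothing. A verifier that refuses or sandboxes any signature with a non-empty list has a simple policy hook for the external-stylesheet question raised in this thread.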
RE: [xmlsec] Mscrypto patch 2, for cvs XMLSEC_MSCRYPTO_083103 branch
Wouter,

Are you saying that for your P12 support, you are using CAPI for the core crypto operations but not for key/cert retrieval ?

Ed

-Original Message-
From: Wouter [mailto:[EMAIL PROTECTED]
Sent: September 4, 2003 9:26 AM
To: Edward Shallow
Cc: 'Roumen Petrov'; 'Wouter'; [EMAIL PROTECTED]

You're right here, but I think it would be nice to have support for pkcs12 as well (which I've just implemented), it makes the core testing the same for every supported platform. In addition to that we could add some extra tests / examples for the Certificate store support.

Wouter

> Wouter,
>
> If one is using MS CAPI or CAPICOM, it is a foregone conclusion one is working keys/certificates from the MS Crypto Store. Building support for PKCS12 outside of the CAPI library makes no sense, since the test will not be exercising the real MS Crypto and Key Store access built into CAPI. The test suite will have to change somewhat, or as a test pre-step, one imports all the P12s into the MS Crypto Store and works with them from that CAPI-centric location. Importing is supported back to Win98 no problem. We have been doing the reverse (while waiting for Wouter), that is: exporting from the MS Crypto Store when the user session starts out to a P12, and then using an XMLSec/OpenSSL build on the exported key/cert.
>
> Ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roumen Petrov
Sent: September 4, 2003 3:28 AM
To: Wouter
Cc: Aleksey Sanin; [EMAIL PROTECTED]

Wouter wrote:
SNIP

> Great that you added the mscrypto option for the tests :) The tests indeed fail since importing of keys is not supported at this time. I was planning to implement pkcs12 support anyway. The only disadvantage is that pkcs 12 import is only supported in windows XP, as far as I know.

No Import of PKCS12 files *.{p12|.pfx} should work with NTx (nt4/w2k/xp) and 95x (+ME). Really I cannot remember for w95, but for 98 works. When ms os has installed IE = 5.x it should work fine.
___ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
[xmlsec] Verify on Microsoft-produced sig
Hi Aleksey,

The attached file is a signature produced by Microsoft's InfoPath (XML Forms Manager from Office 2003). It's an enveloped signature with an extra reference to a comment element. XMLSec verify reports a data and digest problem (as below). InfoPath uses the latest .Net Framework libraries, which are used across all Microsoft XMLDSIG implementations. Is this the same problem as referenced in your FAQ section 3.2? Or is this something else?

Ed

C:\XMLSec> xmlsec verify --store-signatures --print-debug inout/SimpleForm-2003-08-13.xml
func=xmlSecOpenSSLEvpDigestVerify:file=..\src\openssl\digests.c:line=164:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL

P.S. For all the XMLSec followers waiting for a MS CAPI implementation, we have a work-around for our desktop signer which essentially exports the key from the MS Crypto Store using CAPICOM. There XMLSEC can get at it as a P12/PFX on the file system. There is a password prompt, but we enforce password protection of the MS Crypto Store anyway. The only pre-requisite is that the key/cert must be marked as exportable when initially loaded into the MS Crypto Store. It has been getting us by while we wait. Our XMLSec is running OpenSSL on the desktop.

Attachment: SimpleForm-2003-08-13.zip (Zip compressed data)
RE: [xmlsec] X509Data sub-element detail ?
As always, thanks for the quick reply. I'm using Igor's Windows binaries which I believe were and still are at 1.04. Yes the p12 has a cert in it. I can otherwise sign and validate documents signed with it. As I mentioned the X509 gets populated O.K. in the first template below, I'd just like to get the other details in.

If you are tuning in Igor, is there any chance you will be recompiling the Windows binaries for 1.1.0 any time soon?

Thanks in advance,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: August 7, 2003 12:05 AM
To: Edward Shallow
Cc: [EMAIL PROTECTED]

> xmlsec sign --pkcs12 keys/EdSign.p12 --output inout/edsigned1.xml tmpl/tmpl-EPM-sign.xml
>
> ... This in the template works ...
>   <X509Data></X509Data>
> ... This in the template does not ...
>   <X509Data>
>     <X509SubjectName/>
>     <X509Certificate/>
>   </X509Data>

The second template should work if you are using xmlsec-openssl 1.1.0 or xmlsec-nss from CVS trunk. If you have the correct version and it does not work then it's probably a bug somewhere. I would appreciate it if you can file a bug report and provide as much detail as possible (xmlsec version + crypto, os, templates you are using, pkcs12 file if possible).

> Where is the additional X509 detail extracted from? I tried adding:
>   --trusted-der keys/cacert.der
> ... to the command line to no avail.

This has nothing to do with it. --trusted-* options tell xmlsec which certs are trusted when it verifies a signature. XMLSec gets certificates from the key. In your case, from the PKCS12 file. BTW, do you have a cert in this file?

> I'd also like to include other X509 info like issuer, valid from, valid to, cert serial number, etc ...

This goes outside the scope of the XMLDSig specification [1]. All this information is available inside the cert itself and you can include the full certificate using the <X509Certificate/> node.
Aleksey

[1] http://www.w3.org/TR/xmldsig-core/#sec-X509Data
RE: [xmlsec] Encrypt with DES and RSA key wrap
Aleksey,

It seems like it might be an xmlsec command line utility problem as opposed to a library problem per se. However our application is driving the command line utility due to its file-based nature, which suits us just fine. Any insight would be greatly appreciated.

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Shallow
Sent: July 13, 2003 11:42 AM
To: [EMAIL PROTECTED]

Aleksey,

That didn't do it. Must be something deeper. Operation completed but with exactly the same output (i.e. empty inner key CipherValue).

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: July 13, 2003 10:55 AM
To: Edward Shallow
Cc: [EMAIL PROTECTED]

You have a mistake in your template, should be <ds:KeyName>EdShallow</ds:KeyName> instead of <KeyName>EdShallow</KeyName>

Aleksey
RE: [xmlsec] Encrypt with DES and RSA key wrap
Hi Aleksey,

Got it working (i.e. 3des-kt-rsa) with the command line below and the above template, attached for others.

xmlsec encrypt --pubkey-pem EdShallowPub.pem --session-key des-192 --xml-data encrypt1-doc.xml --node-name Salary --output encrypted-3des-kt-RSA.xml tmpl-EPM-encrypt-3des-kt-RSA.xml

Apologies for not being more diligent before posting the previous dumb question.

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: July 13, 2003 3:08 PM
To: Edward Shallow
Cc: [EMAIL PROTECTED]

Take a look at the <ds:KeyInfo/> element. It says that the default namespace is the dsig namespace. Thus, you got the <EncryptedKey/> node in the dsig namespace which is definitely wrong.

Aleksey

<?xml version="1.0" encoding="UTF-8"?>
<!-- XML Security Library example: Original XML doc file before encryption (encrypt2 example). -->
<PersonalData>
  <Name>Ed Shallow</Name>
  <StreetAddress>1234 Mockingbird Lane</StreetAddress>
  <City>Yellowknife</City>
  <PostalCode>W1C6J3</PostalCode>
  <SIN>123456789</SIN>
  <Salary><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" Id="EK">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:KeyName>EdShallowPub.pem</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
          <CipherValue>nBHGOzBuT+DFtBJE+5oCIVwF1gfdcYWWU88T+YfeFygYl1LNpxLCNOTB+7crLxIU
A0aPaNuBIxvfizGYPByA8ByokEshMEeSsFO83uhGA0+TA5FX8aJKl75APiDbBX31
okCyIYwF11HmvpnZD0ap6+Vwx+LSuqJ+lq5idzHJ0n4=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </ds:KeyInfo>
    <CipherData>
      <CipherValue>8UFIiid1kcUKBJtGpLg15YUhkKA/crMrx35vIvY93SM=</CipherValue>
    </CipherData>
  </EncryptedData></Salary>
</PersonalData>

<?xml version="1.0" encoding="UTF-8"?>
<!-- XML Security Library example: XML doc file encrypted with DES sym key then transported using xmlenc#rsa-1_5 -->
<EncryptedData Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>EdShallowPub.pem</ds:KeyName>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue/>
      </CipherData>
    </EncryptedKey>
  </ds:KeyInfo>
  <CipherData>
    <CipherValue/>
  </CipherData>
</EncryptedData>
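The namespace mix-up Aleksey points out (an unprefixed EncryptedKey under a ds:KeyInfo whose default namespace is dsig) and the earlier KeyName vs. ds:KeyName correction are both cases of an element landing in the wrong namespace. The following Python is an added example, not code from this thread or from xmlsec: it parses a template with the standard library and reports every xmlenc/dsig element that is not in the namespace xmlsec expects. Both templates are constructed inline from the ones posted in this thread.

```python
import xml.etree.ElementTree as ET
XMLENC, XMLDSIG = "http://www.w3.org/2001/04/xmlenc#", "http://www.w3.org/2000/09/xmldsig#"
# Namespace each element used in the thread's templates must live in for xmlsec to see it.
EXPECTED_NS = {"EncryptedData": XMLENC, "EncryptedKey": XMLENC, "EncryptionMethod": XMLENC,
               "CipherData": XMLENC, "CipherValue": XMLENC, "KeyInfo": XMLDSIG, "KeyName": XMLDSIG}

# Constructed from the original post's template: xmlns on ds:KeyInfo is dsig, so unprefixed children land in dsig.
BROKEN_TEMPLATE = """<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName>EdShallow</KeyName>
    <EncryptedKey Recipient="name:EdShallow">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <ds:KeyInfo><ds:KeyName>EdShallow</ds:KeyName></ds:KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>
  </ds:KeyInfo>
  <CipherData><CipherValue/></CipherData>
</EncryptedData>"""

# Constructed from the working template: EncryptedKey re-declares the xmlenc default namespace.
FIXED_TEMPLATE = """<EncryptedData Id="ED" xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <ds:KeyInfo><ds:KeyName>EdShallowPub.pem</ds:KeyName></ds:KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>
  </ds:KeyInfo>
  <CipherData><CipherValue/></CipherData>
</EncryptedData>"""

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def check_namespaces(xml_text):
    """Return [(path, actual_ns, expected_ns)] for every mis-namespaced element, in
    document order; an empty list means the template is namespace-consistent."""
    problems = []
    def walk(elem, path):
        ns, local = split_tag(elem.tag)
        if local in EXPECTED_NS and ns != EXPECTED_NS[local]:
            problems.append((path, ns, EXPECTED_NS[local]))
        for child in elem:
            walk(child, path + "/" + split_tag(child.tag)[1])
    root = ET.fromstring(xml_text)
    walk(root, "/" + split_tag(root.tag)[1])
    return problems
```

On the broken template the check flags EncryptedKey and its EncryptionMethod, CipherData and CipherValue as sitting in the dsig namespace, which is why xmlsec never filled the inner CipherValue; the fixed template produces no findings.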
[xmlsec] Encrypt with DES and RSA key wrap
Hi Aleksey,

I have just about everything working except a 3DES symmetric encrypt whose key is RSA wrapped. I send in this on the xmlsec command line util ...

xmlsec encrypt --xml-data encrypt1-doc.xml --node-name Salary --deskey deskey.bin --pubkey-pem EdShallowPub.pem --output encrypted-DES-wrap.xml tmpl-EPM-encrypt-DES-RSA-wrap.xml

Using the attached template tmpl-EPM-encrypt-DES-RSA-wrap.xml I get the following attached output in encrypted-DES-wrap.xml. It seems to be ignoring the request to wrap the key since the inner CipherValue is empty? Any ideas? Both 3DES and RSA work fine alone but not together?

Thanks Again,
Ed

<?xml version="1.0" encoding="UTF-8"?>
<!-- XML Security Library example: XML doc file encrypted with DES sym key then wrapped using xmlenc#rsa-1_5 -->
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName>EdShallow</KeyName>
    <EncryptedKey Recipient="name:EdShallow">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <ds:KeyInfo>
        <ds:KeyName>EdShallow</ds:KeyName>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue></CipherValue>
      </CipherData>
    </EncryptedKey>
  </ds:KeyInfo>
  <CipherData>
    <CipherValue></CipherValue>
  </CipherData>
</EncryptedData>

<?xml version="1.0" encoding="UTF-8"?>
<!-- XML Security Library example: Original XML doc file before encryption (encrypt2 example). -->
<PersonalData>
  <Name>Ed Shallow</Name>
  <StreetAddress>1234 Mockingbird Lane</StreetAddress>
  <City>Yellowknife</City>
  <PostalCode>W1C6J3</PostalCode>
  <SIN>123456789</SIN>
  <Salary>1,000,000,000,000</Salary>
</PersonalData>

<?xml version="1.0" encoding="UTF-8"?>
<!-- XML Security Library example: Original XML doc file before encryption (encrypt2 example). -->
<PersonalData>
  <Name>Ed Shallow</Name>
  <StreetAddress>1234 Mockingbird Lane</StreetAddress>
  <City>Yellowknife</City>
  <PostalCode>W1C6J3</PostalCode>
  <SIN>123456789</SIN>
  <Salary><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <ds:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <KeyName>EdShallow</KeyName>
      <EncryptedKey Recipient="name:EdShallow">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo>
          <ds:KeyName>EdShallow</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
          <CipherValue/>
        </CipherData>
      </EncryptedKey>
    </ds:KeyInfo>
    <CipherData>
      <CipherValue>X7P1n2DcBY2vK/CGpokpGZRRZgRxjUqKJ9tmhj8zp7I=</CipherValue>
    </CipherData>
  </EncryptedData></Salary>
</PersonalData>
[xmlsec] Can't Encrypt with command-line utility
Hi Aleksey,

I can't get this simple xmlsec command line utility version of your encrypt1 example to work. Files (renamed) are straight from your examples directory. I'm using the most recent pre-compiled Windows version 1.0.3 from Igor's site. Console output below. Any ideas?

xmlsec encrypt --xml-data encrypt1-doc.xml --deskey deskey.bin tmpl-EPM-encrypt.xml
func=xmlSecEncCtxXmlEncrypt:file=..\src\xmlenc.c:line=417:obj=unknown:subj=unknown:error=14:invalid type:type=NULL
Error: failed to encrypt xml file encrypt1-doc.xml
Error: failed to encrypt file with template tmpl-EPM-encrypt.xml

Also if it is not too much trouble, I would like a simple template and command line encrypt example which uses the recipient's public key file (instead of deskey.bin). I assume this would be in conjunction with some suitable symmetric block cipher. Any example would help.

Thanks,
Ed

<?xml version="1.0"?>
<!-- XML Security Library example: Simple encryption template file for encrypt1 example. -->
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName>deskey.bin</KeyName>
  </KeyInfo>
  <CipherData>
    <CipherValue></CipherValue>
  </CipherData>
</EncryptedData>

<?xml version="1.0" encoding="UTF-8"?>
<!-- XML Security Library example: Original XML doc file before encryption (encrypt2 example). -->
<Envelope xmlns="urn:envelope">
  <Data>
    Data to Encrypt. Ed test July 6, 2003.
  </Data>
</Envelope>
[xmlsec] Including the X509 ?
Hi Aleksey,

Firstly, I love your library, marvelous achievement. Now, I'd like to get the sign to include my signing certificate in signed documents. If I manually insert them in the template file, and do a command line like this:

xmlsec sign --privkey-pem:EdShallow EdShallow.pem --trusted-der cacert.der --output edsigned1.xml --pwd 123456 templateX509.xml

... And including the KeyInfo in the template as such ...

<KeyInfo>
  <KeyName>YourName</KeyName>
  <X509Data>
    <X509Certificate>
      MII ...
      ...

Everything works great !!! However, what do I put in the xmlsec command line and in the template file to get xmlsec to automatically include the X509Certificate in the resultant signed document? Or should I be using sign-tmpl?

Thanks,
Ed