RE: [xmlsec] RE: Need urgent help for verify
Hi, Is there a way to load a PCCERT_CONTEXT into the KeyManager? For example something like. xmlSecPtrListAdd( PCCERT_CONTEXT,)? Thanks Jürgen ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [xmlsec] RE: Need urgent help for verify
By the way. I can verify the xml file now if I load the root certificate before verify. xmlSecCryptoAppKeysMngrCertLoad (keyMngr, rootcert ). Is there also a way to load the root cert into the keymanager if the root cert is already in one PCCERT_CONTEXT struct? Thanks for any help Jürgen -Original Message- From: Jürgen Heiss Sent: Freitag, 02. Juni 2006 11:26 To: 'xmlsec@aleksey.com' Subject: RE: [xmlsec] RE: Need urgent help for verify Hi, Is there a way to load a PCCERT_CONTEXT into the KeyManager? For example something like. xmlSecPtrListAdd( PCCERT_CONTEXT,)? Thanks Jürgen ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
Re: [xmlsec] RE: Need urgent help for verify
Is there also a way to load the root cert into the keymanager if the root cert is already in one PCCERT_CONTEXT struct? xmlSecMSCryptoX509StoreAdoptCert() Aleksey ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [xmlsec] RE: Need urgent help for verify
Hi everybody, Well you are right, its really the Keyname. So if I remove the Keyname it works. But of course the document isn't anymore valid. Is there a way always to ignore the keyname and use the the certificate by verify a signed document? What is the xmlSecDSigCtx::keyInfoReadCtx-enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx-enabledKeyData For? How must I use them? Thanks I advance. Jürgen -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin Sent: Mittwoch, 31. Mai 2006 22:20 To: [EMAIL PROTECTED]; xmlsec@aleksey.com Subject: Re: [xmlsec] RE: Need urgent help for verify Yes xmlSecDSigCtx::keyInfoReadCtx-enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx-enabledKeyData Aleksey [EMAIL PROTECTED] wrote: Yes you are right !!! I forgot about that. You mean the --enabled-key-data list in the command line utility ? Where is this in the API ? in the Ctx ? - Original Message From: Aleksey Sanin [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Jürgen Heiss [EMAIL PROTECTED]; xmlsec@aleksey.com Sent: Wednesday, May 31, 2006 2:31:14 PM Subject: Re: [xmlsec] RE: Need urgent help for verify Does it not make sense to check X509Certificate first ? Or must we consciously remove KeyName to avoid problems in the mscrypto world where the chances of actually having the public verification certificate in the verifiers mscrypto store is remote at best ? I think, that either signer or verifier should decide if KeyName makes sense for him/her or not. In xmlsec, there is a way to disable KeyName usage for verification, for example. Aleksey ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [xmlsec] RE: Need urgent help for verify
What do you mean the document is no longer valid ? If it verifies the References covered by the signature are valid. If the DN in the certificate refers to the same certifiacte as the friendly name in the KeyName, the KeyName is redundant. This is what I am doing. I am removing the Keyname for the verify and then putting it back in for consistency. Alternatively you can tell xmlsec which key sources to consult using the enabledKeyData list. I find this a pain and prefer to check the keys in each location myself. If you have created the signature yourself and are subsequently verifying it, you know they are the same. They should rarely differ. In fact I cannot think of an instance where the contents of X509Certificate should get overridden by KeyName in a Verify. Even when including issuer certificates, they end up as more than one X509Certificate. I buy that if X509Certifiate is not there one can consult KeyName, but rarely if ever the reverse. But that is just my opinion. I would like to see an order to the certificate search. Ed -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jürgen Heiss Sent: June 1, 2006 2:40 AM To: Aleksey Sanin; [EMAIL PROTECTED]; xmlsec@aleksey.com Subject: RE: [xmlsec] RE: Need urgent help for verify Hi everybody, Well you are right, its really the Keyname. So if I remove the Keyname it works. But of course the document isn't anymore valid. Is there a way always to ignore the keyname and use the the certificate by verify a signed document? What is the xmlSecDSigCtx::keyInfoReadCtx-enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx-enabledKeyData For? How must I use them? Thanks I advance. Jürgen -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin Sent: Mittwoch, 31. Mai 2006 22:20 To: [EMAIL PROTECTED]; xmlsec@aleksey.com Subject: Re: [xmlsec] RE: Need urgent help for verify Yes xmlSecDSigCtx::keyInfoReadCtx-enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx-enabledKeyData Aleksey [EMAIL PROTECTED] wrote: Yes you are right !!! I forgot about that. You mean the --enabled-key-data list in the command line utility ? Where is this in the API ? in the Ctx ? - Original Message From: Aleksey Sanin [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Jürgen Heiss [EMAIL PROTECTED]; xmlsec@aleksey.com Sent: Wednesday, May 31, 2006 2:31:14 PM Subject: Re: [xmlsec] RE: Need urgent help for verify Does it not make sense to check X509Certificate first ? Or must we consciously remove KeyName to avoid problems in the mscrypto world where the chances of actually having the public verification certificate in the verifiers mscrypto store is remote at best ? I think, that either signer or verifier should decide if KeyName makes sense for him/her or not. In xmlsec, there is a way to disable KeyName usage for verification, for example. Aleksey ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [xmlsec] RE: Need urgent help for verify
Ups I think I don't understand something. I call the function if(xmlSecDSigCtxVerify(dsigCtx, data-startNode) 0) And how it look this function look in the KeyName and try to get the certificate from the registry. But of course the certificate isn't registered. So, what if have to do the load the certificate which is In the signed XML-doucument. How I can tell the function xmlSecDSigCtxVerify to get the certificate from the signed xml File and to don't try to look in the registry because there it will be not? So how I can handle this that I always load the certificate with which the document was signed. Thanks Jürgen -Original Message- From: Edward Shallow [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 01. Juni 2006 12:30 To: Jürgen Heiss; 'Aleksey Sanin'; xmlsec@aleksey.com Subject: RE: [xmlsec] RE: Need urgent help for verify What do you mean the document is no longer valid ? If it verifies the References covered by the signature are valid. If the DN in the certificate refers to the same certifiacte as the friendly name in the KeyName, the KeyName is redundant. This is what I am doing. I am removing the Keyname for the verify and then putting it back in for consistency. Alternatively you can tell xmlsec which key sources to consult using the enabledKeyData list. I find this a pain and prefer to check the keys in each location myself. If you have created the signature yourself and are subsequently verifying it, you know they are the same. They should rarely differ. In fact I cannot think of an instance where the contents of X509Certificate should get overridden by KeyName in a Verify. Even when including issuer certificates, they end up as more than one X509Certificate. I buy that if X509Certifiate is not there one can consult KeyName, but rarely if ever the reverse. But that is just my opinion. I would like to see an order to the certificate search. Ed -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jürgen Heiss Sent: June 1, 2006 2:40 AM To: Aleksey Sanin; [EMAIL PROTECTED]; xmlsec@aleksey.com Subject: RE: [xmlsec] RE: Need urgent help for verify Hi everybody, Well you are right, its really the Keyname. So if I remove the Keyname it works. But of course the document isn't anymore valid. Is there a way always to ignore the keyname and use the the certificate by verify a signed document? What is the xmlSecDSigCtx::keyInfoReadCtx-enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx-enabledKeyData For? How must I use them? Thanks I advance. Jürgen -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin Sent: Mittwoch, 31. Mai 2006 22:20 To: [EMAIL PROTECTED]; xmlsec@aleksey.com Subject: Re: [xmlsec] RE: Need urgent help for verify Yes xmlSecDSigCtx::keyInfoReadCtx-enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx-enabledKeyData Aleksey [EMAIL PROTECTED] wrote: Yes you are right !!! I forgot about that. You mean the --enabled-key-data list in the command line utility ? Where is this in the API ? in the Ctx ? - Original Message From: Aleksey Sanin [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Jürgen Heiss [EMAIL PROTECTED]; xmlsec@aleksey.com Sent: Wednesday, May 31, 2006 2:31:14 PM Subject: Re: [xmlsec] RE: Need urgent help for verify Does it not make sense to check X509Certificate first ? Or must we consciously remove KeyName to avoid problems in the mscrypto world where the chances of actually having the public verification certificate in the verifiers mscrypto store is remote at best ? I think, that either signer or verifier should decide if KeyName makes sense for him/her or not. In xmlsec, there is a way to disable KeyName usage for verification, for example. Aleksey ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
RE: [xmlsec] RE: Need urgent help for verify
My point exactly !!! If X509Certificate is there, then one can only assume the signer wants you to use it. In xmlsec we are using the KeyName at signing time for convenience. It does stay in the signature though. The problem is KeyName gets in the way when verifying. Again, I would vote for precedence order. Check X509Certificate first. If KeyName is the same (i.e. CN= from X509Certificate is the same as friendly-name in KeyName) DO NOT GO TO MS Cert Store as they are the same and the in-signature certificate is fine. Beside the public cert will not be in the cert store anyway !!! Aleksey ? Ed -Original Message- From: Jürgen Heiss [mailto:[EMAIL PROTECTED] Sent: June 1, 2006 6:53 AM To: [EMAIL PROTECTED]; Aleksey Sanin; xmlsec@aleksey.com Subject: RE: [xmlsec] RE: Need urgent help for verify Ups I think I don't understand something. I call the function if(xmlSecDSigCtxVerify(dsigCtx, data-startNode) 0) And how it look this function look in the KeyName and try to get the certificate from the registry. But of course the certificate isn't registered. So, what if have to do the load the certificate which is In the signed XML-doucument. How I can tell the function xmlSecDSigCtxVerify to get the certificate from the signed xml File and to don't try to look in the registry because there it will be not? So how I can handle this that I always load the certificate with which the document was signed. Thanks Jürgen -Original Message- From: Edward Shallow [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 01. Juni 2006 12:30 To: Jürgen Heiss; 'Aleksey Sanin'; xmlsec@aleksey.com Subject: RE: [xmlsec] RE: Need urgent help for verify What do you mean the document is no longer valid ? If it verifies the References covered by the signature are valid. If the DN in the certificate refers to the same certifiacte as the friendly name in the KeyName, the KeyName is redundant. This is what I am doing. I am removing the Keyname for the verify and then putting it back in for consistency. Alternatively you can tell xmlsec which key sources to consult using the enabledKeyData list. I find this a pain and prefer to check the keys in each location myself. If you have created the signature yourself and are subsequently verifying it, you know they are the same. They should rarely differ. In fact I cannot think of an instance where the contents of X509Certificate should get overridden by KeyName in a Verify. Even when including issuer certificates, they end up as more than one X509Certificate. I buy that if X509Certifiate is not there one can consult KeyName, but rarely if ever the reverse. But that is just my opinion. I would like to see an order to the certificate search. Ed -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jürgen Heiss Sent: June 1, 2006 2:40 AM To: Aleksey Sanin; [EMAIL PROTECTED]; xmlsec@aleksey.com Subject: RE: [xmlsec] RE: Need urgent help for verify Hi everybody, Well you are right, its really the Keyname. So if I remove the Keyname it works. But of course the document isn't anymore valid. Is there a way always to ignore the keyname and use the the certificate by verify a signed document? What is the xmlSecDSigCtx::keyInfoReadCtx-enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx-enabledKeyData For? How must I use them? Thanks I advance. Jürgen -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin Sent: Mittwoch, 31. Mai 2006 22:20 To: [EMAIL PROTECTED]; xmlsec@aleksey.com Subject: Re: [xmlsec] RE: Need urgent help for verify Yes xmlSecDSigCtx::keyInfoReadCtx-enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx-enabledKeyData Aleksey [EMAIL PROTECTED] wrote: Yes you are right !!! I forgot about that. You mean the --enabled-key-data list in the command line utility ? Where is this in the API ? in the Ctx ? - Original Message From: Aleksey Sanin [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Jürgen Heiss [EMAIL PROTECTED]; xmlsec@aleksey.com Sent: Wednesday, May 31, 2006 2:31:14 PM Subject: Re: [xmlsec] RE: Need urgent help for verify Does it not make sense to check X509Certificate first ? Or must we consciously remove KeyName to avoid problems in the mscrypto world where the chances of actually having the public verification certificate in the verifiers mscrypto store is remote at best ? I think, that either signer or verifier should decide if KeyName makes sense for him/her or not. In xmlsec, there is a way to disable KeyName usage for verification, for example. Aleksey ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com
[xmlsec] RE: Need urgent help for verify
Does
really now one have any idea?
Hi,
I use the following
code to verify a signed file.
The problem is now,
the xmlSecDSigCtxVerify crahses if the certificate isn't installed on my
machine!?!
How can I check this
file? Can I excract the certificate and load it into a
xmlSecKeysMngrPtr?
thanks for any
help.
some
code
if(xmlSecDSigCtxInitialize(dsigCtx, gKeysMngr) 0)
return (V_INTERNAL);
if(xmlSecAppPrepareDSigCtx(dsigCtx) 0)
{xmlSecDSigCtxFinalize(dsigCtx);return
V_INTERNAL;}
/* parse
template and select start node */data =
"" xmlSecNodeSignature,
xmlSecDSigNs);if(data == NULL)
{xmlSecDSigCtxFinalize(dsigCtx);if(data
!= NULL)
xmlSecAppXmlDataDestroy(data);return
V_INTERNAL;}
/* sign
*/start_time = clock();if(xmlSecDSigCtxVerify(dsigCtx,
data-startNode) 0)
___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
Re: [xmlsec] RE: Need urgent help for verify
Sure, agree. But the KeyName means something specific in the mscrypto world as xmlsec isinterpretting it as the MS "friendly" cert name in the crypto store. I would contend that priority should be given to any included X509Certificate when verifying. This is one of the reasons signers attempt to make things as easy as possible for the verifier by including such things. Even CRLs and issuer certs make verification almost totally independent of external dependencies. Does it not make sense to check X509Certificate first ? Or must we consciously remove KeyName to avoid problems in the mscrypto world where the chances of actually having the public verification certificate in the verifiers mscrypto store is remote at best ? Ed- Original Message From: Aleksey Sanin [EMAIL PROTECTED]To: [EMAIL PROTECTED]Cc: Jürgen Heiss [EMAIL PROTECTED]; xmlsec@aleksey.comSent: Wednesday, May 31, 2006 11:54:26 AMSubject: Re: [xmlsec] RE: Need urgent help for verify I would wager, but Alexsey is the expert, that it might be a good idea to ignore the KeyName if an X509Certificate is present when Verifying. After all the reason it got there in the first place is that it was used to select the cert/key when you originally signed it with xmlsec and is left over from the sign operation. It will verify fine if you manually remove the KeyName. Comments Alexsey ? Well, when you verify a signature, you have to find a key. If bothKeyName and Certificate are present then you have to try both sinceyou don't know which one will workAleksey___xmlsec mailing listxmlsec@aleksey.comhttp://www.aleksey.com/mailman/listinfo/xmlsec___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
Re: [xmlsec] RE: Need urgent help for verify
Does it not make sense to check X509Certificate first ? Or must we consciously remove KeyName to avoid problems in the mscrypto world where the chances of actually having the public verification certificate in the verifiers mscrypto store is remote at best ? I think, that either signer or verifier should decide if KeyName makes sense for him/her or not. In xmlsec, there is a way to disable KeyName usage for verification, for example. Aleksey ___ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
