RE: [xmlsec] Invalid data char=B; base=10 on verify
Thanks a million. Turns out that any "hex" characters in the serial number (e.g. 1D) will cause the problem. Certs with only numbers in them work.

Thanks again,
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: November 11, 2003 12:57 AM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Invalid data char=B; base=10 on verify

The problem is caused by incorrect conversion of a big integer to a string. Instead of using base 10 the function incorrectly used base 16. Thus you'll get incorrect numbers sometimes. This function is used in writing, thus you got it only when you've used this node in your template.

Aleksey

Edward Shallow wrote:

>Thanks,
>
> Are there any specific characters that cause or are affected by this
>problem? I don't get it for many schemas and documents?
>
>I have a demo tomorrow and was wondering if I could work around it?
>
>Ed

___
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
Re: [xmlsec] Invalid data char=B; base=10 on verify
The problem is caused by incorrect conversion of a big integer to a string. Instead of using base 10 the function incorrectly used base 16. Thus you'll get incorrect numbers sometimes. This function is used in writing, thus you got it only when you've used this node in your template.

Aleksey

Edward Shallow wrote:

>Thanks,
>
> Are there any specific characters that cause or are affected by this
>problem? I don't get it for many schemas and documents?
>
>I have a demo tomorrow and was wondering if I could work around it?
>
>Ed
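Added example, not part of the original messages and not xmlsec code: a sketch of the base mismatch described above (a writer that emits base 16 text where the reader parses base 10), run over constructed serials 0..255. It assumes a 64-bit integer in place of the library's arbitrary-precision number, and the function names are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

static const char DIGITS[] = "0123456789ABCDEF";
enum { RT_OK, RT_WRONG_VALUE, RT_PARSE_ERROR };

/* Render v in `base` (2..16). buf must hold 65 bytes; returns the start of the text. */
static char *bn_to_string(unsigned long long v, unsigned base, char *buf) {
    char *p = buf + 64;
    *p = '\0';
    do {
        *--p = DIGITS[v % base];
        v /= base;
    } while (v != 0);
    return p;
}

/* Parse s in `base`. Returns 0 on success, else the first character invalid in that base. */
static int bn_from_string(const char *s, unsigned base, unsigned long long *out) {
    *out = 0;
    for (; *s != '\0'; s++) {
        const char *d = strchr(DIGITS, *s);
        if (d == NULL || (unsigned)(d - DIGITS) >= base) return *s;
        *out = *out * base + (unsigned)(d - DIGITS);
    }
    return 0;
}

/* Write a serial with write_base, then read it back as decimal, as the verify side does. */
static int roundtrip(unsigned long long serial, unsigned write_base) {
    char buf[65];
    unsigned long long back;
    if (bn_from_string(bn_to_string(serial, write_base, buf), 10, &back) != 0) return RT_PARSE_ERROR;
    return back == serial ? RT_OK : RT_WRONG_VALUE;
}

/* Tally the three outcomes for constructed serials 0..255 into counts[3]. */
static void survey(unsigned write_base, int counts[3]) {
    counts[RT_OK] = counts[RT_WRONG_VALUE] = counts[RT_PARSE_ERROR] = 0;
    for (unsigned long long serial = 0; serial < 256; serial++) counts[roundtrip(serial, write_base)]++;
}

int main(void) {
    int c[3];
    survey(16, c); /* writer with the wrong base */
    printf("base 16 writer: ok=%d wrong=%d error=%d\n", c[0], c[1], c[2]);
    survey(10, c); /* writer with the corrected base */
    printf("base 10 writer: ok=%d wrong=%d error=%d\n", c[0], c[1], c[2]);
    return 0;
}
```

In this sketch a serial whose hex form contains A-F stops the parser at that character, while one whose hex form is all decimal digits (0x15 written as "15") parses without error to a different number.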
RE: [xmlsec] Invalid data char=B; base=10 on verify
Thanks,

Are there any specific characters that cause or are affected by this problem? I don't get it for many schemas and documents?

I have a demo tomorrow and was wondering if I could work around it?

Ed

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: November 11, 2003 12:24 AM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Invalid data char=B; base=10 on verify

Sick! Stupid me :( This one line patch below should fix it. The patch is checked in CVS and would be in the next release in a couple days. This code is not used by OpenSSL thus you have no problems with it.

Thanks for bug report and sorry for inconvenience!

Aleksey

Index: src/bn.c === RCS file: /cvs/gnome/xmlsec/src/bn.c,v retrieving revision 1.10 diff -u -r1.10 bn.c --- src/bn.c26 Sep 2003 16:53:19 - 1.10 +++ src/bn.c11 Nov 2003 05:20:39 - @@ -364,7 +364,7 @@ */ xmlChar* xmlSecBnToDecString(xmlSecBnPtr bn) { -return(xmlSecBnToString(bn, 16)); +return(xmlSecBnToString(bn, 10)); } /**

Edward Shallow wrote:

>I retried the run below with OpenSSL and it works. Problem is unique to
>--ms-crypto. Can I send you anything else?
>
>Ed
Re: [xmlsec] Invalid data char=B; base=10 on verify
Sick! Stupid me :( This one line patch below should fix it. The patch is checked in CVS and would be in the next release in a couple days. This code is not used by OpenSSL thus you have no problems with it.

Thanks for bug report and sorry for inconvenience!

Aleksey

Index: src/bn.c === RCS file: /cvs/gnome/xmlsec/src/bn.c,v retrieving revision 1.10 diff -u -r1.10 bn.c --- src/bn.c26 Sep 2003 16:53:19 - 1.10 +++ src/bn.c11 Nov 2003 05:20:39 - @@ -364,7 +364,7 @@ */ xmlChar* xmlSecBnToDecString(xmlSecBnPtr bn) { -return(xmlSecBnToString(bn, 16)); +return(xmlSecBnToString(bn, 10)); } /**

Edward Shallow wrote:

>I retried the run below with OpenSSL and it works. Problem is unique to
>--ms-crypto. Can I send you anything else?
>
>Ed
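Review bot: The corrected line return(xmlSecBnToString(bn, 10)); in xmlSecBnToDecString comes with no test tying the writer to the reader, and the failure reported in this thread only surfaced when xmlSecBnFromString rejected char=B with base=10. Consider adding a round-trip check that feeds the output of xmlSecBnToDecString back through the base 10 parser, using one value whose hex form contains a letter (the 1D serial mentioned in the thread) and one whose hex form is all decimal digits, since the second kind parses without error but comes back as a different number.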
RE: [xmlsec] Invalid data char=B; base=10 on verify
I retried the run below with OpenSSL and it works. Problem is unique to --ms-crypto. Can I send you anything else?

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Shallow
Sent: November 10, 2003 11:47 PM
To: [EMAIL PROTECTED]
Subject: [xmlsec] Invalid data char=B; base=10 on verify

Hi Aleksey,

I have a strange one here. I am using --ms-crypto (thanks Wouter and Aleksey) with an XPath-filter (intersect and subtract). I have used a similar template in dozens of tests. Sign works fine. --store-references shows intersect, subtract working fine. However when I go to verify, I get the error below referring to some invalid data, yet messages state OK 1/1 etc ...

As you can see there is next to nothing in the xml doc being signed. I have included input and output from successful sign operation as attachments. The only thing different is the absence of namespace qualifier in base document.

Any ideas? This is for the UN.

Ed

C:\epmsigner-dev\XMLSec>xmlsec sign --crypto mscrypto --output C:/epmsigner-dev/infopath/FFIEPMcompleted.signed.xml C:/epmsigner-dev/infopath/FFIEPMcompleted2.ToBeSigned.xml

C:\epmsigner-dev\XMLSec>xmlsec verify --crypto mscrypto C:/epmsigner-dev/infopath/FFIEPMcompleted.signed.xml
func=xmlSecBnFromString:file=..\src\bn.c:line=214:obj=unknown:subj=unknown:error=12:invalid data:char=B;base=10;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=586:obj=unknown:subj=xmlSecBnInitialize:error=1:xmlsec library function failed:;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
[xmlsec] Invalid data char=B; base=10 on verify
Hi Aleksey,

I have a strange one here. I am using --ms-crypto (thanks Wouter and Aleksey) with an XPath-filter (intersect and subtract). I have used a similar template in dozens of tests. Sign works fine. --store-references shows intersect, subtract working fine. However when I go to verify, I get the error below referring to some invalid data, yet messages state OK 1/1 etc ...

As you can see there is next to nothing in the xml doc being signed. I have included input and output from successful sign operation as attachments. The only thing different is the absence of namespace qualifier in base document.

Any ideas? This is for the UN.

Ed

C:\epmsigner-dev\XMLSec>xmlsec sign --crypto mscrypto --output C:/epmsigner-dev/infopath/FFIEPMcompleted.signed.xml C:/epmsigner-dev/infopath/FFIEPMcompleted2.ToBeSigned.xml

C:\epmsigner-dev\XMLSec>xmlsec verify --crypto mscrypto C:/epmsigner-dev/infopath/FFIEPMcompleted.signed.xml
func=xmlSecBnFromString:file=..\src\bn.c:line=214:obj=unknown:subj=unknown:error=12:invalid data:char=B;base=10;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=586:obj=unknown:subj=xmlSecBnInitialize:error=1:xmlsec library function failed:;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
RE: Fwd: Re: [xmlsec] Problems with MScryto.
Hi,

You can try to load the public key as well as the private key with the same call. I think that setting keyrequest info something like this:

keyInfoCtx->keyReq.keyType = xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic

should do the trick.

Wouter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francisco Lechón
Sent: Friday, November 07, 2003 19:02
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Fwd: Re: [xmlsec] Problems with MScryto.

Hello Wouter,

Thank you very much by the aid that you have contributed to me.

Now, I have a problem. As I can add to the signature the node that contains the information of the public key?

... zUhfl2qzFXgfyBtkEGknBs= AQAB ...

When attempt to add it to a signature, is empty:

... ...

Following the code, I arrive at a point where it says to me that the key is private.

...
int
xmlSecKeyReqMatchKey(xmlSecKeyReqPtr keyReq, xmlSecKeyPtr key) {
    xmlSecAssert2(keyReq != NULL, -1);
    xmlSecAssert2(xmlSecKeyIsValid(key), -1);

    if((keyReq->keyType != xmlSecKeyDataTypeUnknown) &&
       ((xmlSecKeyGetType(key) & keyReq->keyType) == 0)) {
--->    return(0);
    }
...

Is necessary to initialize some field to be able to add to the node < KeyValue >?

Thanks,
Paco.

>You could try something like this (I've removed error handling and other
>stuff to make it more clear):
>
>(...)
>xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
>xmlSecCryptoAppDefaultKeysMngrInit(mngr);
>
>xmlSecKeyInfoCtxPtr keyInfoCtx = xmlSecKeyInfoCtxCreate(mngr);
>keyInfoCtx->keyReq.keyType = xmlSecKeyDataTypePrivate;
>
>dsigCtx->signKey = xmlSecKeysMngrFindKey(mngr, (xmlChar *)cert_name, keyInfoCtx);
>(...)
>
>"cert_name" can be either a so called friendly name of your certificate
>you want to use or a subject dn string of the certificate. libxmlsec will
>try to locate this cert (with private key) in your default certificate
>store location.
>
>Wouter
>
> > Hello,
> >
> > Before nothing, thanks to answer express.
> > You are right, that way are two ways to work with mscrypto:
> > - Using pkcs12,
> > - and using the keys of the certificate store directly.
> >
> > You have some small example to directly load and to use the keys from the
> > certificate store?
> > Because with himself not to do it.
> >
> > Thanks.
> > Paco
> >
> >>From: "Wouter"
> >>To: Francisco Lechón
> >>CC: [EMAIL PROTECTED]
> >>Subject: Re: [xmlsec] Problems with MScryto.
> >>Date: Thu, 6 Nov 2003 13:24:42 +0100 (CET)
> >>
> >>Hi,
> >>
> >>The example you're referring to doesn't work because mscrypto does not
> >>support importing of private keys in any other format than pkcs12. So you
> >>should either use a pkcs12 file for importing the keys, or use a private
> >>key that is in your certificate store, and load/use that one.
> >>
> >>Wouter
> >>
> >> >I am executing the example < sign2.c > of package XMLSEC in a system
> >> >Windows and using MScripto and it does not work correctly.
> >> >I do not understand the code of the function < xmlSecMSCryptoAppKeyLoad >,
> >> >I use like parameters, the file that contains the private key, and I
> >> >indicate that the format is < to xmlSecKeyDataFormatDer >, but the
> >> >function generates an error. The code for that format is not implemented.
> >> >I understand that that error is because uses the method of the interface
> >> >of the CryptoAPI, and I am passing him a key private.
> >> >It is not finished to use the CryptoAPI?
> >> >Somebody can help me sending some example that works using Windows and
> >> >CryptoAPI?
> >> >Thanks
Re: [xmlsec] Problem with --with-mozilla-ver configure option
On Mon, Nov 10, 2003 at 03:38:59PM +0200, Roumen Petrov wrote:
> Daniel Veillard wrote:
>
> >On Fri, Nov 07, 2003 at 07:32:40AM -0800, Aleksey Sanin wrote:
> >
> >>>2.) About second diff:
> >>>Might is typo err: $(datadir) or ${datadir} ?
> >>>
> >>This seems to be working fine for me thus I think this is correct :)
> >>
> Yes it work.

  so why the fuss ?

> Correct style in configure{|.in|.ac} is to use {} not (), as example

  Why ?

> bindir is defined as ' ${exec_prefix}/bin' not as ' $(exec_prefix)/bin'.

  $(exec_prefix) sounds perfectly fine as a make evaluation variable.
If you have a point, make it, but back it up with some substance, please.

Daniel

--
Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
[EMAIL PROTECTED]    | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
Re: [xmlsec] Problem with --with-mozilla-ver configure option
Daniel Veillard wrote:

On Fri, Nov 07, 2003 at 07:32:40AM -0800, Aleksey Sanin wrote:

2.) About second diff:
Might is typo err: $(datadir) or ${datadir} ?

This seems to be working fine for me thus I think this is correct :)

Yes it work.

this is correct because this is evaluated by the Makefile, not by the shell.

Daniel

O.K., but let see one of generated Makefile[s]:

exec_prefix = ${prefix}
bindir = ${exec_prefix}/bin
sbindir = ${exec_prefix}/sbin
libexecdir = ${exec_prefix}/libexec
datadir = ${prefix}/share
sysconfdir = ${prefix}/etc

Correct style in configure{|.in|.ac} is to use {} not (), as example bindir is defined as ' ${exec_prefix}/bin' not as ' $(exec_prefix)/bin'.