RE: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

2006-01-12 Thread Edward Shallow
Yes thanks for your help. I will triple check everything on a new machine.

Cheers,
Ed  

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec




Re: [Bulk] Re: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

2006-01-12 Thread Aleksey Sanin

I am really sorry but I don't understand what you are complaining
about. I don't observe the problem you have. And I can do nothing
unless you give exact steps to reproduce it.

Aleksey



RE: [Bulk] Re: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

2006-01-12 Thread Edward Shallow
Yes of course I get a match on "Test User 1" and everything works. The point
is "It shouldn't work". When I do not load --trusted-der it should not work,
and it does. Meaning "No cert chain checking".

It is impossible for your script to work without loading "Test User 1" into
the 'MY' store. In fact the command line utility defaults to 'MY' so you
have to put it there. If you are using my signed document it contains
. You said you are not using --enabled-key-data so standard
processing in mscrypto will try to find "Test User 1" no matter what.

There is nothing tricky about my setup, it passes all your test suite
perfectly.

I am puzzled at your explanation?

Ed 







Re: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

2006-01-12 Thread Aleksey Sanin

As I wrote, I *did not* use this option in my test. What your
results show is exactly what I already explained to you: the
key w/o "--enabled-key-data retrieval-method,x509,raw-x509-cert"
is searched by key name and you have a match in your MS Crypto
store.

Aleksey



RE: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

2006-01-12 Thread Edward Shallow
Aleksey,

I was able to produce exactly what you produced with the selection below of
--enabled-key-data. The message is identical. What you are seeing has
nothing to do with cert chain verification. It is likely related to your
inability to get the "Test User 1" certificate from the crypto store given
the new --enabled-key-data constraint.

You still have an mscrypto problem.

Ed


C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der --enabled-key-data retrieval-method,x509,raw-x509-cert inout/edsigned-enveloped.xml

func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x);last error msg=The operation completed successfully.

func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x);last error msg=The operation completed successfully.

func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=0 (0x);last error msg=The operation completed successfully.

func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=0 (0x);last error msg=The operation completed successfully.

Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "inout/edsigned-enveloped.xml"

 



Re: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

2006-01-12 Thread Aleksey Sanin

I did not convert or load anything. I just ran the two command lines
from your email "as-is" and got the results I expect to see. I don't know
what the problem you have is, but I think it is clear that it is somehow
related to the setup you have.

Aleksey



RE: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

2006-01-12 Thread Edward Shallow
Your messages are very short?

There is no mistake with the adding/removing of certs in the MS Store as
there is only one cert in play here, the public "Test User 1".

And the .der you are loading from the command line utility.

You must have converted "Test User 1" to a .cer and loaded into one of the
MS cert stores. Yes? 'MY' or 'AddressBook'?

You did not use the --enabled-key-data in your example below? Why did you
mention it?

Just tell me what you did.

And the .der you are loading from the command line utility.

I rather suspect your binaries are simply newer than Igor's 1.2.8 or you
are picking up Dmitry's patch and that has fixed it.

Please be more specific in your explanation.

Ed





Re: [xmlsec] OpenSSL vs mscrypto

2006-01-12 Thread Aleksey Sanin

According to the spec, xmldsig application should search
key using *all* the information available in the 
element. Specification *does not* say that X509 certificate
is better than key name and it does not require one to search
in some particular order.

However, xmlsec *DOES* allow one to disable some 
sub-elements. For example, look for --enabled-key-data option
for the xmlsec command line application.

I am not sure I understand all the steps you did for
adding/removing certificates to MS stores, thus I cannot
comment on the validity of your tests or point my finger at
what you did wrong. What I do know is that on my computer,
I do see the following results:

> xmlsec verify --crypto mscrypto
   --trusted-der d:\upu-cacert.der
   d:/edsigned-enveloped.xml
...

OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

> xmlsec verify --crypto mscrypto
d:/edsigned-enveloped.xml
...

Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "d:/edsigned-enveloped.xml"

which is *exactly* what I expect to see and what I believe
you expect to see too.


And as I usually say, I *DO* accept patches :)

Aleksey




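The two sides of this thread are describing two different ways a verifier can resolve the signing key from a signed document's KeyInfo: a lookup by key name in a local store, or taking the embedded certificate and checking its chain against the trusted issuers. The Go program below is an added example written for this page; it is not xmlsec code and not code from either participant. It models a keys manager with a name-searchable store (standing in for the MS Crypto 'MY'/'AddressBook' stores), a pool of trusted issuers (the --trusted-der input) and a switch for the key-name method (what --enabled-key-data restricts), generates its own "Test CA" and "Test User 1" certificates, and shows the case Ed reports (a store hit by name verifies with no issuer loaded at all) next to the case Aleksey describes (with the key-name method disabled, the embedded certificate's chain must reach a trusted issuer or verification fails). Everything in it apart from those names and the two option names is this example's own assumption: the SignedDoc and Verifier types, the KeyNameLookup switch, ECDSA P-256 keys, and a SHA-256-over-bytes signature in place of XMLDSig canonicalization.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedDoc stands in for a signed XML file: the signed bytes, the signature value and
// a <KeyInfo> carrying both a <KeyName> and the signer's <X509Certificate>.
type SignedDoc struct {
	Data, Signature, CertDER []byte
	KeyName                  string
}

// Verifier holds a key store searched by name (like MS Crypto 'MY'/'AddressBook'), the
// trusted issuers (--trusted-der) and whether <KeyName> lookup is enabled (--enabled-key-data).
type Verifier struct {
	Store         map[string]*ecdsa.PublicKey
	Trusted       *x509.CertPool
	KeyNameLookup bool
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func must(err error) { // fixture construction only
	if err != nil {
		panic(err)
	}
}

// makeCert issues a P-256 certificate for the constructed fixtures; parent == nil gives a self-signed CA.
func makeCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// resolve is the <KeyInfo> processing. A <KeyName> hit returns the stored key without ever
// examining the embedded certificate; otherwise that certificate's chain must lead to a
// trusted issuer before its public key is accepted.
func (v Verifier) resolve(doc SignedDoc) (*ecdsa.PublicKey, error) {
	if pub, ok := v.Store[doc.KeyName]; ok && v.KeyNameLookup {
		return pub, nil
	}
	cert, err := x509.ParseCertificate(doc.CertDER)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: v.Trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("cert chain: %w", err)
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("key is not found")
}

// Verify resolves the signing key, then checks the signature over the document.
func (v Verifier) Verify(doc SignedDoc) error {
	pub, err := v.resolve(doc)
	if err == nil && !ecdsa.VerifyASN1(pub, digest(doc.Data), doc.Signature) {
		err = errors.New("signature failed")
	}
	return err
}

// Scenario issues "Test User 1" under a constructed test CA, signs a constructed document
// and returns each verifier configuration's outcome by case name (nil means verified).
func Scenario() map[string]error {
	ca, caKey := makeCert(1, "Test CA", true, nil, nil)
	leaf, leafKey := makeCert(2, "Test User 1", false, ca, caKey)
	data := []byte("<doc>constructed sample</doc>")
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest(data))
	must(err)
	doc := SignedDoc{Data: data, Signature: sig, CertDER: leaf.Raw, KeyName: "Test User 1"}
	tampered := doc
	tampered.Data = []byte("<doc>altered</doc>")
	store := map[string]*ecdsa.PublicKey{"Test User 1": &leafKey.PublicKey}
	noCA, withCA := x509.NewCertPool(), x509.NewCertPool()
	withCA.AddCert(ca)
	return map[string]error{
		"keyname,no-ca":         Verifier{store, noCA, true}.Verify(doc),       // reported behaviour: OK, issuer never consulted
		"x509-only,no-ca":       Verifier{store, noCA, false}.Verify(doc),      // chain check fails without the issuer
		"x509-only,ca":          Verifier{nil, withCA, false}.Verify(doc),      // chain and signature both check out
		"x509-only,ca,tampered": Verifier{nil, withCA, false}.Verify(tampered), // the resolved key still rejects altered content
	}
}
```

Scenario() returns the four outcomes, nil meaning the document verified. The first entry is the one the thread is about: a verifier that can satisfy the key name from its own store never reaches the chain check, so loading the issuer has no effect on that path. The only ways to make the result depend on the issuer are to keep the signer's certificate out of every store on the verification host, or to disable the key-name method, which is what restricting --enabled-key-data to the X509 key data types does.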


[xmlsec] OpenSSL vs mscrypto

2006-01-12 Thread Edward Shallow
Aleksey,

Sorry for the lengthy dialogue on this topic, but we really have a
fundamental problem here with mscrypto.

Please let me state first that the observations below are with the unpatched
xmlsec V 1.2.8 using mscrypto, which is supposed to verify cert chains but
in fact does not. In fact there are no circumstances I can detect under
which it does. I doubt it ever has. So unless someone describes otherwise,
it is starting to look like the only hope for cert chain verification with
mscrypto may very well lie with Dmitry's patch. I have yet to test it, but I
will tomorrow.

With xmlsec 1.2.8 and mscrypto ...

The  is in the signed document (which we are attempting to
verify the chain on) because that is the way you tell mscrypto how to select
the key for signing. So it is left over from the sign operation.

I "again" performed the test that both Dmitry and you suggested.

If you remove the "Test User 1" key from all the MS crypto stores ('MY' and
'AddressBook') you get the following on the verify: 

func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=754:obj=unknown:subj=xmlSecMSCryptoCertStrToName:error=1:xmlsec library function failed: ;last error=-2146885597 (0x80092023);last error msg=The string contains an invalid X500 name attribute key, oid, value or delimiter.

func=xmlSecMSCryptoX509FindCert:file=..\src\mscrypto\x509vfy.c:line=754:obj=unknown:subj=xmlSecMSCryptoCertStrToName:error=1:xmlsec library function failed: ;last error=-2146885597 (0x80092023);last error msg=The string contains an invalid X500 name attribute key, oid, value or delimiter.

func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.

func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.

func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.

func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.

If you load the "Test User 1" certificate only into the 'AddressBook'
certificate store (which is called "Other People" in the IE UI) it verifies
successfully even when you do NOT have the upu-cacert.der (i.e. the issuer
public root cert) loaded anywhere, in KeysMngr or in the MS ROOT store. In
other words, the chain is never being checked with xmlsec 1.2.8 and mscrypto
or it would have detected the absence of the issuer.

I do not know why any cert store is being searched at all when verifying
signatures if the X509Certificate end cert is in the signed document. One
simply needs to call the crypt32.dll CertCreateCertificateContext
initializing the pbCertEncoded argument with the certificate extracted from
the signed document instead of expecting it to already be in a MS crypto
store? This would avoid the need for the verifier to have the signer's
public certificate in any of their stores, which is highly desirable.

This is the desired functionality for "end certificate in the signed
document" scenarios and is exactly what openssl does. In fact mscrypto
should behave exactly like openssl when verifying signed documents which
include the X509 cert and the xmlSecCryptoAppKeysMngrCertLoad has loaded the
issuer cert.

This is how we need xmlsec to work when the application is a server-based
verification service and no public end certs exist on that server just
public trusted issuers loaded via xmlSecCryptoAppKeysMngrCertLoad. Again
exactly like openssl behaves. The fact that openssl has no store is
irrelevant here since the store is just getting in the way for a verify
especially for the end cert in the chain.

If Dmitry's patch expects the end certificate to be in a store (i.e. Test
User 1 in our example) for a verify to work, then it has the same problem.

If the X509 cert is not in the signed document, then that is another story
and expecting it to be in a store would be justified.

Ed


 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Aleksey Sanin
Sent: January 12, 2006 5:55 PM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [xmlsec] Verify - OpenSSL vsmscrypto

I believe that in this case xmlsec-mscrypto does not construct the
certificates chain at all. The document has  element and
xmlsec simply finds the signature key in the MSCrypto store using this key
name. For openssl, there is not "permanent"
key storage and everything works fine.

To correctly test this, you need to either de