Aleksey:
  There is only one key and it's only certified by one CA, a self-signed
root CA. So, w/o the PEM file, it must fail. I'm attaching a test
document to this e-mail. Try:
  xmlsec verify --print-all test_allkey_99.xml
It says everything is cool (except the cert validation error) -- but it
can't really be OK since there's no way to verify the cert w/o a trusted
root specification.
  xmlsec verify --print-all --trusted new_export.pem test_allkey_99.xml 
The above works completely because the root of the cert can be
validated. The issue appears to be that there must be at least one key
whose certification passes *and* one of those certifiable keys must be
used to validate the signed hash. Anything less is a security problem
because anyone can resign the document with any key they choose based on
a self-signed root and that root will be trusted -- the validation will
succeed and there's no real way to tell it didn't. As you point out, I
can't merely look for a cert validation error -- since the cert that
fails may not be needed to validate the signature. Somehow xmlsec *has*
to ensure that any key it reports success on must have been validated by
a trusted cert chain.
Thanks!
  Ferrell

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 28, 2002 7:59 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] 0.0.8a build error on Win32


Not necessary. Suppose your are signing a message with a key and
provide more than one certificate for this key (for example, signed by
root CAs A and B). It is possible that one of your recipients trusts
the root CA A but not B and another trusts root CA B and not A.
Then in this case *both* recipients will be able to successfully
validate
the message and both of them will have the same error.
I believe that in your case the message verification succeeds because
XML Sec library was able to find correct keys for the message in some
other place (another cert, keys manager, etc.). From my point of view,
this is a correct behavior and the verification *must* succeed (see
scenario above).


Aleksey



Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  One other question .. when xmlSecDSigValidate() returns I'm getting a
>return code of zero, and pResult->result is equal to
>xmlSecTransformStatusOk. According to the doc, that means it worked.
>However, down in the guts of x509 verification, the following error is
>being generated: "error 31: cert verification failed : ".
Unfortunately,
>while that does result in a callback to the default error handler, it
>doesn't result in any final error status from the verification routine.
>So, unless I monitor the error handler, I don't know that the error
>occurred. In this case, because the uncertified public key is really OK
>and the hash is OK and the data is OK, the verify returns OK -- but it
>really isn't OK because I forgot to supply the PEM data needed to
>authenticate the certificate. Shouldn't this have resulted in a
failure?
>Verification with an invalid cert really isn't validation of the
>signature, IMO. 
>Thanks!
>  Ferrell
>
>-----Original Message-----
>From: Aleksey Sanin [mailto:[EMAIL PROTECTED]] 
>Sent: Wednesday, August 28, 2002 7:36 PM
>To: Moultrie, Ferrell (ISSAtlanta)
>Cc: [EMAIL PROTECTED]
>Subject: Re: [xmlsec] 0.0.8a build error on Win32
>
>
>Ferrell,
>
>Thanks for reporting the problem! I am really sucks :(  and I am doing
>new
>build right now. For 0.0.8 release I've tried to use a new box for
doing
>builds but looks like it was really WRONG idea. I did 0.0.9 release on
>the
>old box and now smoke testing it.  Should be done in 15-30 minutes.
>
>Sorry for the inconvinience,
>Aleksey
>
>Moultrie, Ferrell (ISSAtlanta) wrote:
>
>  
>
>>When I try to build 0.0.8a, I get an error:
>>D:\xmlsec-0.0.8\src\enveloped.c(24) : fatal error C1083: Cannot open
>>include file: 'xmlsec/xpath.h': No such file or directory
>>
>>I don't see an xmlsec/xpath.h in the xmlsec distribution (there is one
>>in libxml2 -- but this specifically asks for xmlsec/xpath.h). 
>>
>>If I simply comment out the line:
>>//#include <xmlsec/xpath.h>
>>.. then everything builds OK.
>>
>>Am I missing something? This same error persists in the 020828 daily
>>build also.
>>Thanks!
>> Ferrell
>>
>>=====================================
>>Ferrell Moultrie ([EMAIL PROTECTED])
>>Software Engineer
>>
>>Internet Security Systems, Inc.
>>6303 Barfield Road
>>Atlanta, Georgia 30328
>>Phone:  404-236-2600
>>Direct: 404-236-2849
>>Fax:    404-236-2632
>>http://www.iss.net
>>
>>Internet Security Systems -- The Power to Protect
>>=====================================
>>_______________________________________________
>>xmlsec mailing list
>>[EMAIL PROTECTED]
>>http://www.aleksey.com/mailman/listinfo/xmlsec
>> 
>>
>>    
>>
>
>_______________________________________________
>xmlsec mailing list
>[EMAIL PROTECTED]
>http://www.aleksey.com/mailman/listinfo/xmlsec
>  
>

<ISSKeys Source="ISS Atlanta"><!-- TestKey ISS keygen -->
<Contacts><Contact><Keys Address1="2626 Somewhere Lane" Address2="suite 200A" City="Atlanta" Country="US" Email="[EMAIL PROTECTED]" Fax="778-555-1212" Phone="777.555.1212" PostCode="30064" Weburl="http://web.fubar.net";></Keys><CustomerRelations Address1="1313 knowwhere Lane" Address2="suite 300A" City="Atlanta" Country="US" Email="[EMAIL PROTECTED]" Fax="778-555-7799" Phone="777.555.7788" PostCode="30064" Weburl="http://web.customer_relations_iss.net";></CustomerRelations><Support Address1="1234 Anvil Rd." Address2="suite 440B" City="Atlanta" Country="US" Email="[EMAIL PROTECTED]" Fax="778-555-7755" Phone="777.555.7744" PostCode="30064" Weburl="http://web.suport_iss.net";></Support><Version>1.0</Version><OCN>163444</OCN><Source>ISS Atlanta</Source><Serial>ACC64BB4-A53D-AC83-3E6F-E0AB737DEC9D</Serial><Timestamp>2000-06-14 10:34:09</Timestamp><sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#";>
<sig:SignedInfo>
<sig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315";></sig:CanonicalizationMethod>
<sig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";></sig:SignatureMethod>
<sig:Reference URI="">
<sig:Transforms>
<sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116";>
<sig:XPath>
not(ancestor-or-self::sig:Signature)
 and (
    (ancestor-or-self::node() = /ISSKeys/Contacts/Contact) 
)
</sig:XPath>
</sig:Transform>
<sig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments";></sig:Transform>
</sig:Transforms>
<sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></sig:DigestMethod>
<sig:DigestValue>pj96s6n/wNTsaxKWMtqyTsWbTrU=</sig:DigestValue>
</sig:Reference>
</sig:SignedInfo>
<sig:SignatureValue>jDZBVuX7vtG1MgIQyii5+10NcG8nrE8ak0Vds12Kmrq3s7hiqUk6yP6ntt7izos/uDkakrrW0qwA
WrfRa0MfqIUdojyM1nzbqTmGX23BhCeU1BKvjFf75CEMikEhC+ZgY4lKN9BiIE5SV2DbirL87TsZ
Kjta6tlwYgEMxGlCs4I=</sig:SignatureValue>
<sig:KeyInfo>
<sig:X509Data>
<sig:X509Certificate>
MIICCjCCAXMCBDzvGMIwDQYJKoZIhvcNAQEEBQAwTDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDVdl
YiBEZXZlbG9wZXIxCzAJBgNVBAsTAklUMRgwFgYDVQQDEw9JU1MgS2V5Z2VuIFRlc3QwHhcNMDIw
NTI1MDQ1MzIyWhcNMjcwMTE0MDQ1MzIyWjBMMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNV2ViIERl
dmVsb3BlcjELMAkGA1UECxMCSVQxGDAWBgNVBAMTD0lTUyBLZXlnZW4gVGVzdDCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAy6ACsVtGJ69fkeKxJUlZqUP4FJFDIrkrUEi04c8UAAmC6jxu9+mM
uLD+766Ztrjp/2anYX0QS7ReD+Q78ky3a0nmPDIpAzv8P7tUCBc6Yq11w5c1yHSNDdLPxLlX6+JT
nUXnmXMsfAyC2cnoevc38gfEEkEJnS4iCzUC7WHsNgMCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBy
08EvqGY4QL5GYhuT5Lx26t7V0Tk9bKxzh9YKxtyTLux0sqDFcAQWu1UpjPSOLwgNhE+uaS+CuyIK
wsSzMx84gOIk7/fOS5F7oRk2ouC0QPPhY0iT2wXi9Zhvd6CifjNwvCdDe0tinSeQNfvpo0FSlg8c
GL2eqXYylPEeMvZ5aw==
</sig:X509Certificate>
</sig:X509Data>
<sig:KeyValue>
<sig:RSAKeyValue>
<sig:Modulus>
y6ACsVtGJ69fkeKxJUlZqUP4FJFDIrkrUEi04c8UAAmC6jxu9+mMuLD+766Ztrjp/2anYX0QS7Re
D+Q78ky3a0nmPDIpAzv8P7tUCBc6Yq11w5c1yHSNDdLPxLlX6+JTnUXnmXMsfAyC2cnoevc38gfE
EkEJnS4iCzUC7WHsNgM=
</sig:Modulus>
<sig:Exponent>AQAB</sig:Exponent>
</sig:RSAKeyValue>
</sig:KeyValue>
</sig:KeyInfo>
</sig:Signature></Contact></Contacts><EndUsers><EndUser Address1="666 Rockets way" Address2="Apt. B" City="Scienceville" CompanyName="Spacely Sprockets" Country="US" Email="[EMAIL PROTECTED]" PostCode="" State="Disturbed" SubjectName="George Jetson" Title="Whipping Boy"><Version>1.0</Version><OCN>163444</OCN><Source>ISS Atlanta</Source><Serial>CE8135D7-8D27-4BC4-BCA6-2DBDE703B6AE</Serial><Timestamp>2000-06-14 10:34:09</Timestamp></EndUser></EndUsers><LicensedModules><LicensedModule ContactInfo="ACC64BB4-A53D-AC83-3E6F-E0AB737DEC9D" EndUserInfo="CE8135D7-8D27-4BC4-BCA6-2DBDE703B6AE" Identity="RO" LicenseExpiration="2003-06-14" LicenseType="evaluation" Limit="2147483647" LimitOutOfMaintenance="0" MaintenanceExpiration="2003-06-14"><Version>1.0</Version><OCN>163444</OCN><Source>ISS Atlanta</Source><Serial>F61BD0F3-D5D9-2F90-A24D-BF989200D712</Serial><Timestamp>2000-06-14 10:34:09</Timestamp></LicensedModule></LicensedModules></ISSKeys>

Attachment: new_export.pem
Description: new_export.pem

Reply via email to