code from .../apps/xmlsec.c show that we can call xmlsec1 with more than one option --untrustedXXX file_name,
but when xmlsec is build with openssl, source code in .../src/openssl/x509vfy.c method xmlSecOpenSSLX509StoreAdoptCert() is:
===========================================================
....
int
xmlSecOpenSSLX509StoreAdoptCert(xmlSecKeyDataStorePtr store, X509* cert, xmlSecKeyDataType type) {
if((type & xmlSecKeyDataTypeTrusted) != 0) {
xmlSecAssert2(ctx->xst != NULL, -1);
....
} else {
xmlSecAssert2(ctx->untrusted != NULL, -1);
ret = sk_X509_push(ctx->untrusted, cert);
if(ret != 1) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"sk_X509_push",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
....
===========================================================
OpenSSL function sk_X509_push return number of certificates in stack.
When stack ctx->untrusted contain one cert. on next call of xmlSecOpenSSLX509StoreAdoptCert(..) sk_X509_push return 2 and check ( ret != 1 ) fail.
Where/What is problem:
- xmlsec1 can accept only one untrusted certificate, i.e. .../apps/xmlsec.c should skip extra --untrustedXXX options;
- after sk_X509_push check should be if ( ret < 1 );
- all source code is correct. But in that case xmlsec1 core dump and might .../src/openssl/x509vfy.c source should pop from untrusted stack to avoid core dump or never to push a cert. when stack contain already one;
?
All is tested with xmlsec 1.0.3 and CVS version. Test file rumen-sn.tmp is attached and test commans are:
apps/xmlsec1 verify \
--untrusted-der tests/keys/dsacert.der \
--[un]trusted-der tests/keys/ca2cert.der \
--trusted-der tests/keys/cacert.der \
rumen-sn.tmp
<?xml version="1.0" encoding="UTF-8"?> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> <Reference URI="http://www.w3.org/TR/xml-stylesheet";> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue> </Reference> </SignedInfo> <SignatureValue>vAS4NUtweyTpauQlw0OKw38j6K9iV3hagtCV6T8FoEpsaXwp/+q+Ag==</SignatureValue> <KeyInfo> <X509Data> <X509SubjectName>[EMAIL PROTECTED],CN=Aleksey Sanin,OU=Third Level DSA Certificate,O=XML Security Library (http://www.aleksey.com/xmlsec),ST=California,C=US</X509SubjectName> <X509SubjectName>[EMAIL PROTECTED],CN=Aleksey Sanin,OU=Second Level Certificate,O=XML Security Library (http://www.aleksey.com/xmlsec),ST=California,C=US</X509SubjectName> </X509Data> </KeyInfo> </Signature>
