Aleksey wrote: Please, try to reproduce the problem with xmlsec command line utility.
Good suggestion ... Here are the results using xmlsec 1.2.8 ...

With trusted certs loaded
*************************

C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Without trusted certs loaded
****************************

C:\XMLSec>xmlsec verify --crypto mscrypto inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

This is the same as what I am seeing programmatically with mscrypto. No cert chain checking with 1.2.8 mscrypto ???

Ed

Here is the verbose output using --store-references for both tests ...

C:\XMLSec>xmlsec verify --crypto mscrypto --store-references --trusted-der keys/upu-cacert.der inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key name: [EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
=== key usage: -1
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Key Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, [EMAIL PROTECTED] 06
==== Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, [EMAIL PROTECTED] 06
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Document>
<Data>
<SubData1>
<SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
<SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
<SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
</SubData1>
<SubData2>This is the data to be signed.</SubData2>
<SubData3>This is the data to be signed.</SubData3>
</Data>
</Document>
== PreDigest data - end buffer
== Manifest References List:
=== list size: 0

C:\XMLSec>xmlsec verify --crypto mscrypto --store-references inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key name: [EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
=== key usage: -1
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Key Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, [EMAIL PROTECTED] 06
==== Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, [EMAIL PROTECTED] 06
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Document>
<Data>
<SubData1>
<SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
<SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
<SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
</SubData1>
<SubData2>This is the data to be signed.</SubData2>
<SubData3>This is the data to be signed.</SubData3>
</Data>
</Document>
== PreDigest data - end buffer
== Manifest References List:
=== list size: 0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 11, 2006 2:26 PM
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs mscrypto

Please, try to reproduce the problem with xmlsec command line utility.

Aleksey

Edward Shallow wrote:
> Aleksey wrote ...
>
> I do believe that the xmlsec-mscrypto code *does* build the chain and it
> *does* verify it against the "trusted" certificates installed by the app.
> With Dmitry's patch, xmlsec-mscrypto *also* uses trusted certificates
> from the MSCrypto certificates store.
>
> Yes this is what I thought too. But my test on 1.2.8 (shown in
> previous post and included below) never checks whether I load the trusted certs or not ???
> 2nd last line.
>
> I don't mind waiting for Dmitry's patch, I was just trying to get it
> going now.
>
> Ed
>
> import libxml2
> import xmlsec
>
> # library and mscrypto backend initialisation
> xmlsec.xmlSecInit()
> xmlsec.xmlSecCryptoDLInit()
> xmlsec.xmlSecCryptoDLLoadLibrary('mscrypto')
> xmlsec.xmlSecCryptoAppInit('MY')
> xmlsec.xmlSecCryptoInit()
>
> # signed document and the trusted root in DER format
> parsedDoc = libxml2.xmlParseFile('c:/xmlsec/inout/edsigned-enveloped.xml')
> trustedDer = 'c:/xmlsec/keys/cacert.der'   # <=== trusted root in der format
> rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
> sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature',
>                                 'http://www.w3.org/2000/09/xmldsig#')
>
> # keys manager, signature context, trusted root, then verify
> keysMngr = xmlsec.xmlSecKeysMngrCreate()
> xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
> dsigCtx = xmlsec.xmlSecDSigCtxCreate()
> xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
> xmlsec.xmlSecCryptoAppKeysMngrCertLoad(keysMngr, trustedDer, 3, 256)   # <=== load trusted root
> xmlsec.xmlSecDSigCtxVerify(dsigCtx, sigNode)

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
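The two-run comparison above (verify once with the CA trusted, once with nothing trusted) turned into a reusable check that a verifier really honours its trust anchors. This is an added example, not code from the thread; it assumes the xmlsec command-line tool (xmlsec1 on most Unix builds, xmlsec on Windows), a signed document and the issuing CA certificate in DER form, and a backend name for --crypto as used in the thread.

```shell
#!/bin/sh
# Added example: automate Ed's with/without-trusted-root comparison.
# A verifier that accepts the signature in BOTH runs is not checking the
# certificate chain: any self-issued cert embedded in KeyInfo would pass.
XMLSEC_BIN="${XMLSEC_BIN:-xmlsec1}"      # xmlsec on Windows, xmlsec1 elsewhere (assumed)
CRYPTO="${CRYPTO:-openssl}"              # the thread used mscrypto

# Run one verification. $1 = signed document, remaining args = extra xmlsec
# options. Returns xmlsec's exit status (0 = signature accepted).
verify_doc() {
    doc="$1"; shift
    "$XMLSEC_BIN" verify --crypto "$CRYPTO" "$@" "$doc" >/dev/null 2>&1
}

# Classify the pair of exit statuses.
# $1 = status with the trusted root loaded, $2 = status with no roots loaded.
classify() {
    with_root="$1"; without_root="$2"
    if [ "$with_root" -eq 0 ] && [ "$without_root" -ne 0 ]; then
        echo "CHAIN_CHECK_OK"      # expected: accepted only when the root is trusted
    elif [ "$with_root" -eq 0 ] && [ "$without_root" -eq 0 ]; then
        echo "NO_CHAIN_CHECK"      # what Ed saw with 1.2.8 mscrypto: anchors ignored
    elif [ "$with_root" -ne 0 ] && [ "$without_root" -ne 0 ]; then
        echo "VERIFY_FAILED"       # rejected even with the root: bad signature or chain
    else
        echo "INCONSISTENT"        # accepted only without the root: investigate
    fi
}

# Full check. $1 = signed XML document, $2 = trusted CA certificate (DER).
# Written to be safe under `set -e`: a failing verify must not abort the script.
chain_check() {
    doc="$1"; ca_der="$2"
    with_root=0;    verify_doc "$doc" --trusted-der "$ca_der" || with_root=$?
    without_root=0; verify_doc "$doc"                          || without_root=$?
    classify "$with_root" "$without_root"
}

# Usage: sh chain_check.sh signed.xml ca.der  (exit 0 only for CHAIN_CHECK_OK)
if [ $# -eq 2 ]; then
    result=$(chain_check "$1" "$2")
    echo "$result"
    [ "$result" = "CHAIN_CHECK_OK" ]
fi
```

Run it against the thread's files as `sh chain_check.sh inout/edsigned-enveloped.xml keys/upu-cacert.der`; a NO_CHAIN_CHECK result reproduces the behaviour reported above and means the deployment must not rely on that backend for trust decisions.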
