Aleksey wrote:
Please, try to reproduce the problem with xmlsec command line utility.
Good suggestion ...
Here are the results using xmlsec 1.2.8 ...
With trusted certs loaded
*************************
C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der
inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Without trusted certs loaded
****************************
C:\XMLSec>xmlsec verify --crypto mscrypto inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
This is the same as what I am seeing programmatically with mscrypto. No cert
chain checking with 1.2.8 mscrypto ???
Ed
Here is the verbose output using --store-references for both tests ...
C:\XMLSec>xmlsec verify --crypto mscrypto --store-references --trusted-der
keys/upu-cacert.der inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key name: [EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,O=For
Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
=== key usage: -1
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Key Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
[EMAIL PROTECTED]
06
==== Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
[EMAIL PROTECTED]
06
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Document>
<Data>
<SubData1>
<SubSubData1 MimeType="text/plain">This is the data
to be signed.</SubSubData1>
<SubSubData2 MimeType="text/plain">This is the data
to be signed.</SubSubData2>
<SubSubData3 MimeType="text/plain">This is the data
to be signed.</SubSubData3>
</SubData1>
<SubData2>This is the data to be signed.</SubData2>
<SubData3>This is the data to be signed.</SubData3>
</Data>
</Document>
== PreDigest data - end buffer
== Manifest References List:
=== list size: 0
C:\XMLSec>xmlsec verify --crypto mscrypto --store-references
inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key name: [EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,O=For
Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
=== key usage: -1
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Key Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
[EMAIL PROTECTED]
06
==== Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
[EMAIL PROTECTED]
06
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Document>
<Data>
<SubData1>
<SubSubData1 MimeType="text/plain">This is the data
to be signed.</SubSubData1>
<SubSubData2 MimeType="text/plain">This is the data
to be signed.</SubSubData2>
<SubSubData3 MimeType="text/plain">This is the data
to be signed.</SubSubData3>
</SubData1>
<SubData2>This is the data to be signed.</SubData2>
<SubData3>This is the data to be signed.</SubData3>
</Data>
</Document>
== PreDigest data - end buffer
== Manifest References List:
=== list size: 0
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Aleksey Sanin
Sent: January 11, 2006 2:26 PM
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs
mscrypto
Please, try to reproduce the problem with xmlsec command line utility.
Aleksey
Edward Shallow wrote:
Aleksey wrote ...
I do believe that the xmlsec-mscrypto code *does* build the chain and
it
*does* verify it against the "trusted" certificates installed by the app.
With Dmitry's patch, xmlsec-mscrypto *also* uses trusted certificates
from the MSCrypto certificates store.
Yes this is what I thought too. But my test on 1.2.8 (shown in
previous post and included below) never checks whether I load the trusted
certs or not ???
2nd last line.
I don't mind waiting for Dmitry's patch, I was just trying to get it
going now.
Ed
xmlsec.xmlSecInit()
xmlsec.xmlSecCryptoDLInit()
xmlsec.xmlSecCryptoDLLoadLibrary('mscrypto')
xmlsec.xmlSecCryptoAppInit('MY')
xmlsec.xmlSecCryptoInit()
parsedDoc = libxml2.xmlParseFile('c:/xmlsec/inout/edsigned-enveloped.xml')
trustedDer = 'c:/xmlsec/keys/cacert.der'
<===
trusted root in der format
rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature',
'http://www.w3.org/2000/09/xmldsig#')
keysMngr = xmlsec.xmlSecKeysMngrCreate()
xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
dsigCtx = xmlsec.xmlSecDSigCtxCreate()
xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
xmlsec.xmlSecCryptoAppKeysMngrCertLoad(keysMngr, trustedDer, 3, 256)
<=== load trusted root
xmlsec.xmlSecDSigCtxVerify(dsigCtx, sigNode)
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
