Here they are ... 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 12, 2006 1:01 AM
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs mscrypto

Can you share the designed-enveloped.xml and upu-cacert.der, please?

Aleksey

Edward Shallow wrote:
> Aleksey wrote:
> 
> Please, try to reproduce the problem with xmlsec command line utility.
> 
> Good suggestion ... 
> 
> Here are the results using xmlsec 1.2.8 ...
> 
> With trusted certs loaded
> *************************
> 
> C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> 
> 
> Without trusted certs loaded
> ****************************
> 
> C:\XMLSec>xmlsec verify --crypto mscrypto inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> 
> This is the same as what I am seeing programmatically with mscrypto. 
> No cert chain checking with 1.2.8 mscrypto ???
> 
> Ed
> 
> 
> Here is the verbose output using --store-references for both tests ...
> 
> 
> C:\XMLSec>xmlsec verify --crypto mscrypto --store-references --trusted-der keys/upu-cacert.der inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key name: [EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
> === key usage: -1
> === rsa key: size = 1024
> === list size: 1
> === X509 Data:
> ==== Key Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, [EMAIL PROTECTED]
> 
> 06
> ==== Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, [EMAIL PROTECTED]
> 
> 06
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI: ""
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Document>
>         <Data>
>                 <SubData1>
>                         <SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
>                         <SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
>                         <SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
>                 </SubData1>
>                 <SubData2>This is the data to be signed.</SubData2>
>                 <SubData3>This is the data to be signed.</SubData3>
>         </Data>
> 
> </Document>
> == PreDigest data - end buffer
> == Manifest References List:
> === list size: 0
> 
> 
> C:\XMLSec>xmlsec verify --crypto mscrypto --store-references inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key name: [EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
> === key usage: -1
> === rsa key: size = 1024
> === list size: 1
> === X509 Data:
> ==== Key Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, [EMAIL PROTECTED]
> 
> 06
> ==== Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, [EMAIL PROTECTED]
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, [EMAIL PROTECTED]
> 
> 06
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI: ""
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Document>
>         <Data>
>                 <SubData1>
>                         <SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
>                         <SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
>                         <SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
>                 </SubData1>
>                 <SubData2>This is the data to be signed.</SubData2>
>                 <SubData3>This is the data to be signed.</SubData3>
>         </Data>
> 
> </Document>
> == PreDigest data - end buffer
> == Manifest References List:
> === list size: 0
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
> Sent: January 11, 2006 2:26 PM
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs mscrypto
> 
> Please, try to reproduce the problem with xmlsec command line utility.
> 
> Aleksey
> 
> Edward Shallow wrote:
>> Aleksey wrote ... 
>>
>> I do believe that the xmlsec-mscrypto code *does* build the chain and it
>> *does* verify it against the "trusted" certificates installed by the app.
>> With Dmitry's patch, xmlsec-mscrypto *also* uses trusted certificates
>> from the MSCrypto certificates store.
>>
>>
>>
>> Yes this is what I thought too. But my test on 1.2.8 (shown in
>> previous post and included below) never checks whether I load the
>> trusted certs or not ??? 2nd last line.
>>
>> I don't mind waiting for Dmitry's patch, I was just trying to get it 
>> going now.
>>
>> Ed
>>
>>  
>>
>> import libxml2
>> import xmlsec
>>
>> xmlsec.xmlSecInit()
>> xmlsec.xmlSecCryptoDLInit()
>> xmlsec.xmlSecCryptoDLLoadLibrary('mscrypto')
>> xmlsec.xmlSecCryptoAppInit('MY')
>> xmlsec.xmlSecCryptoInit()
>> parsedDoc = libxml2.xmlParseFile('c:/xmlsec/inout/edsigned-enveloped.xml')
>> trustedDer = 'c:/xmlsec/keys/cacert.der'   # <=== trusted root in der format
>> rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
>> sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature',
>>                                 'http://www.w3.org/2000/09/xmldsig#')
>> keysMngr = xmlsec.xmlSecKeysMngrCreate()
>> xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
>> dsigCtx = xmlsec.xmlSecDSigCtxCreate()
>> xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
>> # format 3 = xmlSecKeyDataFormatDer, type 256 = xmlSecKeyDataTypeTrusted
>> xmlsec.xmlSecCryptoAppKeysMngrCertLoad(keysMngr, trustedDer, 3, 256)   # <=== load trusted root
>> # returns 0 when the call itself succeeds; the verification result is dsigCtx.status
>> xmlsec.xmlSecDSigCtxVerify(dsigCtx, sigNode)
>>
>>
>>
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
> 
<?xml version="1.0" encoding="UTF-8"?>
<!--
Signature created by XMLDSIG Engine and XMLSec Lib V1.21
-->
<Document>
	<Data>
		<SubData1>
			<SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
			<SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
			<SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
		</SubData1>
		<SubData2>This is the data to be signed.</SubData2>
		<SubData3>This is the data to be signed.</SubData3>
	</Data>
	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
		<dsig:SignedInfo>
			<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
			<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<dsig:Reference URI="">
					<dsig:Transforms>
						<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					</dsig:Transforms>
					<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<dsig:DigestValue>r7EhnxYz0j4pYDmYS3TvPqXex/U=</dsig:DigestValue>
				</dsig:Reference>
		</dsig:SignedInfo>
		<dsig:SignatureValue>oRMSp+sYMa8B2VX84rBbf5j4aGmmBtGgHjY5p47QNFZHZOleZdpMrOdyDXJ/klSA
FmbezUH61vuRXK6cA52ZCj9vmYOi4d3Gm+e/aphxy8SUH1R9S9i9VUGBaIEPbWol
IM+JebVrB3SjCcFNfe0a5pR3yYqdJD038p/Ya7BCDRA=</dsig:SignatureValue>
		<dsig:KeyInfo>
			<dsig:KeyName>[EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</dsig:KeyName>
			<dsig:X509Data>
			<X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIIEJTCCAw2gAwIBAgIBBjANBgkqhkiG9w0BAQUFADCB3jELMAkGA1UEBhMCQ0gx
DjAMBgNVBAgTBUJlcm5lMQ4wDAYDVQQHEwVCZXJuZTEfMB0GA1UEChMWVW5pdmVy
c2FsIFBvc3RhbCBVbmlvbjEaMBgGA1UEChMRRm9yIFRlc3QgVXNlIE9ubHkxHTAb
BgNVBAsTFEVsZWN0cm9uaWMgUG9zdCBNYXJrMTMwMQYDVQQDEypVbml2ZXJzYWwg
UG9zdGFsIFVuaW9uIFBpbG90IEVQTSBBdXRob3JpdHkxHjAcBgkqhkiG9w0BCQEW
D0NBQWRtaW5AdXB1LmludDAeFw0wNTAyMDcxOTE2MzNaFw0xMDAyMDYxOTE2MzNa
MIG/MQswCQYDVQQGEwJDSDEOMAwGA1UECBMFQmVybmUxDjAMBgNVBAcTBUJlcm5l
MR8wHQYDVQQKExZVbml2ZXJzYWwgUG9zdGFsIFVuaW9uMRowGAYDVQQKExFGb3Ig
VGVzdCBVc2UgT25seTEdMBsGA1UECxMURWxlY3Ryb25pYyBQb3N0IE1hcmsxFDAS
BgNVBAMTC1Rlc3QgVXNlciAxMR4wHAYJKoZIhvcNAQkBFg9DQUFkbWluQHVwdS5p
bnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPFLURDoWF+GyUm1KoE426zl
oGa36OTGzDhg0uvzbl1l/MvSmMJ+J3m2TnUcvpnOfjZna+//wdmm/oP+YOP9zOdW
RLnuk7C4bpW37p3rNoHUhiNj3d8/LYSYNh35bVUDQDlym507Xh6cwGJMcdWpuEDR
3Z0ZYxKhS+bA9jbbJhYLAgMBAAGjgY4wgYswDAYDVR0TBAUwAwIBADAdBgNVHQ4E
FgQUNzx8HIWUZr6D4EhsdIPdcpUvqQAwHwYDVR0jBBgwFoAU7RXJ0lNkXL2nmf05
PqJxKKvYqFAwLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL2NhMS51cHUuaW50L21h
c3Rlci5jcmwwCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBBQUAA4IBAQCGpTind+qO
ti42R5aLbulImOXzGXFUv01hOOI90OBGMNLzjpJHD4pxvoEeZ5ShzUYs3iPQ8Ojv
lfDP66+Rl7GeMRwgKjdEhL7n2kJ5U7VC1XlEKkesX00dS6ikMOMHvVyXOKNUaf/q
UFX0fsQAo5n/8idP0t41ql5JWErH+8zRH0i/aeb9ILx0dgi2IYSPbyOYMP0EjWoJ
KTYEnNW6xmkZ6SgrD0NxqH7+z61k7dHc6ErJ8h9c8AhuNnvR7bJxdsKQcUAMuwKF
/Fhou9Jwdw4Q2jzzCqZyB6tL0PA8S0A9tcdR9sd/mZqzLFJ3ZqxPUOvSwPlCrt/h
bfO/69npryXx</X509Certificate>
<X509SubjectName xmlns="http://www.w3.org/2000/09/xmldsig#">[EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</X509SubjectName>
<X509IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509IssuerName>[EMAIL PROTECTED],CN=Universal Postal Union Pilot EPM Authority,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</X509IssuerName>
<X509SerialNumber>6</X509SerialNumber>
</X509IssuerSerial>
</dsig:X509Data>
		</dsig:KeyInfo>
	</dsig:Signature>
</Document>

Attachment: upu-cacert.der
Description: application/x509-ca-cert

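The thread turns on the difference between two checks: whether the SignatureValue verifies under the key in KeyInfo, and whether that key's certificate chains to a root the verifier trusts (the upu-cacert.der loaded with --trusted-der). Ed's observation is that the second check makes no difference to the result. The following is an added illustration of how the two checks combine, written for this page; it is not xmlsec code and not the thread's own Python. It performs no real cryptography: the RSA-SHA1 outcome is passed in as a boolean, and a certificate is reduced to the subject, issuer and serial fields that chain building needs (the names and serial 6 are taken from the signed document above; the root's serial and the helper names CertRef, key_info_cert, build_chain and verify_signed_document are constructed for the example).

```python
"""Model of the two checks an XML-DSig verifier must combine.

Added illustration for the xmlsec thread; not xmlsec code. No real
cryptography: the signature result is a caller-supplied boolean and a
certificate is just (subject, issuer, serial).
"""
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional, Tuple

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Distinguished names copied from the signed document in the thread.
# "[EMAIL PROTECTED]" is the archive's redaction of the e-mail RDN, kept as-is.
SIGNER_DN = ("[EMAIL PROTECTED],CN=Test User 1,OU=Electronic Post Mark,"
             "O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH")
ISSUER_DN = ("[EMAIL PROTECTED],CN=Universal Postal Union Pilot EPM Authority,"
             "OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,"
             "L=Berne,ST=Berne,C=CH")


class CertRef(NamedTuple):
    """The fields chain building needs; no key material, no DER (model only)."""
    subject: str
    issuer: str
    serial: int


# Constructed <KeyInfo>: names and serial as in the thread's document, with the
# base64 certificate body omitted because this model never parses DER.
KEYINFO_XML = f"""<KeyInfo xmlns="{DSIG_NS}">
  <X509Data>
    <X509SubjectName>{SIGNER_DN}</X509SubjectName>
    <X509IssuerSerial>
      <X509IssuerName>{ISSUER_DN}</X509IssuerName>
      <X509SerialNumber>6</X509SerialNumber>
    </X509IssuerSerial>
  </X509Data>
</KeyInfo>"""

# Stand-in for upu-cacert.der: a self-signed root. Its serial is not given in
# the thread, so 1 is a constructed placeholder.
UPU_PILOT_ROOT = CertRef(subject=ISSUER_DN, issuer=ISSUER_DN, serial=1)


def key_info_cert(keyinfo_xml: str) -> CertRef:
    """Read subject, issuer and serial from <KeyInfo>/<X509Data>."""
    ns = {"ds": DSIG_NS}
    root = ET.fromstring(keyinfo_xml)
    subject = root.findtext("ds:X509Data/ds:X509SubjectName", namespaces=ns)
    issuer = root.findtext("ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName", namespaces=ns)
    serial = root.findtext("ds:X509Data/ds:X509IssuerSerial/ds:X509SerialNumber", namespaces=ns)
    if not (subject and issuer and serial):
        raise ValueError("KeyInfo lacks X509SubjectName or X509IssuerSerial")
    return CertRef(subject.strip(), issuer.strip(), int(serial))


def build_chain(leaf: CertRef, untrusted: List[CertRef], trusted: List[CertRef],
                max_depth: int = 8) -> Optional[List[CertRef]]:
    """Follow issuer links from the leaf until a trusted anchor is reached.

    Only members of `trusted` may terminate the chain; `untrusted` certificates
    (e.g. intermediates carried inside <X509Data>) may only sit in the middle.
    Returns None when no trusted anchor is reached, including for self-signed
    certificates that are not in the trusted set.
    """
    trusted_by_subject = {c.subject: c for c in trusted}
    untrusted_by_subject = {c.subject: c for c in untrusted}
    chain = [leaf]
    for _ in range(max_depth):
        current = chain[-1]
        if current in trusted:                      # the leaf itself is an anchor
            return chain
        anchor = trusted_by_subject.get(current.issuer)
        if anchor is not None:
            return chain + [anchor]
        nxt = untrusted_by_subject.get(current.issuer)
        if nxt is None or nxt in chain:             # dangling issuer or a loop
            return None
        chain.append(nxt)
    return None


def verify_signed_document(signature_ok: bool, signer: CertRef,
                           extra_certs: List[CertRef],
                           trusted: List[CertRef]) -> Tuple[str, Optional[List[CertRef]]]:
    """OK only if the signature verifies AND the signer chains to a trusted root."""
    if not signature_ok:
        return ("FAIL: SignatureValue does not verify", None)
    chain = build_chain(signer, extra_certs, trusted)
    if chain is None:
        return ("FAIL: signer certificate does not chain to a trusted root", None)
    return ("OK", chain)


if __name__ == "__main__":
    signer = key_info_cert(KEYINFO_XML)
    for label, anchors in (("trusted root loaded", [UPU_PILOT_ROOT]),
                           ("no trusted roots loaded", [])):
        status, _ = verify_signed_document(True, signer, [], anchors)
        print(f"{label}: {status}")
```

Run without arguments it prints OK for the first case and a FAIL for the second, which is the behaviour Ed was expecting from the two xmlsec invocations. A real validator also checks the validity period, key usage and revocation status of every certificate in the chain, none of which this model represents.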
