Alright I can follow you, but I don't know how to check the x509 certificate
now?
if(xmlSecDSigCtxVerify(&dsigCtx, data->startNode) < 0)
{
xmlSecDSigCtxFinalize(&dsigCtx);
if(data != NULL)
xmlSecAppXmlDataDestroy(data);
return V_NOSIGNATUR;
}
if ( dsigCtx.signKey == NULL )
return V_NOSIGNATUR;
key = dsigCtx.signKey;
size = xmlSecPtrListGetSize(key->dataList);
sdata = (*((dsigCtx).signKey)).dataList;
for(pos = 0; pos < size; ++pos)
{
tmp = (xmlSecKeyDataPtr)xmlSecPtrListGetItem(key->dataList,
pos);
x509 = xmlSecMSCryptoKeyDataX509GetCert(tmp,pos);
[....]
How can I get access on the X509 Certifiacte.
-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: Donnerstag, 01. Juni 2006 13:54
To: Jürgen Heiss; 'Aleksey Sanin'; [email protected]
Subject: RE: [xmlsec] RE: Need urgent help for verify
My point exactly !!!
If X509Certificate is there, then one can only assume the signer wants you to
use it. In xmlsec we are using the KeyName at "signing time" for convenience.
It does stay in the signature though. The problem is KeyName gets in the way
when verifying. Again, I would vote for precedence order.
Check X509Certificate first. If KeyName is the same (i.e. CN= from
X509Certificate is the same as friendly-name in KeyName) DO NOT GO TO MS Cert
Store as they are the same and the in-signature certificate is fine.
Beside the public cert will not be in the cert store anyway !!!
Aleksey ?
Ed
-----Original Message-----
From: Jürgen Heiss [mailto:[EMAIL PROTECTED]
Sent: June 1, 2006 6:53 AM
To: [EMAIL PROTECTED]; Aleksey Sanin; [email protected]
Subject: RE: [xmlsec] RE: Need urgent help for verify
Ups I think I don't understand something.
I call the function
if(xmlSecDSigCtxVerify(&dsigCtx, data->startNode) < 0)
And how it look this function look in the KeyName and try to get the
certificate from the registry.
But of course the certificate isn't registered. So, what if have to do the load
the certificate which is In the signed XML-doucument. How I can tell the
function xmlSecDSigCtxVerify to get the certificate from the signed xml File
and to don't try to look in the registry because there it will be not?
So how I can handle this that I always load the certificate with which the
document was signed.
Thanks
Jürgen
-----Original Message-----
From: Edward Shallow [mailto:[EMAIL PROTECTED]
Sent: Donnerstag, 01. Juni 2006 12:30
To: Jürgen Heiss; 'Aleksey Sanin'; [email protected]
Subject: RE: [xmlsec] RE: Need urgent help for verify
What do you mean the document is no longer valid ?
If it verifies the References covered by the signature are valid. If the DN in
the certificate refers to the same certifiacte as the friendly name in the
KeyName, the KeyName is redundant. This is what I am doing. I am removing the
Keyname for the verify and then putting it back in for consistency.
Alternatively you can tell xmlsec which key sources to consult using the
enabledKeyData list. I find this a pain and prefer to check the keys in each
location myself. If you have created the signature yourself and are
subsequently verifying it, you know they are the same. They should rarely
differ. In fact I cannot think of an instance where the contents of
X509Certificate should get overridden by KeyName in a Verify. Even when
including issuer certificates, they end up as more than one X509Certificate.
I buy that if X509Certifiate is not there one can consult KeyName, but rarely
if ever the reverse. But that is just my opinion. I would like to see an order
to the certificate search.
Ed
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jürgen Heiss
Sent: June 1, 2006 2:40 AM
To: Aleksey Sanin; [EMAIL PROTECTED]; [email protected]
Subject: RE: [xmlsec] RE: Need urgent help for verify
Hi everybody,
Well you are right, its really the Keyname. So if I remove the Keyname it works.
But of course the document isn't anymore valid. Is there a way always to ignore
the keyname and use the the certificate by verify a signed document?
What is the
xmlSecDSigCtx::keyInfoReadCtx->enabledKeyData
xmlSecDSigCtx::keyInfoWriteCtx->enabledKeyData
For? How must I use them?
Thanks I advance.
Jürgen
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: Mittwoch, 31. Mai 2006 22:20
To: [EMAIL PROTECTED]; [email protected]
Subject: Re: [xmlsec] RE: Need urgent help for verify
Yes
xmlSecDSigCtx::keyInfoReadCtx->enabledKeyData
xmlSecDSigCtx::keyInfoWriteCtx->enabledKeyData
Aleksey
[EMAIL PROTECTED] wrote:
> Yes you are right !!! I forgot about that.
>
> You mean the "--enabled-key-data" list in the command line utility ?
> Where is this in the API ? in the Ctx ?
>
> ----- Original Message ----
> From: Aleksey Sanin <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: Jürgen Heiss <[EMAIL PROTECTED]>; [email protected]
> Sent: Wednesday, May 31, 2006 2:31:14 PM
> Subject: Re: [xmlsec] RE: Need urgent help for verify
>
> > Does it not make sense to check X509Certificate first ? Or must we
> > consciously remove KeyName to avoid problems in the mscrypto world
> where > the chances of actually having the public verification
> certificate in > the verifiers mscrypto store is remote at best ?
> >
> I think, that either signer or verifier should decide if KeyName makes
> sense for him/her or not. In xmlsec, there is a way to disable KeyName
> usage for verification, for example.
>
> Aleksey
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
