I am really sorry but this goes beyond the support I provide. Aleksey
On 6/11/12 11:40 AM, Renato Tegon Forti wrote:
> Hi Again,
>
> I wrote new code, but I can't get it to work! Please can you point me to what
> I forgot!
>
> The verify function is: verify_f
>
> Output:
>
> ========================================================================
> verify_f
> ========================================================================
> Signature is ***INVALID***
> func=xmlSecDSigCtxDebugXmlDump:file=xmldsig.c:line=1148:obj=unknown:subj=output != NULL:error=100:assertion:
> func=xmlSecDSigCtxDebugDump:file=xmldsig.c:line=1068:obj=unknown:subj=output != NULL:error=100:assertion:
>
> Thanks
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:[email protected]]
> Sent: Monday, 11 June 2012 13:22
> To: Renato Tegon Forti
> Cc: [email protected]
> Subject: Re: RES: [xmlsec] how verify sig using xmlAddID and local certs!
>
> xmlsec1 --help
>
> Aleksey
>
> On 6/11/12 7:09 AM, Renato Tegon Forti wrote:
>> Hi
>>
>>>> xmlAddID - look at LibXML2 documentation for the function, it's
>>>> pretty simple.
>> OK
>>
>>>> Actually default trusted certs are loaded in the xmlsec-openssl init
>>>> function.
>> Then I don't need to load certs in "xmlSecKeysMngrPtr"?
>>
>> I am trying to use the sample "Verifying a signature with X509 certificates."
>>
>> And I changed load_trusted_certs to accept a vector with key files, like:
>>
>> ------------------------------------------------------------------------
>> std::vector<std::string> certs;
>>
>> certs.push_back("/usr/lib/ssl/certs/Serasa_Certificadora_Digital_v2.pem");
>> certs.push_back("/usr/lib/ssl/certs/Serasa_Autoridade_Certificadora_Principal_v2.pem");
>> certs.push_back("/usr/lib/ssl/certs/Autoridade_Certificadora_Raiz_Brasileira_v2.pem");
>>
>> mngr = load_trusted_certs(certs);
>> ------------------------------------------------------------------------
>>
>> And for now, I am using a DTD in the xml file:
>>
>> ------------------------------------------------------------------------
>> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ATTLIST infNFe Id ID #IMPLIED> ]>
>> ------------------------------------------------------------------------
>>
>> But I always receive: "Signature is INVALID"!
>>
>> If I use the xmlsec1 command, it works with the same file!
>>
>> ------------------------------------------------------------------------
>> afe/engine/libs/xmldsig/test$ xmlsec1 --verify mt-embedded-id-dtd-attr.xml
>> OK
>> SignedInfo References (ok/all): 1/1
>> Manifests References (ok/all): 0/0
>> ------------------------------------------------------------------------
>>
>> How can I print debug info to try to see what's happening?
>>
>> My current code, and the file that I need to check, are attached!
>>
>> Thanks again, and again, and again ...!
>>
>> -----Original Message-----
>> From: Aleksey Sanin [mailto:[email protected]]
>> Sent: Monday, 11 June 2012 10:46
>> To: Renato Tegon Forti
>> Cc: [email protected]
>> Subject: Re: [xmlsec] how verify sig using xmlAddID and local certs!
>>
>> 1) xmlAddID - look at LibXML2 documentation for the function, it's
>> pretty simple.
>>
>> 2) Actually default trusted certs are loaded in the xmlsec-openssl
>> init function.
>>
>> Aleksey
>>
>> On 6/11/12 5:39 AM, Renato Tegon Forti wrote:
>>> Hi All,
>>>
>>> I'm trying to understand how the xmlsec tool interprets this command:
>>>
>>> xmlsec1 --verify --id-attr:Id infNFe file.xml
>>>
>>> which parts of the code are activated! I need to reproduce this behavior in
>>> my code.
>>>
>>> Can someone explain to me?
>>>
>>> In particular, how "xmlSecAppLoadKeys" loads the CA files from
>>> /usr/lib/ssl/certs/ (for example, the openssl ssl files folder)!
>>>
>>> I need to use "xmlAddID" to add "infNFe" as an id! Ok? How?
>>>
>>> Anything else!
>>>
>>> My test code:
>>>
>>> // Copyright 2011-2012 Renato Tegon Forti
>>>
>>> #define BOOST_ALL_DYN_LINK
>>> #define BOOST_THREAD_USE_DLL // thread header not compliant with 'BOOST_ALL_DYN_LINK'
>>> #define BOOST_LIB_DIAGNOSTIC
>>>
>>> #include <cassert>
>>> #include <cstdio>
>>> #include <string>
>>>
>>> #include <boost/test/minimal.hpp>
>>> #include <dsafe/xmlsig.hpp>
>>>
>>> #define XMLSEC_CRYPTO_OPENSSL
>>>
>>> #include <libxml/tree.h>
>>> #include <libxml/xmlmemory.h>
>>> #include <libxml/parser.h>
>>>
>>> #ifndef XMLSEC_NO_XSLT
>>> #include <libxslt/xslt.h>
>>> #endif /* XMLSEC_NO_XSLT */
>>>
>>> #include <xmlsec/xmlsec.h>
>>> #include <xmlsec/xmltree.h>
>>> #include <xmlsec/xmldsig.h>
>>> #include <xmlsec/xmlenc.h>
>>> #include <xmlsec/templates.h>
>>> #include <xmlsec/crypto.h>
>>>
>>> /**
>>>  * verify_file:
>>>  * @mngr: the pointer to keys manager.
>>>  * @xml_file: the signed XML file name.
>>>  *
>>>  * Verifies XML signature in #xml_file.
>>>  *
>>>  * Returns 0 on success or a negative value if an error occurs.
>>>  */
>>> int
>>> verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file)
>>> {
>>>     xmlDocPtr doc = NULL;
>>>     xmlNodePtr node = NULL;
>>>     xmlSecDSigCtxPtr dsigCtx = NULL;
>>>     int res = -1;
>>>
>>>     assert(mngr);
>>>     assert(xml_file);
>>>
>>>     /* load file */
>>>     doc = xmlParseFile(xml_file);
>>>     if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
>>>         fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
>>>         goto done;
>>>     }
>>>
>>>     /* find start node */
>>>     node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
>>>     if(node == NULL) {
>>>         fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
>>>         goto done;
>>>     }
>>>
>>>     /* create signature context */
>>>     dsigCtx = xmlSecDSigCtxCreate(mngr);
>>>     if(dsigCtx == NULL) {
>>>         fprintf(stderr,"Error: failed to create signature context\n");
>>>         goto done;
>>>     }
>>>
>>>     /* limit the Reference URI attributes to empty or NULL */
>>>     dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
>>>
>>>     /* limit allowed transforms for signature and reference processing */
>>>     if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
>>>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
>>>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
>>>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) {
>>>
>>>         fprintf(stderr,"Error: failed to limit allowed signature transforms\n");
>>>         goto done;
>>>     }
>>>     if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
>>>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
>>>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
>>>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) {
>>>
>>>         fprintf(stderr,"Error: failed to limit allowed reference transforms\n");
>>>         goto done;
>>>     }
>>>
>>>     /* in addition, limit possible key data to valid X509 certificates only */
>>>     if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecKeyDataX509Id) < 0) {
>>>         fprintf(stderr,"Error: failed to limit allowed key data\n");
>>>         goto done;
>>>     }
>>>
>>>     /* Verify signature */
>>>     if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>>>         fprintf(stderr,"Error: signature verify\n");
>>>         goto done;
>>>     }
>>>
>>>     /* check that we have only one Reference */
>>>     if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
>>>        (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1)) {
>>>
>>>         fprintf(stderr,"Error: only one reference is allowed\n");
>>>         goto done;
>>>     }
>>>
>>>     /* print verification result to stdout */
>>>     if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>>>         fprintf(stdout, "Signature is OK\n");
>>>     } else {
>>>         fprintf(stdout, "Signature is INVALID\n");
>>>     }
>>>
>>>     /* success */
>>>     res = 0;
>>>
>>> done:
>>>     /* cleanup */
>>>     if(dsigCtx != NULL) {
>>>         xmlSecDSigCtxDestroy(dsigCtx);
>>>     }
>>>
>>>     if(doc != NULL) {
>>>         xmlFreeDoc(doc);
>>>     }
>>>     return(res);
>>> }
>>>
>>> int
>>> init_allxml_lib()
>>> {
>>>     // Init libxml and libxslt libraries
>>>     xmlInitParser();
>>>
>>>     LIBXML_TEST_VERSION
>>>     xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>>     xmlSubstituteEntitiesDefault(1);
>>> #ifndef XMLSEC_NO_XSLT
>>>     xmlIndentTreeOutput = 1;
>>> #endif // XMLSEC_NO_XSLT
>>>
>>>     // Init xmlsec library
>>>     if(xmlSecInit() < 0) {
>>>         fprintf(stderr, "Error: xmlsec initialization failed.\n");
>>>         return(-1);
>>>     }
>>>
>>>     // Check loaded library version
>>>     if(xmlSecCheckVersion() != 1) {
>>>         fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
>>>         return(-1);
>>>     }
>>>
>>>     // Load default crypto engine if we are supporting dynamic
>>>     // loading for xmlsec-crypto libraries. Use the crypto library
>>>     // name ("openssl", "nss", etc.) to load corresponding
>>>     // xmlsec-crypto library.
>>> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>>     if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
>>>         fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
>>>                         "that you have it installed and check shared libraries path\n"
>>>                         "(LD_LIBRARY_PATH) environment variable.\n");
>>>         return(-1);
>>>     }
>>> #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
>>>
>>>     // Init crypto library
>>>     if(xmlSecCryptoAppInit(NULL) < 0) {
>>>         fprintf(stderr, "Error: crypto initialization failed.\n");
>>>         return(-1);
>>>     }
>>>
>>>     // Init xmlsec-crypto library
>>>     if(xmlSecCryptoInit() < 0) {
>>>         fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
>>>         return(-1);
>>>     }
>>>
>>>     return 0;
>>> }
>>>
>>> void
>>> fnit_allxml_lib()
>>> {
>>>     // Shutdown xmlsec-crypto library
>>>     xmlSecCryptoShutdown();
>>>
>>>     // Shutdown crypto library
>>>     xmlSecCryptoAppShutdown();
>>>
>>>     // Shutdown xmlsec library
>>>     xmlSecShutdown();
>>>
>>>     // Shutdown libxslt/libxml
>>> #ifndef XMLSEC_NO_XSLT
>>>     xsltCleanupGlobals();
>>> #endif // XMLSEC_NO_XSLT
>>>
>>>     xmlCleanupParser();
>>> }
>>>
>>> const std::string XML_FILE =
>>>     "/Projects/project.dokfile.vses/hades/trunk/products/doksafe/engine/libs/xmldsig/test/"
>>>     "mt-embedded-id-dtd-attr.xml";
>>>     // "mt.xml";
>>>
>>> // Unit Tests
>>>
>>> void do_0()
>>> {
>>>     xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
>>>     if(mngr == NULL)
>>>     {
>>>         fprintf(stderr, "Error: failed to create keys manager.\n");
>>>         return; // do not continue with a NULL keys manager
>>>     }
>>>
>>>     if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0)
>>>     {
>>>         fprintf(stderr, "Error: failed to initialize keys manager.\n");
>>>         xmlSecKeysMngrDestroy(mngr);
>>>         return; // keys manager was destroyed, nothing left to verify with
>>>     }
>>>
>>>     BOOST_CHECK(init_allxml_lib() == 0);
>>>     BOOST_CHECK(verify_file(mngr, XML_FILE.c_str()) == 0);
>>>
>>>     fnit_allxml_lib();
>>> }
>>>
>>> // -
>>>
>>> int test_main(int, char*[])
>>> {
>>>     do_0();
>>>
>>>     return 0;
>>> }
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected]
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
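What `xmlsec1 --verify --id-attr:Id infNFe file.xml` does with the Id attribute before it verifies anything, as an added example that is not code from this thread or from xmlsec: it models the ID registration that libxml2's xmlAddID() performs, using only the Python standard library on a constructed NF-e-like document (the namespace, element names and Id value are assumed for illustration). It computes no digests and checks no signature; it only shows why a same-document Reference needs the Id registered, and rejects duplicate Ids.

```python
# Added example, not code from the thread: a stdlib model of the step that
# `xmlsec1 --verify --id-attr:Id infNFe file.xml` performs before verifying,
# which in C is one libxml2 xmlAddID() call per infNFe/@Id in the document.
import xml.etree.ElementTree as ET
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample, not a real NF-e: the Reference points at infNFe by Id.
SAMPLE_XML = """<NFe xmlns="http://www.portalfiscal.inf.br/nfe">
  <infNFe Id="NFe00000000000000000000000000000000000000000001">
    <ide><nNF>1</nNF></ide>
  </infNFe>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference URI="#NFe00000000000000000000000000000000000000000001"/>
    </SignedInfo>
    <SignatureValue>constructed</SignatureValue>
  </Signature>
</NFe>"""

def local_name(tag):
    return tag.split("}")[-1]  # "{ns}infNFe" -> "infNFe"

def add_id_attrs(root, attr_name, node_name):
    """Build the ID table the way the CLI flag does: only <node_name> elements
    and only their <attr_name> attribute.  A repeated value is rejected, as
    libxml2 rejects a duplicate ID: an ambiguous "#id" would let a second
    element with the same Id stand in for the one that was actually signed."""
    ids = {}
    for elem in root.iter():
        value = elem.get(attr_name)
        if local_name(elem.tag) != node_name or value is None:
            continue
        if value in ids:
            raise ValueError(f"duplicate ID attribute {value!r}")
        ids[value] = elem
    return ids

def check_document(xml_text, attr_name="Id", node_name="infNFe"):
    """Register IDs, then resolve each ds:Reference/@URI of the form "#id".
    Returns the local name of every target, or None when the ID is unknown,
    the case xmlsec reports as a failed Reference and an INVALID signature."""
    root = ET.fromstring(xml_text)
    ids = add_id_attrs(root, attr_name, node_name)
    targets = []
    for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        elem = ids.get(uri[1:]) if uri.startswith("#") else None
        targets.append(local_name(elem.tag) if elem is not None else None)
    return targets
```

Running check_document(SAMPLE_XML) with the defaults resolves the Reference to infNFe; passing a node_name that carries no Id leaves the "#..." URI unresolved, which is the situation the thread's "Signature is INVALID" output corresponds to when no ID attribute has been registered.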
