Hello Aleksey et al,

Thanks for all your work on XMLSec, and apologies in advance for the long mail.

I'm working on a library in Ruby that uses ruby-ffi to interop with XMLSec. The goal is to implement a sufficient subset of XMLSec functionality to allow it to serve as a valid backend for the ruby-saml library, which currently uses its own home-grown implementation of XML security standards. I believe that will allow ruby-saml to handle XML security considerations more "correctly" as well as provide the opportunity to have ruby-saml support signing, encrypting and decrypting (which it currently does not).

I've got a basic framework up and running with a few passing tests, but now that I'm trying to exercise my code with a sample of real world SAML requests, I'm running into trouble with xmlSecDSigCtxVerify (with OpenSSL for crypto) refusing to verify signatures for which it cannot build a proper CA chain.

As far as I understand it, the de facto trust model for SAML integrations is to check the fingerprint of the signing certificate against a pre-shared fingerprint stored by the consumer when the trust relationship is established. Provided the fingerprint matches that of the signing cert, and provided the XML signature is verified against that cert, everything is assumed to be peachy.

Now, I'm aware that this trust model may be flawed, and I'm also aware that this model goes against the grain of the "web of trust" concept that OpenSSL is built on. My question is whether it's technically feasible to utilize XMLSec to support this model. Essentially I need to be able to verify signatures for which the cert may be self-signed, or for which the CA cert is not immediately available.

My current working strategy is to extract the cert from the XML document in question and load it into the keys manager that will be used for the verification.

Here's the code that successfully passes tests against a self-signed cert I generated:
https://github.com/instructure/xml_security/blob/0e3cbc30da1558ad2ffa541482014727d088a153/lib/xml_security/signature_verifier.rb

Here is the test cert for which this code works:
https://gist.github.com/phinze/745c4b224dde8e0053fb

Now as I attempted to integrate with ruby-saml, I ran into a set of requests in the ruby-saml tests signed with the following key:
https://gist.github.com/phinze/fdce716947bc6128d6e6

Verifying those signatures with the same code yields an error here:

    x509vfy.c:360 (xmlSecOpenSSLX509StoreVerify) - x509-store X509_verify_cert 4 subj={{redacted}};err=20;msg=unable to get local issuer certificate

My understanding is that the x509v3 extensions on the latter cert prevent it from acting as a CA for itself. I've tried sticking XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS on the keyInfoReadCtx flags of the digital signature context, but that only yields a different error:

    keys.c:1370 (xmlSecKeysMngrGetKey) - xmlSecKeysMngrFindKey 1

From reading archives it seems like this flag disables the extraction of the certificate from the XML, which I'm guessing is what's happening in this case.

I'm also running into trouble with certs issued by a valid CA for which I do not have the CA cert in the context where my code is running, since the prior versions of the application relied only on a pre-shared fingerprint.

So, is there a way for me to pull this off? Or do I need to look elsewhere for code that can achieve the behavior I'm looking to model?

Thanks so much for your time,
Paul
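The fingerprint-pinning step of the trust model described in the message above, as an added example that is not part of the original post and is not XMLSec or ruby-saml code. It assumes the pre-shared fingerprint is a SHA-256 digest of the DER certificate and that the caller has already pulled the base64 text out of the document's ds:X509Certificate element; the function names are hypothetical.

```ruby
require 'openssl'

# Assumption: the pinned fingerprint is SHA-256 over the DER certificate,
# stored as hex with or without colons. All names here are hypothetical.
def normalize_fingerprint(fp)
  fp.to_s.gsub(/[^0-9a-fA-F]/, '').downcase
end

# b64_der: text of the ds:X509Certificate element (base64 DER, whitespace allowed).
# Returns the parsed certificate only when it matches the pin, otherwise nil.
# The certificate embedded in the document is untrusted input until this passes.
def pinned_certificate(b64_der, pinned_fp)
  der  = b64_der.to_s.gsub(/\s+/, '').unpack1('m0') # strict base64, raises on junk
  cert = OpenSSL::X509::Certificate.new(der)
  actual = OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
  actual == normalize_fingerprint(pinned_fp) ? cert : nil
rescue OpenSSL::X509::CertificateError, ArgumentError
  nil # malformed base64 or not a certificate: fail closed
end

# Constructed sample input: a throwaway self-signed certificate, returned as
# line-wrapped base64 the way it would appear inside KeyInfo.
def constructed_sample_cert_b64(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_der].pack('m')
end

if __FILE__ == $PROGRAM_NAME
  embedded = constructed_sample_cert_b64('idp.example.test')
  pin = OpenSSL::Digest::SHA256.hexdigest(embedded.unpack1('m'))
  trusted = pinned_certificate(embedded, pin)
  puts trusted ? "pin matched: #{trusted.subject}" : 'pin mismatch, reject'
  forged = constructed_sample_cert_b64('idp.example.test') # same name, other key
  puts pinned_certificate(forged, pin) ? 'pin matched' : 'pin mismatch, reject'
end
```

Only the certificate returned by this check would then be loaded into the keys manager used for signature verification; a nil result means the document is rejected before any signature processing.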
