Take a look at this function. I think it might help with some of the issues you are having:
https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_verify_callback.html On the xmlsec-openssl side, you need to understand the xmlSecOpenSSLX509FindCert() function. In particular, I believe you need to make sure that ski search (last if block) works with you certs. Does it make sense? Aleksey On 2/14/13 4:41 PM, Paul Hinze wrote: > Hello Aleksey et al, > > Thanks for all your work on XMLSec, and apologies in advance for the > long mail. > > I'm working on a library in Ruby that uses ruby-ffi to interop with XMLSec. > > The goal is to implement a sufficient subset of XMLSec functionality to > allow it to serve as a valid backend for the ruby-saml library, which > currently uses its own home-grown implementation of XML security > standards. I believe that will allow ruby-saml to handle XML security > considerations more "correctly" as well as provide the opportunity to > have ruby-saml support signing, encrypting and decrypting (which it > currently does not). > > I've got a basic framework up and running with a few passing tests, but > now that I'm trying to exercise my code with a sample of real world SAML > requests, I'm running into trouble with xmlSecDSigCtxVerify (with > OpenSSL for crypto) refusing to verify signatures for which it cannot > build a proper CA chain. > > As far as I understand it, the de facto trust model for SAML > integrations is to check the fingerprint of the signing certificate > against a pre-shared fingerprint stored by the consumer when the trust > relationship is established. Provided the fingerprint matches that of > the signing cert, and provided the XML signature is verified against > that cert, everything is assumed to be peachy. > > Now, I'm aware that this trust model may be flawed, and I'm also aware > that this model goes against the grain of the "web of trust" concept > that OpenSSL is built on. > > My question is whether it's technically feasible to utilize XMLSec to > support this model. Essentially I need to be able to verify signatures > for which the cert may be self-signed, or for which the CA cert is not > immediately available. > > My current working strategy is to extract the cert from the XML document > in question and load it into the keys manager that will be used for the > verification. > > Here's the code that successfully passes tests against a self-signed > cert I generated: > > https://github.com/instructure/xml_security/blob/0e3cbc30da1558ad2ffa541482014727d088a153/lib/xml_security/signature_verifier.rb > > Here is the test cert for which this code works: > > https://gist.github.com/phinze/745c4b224dde8e0053fb > > Now as I attempted to integrate with ruby-saml, I ran into a set of > requests in the ruby-saml tests signed with the following key: > > https://gist.github.com/phinze/fdce716947bc6128d6e6 > > Verifying those signatures with the same code yields an error here: > > x509vfy.c:360 (xmlSecOpenSSLX509StoreVerify) - x509-store > X509_verify_cert 4 subj={{redacted}};err=20;msg=unable to get local > issuer certificate > > My understanding is that the x509v3 extensions on the latter cert > prevent it from acting as a CA for itself. > > I've tried sticking XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS on > the keyInfoReadCtx flags of the digital signature context, but that only > yields a different error: > > keys.c:1370 (xmlSecKeysMngrGetKey) - xmlSecKeysMngrFindKey 1 > > From reading archives it seems like this flag disables the extraction of > the certificate from the XML, which I'm guessing is what's happening in > this case. > > I'm also running into trouble with certs issued by a valid CA for which > I do not have the CA cert in the context where my code is running, since > the prior versions of the application relied only on a pre-shared > fingerprint. > > So, is there a way for me to pull this off? Or do I need to look > elsewhere for code that can achieve the behavior I'm looking to model? > > Thanks so much for your time, > > Paul > > > > _______________________________________________ > xmlsec mailing list > [email protected] > http://www.aleksey.com/mailman/listinfo/xmlsec > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
