Wonderful, thanks Aleksey. This looks promising. I'll dig into this and see if I can make it work.
Paul

On Thu, Feb 14, 2013 at 6:57 PM, Aleksey Sanin <[email protected]> wrote:

> Take a look at this function. I think it might help with some of the
> issues you are having:
>
> https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_verify_callback.html
>
> On the xmlsec-openssl side, you need to understand the
> xmlSecOpenSSLX509FindCert() function. In particular, I believe you
> need to make sure that ski search (last if block) works with your certs.
>
> Does it make sense?
>
> Aleksey
>
> On 2/14/13 4:41 PM, Paul Hinze wrote:
> > Hello Aleksey et al,
> >
> > Thanks for all your work on XMLSec, and apologies in advance for the
> > long mail.
> >
> > I'm working on a library in Ruby that uses ruby-ffi to interop with XMLSec.
> >
> > The goal is to implement a sufficient subset of XMLSec functionality to
> > allow it to serve as a valid backend for the ruby-saml library, which
> > currently uses its own home-grown implementation of XML security
> > standards. I believe that will allow ruby-saml to handle XML security
> > considerations more "correctly" as well as provide the opportunity to
> > have ruby-saml support signing, encrypting and decrypting (which it
> > currently does not).
> >
> > I've got a basic framework up and running with a few passing tests, but
> > now that I'm trying to exercise my code with a sample of real world SAML
> > requests, I'm running into trouble with xmlSecDSigCtxVerify (with
> > OpenSSL for crypto) refusing to verify signatures for which it cannot
> > build a proper CA chain.
> >
> > As far as I understand it, the de facto trust model for SAML
> > integrations is to check the fingerprint of the signing certificate
> > against a pre-shared fingerprint stored by the consumer when the trust
> > relationship is established. Provided the fingerprint matches that of
> > the signing cert, and provided the XML signature is verified against
> > that cert, everything is assumed to be peachy.
> >
> > Now, I'm aware that this trust model may be flawed, and I'm also aware
> > that this model goes against the grain of the "web of trust" concept
> > that OpenSSL is built on.
> >
> > My question is whether it's technically feasible to utilize XMLSec to
> > support this model. Essentially I need to be able to verify signatures
> > for which the cert may be self-signed, or for which the CA cert is not
> > immediately available.
> >
> > My current working strategy is to extract the cert from the XML document
> > in question and load it into the keys manager that will be used for the
> > verification.
> >
> > Here's the code that successfully passes tests against a self-signed
> > cert I generated:
> >
> > https://github.com/instructure/xml_security/blob/0e3cbc30da1558ad2ffa541482014727d088a153/lib/xml_security/signature_verifier.rb
> >
> > Here is the test cert for which this code works:
> >
> > https://gist.github.com/phinze/745c4b224dde8e0053fb
> >
> > Now as I attempted to integrate with ruby-saml, I ran into a set of
> > requests in the ruby-saml tests signed with the following key:
> >
> > https://gist.github.com/phinze/fdce716947bc6128d6e6
> >
> > Verifying those signatures with the same code yields an error here:
> >
> > x509vfy.c:360 (xmlSecOpenSSLX509StoreVerify) - x509-store
> > X509_verify_cert 4 subj={{redacted}};err=20;msg=unable to get local
> > issuer certificate
> >
> > My understanding is that the x509v3 extensions on the latter cert
> > prevent it from acting as a CA for itself.
> >
> > I've tried sticking XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS on
> > the keyInfoReadCtx flags of the digital signature context, but that only
> > yields a different error:
> >
> > keys.c:1370 (xmlSecKeysMngrGetKey) - xmlSecKeysMngrFindKey 1
> >
> > From reading archives it seems like this flag disables the extraction of
> > the certificate from the XML, which I'm guessing is what's happening in
> > this case.
> >
> > I'm also running into trouble with certs issued by a valid CA for which
> > I do not have the CA cert in the context where my code is running, since
> > the prior versions of the application relied only on a pre-shared
> > fingerprint.
> >
> > So, is there a way for me to pull this off? Or do I need to look
> > elsewhere for code that can achieve the behavior I'm looking to model?
> >
> > Thanks so much for your time,
> >
> > Paul
> >
> > _______________________________________________
> > xmlsec mailing list
> > [email protected]
> > http://www.aleksey.com/mailman/listinfo/xmlsec
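The pre-shared fingerprint check described in the original question, sketched in Ruby as an added example (it is not code from this thread, from xml_security or from xmlsec): the certificate embedded in the document is accepted as a verification key only if its fingerprint equals the stored pin. The function names, `PinMismatch`, and choosing the digest from the pin's length are assumptions of this example; the XML signature itself must still be verified against the returned certificate.

```ruby
require "openssl"

# Assumption: pins are hex SHA-1 or SHA-256 digests of the DER certificate,
# with or without ":" separators; the digest is chosen from the pin's length.
DIGEST_BY_HEX_LENGTH = { 40 => "SHA1", 64 => "SHA256" }.freeze

class PinMismatch < StandardError; end

def normalize_fingerprint(fingerprint)
  fingerprint.to_s.gsub(/[^0-9A-Fa-f]/, "").downcase
end

# x509_b64 is the text content of a ds:X509Certificate element.
# Returns the certificate only when it matches the pin and raises otherwise,
# so a certificate that was not pinned is never loaded as a verification key.
def pinned_certificate(x509_b64, pinned_fingerprint)
  pin = normalize_fingerprint(pinned_fingerprint)
  algorithm = DIGEST_BY_HEX_LENGTH.fetch(pin.length) do
    raise ArgumentError, "unsupported fingerprint length #{pin.length}"
  end
  begin
    cert = OpenSSL::X509::Certificate.new(x509_b64.unpack1("m")) # lenient Base64
  rescue OpenSSL::X509::CertificateError => e
    raise PinMismatch, "embedded certificate cannot be parsed: #{e.message}"
  end
  actual = OpenSSL::Digest.new(algorithm).hexdigest(cert.to_der)
  raise PinMismatch, "certificate fingerprint #{actual} is not the pinned one" unless actual == pin
  cert
end

# Constructed sample input: a throwaway self-signed certificate.
def constructed_self_signed_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

if __FILE__ == $PROGRAM_NAME
  idp = constructed_self_signed_cert("idp.example.test")
  pin = OpenSSL::Digest.new("SHA1").hexdigest(idp.to_der).scan(/../).join(":")
  puts pinned_certificate([idp.to_der].pack("m"), pin).subject
end
```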
