Hm... Something is really wrong. What does your signed document look like? Does it have the public key in it, by any chance?
Aleksey

On 5/21/13 9:10 PM, Francisco Obispo wrote:
> Mhm,
>
> It doesn't break there either:
>
> $ gdb verify
> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared
> libraries ........... done
>
> (gdb) break xmlSecOpenSSLX509StoreVerify
> Breakpoint 1 at 0x3126e978d442cb
> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml
> Perl/ISC-XML-Signature/t/files/xca/TestCA.crt
> Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify
> Perl/ISC-XML-Signature/t/files/sample-signed.xml
> Perl/ISC-XML-Signature/t/files/xca/TestCA.crt
> Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
> Reading symbols for shared libraries ++++++++++.............................. done
> VALIDATING!!!!!
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>
> Program exited normally.
> (gdb)
>
>
> On May 21, 2013, at 9:09 PM, Aleksey Sanin <[email protected]> wrote:
>
>> It should do the check. I am surprised it doesn't.
>>
>> Can you break into the xmlSecOpenSSLX509StoreVerify() function? There is
>> a piece of code that checks against the in-document CRL and then the store CRL.
>> Curious to find out why it doesn't do the expected thing.
>>
>>
>> Aleksey
>>
>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>> Tried it,
>>>
>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>
>>> So, besides adding the CRL to the key store, is there anything else I need
>>> to call to verify the cert?
>>>
>>> Would xmlSecDSigCtxVerify() do the check? Or do I need to call another
>>> function separately?
>>>
>>> thanks
>>>
>>>
>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <[email protected]> wrote:
>>>
>>>> Well, the code clearly uses the CRLs (it's the same function that
>>>> processes CRLs in the signature). If you have a debug version, put
>>>> a breakpoint in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>> to see if it is called and what's happening inside it.
>>>
>>> Francisco Obispo
>>> Director of Applications and Services - ISC
>>> email: [email protected]
>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>> PGP KeyID = B38DB1BE
>>>
>
> Francisco Obispo
> Director of Applications and Services - ISC
> email: [email protected]
> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
> PGP KeyID = B38DB1BE
>
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
