Mhm, it doesn't break there either:

$ gdb verify
GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done

(gdb) break xmlSecOpenSSLX509StoreVerify
Breakpoint 1 at 0x3126e978d442cb
(gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
Reading symbols for shared libraries ++++++++++.............................. done
VALIDATING!!!!!
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK

Program exited normally.
(gdb)

On May 21, 2013, at 9:09 PM, Aleksey Sanin <[email protected]> wrote:

> It should do the check. I am surprised it doesn't.
>
> Can you break into xmlSecOpenSSLX509StoreVerify() function. There is
> a piece of code that checks against in-document crl and then store crl.
> Curious to find out why it doesn't do the expected thing.
>
>
> Aleksey
>
> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>> Tried it,
>>
>> It never gets called, so I'm wondering if I'm missing something. :-(
>>
>> So, besides adding the CRL to the key store, is there anything else I need
>> to call to verify the cert?
>>
>> Would xmlSecDSigCtxVerify() do the check? or do I need to call another
>> function separately?
>>
>> thanks
>>
>>
>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <[email protected]> wrote:
>>
>>> Well, the code clearly uses the crls (it's the same function that
>>> process crls in the signature). If you have debug version, put
>>> a break point in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>> to see if it is called and what's happening inside it.
>>
>> Francisco Obispo
>> Director of Applications and Services - ISC
>> email: [email protected]
>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>> PGP KeyID = B38DB1BE
>>

Francisco Obispo
Director of Applications and Services - ISC
email: [email protected]
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
