Well, you have the public key in the signature. No surprise it doesn't even hit certificate validation (why bother???).

Funny, I just wrote another reply about the same topic: enabledKeyData in xmlSecKeyInfoCtx (see examples in xmlsec command line tool code).

Aleksey

On 5/21/13 9:15 PM, Francisco Obispo wrote:
> This is the one that I'm currently using..
>
> I also have the same file signed with a revoked cert for testing purposes.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> XML Security Library example: Simple signature template file for sign1
> example.
> -->
> <demo id="test">
>   <Data>
>     Hello, World!
>   </Data>
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <Reference URI="">
>         <Transforms>
>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         </Transforms>
>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <DigestValue>LdhuGRwbntos7k+Bi5zGpZg8alY=</DigestValue>
>       </Reference>
>     </SignedInfo>
>     <SignatureValue>1NGlGwove0a1cyGySo8AUkQqXCGCyyKJIA6+JjVGQtgFZJ//DbLf+da5w32KBlRg
> YAh+vMOH3455nZudj4exL14pVtFXlvLPTSsRRYSKf9E3KH2B5CI21vCgto8e85t+
> 47bQyoodvqPKyq21o94qwAvSKPkyibUYdqmSvU/s8Cg=</SignatureValue>
>     <KeyInfo>
>       <KeyValue>
>         <RSAKeyValue>
>           <Modulus>
> 5ql5wGtT/5uxGcjeUxbCoA9VVFYer4BF7IbPcQg4BNbu9e3iXiNe+nKCXXEg+vAp
> e6zjIc6ZwgVMVXBms+gCMdsKkOl4MmmPyWgew0JLbURq19qEFFfvWu4VpigcGYMM
> /9BCp8wSNxck4bRqNTpt0CB+fPxdkEqjHi2/YSWynuk=
>           </Modulus>
>           <Exponent>
> AQAB
>           </Exponent>
>         </RSAKeyValue>
>       </KeyValue>
>       <X509Data>
>         <X509Certificate>
> MIIC1TCCAb2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADAAMB4XDTEzMDUyMTAyNDUw
> MFoXDTE0MDUyMTAyNDUwMFowgYoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEV
> MBMGA1UEBxMMUmVkd29vZCBDaXR5MQwwCgYDVQQKEwNJU0MxETAPBgNVBAsTCFNl
> cnZpY2VzMRUwEwYDVQQDEwxpc2Mtc2VydmljZXMxHzAdBgkqhkiG9w0BCQEWEHNl
> cnZpY2VzQGlzYy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOapecBr
> U/+bsRnI3lMWwqAPVVRWHq+AReyGz3EIOATW7vXt4l4jXvpygl1xIPrwKXus4yHO
> mcIFTFVwZrPoAjHbCpDpeDJpj8loHsNCS21EatfahBRX71ruFaYoHBmDDP/QQqfM
> EjcXJOG0ajU6bdAgfnz8XZBKox4tv2Elsp7pAgMBAAGjUzBRMA8GA1UdEwEB/wQF
> MAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhC
> AQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBCwUAA4IBAQDUJPIsQSmN
> 3bEBvSfQUSoo0wswVzSBjdAzFw03br06V22GZqYn9lyItvZYLBu6k1C/aOUALod5
> eaXmtxkJ4lKzgsV6o1OryQmlXYQImVR1mYHoGjtg+m/0vJn44xaw2+krfjjz4/3m
> g9XgS7ylnijhCWIipYOHbr2hcS1Bk5UgLXL/Dca/9q/qy43aVaj7B5TQt+m6jI5K
> BckFk4tGz3nQHnvTqURMG/yMBvGZjEL5eTZCd8CmtlHsdTfN6dxPJC0FJ/Ua7v+x
> wuB8dfRggEImIjZpT1qoH6J6FLvFamc8Fv0888H7vcjTKAYka1QTe2svFa246svN
> 8cwhfzbaztws
>         </X509Certificate>
>       </X509Data>
>     </KeyInfo>
>   </Signature>
> </demo>
>
> On May 21, 2013, at 9:12 PM, Aleksey Sanin <[email protected]> wrote:
>
>> Hm... Something is really wrong. What does your signed document look like?
>> Does it have the public key in it by a chance?
>>
>> Aleksey
>>
>> On 5/21/13 9:10 PM, Francisco Obispo wrote:
>>> Mhm,
>>>
>>> It doesn't break there either:
>>>
>>> $ gdb verify
>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
>>> Copyright 2004 Free Software Foundation, Inc.
>>> GDB is free software, covered by the GNU General Public License, and you are
>>> welcome to change it and/or distribute copies of it under certain conditions.
>>> Type "show copying" to see the conditions.
>>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done
>>>
>>> (gdb) break xmlSecOpenSSLX509StoreVerify
>>> Breakpoint 1 at 0x3126e978d442cb
>>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>> Reading symbols for shared libraries ++++++++++.............................. done
>>> VALIDATING!!!!!
>>> = KEY INFO READ CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: rsa
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0x00000002
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>>
>>> Program exited normally.
>>> (gdb)
>>>
>>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <[email protected]> wrote:
>>>
>>>> It should do the check. I am surprised it doesn't.
>>>>
>>>> Can you break into the xmlSecOpenSSLX509StoreVerify() function? There is
>>>> a piece of code that checks against the in-document CRL and then the store CRL.
>>>> Curious to find out why it doesn't do the expected thing.
>>>>
>>>> Aleksey
>>>>
>>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>>> Tried it,
>>>>>
>>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>>
>>>>> So, besides adding the CRL to the key store, is there anything else I
>>>>> need to call to verify the cert?
>>>>>
>>>>> Would xmlSecDSigCtxVerify() do the check? Or do I need to call another
>>>>> function separately?
>>>>>
>>>>> thanks
>>>>>
>>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <[email protected]> wrote:
>>>>>
>>>>>> Well, the code clearly uses the CRLs (it's the same function that
>>>>>> processes CRLs in the signature). If you have a debug version, put
>>>>>> a break point in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>>> to see if it is called and what's happening inside it.
>>>>>
>>>>> Francisco Obispo
>>>>> Director of Applications and Services - ISC
>>>>> email: [email protected]
>>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>>> PGP KeyID = B38DB1BE
>>>>>
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
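The document quoted in this thread carries its RSA key twice, as a bare KeyValue and inside the X509Certificate, and xmlsec took it from the KeyValue without ever reaching certificate validation. As an added example that is not part of the thread or of xmlsec, the Python below (standard library only) decodes both forms from that document and checks that they agree, the kind of audit a verifier can run before it trusts a bare key; it does not replace the fix Aleksey points to, restricting enabledKeyData in xmlSecKeyInfoCtx so the key comes from the certificate and is checked against the CA and CRL.

```python
import base64
# KeyInfo values copied from the signed document quoted in the thread above.
KEYVALUE_MODULUS_B64 = (
    "5ql5wGtT/5uxGcjeUxbCoA9VVFYer4BF7IbPcQg4BNbu9e3iXiNe+nKCXXEg+vApe6zjIc6ZwgVMVXBms+gCMdsKkOl4MmmPyWgew0JLbURq19qEFFfvWu4VpigcGYMM"
    "/9BCp8wSNxck4bRqNTpt0CB+fPxdkEqjHi2/YSWynuk=")
KEYVALUE_EXPONENT_B64 = "AQAB"
X509_CERT_B64 = (
    "MIIC1TCCAb2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADAAMB4XDTEzMDUyMTAyNDUwMFoXDTE0MDUyMTAyNDUwMFowgYoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEV"
    "MBMGA1UEBxMMUmVkd29vZCBDaXR5MQwwCgYDVQQKEwNJU0MxETAPBgNVBAsTCFNlcnZpY2VzMRUwEwYDVQQDEwxpc2Mtc2VydmljZXMxHzAdBgkqhkiG9w0BCQEWEHNl"
    "cnZpY2VzQGlzYy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOapecBrU/+bsRnI3lMWwqAPVVRWHq+AReyGz3EIOATW7vXt4l4jXvpygl1xIPrwKXus4yHO"
    "mcIFTFVwZrPoAjHbCpDpeDJpj8loHsNCS21EatfahBRX71ruFaYoHBmDDP/QQqfMEjcXJOG0ajU6bdAgfnz8XZBKox4tv2Elsp7pAgMBAAGjUzBRMA8GA1UdEwEB/wQF"
    "MAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBCwUAA4IBAQDUJPIsQSmN"
    "3bEBvSfQUSoo0wswVzSBjdAzFw03br06V22GZqYn9lyItvZYLBu6k1C/aOUALod5eaXmtxkJ4lKzgsV6o1OryQmlXYQImVR1mYHoGjtg+m/0vJn44xaw2+krfjjz4/3m"
    "g9XgS7ylnijhCWIipYOHbr2hcS1Bk5UgLXL/Dca/9q/qy43aVaj7B5TQt+m6jI5KBckFk4tGz3nQHnvTqURMG/yMBvGZjEL5eTZCd8CmtlHsdTfN6dxPJC0FJ/Ua7v+x"
    "wuB8dfRggEImIjZpT1qoH6J6FLvFamc8Fv0888H7vcjTKAYka1QTe2svFa246svN8cwhfzbaztws")

def _tlv(der, pos):
    # Minimal DER reader: returns (tag, value_start, value_end) of the element at pos.
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_rsa_public_key(der):
    # Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey; return (n, e).
    _, p, _ = _tlv(der, 0)              # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                     # optional [0] EXPLICIT version
        p = end
    for _ in range(5):                  # serialNumber, signature, issuer, validity, subject
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)              # subjectPublicKeyInfo SEQUENCE
    _, _, p = _tlv(der, p)              # AlgorithmIdentifier, skipped
    _, p, _ = _tlv(der, p)              # subjectPublicKey BIT STRING
    _, p, _ = _tlv(der, p + 1)          # RSAPublicKey SEQUENCE, after the unused-bits byte
    _, s, e = _tlv(der, p)              # modulus INTEGER
    _, s2, e2 = _tlv(der, e)            # publicExponent INTEGER
    return int.from_bytes(der[s:e], "big"), int.from_bytes(der[s2:e2], "big")

def keyvalue_rsa_public_key():
    b64 = base64.b64decode
    return int.from_bytes(b64(KEYVALUE_MODULUS_B64), "big"), int.from_bytes(b64(KEYVALUE_EXPONENT_B64), "big")

def keyvalue_matches_certificate():
    # Same key in both places; a mismatch would mean the bare KeyValue is not the certified key.
    return keyvalue_rsa_public_key() == cert_rsa_public_key(base64.b64decode(X509_CERT_B64))
```

A match only shows that the two key forms agree; in the thread the matching certificate was revoked, so trust still has to come from validating the certificate, not from the KeyValue.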
