So basically, if I want to check the X509 certificate in the XML against the CRL, I'm going to have to decode the <X509Certificate> node and compare it with OpenSSL directly?
I have a requirement to check the cert against the CRL. Any suggestions?

On May 21, 2013, at 9:36 PM, Aleksey Sanin <[email protected]> wrote:

> Again, certificates are not used. See my other email.
>
> Aleksey
>
> On 5/21/13 9:35 PM, Francisco Obispo wrote:
>> Tried with another XML file, and same result :-(
>>
>> On May 21, 2013, at 9:10 PM, Francisco Obispo <[email protected]> wrote:
>>
>>> Mhm,
>>>
>>> It doesn't break there either:
>>>
>>> $ gdb verify
>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
>>> Copyright 2004 Free Software Foundation, Inc.
>>> GDB is free software, covered by the GNU General Public License, and you are
>>> welcome to change it and/or distribute copies of it under certain
>>> conditions.
>>> Type "show copying" to see the conditions.
>>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for
>>> shared libraries ........... done
>>>
>>> (gdb) break xmlSecOpenSSLX509StoreVerify
>>> Breakpoint 1 at 0x3126e978d442cb
>>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>> Reading symbols for shared libraries ++++++++++.............................. done
>>> VALIDATING!!!!!
>>> = KEY INFO READ CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: rsa
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0x00000002
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>>
>>> Program exited normally.
>>> (gdb)
>>>
>>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <[email protected]> wrote:
>>>
>>>> It should do the check. I am surprised it doesn't.
>>>>
>>>> Can you break into the xmlSecOpenSSLX509StoreVerify() function? There is
>>>> a piece of code that checks against the in-document crl and then the store crl.
>>>> Curious to find out why it doesn't do the expected thing.
>>>>
>>>> Aleksey
>>>>
>>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>>> Tried it,
>>>>>
>>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>>
>>>>> So, besides adding the CRL to the key store, is there anything else I
>>>>> need to call to verify the cert?
>>>>>
>>>>> Would xmlSecDSigCtxVerify() do the check? Or do I need to call another
>>>>> function separately?
>>>>>
>>>>> thanks
>>>>>
>>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <[email protected]> wrote:
>>>>>
>>>>>> Well, the code clearly uses the crls (it's the same function that
>>>>>> processes crls in the signature). If you have a debug version, put
>>>>>> a break point in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>>> to see if it is called and what's happening inside it.
>>>>>
>>>>> Francisco Obispo
>>>>> Director of Applications and Services - ISC
>>>>> email: [email protected]
>>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>>> PGP KeyID = B38DB1BE
>>>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected]
>>> http://www.aleksey.com/mailman/listinfo/xmlsec

Francisco Obispo
Director of Applications and Services - ISC
email: [email protected]
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
