You're the best!

func=xmlSecOpenSSLX509VerifyCertAgainstCrls:file=x509vfy.c:line=987:obj=unknown:subj=unknown:error=73:certificate is revoked:
func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature verify
File: Perl/ISC-XML-Signature/t/files/sample-signed-bad.xml does not validate

Got it nicely working now. Owe you a beer!

On May 21, 2013, at 9:53 PM, Aleksey Sanin <[email protected]> wrote:

> No! Just disable the use of "raw" public keys with enabledKeyData. Or
> to be precise, enable only X509 certs. This will ensure that xmlsec
> actually verifies the cert and extracts the public key from it.
>
> Aleksey
>
> On 5/21/13 9:49 PM, Francisco Obispo wrote:
>> So basically, if I want to check the X509 certificate in the XML against the
>> CRL, I'm going to have to decode the <X509Certificate> node and compare it
>> with OpenSSL directly?
>>
>> I have a requirement to check the cert against the CRL.
>>
>> Any suggestions?
>>
>>
>> On May 21, 2013, at 9:36 PM, Aleksey Sanin <[email protected]> wrote:
>>
>>> Again, certificates are not used. See my other email.
>>>
>>> Aleksey
>>>
>>> On 5/21/13 9:35 PM, Francisco Obispo wrote:
>>>> Tried with another XML file, and same result :-(
>>>>
>>>>
>>>> On May 21, 2013, at 9:10 PM, Francisco Obispo <[email protected]> wrote:
>>>>
>>>>> Mhm,
>>>>>
>>>>> It doesn't break there either:
>>>>>
>>>>> $ gdb verify
>>>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
>>>>> Copyright 2004 Free Software Foundation, Inc.
>>>>> GDB is free software, covered by the GNU General Public License, and you are
>>>>> welcome to change it and/or distribute copies of it under certain conditions.
>>>>> Type "show copying" to see the conditions.
>>>>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>>>>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done
>>>>>
>>>>> (gdb) break xmlSecOpenSSLX509StoreVerify
>>>>> Breakpoint 1 at 0x3126e978d442cb
>>>>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>>>> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>>>> Reading symbols for shared libraries ++++++++++.............................. done
>>>>> VALIDATING!!!!!
>>>>> = KEY INFO READ CONTEXT
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled key data: all
>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>> == TRANSFORMS CTX (status=0)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> == EncryptedKey level (cur/max): 0/1
>>>>> === KeyReq:
>>>>> ==== keyId: rsa
>>>>> ==== keyType: 0x00000001
>>>>> ==== keyUsage: 0x00000002
>>>>> ==== keyBitsSize: 0
>>>>> === list size: 0
>>>>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>>>>
>>>>> Program exited normally.
>>>>> (gdb)
>>>>>
>>>>>
>>>>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <[email protected]> wrote:
>>>>>
>>>>>> It should do the check. I am surprised it doesn't.
>>>>>>
>>>>>> Can you break into the xmlSecOpenSSLX509StoreVerify() function? There is
>>>>>> a piece of code that checks against the in-document CRL and then the store CRL.
>>>>>> Curious to find out why it doesn't do the expected thing.
>>>>>>
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>>>>> Tried it,
>>>>>>>
>>>>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>>>>
>>>>>>> So, besides adding the CRL to the key store, is there anything else I
>>>>>>> need to call to verify the cert?
>>>>>>>
>>>>>>> Would xmlSecDSigCtxVerify() do the check? Or do I need to call another
>>>>>>> function separately?
>>>>>>>
>>>>>>> thanks
>>>>>>>
>>>>>>>
>>>>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <[email protected]> wrote:
>>>>>>>
>>>>>>>> Well, the code clearly uses the CRLs (it's the same function that
>>>>>>>> processes CRLs in the signature). If you have a debug version, put
>>>>>>>> a breakpoint in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>>>>> to see if it is called and what's happening inside it.
>>>>>>>
>>>>>>> Francisco Obispo
>>>>>>> Director of Applications and Services - ISC
>>>>>>> email: [email protected]
>>>>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>>>>> PGP KeyID = B38DB1BE
>>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> [email protected]
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
