Cert validation errors (was RE: [xmlsec] 0.0.8a build error on Win32)

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Wed Aug 28 17:53:13 PDT 2002 

Aleksey:
  There is only one key and it's only certified by one CA, a self-signed
root CA. So, w/o the PEM file, it must fail. I'm attaching a test
document to this e-mail. Try:
  xmlsec verify --print-all test_allkey_99.xml
It says everything is cool (except the cert validation error) -- but it
can't really be OK since there's no way to verify the cert w/o a trusted
root specification.
  xmlsec verify --print-all --trusted new_export.pem test_allkey_99.xml 
The above works completely because the root of the cert can be
validated. The issue appears to be that there must be at least one key
whose certification passes *and* one of those certifiable keys must be
used to validate the signed hash. Anything less is a security problem
because anyone can resign the document with any key they choose based on
a self-signed root and that root will be trusted -- the validation will
succeed and there's no real way to tell it didn't. As you point out, I
can't merely look for a cert validation error -- since the cert that
fails may not be needed to validate the signature. Somehow xmlsec *has*
to ensure that any key it reports success on must have been validated by
a trusted cert chain.
Thanks!
  Ferrell

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Wednesday, August 28, 2002 7:59 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: xmlsec at aleksey.com
Subject: Re: [xmlsec] 0.0.8a build error on Win32


Not necessary. Suppose your are signing a message with a key and
provide more than one certificate for this key (for example, signed by
root CAs A and B). It is possible that one of your recipients trusts
the root CA A but not B and another trusts root CA B and not A.
Then in this case *both* recipients will be able to successfully
validate
the message and both of them will have the same error.
I believe that in your case the message verification succeeds because
XML Sec library was able to find correct keys for the message in some
other place (another cert, keys manager, etc.). From my point of view,
this is a correct behavior and the verification *must* succeed (see
scenario above).


Aleksey



Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  One other question .. when xmlSecDSigValidate() returns I'm getting a
>return code of zero, and pResult->result is equal to
>xmlSecTransformStatusOk. According to the doc, that means it worked.
>However, down in the guts of x509 verification, the following error is
>being generated: "error 31: cert verification failed : ".
Unfortunately,
>while that does result in a callback to the default error handler, it
>doesn't result in any final error status from the verification routine.
>So, unless I monitor the error handler, I don't know that the error
>occurred. In this case, because the uncertified public key is really OK
>and the hash is OK and the data is OK, the verify returns OK -- but it
>really isn't OK because I forgot to supply the PEM data needed to
>authenticate the certificate. Shouldn't this have resulted in a
failure?
>Verification with an invalid cert really isn't validation of the
>signature, IMO. 
>Thanks!
>  Ferrell
>
>-----Original Message-----
>From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
>Sent: Wednesday, August 28, 2002 7:36 PM
>To: Moultrie, Ferrell (ISSAtlanta)
>Cc: xmlsec at aleksey.com
>Subject: Re: [xmlsec] 0.0.8a build error on Win32
>
>
>Ferrell,
>
>Thanks for reporting the problem! I am really sucks :(  and I am doing
>new
>build right now. For 0.0.8 release I've tried to use a new box for
doing
>builds but looks like it was really WRONG idea. I did 0.0.9 release on
>the
>old box and now smoke testing it.  Should be done in 15-30 minutes.
>
>Sorry for the inconvinience,
>Aleksey
>
>Moultrie, Ferrell (ISSAtlanta) wrote:
>
>  
>
>>When I try to build 0.0.8a, I get an error:
>>D:\xmlsec-0.0.8\src\enveloped.c(24) : fatal error C1083: Cannot open
>>include file: 'xmlsec/xpath.h': No such file or directory
>>
>>I don't see an xmlsec/xpath.h in the xmlsec distribution (there is one
>>in libxml2 -- but this specifically asks for xmlsec/xpath.h). 
>>
>>If I simply comment out the line:
>>//#include <xmlsec/xpath.h>
>>.. then everything builds OK.
>>
>>Am I missing something? This same error persists in the 020828 daily
>>build also.
>>Thanks!
>> Ferrell
>>
>>=====================================
>>Ferrell Moultrie (ferrell at iss.net)
>>Software Engineer
>>
>>Internet Security Systems, Inc.
>>6303 Barfield Road
>>Atlanta, Georgia 30328
>>Phone:  404-236-2600
>>Direct: 404-236-2849
>>Fax:    404-236-2632
>>http://www.iss.net
>>
>>Internet Security Systems -- The Power to Protect
>>=====================================
>>_______________________________________________
>>xmlsec mailing list
>>xmlsec at aleksey.com
>>http://www.aleksey.com/mailman/listinfo/xmlsec
>> 
>>
>>    
>>
>
>_______________________________________________
>xmlsec mailing list
>xmlsec at aleksey.com
>http://www.aleksey.com/mailman/listinfo/xmlsec
>  
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_allkey_99.xml
Type: text/xml
Size: 4070 bytes
Desc: test_allkey_99.xml
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20020828/2b3dbeef/test_allkey_99.xml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: new_export.pem
Type: application/octet-stream
Size: 2434 bytes
Desc: new_export.pem
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20020828/2b3dbeef/new_export.obj

More information about the xmlsec mailing list