[xmlsec] External DTD support

Aleksey Sanin aleksey@aleksey.com
Wed, 22 Jan 2003 11:50:51 -0800



Hi, Rich!

Thanks for the patch!  I applied and committed the xmlsec utility part
with a small fix (you forgot to free DTD at the end :) ).
The changes in x509.c are not required. The self signed "trusted"
certificate should work. For example, I used the following commands
to create and verify a signature with a self signed cert (see attached 
file):

    > xmlsec sign --privkey:test-key ca.key,ca.crt --output test.xml test.tmpl
    > xmlsec verify --trusted ca.crt --verification-time "2002-04-01 00:00:01" test.xml
        = Status:
        == Signatures ok: 1
        == Signatures fail: 0
        == SignedInfo Ref ok: 1
        == SignedInfo Ref fail: 0
        == Manifest Ref ok: 0
        == Manifest Ref fail: 0
        OK
    > openssl x509 -in ca.crt -text
        ....
        Issuer: C=US, ST=California, L=Sunnyvale, O=http://www.aleksey.com/xmlsec,
                CN=Aleksey Sanin/emailAddress=aleksey@aleksey.com
        .....
        Subject: C=US, ST=California, L=Sunnyvale, O=http://www.aleksey.com/xmlsec,
                 CN=Aleksey Sanin/emailAddress=aleksey@aleksey.com
        ...

I have to specify verification time because I am using the cert from my
"expired certs" tests :)  but besides that everything else looks just fine to me.
And according to the OpenSSL 0.9.7 code (crypto/x509/x509_vfy.c, around
line #200) it should work perfectly too. If you are using OpenSSL 0.9.6 then
you might consider upgrading to 0.9.7. It'll save you a lot of time :)

Thanks again,
Aleksey
Rich Salz wrote:

> I want to use the xmlsec application to verify SOAP messages signed 
> using WS-Security.  SOAP does not allow DTDs.  The attached patch 
> adds a "--dtdfile FILENAME" option to xmlsec, so you can write a DTD 
> that identifies ID attributes.  It includes documentation update (it 
> seems xmlsec.xml is the place to update; I hope I did it right).
>
> Perhaps more controversial, the patch always allows self-signed 
> certificates. That part should, perhaps, be changed to allow 
> self-signed certs if they were specified with the "--trusted" flag, 
> but I haven't been able to figure out how to do that.
>
>     /r$


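Added example, not part of this thread and not code from xmlsec: a small Python script that models what an external DTD of ID declarations does for a WS-Security message. Everything in it is constructed for the illustration (the SOAP message, the DTD fragment, the element and attribute names, the helper functions); the namespace URIs are the later OASIS WSS 1.0 ones and are not taken from the thread. It dereferences a same-document Reference URI such as "#Body-1": with no declaration the value is just a string and the reference cannot be resolved, with the declaration it resolves to the intended element, and an undeclared attribute carrying the same value is ignored. Because DTDs are not namespace aware, the prefixes written in the ATTLIST declarations have to match the prefixes actually used in the message, which the last call shows.

```python
import re
from xml.dom import minidom

# Constructed DTD fragment in the spirit of an xmlsec --dtdfile: its only job is
# to declare which attributes are of type ID so that same-document references
# such as URI="#Body-1" can be dereferenced. DTDs are not namespace aware, so
# the prefixes written here must match the prefixes used in the document.
ID_DTD = """
<!ATTLIST soap:Body wsu:Id ID #IMPLIED>
<!ATTLIST wsu:Timestamp wsu:Id ID #IMPLIED>
<!ATTLIST wsse:BinarySecurityToken wsu:Id ID #IMPLIED>
"""

# Constructed WS-Security style message (no DOCTYPE, as SOAP requires). The
# undeclared 'id' attribute on <Tracking> is a decoy: it carries the same value
# as the Body's wsu:Id but is not of type ID, so it must not satisfy a reference.
SOAP_MESSAGE = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
    <Tracking id="Body-1"/>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2003-01-22T19:50:51Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1">
    <ping>hello</ping>
  </soap:Body>
</soap:Envelope>
"""

# Matches "<!ATTLIST element attribute ID ..." and nothing else (not IDREF).
ATTLIST_ID_RE = re.compile(r"<!ATTLIST\s+(\S+)\s+(\S+)\s+ID\b")


def id_attributes(dtd_text):
    """Return the set of (element qname, attribute qname) pairs declared as ID."""
    return set(ATTLIST_ID_RE.findall(dtd_text))


def resolve_reference(doc, uri, id_attrs):
    """Dereference a same-document URI ('#value') the way a signature Reference
    must: the value has to appear in an attribute declared ID on that element.
    Returns the element, or None when no declared ID attribute carries the
    value. Two matches are an error, because ID values must be unique."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are modelled here")
    wanted = uri[1:]
    matches = []
    for elem in doc.getElementsByTagName("*"):
        # minidom keeps the qualified names exactly as written, which is what a
        # DTD declaration is matched against.
        for attr_name, attr_value in elem.attributes.items():
            if (elem.tagName, attr_name) in id_attrs and attr_value == wanted:
                matches.append(elem)
    if len(matches) > 1:
        raise ValueError("ID value %r is not unique in the document" % wanted)
    return matches[0] if matches else None


def dereference(xml_text, uri, dtd_text=""):
    """Parse the message and report the tagName of the referenced element,
    or None when the reference cannot be resolved."""
    doc = minidom.parseString(xml_text)
    elem = resolve_reference(doc, uri, id_attributes(dtd_text))
    return elem.tagName if elem is not None else None


if __name__ == "__main__":
    # Without ID declarations the reference is unresolvable; this is the
    # situation the --dtdfile option exists to fix.
    print("no DTD:      ", dereference(SOAP_MESSAGE, "#Body-1"))
    print("with DTD:    ", dereference(SOAP_MESSAGE, "#Body-1", ID_DTD))
    print("timestamp:   ", dereference(SOAP_MESSAGE, "#Timestamp-1", ID_DTD))
    # Prefix mismatch: a declaration for 'S:Body' says nothing about 'soap:Body'.
    print("wrong prefix:", dereference(SOAP_MESSAGE, "#Body-1",
                                       "<!ATTLIST S:Body wsu:Id ID #IMPLIED>"))
```

The check for duplicate ID values is the part worth keeping in mind when writing such a DTD: declaring an attribute as ID is what makes the parser treat its values as unique identifiers, and a message in which two declared-ID attributes share a value is invalid rather than merely ambiguous.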