[xmlsec] New feature in xmlsec

jean-etienne.schwartz at bull.net jean-etienne.schwartz at bull.net
Wed Feb 5 07:47:09 PST 2003


Hello aleksey,

at first, really thank you for your good ``xmlsec'' library.
The hint of this feature is to improve the certificate verification
by adding a limitation in the certificate chain. This is necessary because
OpenSSL use a default maximum chain length of nine.

The next 'diffs' are made on the xmlsec-0.0.12 tree
The modifications in 'x509.c' are valid for OpenSSL-0.9.6 and OpenSSL-0.9.7
The test against a 0 value of depth is for backward comptability (the key
manager is
initialized with this value) and for sematic: a value of 0 allow *ONLY*
self signed
certificates.

Regards
     Jean-Etienne SCHWARTZ

src/x509.c
  if a maximum chain length is asked, give it to OpenSSL
  Add the chain depth in the error message

--- ori/src/x509.c      Sun Dec 22 07:52:15 2002
+++ src/x509.c  Wed Feb  5 14:49:24 2003
@@ -1033,6 +1033,8 @@
                X509_STORE_CTX xsc;

                X509_STORE_CTX_init (&xsc, store->xst, cert, certs);
+               if (store->xst->depth > 0)
+                   X509_STORE_CTX_set_depth (&xsc, store->xst->depth);
                if(store->x509_store_flags & X509_V_FLAG_USE_CHECK_TIME) {
                    X509_STORE_CTX_set_time(&xsc, 0,
                        x509Data->certsVerificationTime);
@@ -1069,8 +1071,8 @@
                X509_NAME_oneline(X509_get_issuer_name(err_cert), buf,
256);
                xmlSecError(XMLSEC_ERRORS_HERE,
                        XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
-                       "error=%d (%s); issuer=\"%s\"", err,
-                       X509_verify_cert_error_string(err), buf);
+                       "error=%d (%s); depth=%d, issuer=\"%s\"", err,
+                       X509_verify_cert_error_string(err), depth, buf);
                break;
            case X509_V_ERR_CERT_NOT_YET_VALID:
            case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
@@ -1089,8 +1091,8 @@
            default:
                xmlSecError(XMLSEC_ERRORS_HERE,
                        XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
-                       "error=%d (%s)", err,
-                       X509_verify_cert_error_string(err));
+                       "error=%d (%s); depth=%d", err,
+                       X509_verify_cert_error_string(err), depth);
            }
        }
        sk_X509_free(certs);

src/keysmngr.c
include/xmlsec/keysmngr.h
  Add an API to specify the maximum chain length

--- ori/src/keysmngr.c  Thu Oct 10 08:11:20 2002
+++ src/keysmngr.c      Wed Feb  5 15:36:15 2003
@@ -718,4 +718,12 @@
 }


+void
+xmlSecSimpleKeysMngrSetVerifyDepth(xmlSecKeysMngrPtr mngr, int depth) {
+    xmlSecAssert(mngr != NULL);
+    xmlSecAssert(mngr->x509Data != NULL);
+
+    if (depth > 0)
+       ((xmlSecX509StorePtr)mngr->x509Data)->xst->depth = depth ;
+}
 #endif /* XMLSEC_NO_X509 */

--- ori/include/xmlsec/keysmngr.h       Thu Oct 10 06:04:20 2002
+++ include/xmlsec/keysmngr.h   Wed Feb  5 14:48:35 2003
@@ -76,6 +76,8 @@
                                                         const char *pwd);
 XMLSEC_EXPORT void     xmlSecSimpleKeysMngrSetCertsFlags(xmlSecKeysMngrPtr
mngr,
                                                        unsigned long
flags);
+XMLSEC_EXPORT void
xmlSecSimpleKeysMngrSetVerifyDepth(xmlSecKeysMngrPtr mngr,
+                                                       int depth);
 #endif /* XMLSEC_NO_X509 */

apps/xmlsec
  the command line interface

--- ori/apps/xmlsec.c   Mon Jan 27 07:00:34 2003
+++ apps/xmlsec.c       Wed Feb  5 16:29:56 2003
@@ -181,6 +181,7 @@
 #ifndef XMLSEC_NO_X509
     "  --pkcs12[:<name>] <file>\n"
     "                        load private key from pkcs12 file\n"
+    "  --depth <number>      maximum chain depth\n"
 #endif /* XMLSEC_NO_X509 */
 #ifndef XMLSEC_NO_HMAC
     "  --hmackey[:<name>] <file>\n"
@@ -328,6 +329,7 @@
     int pos;
     int ret;
     int templateRequired = 0;
+    int depth = 0;

     /**
      * Read the command
@@ -558,6 +560,11 @@
                ret = 0;
            } else {
                ret = -1;
+           }
+       } else if((strncmp(argv[pos], "--depth", 7) == 0) && (pos + 1 <
argc)) {
+           depth = atoi(argv[++pos]);
+           if(keyMgr != NULL) {
+               xmlSecSimpleKeysMngrSetVerifyDepth(keyMgr, depth);
            }
        } else




More information about the xmlsec mailing list