[xmlsec] Verify - OpenSSL vs mscrypto

Edward Shallow ed.shallow at rogers.com
Tue Jan 10 10:49:47 PST 2006


Hi Folks,

   I need direction to sort through the differing requirements of
verification across openssl versus mscrypto. I innocently assume that the
code should be identical except the DL loading itself. 

Here is the rough call sequence for openssl Test 1 ... It works perfectly

xmlsec.xmlSecInit()
xmlsec.xmlSecCryptoDLInit()
xmlsec.xmlSecCryptoDLLoadLibrary('openssl')
xmlsec.xmlSecCryptoAppInit()
xmlsec.xmlSecCryptoInit()
parsedDoc = libxml2.xmlParseFile('c:/xmlsec/inout/edsigned-enveloped.xml')
trustedDer = 'c:/xmlsec/keys/cacert.der'
rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature', 'http://www.w3.org/2000/09/xmldsig#')
keysMngr = xmlsec.xmlSecKeysMngrCreate()
xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
dsigCtx = xmlsec.xmlSecDSigCtxCreate()
xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
xmlsec.xmlSecCryptoAppKeysMngrCertLoad(keysMngr, trustedDer, 3, 256)
xmlsec.xmlSecDSigCtxVerify(dsigCtx, sigNode)

Test 2: If I do not perform the 2nd last call above (i.e.
xmlSecCryptoAppKeysMngrCertLoad) I correctly get the following:

func=xmlSecOpenSSLX509StoreVerify:file=..\src\openssl\x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:

This is perfect !!! If I load the trusted certificates
xmlSecOpenSSLX509StoreVerify checks out the chain OK and reports results.

Test 3: When I do the above and only change
xmlSecCryptoDLLoadLibrary('mscrypto') and xmlsec.xmlSecCryptoAppInit('MY')
it always returns success. That is, xmlSecMSX509StoreVerify does not seem to
be checking the certificate chain.

Dmitry's patch aside ... What am I supposed to do to get mscrypto to check
the cert chain ? To check the CRL ?

Thanks,
Ed
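An added example, not code from the post or from xmlsec itself: a small Python parser for the error-callback output quoted in Test 2, which splits each report into its fields and classifies the outcome so a script wrapping xmlSecDSigCtxVerify can tell a chain rejection from a missing key instead of trusting the return code alone. The error-code names are assumed from xmlsec's errors.h; the sample lines are the post's own OpenSSL output with the mail wrapping undone.

```python
import re
from typing import Dict, List, Optional

# One xmlsec error-callback report, as printed by the default error handler:
#   func=F:file=PATH:line=N:obj=O:subj=S:error=CODE:reason[:details]
# Assumes PATH holds no ':' (true for the relative ..\src\... paths in the post).
_LINE_RE = re.compile(
    r"^func=(?P<func>[^:]*):file=(?P<file>[^:]*):line=(?P<line>\d+):"
    r"obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<code>\d+):"
    r"(?P<reason>[^:]*):?(?P<details>.*)$"
)

# Error codes seen in the post (assumed XMLSEC_ERRORS_R_* values from errors.h).
CERT_VERIFY_FAILED = 71  # "certificate verification failed"
KEY_NOT_FOUND = 45       # "key is not found"

# Constructed sample: the first three reports of the post's OpenSSL run,
# with the mail-client line wrapping undone.
SAMPLE_REPORT = r"""
func=xmlSecOpenSSLX509StoreVerify:file=..\src\openssl\x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
"""

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one report into its fields; None if it is not an xmlsec report."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["line"] = int(m["line"])
    rec["code"] = int(m["code"])
    # details such as "err=20;msg=unable to get local issuer certificate"
    rec["details"] = dict(
        kv.split("=", 1) for kv in m["details"].split(";") if "=" in kv)
    return rec

def parse_report(text: str) -> List[Dict[str, object]]:
    return [r for r in map(parse_line, text.splitlines()) if r]

def classify(records: List[Dict[str, object]]) -> str:
    """'chain-failed' if the X509 store rejected the chain, 'key-not-found' if no
    key was located, else 'no-error' (which alone does not prove a chain check)."""
    codes = {r["code"] for r in records}
    if CERT_VERIFY_FAILED in codes:
        return "chain-failed"
    if KEY_NOT_FOUND in codes:
        return "key-not-found"
    return "no-error"
```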