[Bulk] Re: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs mscrypto
Edward Shallow
ed.shallow at rogers.com
Thu Jan 12 13:08:08 PST 2006
Here they are ...
-----Original Message-----
From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
Behalf Of Aleksey Sanin
Sent: January 12, 2006 1:01 AM
To: ed.shallow at rogers.com
Cc: xmlsec at aleksey.com
Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs mscrypto
Can you share the designed-enveloped.xml and upu-cacert.der, please?
Aleksey
Edward Shallow wrote:
> Aleksey wrote:
>
> Please, try to reproduce the problem with xmlsec command line utility.
>
>
>
>
> Good suggestion ...
>
> Here are the results using xmlsec 1.2.8 ...
>
> With trusted certs loaded
> *************************
>
> C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
>
>
> Without trusted certs loaded
> ****************************
>
> C:\XMLSec>xmlsec verify --crypto mscrypto inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
>
> This is the same as what I am seeing programmatically with mscrypto.
> No cert chain checking with 1.2.8 mscrypto ???
>
> Ed
>
>
> Here is the verbose output using --store-references for both tests ...
>
>
> C:\XMLSec>xmlsec verify --crypto mscrypto --store-references --trusted-der keys/upu-cacert.der inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key name: E=CAAdmin at upu.int,CN=Test User 1,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
> === key usage: -1
> === rsa key: size = 1024
> === list size: 1
> === X509 Data:
> ==== Key Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, CAAdmin at upu.int
>
> 06
> ==== Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, CAAdmin at upu.int
>
> 06
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI: ""
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Document>
> <Data>
> <SubData1>
> <SubSubData1 MimeType="text/plain">This is the
> data to be signed.</SubSubData1>
> <SubSubData2 MimeType="text/plain">This is the
> data to be signed.</SubSubData2>
> <SubSubData3 MimeType="text/plain">This is the
> data to be signed.</SubSubData3>
> </SubData1>
> <SubData2>This is the data to be signed.</SubData2>
> <SubData3>This is the data to be signed.</SubData3>
> </Data>
>
> </Document>
> == PreDigest data - end buffer
> == Manifest References List:
> === list size: 0
>
>
>
>
>
>
> C:\XMLSec>xmlsec verify --crypto mscrypto --store-references inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key name: E=CAAdmin at upu.int,CN=Test User 1,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
> === key usage: -1
> === rsa key: size = 1024
> === list size: 1
> === X509 Data:
> ==== Key Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, CAAdmin at upu.int
>
> 06
> ==== Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority, CAAdmin at upu.int
>
> 06
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI: ""
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Document>
> <Data>
> <SubData1>
> <SubSubData1 MimeType="text/plain">This is the
> data to be signed.</SubSubData1>
> <SubSubData2 MimeType="text/plain">This is the
> data to be signed.</SubSubData2>
> <SubSubData3 MimeType="text/plain">This is the
> data to be signed.</SubSubData3>
> </SubData1>
> <SubData2>This is the data to be signed.</SubData2>
> <SubData3>This is the data to be signed.</SubData3>
> </Data>
>
> </Document>
> == PreDigest data - end buffer
> == Manifest References List:
> === list size: 0
>
>
>
> -----Original Message-----
> From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com]
> On Behalf Of Aleksey Sanin
> Sent: January 11, 2006 2:26 PM
> To: ed.shallow at rogers.com
> Cc: xmlsec at aleksey.com
> Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs
> mscrypto
>
> Please, try to reproduce the problem with xmlsec command line utility.
>
> Aleksey
>
> Edward Shallow wrote:
>> Aleksey wrote ...
>>
>> I do believe that the xmlsec-mscrypto code *does* build the chain and it
>> *does* verify it against the "trusted" certificates installed by the app.
>> With Dmitry's patch, xmlsec-mscrypto *also* uses trusted certificates
>> from the MSCrypto certificates store.
>>
>>
>>
>> Yes this is what I thought too. But my test on 1.2.8 (shown in
>> previous post and included below) never checks whether I load the
>> trusted certs or not ???
>> 2nd last line.
>>
>> I don't mind waiting for Dmitry's patch, I was just trying to get it
>> going now.
>>
>> Ed
>>
>>
>>
>> xmlsec.xmlSecInit()
>> xmlsec.xmlSecCryptoDLInit()
>> xmlsec.xmlSecCryptoDLLoadLibrary('mscrypto')
>> xmlsec.xmlSecCryptoAppInit('MY')
>> xmlsec.xmlSecCryptoInit()
>> parsedDoc = libxml2.xmlParseFile('c:/xmlsec/inout/edsigned-enveloped.xml')
>> trustedDer = 'c:/xmlsec/keys/cacert.der'  # <=== trusted root in der format
>> rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
>> sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature', 'http://www.w3.org/2000/09/xmldsig#')
>> keysMngr = xmlsec.xmlSecKeysMngrCreate()
>> xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
>> dsigCtx = xmlsec.xmlSecDSigCtxCreate()
>> xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
>> xmlsec.xmlSecCryptoAppKeysMngrCertLoad(keysMngr, trustedDer, 3, 256)  # <=== load trusted root
>> xmlsec.xmlSecDSigCtxVerify(dsigCtx, sigNode)
>>
>>
>>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edsigned-enveloped.xml
Type: text/xml
Size: 3685 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20060112/c3809226/edsigned-enveloped-0002.xml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: upu-cacert.der
Type: application/x-x509-ca-cert
Size: 1151 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20060112/c3809226/upu-cacert-0002.bin
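
A negative test for the behaviour reported in this thread, as an added example that is not part of the original messages: it runs `xmlsec verify` with and without `--trusted-der` and reports whether leaving out the trust anchor changes the result. The `XMLSEC` and `XMLSEC_CRYPTO` variables and the function names are hypothetical, and the script assumes the utility exits non-zero when verification fails.

```shell
#!/bin/sh
# Added example: check that certificate-chain trust is actually enforced.
# XMLSEC / XMLSEC_CRYPTO are assumed overrides (hypothetical names), so the
# same check can be pointed at an OpenSSL build and an mscrypto build.
XMLSEC="${XMLSEC:-xmlsec}"
XMLSEC_CRYPTO="${XMLSEC_CRYPTO:-mscrypto}"

# run_verify SIGNED_XML [TRUSTED_DER]
# Returns the exit status of `xmlsec verify`; its output is discarded.
run_verify() {
    if [ -n "${2:-}" ]; then
        "$XMLSEC" verify --crypto "$XMLSEC_CRYPTO" --trusted-der "$2" "$1" \
            >/dev/null 2>&1
    else
        "$XMLSEC" verify --crypto "$XMLSEC_CRYPTO" "$1" >/dev/null 2>&1
    fi
}

# check_trust_enforced SIGNED_XML TRUSTED_DER
# Prints one verdict and returns:
#   0 ENFORCED      verifies with the anchor, fails without it
#   1 NOT_ENFORCED  verifies even with no anchor loaded (the result
#                   reported in this thread for 1.2.8 with mscrypto)
#   2 INCONCLUSIVE  fails even with the anchor, so nothing is proven
check_trust_enforced() {
    if ! run_verify "$1" "$2"; then
        echo INCONCLUSIVE
        return 2
    fi
    if run_verify "$1"; then
        echo NOT_ENFORCED
        return 1
    fi
    echo ENFORCED
    return 0
}

# Stand-alone use: sh check.sh inout/edsigned-enveloped.xml keys/upu-cacert.der
if [ "$#" -eq 2 ]; then
    check_trust_enforced "$1" "$2"
fi
```

A `NOT_ENFORCED` verdict means an `OK` from that build only shows the signature matches the key in the document, not that the signer's certificate chains to a trusted root.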