[Bulk] Re: [xmlsec] OpenSSL vs mscrypto

Edward Shallow ed.shallow at rogers.com
Thu Jan 12 22:15:20 PST 2006


Aleksey,

I was able to produce exactly what you produced with the selection below of
--enabled-key-data. The message is identical. What you are seeing has
nothing to do with cert chain verification. It is likely related to your
inability to get the "Test User 1" certificate from the crypto store given
the new --enabled-key-data constraint.

You still have an mscrypto problem.

Ed


C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der --enabled-key-data retrieval-method,x509,raw-x509-cert inout/edsigned-enveloped.xml

func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.

func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x00000000);last error msg=The operation completed successfully.

func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.

func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.

Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "inout/edsigned-enveloped.xml"


-----Original Message-----
From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
Behalf Of Aleksey Sanin
Sent: January 13, 2006 12:14 AM
To: ed.shallow at rogers.com
Cc: xmlsec at aleksey.com
Subject: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

According to the spec, an xmldsig application should search for the key using *all*
the information available in the <dsig:KeyInfo/> element. The specification *does
not* say that an X509 certificate is better than a key name, and it does not
require one to search in any particular order.

However, xmlsec *DOES* allow one to disable some <dsig:KeyInfo/>
sub-elements. For example, look for --enabled-key-data option for the xmlsec
command line application.

I am not sure I understand all the steps you did for adding/removing the
certificate to the MS stores, thus I cannot comment on the validity of your
tests or point my finger at what you did wrong. What I do know is that on my
computer I see the following results:

 > xmlsec verify --crypto mscrypto
        --trusted-der d:\upu-cacert.der
        d:/edsigned-enveloped.xml
...

OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

 > xmlsec verify --crypto mscrypto
	d:/edsigned-enveloped.xml
...

Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "d:/edsigned-enveloped.xml"

which is *exactly* what I expect to see and what I believe you expect to see
too.


And as I usually say, I *DO* accept patches :)

Aleksey
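As an added illustration (not code from this thread or from the xmlsec project), the Python below models the --enabled-key-data behaviour Aleksey describes: each <dsig:KeyInfo/> child maps to a key-data kind, disabled kinds are skipped entirely, and a lookup that can only succeed through a skipped child ends in "key is not found". The key-data names key-name and key-value, the dictionary standing in for the crypto store, and the sample KeyInfo are assumptions constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Map each <dsig:KeyInfo/> child to the key-data name that --enabled-key-data
# must list for that child to be consulted. "retrieval-method" and "x509" are
# from the thread; "key-name" and "key-value" are assumed xmlsec names.
KEYINFO_CHILD_TO_KEYDATA = {
    "KeyName": "key-name",
    "KeyValue": "key-value",
    "RetrievalMethod": "retrieval-method",
    "X509Data": "x509",
}

def consulted_key_data(keyinfo_xml, enabled):
    """Return (consulted, skipped) KeyInfo child tags under an allow-list.
    A skipped child contributes nothing to the key search, which is why a
    signature whose only usable hint is <KeyName/> fails once key-name is
    not enabled."""
    consulted, skipped = [], []
    for child in ET.fromstring(keyinfo_xml):
        tag = child.tag.split("}")[-1]
        name = KEYINFO_CHILD_TO_KEYDATA.get(tag)
        (consulted if name in enabled else skipped).append(tag)
    return consulted, skipped

def find_key(keyinfo_xml, enabled, store):
    """Model of a keys-manager lookup: match by KeyName or by embedded
    certificate, but only through enabled key-data kinds. 'store' is a
    constructed {key_name: cert_der_bytes} dict standing in for the MS store."""
    root = ET.fromstring(keyinfo_xml)
    ns = {"ds": DSIG_NS}
    if "key-name" in enabled:
        for kn in root.findall("ds:KeyName", ns):
            if kn.text in store:
                return kn.text
    if "x509" in enabled:
        for cert in root.findall("ds:X509Data/ds:X509Certificate", ns):
            der = base64.b64decode(cert.text.strip())
            for name, stored in store.items():
                if stored == der:
                    return name
    return None  # nothing enabled matched: "key is not found"

# Constructed sample: KeyInfo naming the signer and embedding a certificate
# that is NOT in the store (the situation in the thread).
SAMPLE_CERT_B64 = base64.b64encode(b"not-the-stored-cert").decode()
SAMPLE_KEYINFO = (f'<KeyInfo xmlns="{DSIG_NS}"><KeyName>Test User 1</KeyName>'
                  f'<X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate>'
                  '</X509Data></KeyInfo>')
STORE = {"Test User 1": b"stored-cert-der"}  # constructed stand-in for the store
```

With key-name enabled the lookup resolves "Test User 1" by name; with only x509, raw-x509-cert and retrieval-method enabled it returns None, mirroring the "key is not found" error in Ed's run.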



