[xmlsec] How to decrypt a message with an invalid certificate
Amiler Scumba
amiler_scumba at hotmail.com
Sun Feb 12 14:52:31 PST 2006
Hi,
I am using the mscrypto provider on the Windows platform. I would like to
decrypt a message which was encrypted with an untrusted (or expired)
certificate.
The KeyInfo node only contains <X509Data> holding the certificate. I do not
use the <KeyName> tag.
I have noticed that decryption fails in this scenario. The reason is that
the xmlSecMSCryptoX509StoreConstructCertsChain function
does not return the certificate, needed for decryption, because it is not
valid.
If I skip the check in the debugger, the message is successfully decrypted.
Is there any way to decrypt such a message? I thought that
XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS
would help, but it is not used in the code that is causing the problems.
Here is the complete call stack. If I change the flow in the last function,
everything goes fine.
libxmlsec-mscrypto.dll!xmlSecMSCryptoX509StoreConstructCertsChain(_xmlSecKeyDataStore * store=0x003bf9c0, const _CERT_CONTEXT * cert=0x0015de48, void * certs=0x0015f248, _xmlSecKeyInfoCtx * keyInfoCtx=0x003bdbe0) Line 317 C
libxmlsec-mscrypto.dll!xmlSecMSCryptoX509StoreVerify(_xmlSecKeyDataStore * store=0x003bf9c0, void * certs=0x0015f248, _xmlSecKeyInfoCtx * keyInfoCtx=0x003bdbe0) Line 431 + 0x1e C
libxmlsec-mscrypto.dll!xmlSecMSCryptoKeyDataX509VerifyAndExtractKey(_xmlSecKeyData * data=0x00bf2530, _xmlSecKey * key=0x00bf2480, _xmlSecKeyInfoCtx * keyInfoCtx=0x003bdbe0) Line 1599 + 0x14 C
libxmlsec-mscrypto.dll!xmlSecMSCryptoKeyDataX509XmlRead(const _xmlSecKeyDataKlass * id=0x00bbc140, _xmlSecKey * key=0x00bf2480, _xmlNode * node=0x00bf0860, _xmlSecKeyInfoCtx * keyInfoCtx=0x003bdbe0) Line 702 + 0x11 C
libxmlsec.dll!xmlSecKeyDataXmlRead(const _xmlSecKeyDataKlass * id=0x00bbc140, _xmlSecKey * key=0x00bf2480, _xmlNode * node=0x00bf0860, _xmlSecKeyInfoCtx * keyInfoCtx=0x003bdbe0) Line 308 + 0x16 C
libxmlsec.dll!xmlSecKeyInfoNodeRead(_xmlNode * keyInfoNode=0x00bf06d8, _xmlSecKey * key=0x00bf2480, _xmlSecKeyInfoCtx * keyInfoCtx=0x003bdbe0) Line 112 + 0x15 C
libxmlsec.dll!xmlSecKeysMngrGetKey(_xmlNode * keyInfoNode=0x00bf06d8, _xmlSecKeyInfoCtx * keyInfoCtx=0x003bdbe0) Line 1341 + 0x11 C
libxmlsec.dll!xmlSecEncCtxEncDataNodeRead(_xmlSecEncCtx * encCtx=0x003bdbd0, _xmlNode * node=0x00bf0270) Line 878 + 0x1a C
libxmlsec.dll!xmlSecEncCtxDecryptToBuffer(_xmlSecEncCtx * encCtx=0x003bdbd0, _xmlNode * node=0x00bf0270) Line 641 + 0xd C
libxmlsec.dll!xmlSecKeyDataEncryptedKeyXmlRead(const _xmlSecKeyDataKlass * id=0x0055c990, _xmlSecKey * key=0x003bd658, _xmlNode * node=0x00bf0270, _xmlSecKeyInfoCtx * keyInfoCtx=0x00bf21a8) Line 1442 + 0x10 C
libxmlsec.dll!xmlSecKeyDataXmlRead(const _xmlSecKeyDataKlass * id=0x0055c990, _xmlSecKey * key=0x003bd658, _xmlNode * node=0x00bf0270, _xmlSecKeyInfoCtx * keyInfoCtx=0x00bf21a8) Line 308 + 0x16 C
libxmlsec.dll!xmlSecKeyInfoNodeRead(_xmlNode * keyInfoNode=0x00bf00f0, _xmlSecKey * key=0x003bd658, _xmlSecKeyInfoCtx * keyInfoCtx=0x00bf21a8) Line 112 + 0x15 C
libxmlsec.dll!xmlSecKeysMngrGetKey(_xmlNode * keyInfoNode=0x00bf00f0, _xmlSecKeyInfoCtx * keyInfoCtx=0x00bf21a8) Line 1341 + 0x11 C
libxmlsec.dll!xmlSecEncCtxEncDataNodeRead(_xmlSecEncCtx * encCtx=0x00bf2198, _xmlNode * node=0x003bfb00) Line 878 + 0x1a C
libxmlsec.dll!xmlSecEncCtxDecryptToBuffer(_xmlSecEncCtx * encCtx=0x00bf2198, _xmlNode * node=0x003bfb00) Line 641 + 0xd C
libxmlsec.dll!xmlSecEncCtxDecrypt(_xmlSecEncCtx * encCtx=0x00bf2198, _xmlNode * node=0x003bfb00) Line 580 + 0xd
I am using the last stable release (1.2.9).
So, how can one decrypt a message which was encrypted with an invalid
certificate?
Amiler