[xmlsec] how verify sig using xmlAddID and local certs!
Aleksey Sanin
aleksey at aleksey.com
Mon Jun 11 06:46:28 PDT 2012
1) xmlAddID - look at LibXML2 documentation for the function,
it's pretty simple.
2) Actually default trusted certs are loaded in the xmlsec-openssl
init function.
Aleksey
On 6/11/12 5:39 AM, Renato Tegon Forti wrote:
> Hi All,
>
>
>
> I'm trying to understand how the xmlsec tool interprets this command:
>
>
>
> xmlsec1 --verify --id-attr:Id infNFe file.xml
>
>
>
> which parts of code are activated! Need to reproduce this behavior in my
> code
>
>
>
> Can someone explain to me?
>
>
>
> In special how “xmlSecAppLoadKeys” load CA ‘s files of
> /usr/lib/ssl/certs/ : (for sample. openssl ssl files folder) !
>
>
>
> I need use “xmlAddID” to add “infNFe” like an id! Ok? How?
>
>
>
> Anything else!
>
>
>
> My test code:
>
>
>
> // Copyright 2011-2012 Renato Tegon Forti
>
>
>
> #define BOOST_ALL_DYN_LINK
>
> #define BOOST_THREAD_USE_DLL //thread header not compliant with
> 'BOOST_ALL_DYN_LINK'
>
> #define BOOST_LIB_DIAGNOSTIC
>
>
>
> #include <boost/test/minimal.hpp>
>
> #include <dsafe/xmlsig.hpp>
>
>
>
> #define XMLSEC_CRYPTO_OPENSSL
>
>
>
> #include <libxml/tree.h>
>
> #include <libxml/xmlmemory.h>
>
> #include <libxml/parser.h>
>
>
>
> #ifndef XMLSEC_NO_XSLT
>
> #include <libxslt/xslt.h>
>
> #endif /* XMLSEC_NO_XSLT */
>
>
>
> #include <xmlsec/xmlsec.h>
>
> #include <xmlsec/xmltree.h>
>
> #include <xmlsec/xmldsig.h>
>
> #include <xmlsec/xmlenc.h>
>
> #include <xmlsec/templates.h>
>
> #include <xmlsec/crypto.h>
>
>
>
>
>
> /**
>
> * verify_file:
>
> * @mngr: the pointer to keys manager.
>
> * @xml_file: the signed XML file name.
>
> *
>
> * Verifies XML signature in #xml_file.
>
> *
>
> * Returns 0 on success or a negative value if an error occurs.
>
> */
>
> int
>
> verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file)
>
> {
>
> xmlDocPtr doc = NULL;
>
> xmlNodePtr node = NULL;
>
> xmlSecDSigCtxPtr dsigCtx = NULL;
>
> int res = -1;
>
>
>
> assert(mngr);
>
> assert(xml_file);
>
>
>
> /* load file */
>
> doc = xmlParseFile(xml_file);
>
> if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
>
> fprintf(stderr, "Error: unable to parse file \"%s\"\n",
> xml_file);
>
> goto done;
>
> }
>
>
>
> /* find start node */
>
> node = xmlSecFindNode(xmlDocGetRootElement(doc),
> xmlSecNodeSignature, xmlSecDSigNs);
>
> if(node == NULL) {
>
> fprintf(stderr, "Error: start node not found in
> \"%s\"\n", xml_file);
>
> goto done;
>
> }
>
>
>
> /* create signature context */
>
> dsigCtx = xmlSecDSigCtxCreate(mngr);
>
> if(dsigCtx == NULL) {
>
> fprintf(stderr,"Error: failed to create signature context\n");
>
> goto done;
>
> }
>
>
>
>
>
>
>
>
>
> /* limit the Reference URI attributes to empty or NULL */
>
> dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
>
>
>
> /* limit allowed transforms for siganture and reference processing */
>
> if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformInclC14NId) < 0) ||
>
> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformExclC14NId) < 0) ||
>
> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformSha1Id) < 0) ||
>
> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformRsaSha1Id) < 0)) {
>
>
>
> fprintf(stderr,"Error: failed to limit allowed siganture
> transforms\n");
>
> goto done;
>
> }
>
> if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformInclC14NId) < 0) ||
>
> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformExclC14NId) < 0) ||
>
> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformSha1Id) < 0) ||
>
> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformEnvelopedId) < 0)) {
>
>
>
> fprintf(stderr,"Error: failed to limit allowed reference
> transforms\n");
>
> goto done;
>
> }
>
>
>
> /* in addition, limit possible key data to valid X509 certificates
> only */
>
> if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
> BAD_CAST xmlSecKeyDataX509Id) < 0) {
>
> fprintf(stderr,"Error: failed to limit allowed key data\n");
>
> goto done;
>
> }
>
>
>
> /* Verify signature */
>
> if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>
> fprintf(stderr,"Error: signature verify\n");
>
> goto done;
>
> }
>
>
>
> /* check that we have only one Reference */
>
> if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
>
> (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1)) {
>
>
>
> fprintf(stderr,"Error: only one reference is allowed\n");
>
> goto done;
>
> }
>
>
>
> /* print verification result to stdout */
>
> if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>
> fprintf(stdout, "Signature is OK\n");
>
> } else {
>
> fprintf(stdout, "Signature is INVALID\n");
>
> }
>
>
>
> /* success */
>
> res = 0;
>
>
>
> done:
>
> /* cleanup */
>
> if(dsigCtx != NULL) {
>
> xmlSecDSigCtxDestroy(dsigCtx);
>
> }
>
>
>
> if(doc != NULL) {
>
> xmlFreeDoc(doc);
>
> }
>
> return(res);
>
>
>
> }
>
>
>
> int
>
> init_allxml_lib()
>
> {
>
> // Init libxml and libxslt libraries
>
> xmlInitParser();
>
>
>
> LIBXML_TEST_VERSION
>
> xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>
> xmlSubstituteEntitiesDefault(1);
>
> #ifndef XMLSEC_NO_XSLT
>
> xmlIndentTreeOutput = 1;
>
> #endif // XMLSEC_NO_XSLT
>
>
>
> // Init xmlsec library
>
> if(xmlSecInit() < 0) {
>
> fprintf(stderr, "Error: xmlsec initialization failed.\n");
>
> return(-1);
>
> }
>
>
>
> // Check loaded library version
>
> if(xmlSecCheckVersion() != 1) {
>
> fprintf(stderr, "Error: loaded xmlsec library version is not
> compatible.\n");
>
> return(-1);
>
> }
>
>
>
> // Load default crypto engine if we are supporting dynamic
>
> // loading for xmlsec-crypto libraries. Use the crypto library
>
> // name ("openssl", "nss", etc.) to load corresponding
>
> // xmlsec-crypto library.
>
>
>
> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>
> if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
>
> fprintf(stderr, "Error: unable to load default xmlsec-crypto library.
> Make sure\n"
>
> "that you have it
> installed and check shared libraries path\n"
>
> "(LD_LIBRARY_PATH)
> envornment variable.\n");
>
> return(-1);
>
> }
>
> #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
>
>
>
> // Init crypto library
>
> if(xmlSecCryptoAppInit(NULL) < 0) {
>
> fprintf(stderr, "Error: crypto initialization failed.\n");
>
> return(-1);
>
> }
>
>
>
> // Init xmlsec-crypto library
>
> if(xmlSecCryptoInit() < 0) {
>
> fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
>
> return(-1);
>
> }
>
>
>
> return 0;
>
> }
>
>
>
> void
>
> fnit_allxml_lib()
>
> {
>
> // Shutdown xmlsec-crypto library
>
> xmlSecCryptoShutdown();
>
>
>
> //Shutdown crypto library
>
> xmlSecCryptoAppShutdown();
>
>
>
> //Shutdown xmlsec library
>
> xmlSecShutdown();
>
>
>
> // Shutdown libxslt/libxml
>
> #ifndef XMLSEC_NO_XSLT
>
> xsltCleanupGlobals();
>
> #endif //XMLSEC_NO_XSLT
>
>
>
> xmlCleanupParser();
>
> }
>
>
>
> const std::string XML_FILE =
> "/Projects/project.dokfile.vses/hades/trunk/products/doksafe/engine/libs/xmldsig/test/"
>
> "mt-embedded-id-dtd-attr.xml";
>
>
> // "mt.xml";
>
>
>
> // Unit Tests
>
>
>
> void do_0()
>
> {
>
> xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
>
> if(mngr == NULL)
>
> {
>
> fprintf(stderr, "Error: failed to create keys manager.\n");
>
> }
>
>
>
> if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0)
>
> {
>
> fprintf(stderr, "Error: failed to initialize keys manager.\n");
>
> xmlSecKeysMngrDestroy(mngr);
>
> }
>
>
>
> BOOST_CHECK(init_allxml_lib() == 0);
>
> BOOST_CHECK(verify_file(mngr, XML_FILE.c_str()) == 0);
>
>
>
> fnit_allxml_lib();
>
> }
>
>
>
> // -
>
>
>
> int test_main(int, char*[])
>
> {
>
> do_0();
>
>
>
> return 0;
>
> }
>
>
>
>
>
>
>
>
>
> Thanks
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list