[xmlsec] RES: how verify sig using xmlAddID and local certs!

Renato Tegon Forti re.tf at acm.org
Mon Jun 11 07:09:58 PDT 2012


Hi

>>  xmlAddID - look at LibXML2 documentation for the function, it's pretty
simple.
OK

>> Actually default trusted certs are loaded in the xmlsec-openssl init
function.
Then I don't need load certs in "xmlSecKeysMngrPtr"?

I am trying to use sample "Verifying a signature with X 509 certificates."

And I changed load_trusted_certs  to accept a vector with keys file, like:

----------------------------------------------------------------------------
---------------------------------
std::vector<std::string> certs;
   
certs.push_back("/usr/lib/ssl/certs/Serasa_Certificadora_Digital_v2.pem");
certs.push_back("/usr/lib/ssl/certs/Serasa_Autoridade_Certificadora_Principa
l_v2.pem");
certs.push_back("/usr/lib/ssl/certs/Autoridade_Certificadora_Raiz_Brasileira
_v2.pem");
	
mngr = load_trusted_certs(certs);

----------------------------------------------------------------------------
---------------------------------

And for now, I using DTD on xml file:

----------------------------------------------------------------------------
---------------------------------
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [
<!ATTLIST infNFe Id ID #IMPLIED>
]>
----------------------------------------------------------------------------
---------------------------------

But always I received: "Signature is INVALID"!

If I use xmlsec1 command, its work in some file!

----------------------------------------------------------------------------
---------------------------------
afe/engine/libs/xmldsig/test$ xmlsec1 --verify mt-embedded-id-dtd-attr.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
----------------------------------------------------------------------------
---------------------------------

How I can print debug into to try see what's happening?

My current code, and file that I need check is attached!

Thanks again, and again, and again ...!

-----Mensagem original-----
De: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Enviada em: segunda-feira, 11 de junho de 2012 10:46
Para: Renato Tegon Forti
Cc: xmlsec at aleksey.com
Assunto: Re: [xmlsec] how verify sig using xmlAddID and local certs!

1) xmlAddID - look at LibXML2 documentation for the function, it's pretty
simple.

2) Actually default trusted certs are loaded in the xmlsec-openssl init
function.

Aleksey

On 6/11/12 5:39 AM, Renato Tegon Forti wrote:
> Hi All,
> 
>  
> 
> I'm trying to understand how the xmlsec tool interprets this command:
> 
>  
> 
> xmlsec1 --verify --id-attr:Id infNFe file.xml
> 
>  
> 
> which parts of code are activated! Need to reproduce this behavior in 
> my code
> 
>  
> 
> Can someone explain to me?
> 
>  
> 
> In special how "xmlSecAppLoadKeys" load CA 's files of 
> /usr/lib/ssl/certs/ : (for sample. openssl  ssl files folder) !
> 
>  
> 
> I need use "xmlAddID" to add "infNFe" like an id! Ok? How?
> 
>  
> 
> Anything else!
> 
>  
> 
> My test code:
> 
>  
> 
> // Copyright 2011-2012 Renato Tegon Forti
> 
>  
> 
> #define BOOST_ALL_DYN_LINK
> 
> #define BOOST_THREAD_USE_DLL  //thread header not compliant with 
> 'BOOST_ALL_DYN_LINK'
> 
> #define BOOST_LIB_DIAGNOSTIC
> 
>  
> 
> #include <boost/test/minimal.hpp>
> 
> #include <dsafe/xmlsig.hpp>
> 
>  
> 
> #define XMLSEC_CRYPTO_OPENSSL
> 
>  
> 
> #include <libxml/tree.h>
> 
> #include <libxml/xmlmemory.h>
> 
> #include <libxml/parser.h>
> 
>  
> 
> #ifndef XMLSEC_NO_XSLT
> 
> #include <libxslt/xslt.h>
> 
> #endif /* XMLSEC_NO_XSLT */
> 
>  
> 
> #include <xmlsec/xmlsec.h>
> 
> #include <xmlsec/xmltree.h>
> 
> #include <xmlsec/xmldsig.h>
> 
> #include <xmlsec/xmlenc.h>
> 
> #include <xmlsec/templates.h>
> 
> #include <xmlsec/crypto.h>
> 
>  
> 
>  
> 
> /**
> 
>  * verify_file:
> 
> * @mngr:                              the pointer to keys manager.
> 
> * @xml_file:                    the signed XML file name.
> 
> *
> 
> * Verifies XML signature in #xml_file.
> 
> *
> 
> * Returns 0 on success or a negative value if an error occurs.
> 
> */
> 
> int
> 
> verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file)
> 
> {
> 
>    xmlDocPtr doc = NULL;
> 
>    xmlNodePtr node = NULL;
> 
>    xmlSecDSigCtxPtr dsigCtx = NULL;
> 
>     int res = -1;
> 
>    
> 
>     assert(mngr);
> 
>     assert(xml_file);
> 
>  
> 
>     /* load file */
> 
>     doc = xmlParseFile(xml_file);
> 
>     if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
> 
>                 fprintf(stderr, "Error: unable to parse file 
> \"%s\"\n", xml_file);
> 
>                 goto done;        
> 
>     }
> 
>    
> 
>     /* find start node */
> 
>     node = xmlSecFindNode(xmlDocGetRootElement(doc),
> xmlSecNodeSignature, xmlSecDSigNs);
> 
>     if(node == NULL) {
> 
>                 fprintf(stderr, "Error: start node not found in 
> \"%s\"\n", xml_file);
> 
>                 goto done;        
> 
>     }
> 
>  
> 
>     /* create signature context */
> 
>     dsigCtx = xmlSecDSigCtxCreate(mngr);
> 
>     if(dsigCtx == NULL) {
> 
>         fprintf(stderr,"Error: failed to create signature context\n");
> 
>                 goto done;
> 
>     }
> 
>                
> 
>  
> 
>    
> 
>  
> 
>     /* limit the Reference URI attributes to empty or NULL */
> 
>     dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
> 
>    
> 
>     /* limit allowed transforms for siganture and reference processing 
> */
> 
>     if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformInclC14NId) < 0) ||
> 
>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformExclC14NId) < 0) ||
> 
>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformSha1Id) < 0) ||
> 
>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformRsaSha1Id) < 0)) {
> 
>  
> 
>         fprintf(stderr,"Error: failed to limit allowed siganture 
> transforms\n");
> 
>                 goto done;
> 
>     }
> 
>     if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformInclC14NId) < 0) ||
> 
>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformExclC14NId) < 0) ||
> 
>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformSha1Id) < 0) ||
> 
>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformEnvelopedId) < 0)) {
> 
>  
> 
>         fprintf(stderr,"Error: failed to limit allowed reference 
> transforms\n");
> 
>                 goto done;
> 
>     }
> 
>  
> 
>     /* in addition, limit possible key data to valid X509 certificates 
> only */
> 
>     if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
> BAD_CAST xmlSecKeyDataX509Id) < 0) {
> 
>         fprintf(stderr,"Error: failed to limit allowed key data\n");
> 
>                 goto done;
> 
>     }
> 
>    
> 
>     /* Verify signature */
> 
>     if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
> 
>         fprintf(stderr,"Error: signature verify\n");
> 
>                 goto done;
> 
>     }
> 
>  
> 
>     /* check that we have only one Reference */
> 
>     if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
> 
>         (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1)) 
> {
> 
>                
> 
>         fprintf(stderr,"Error: only one reference is allowed\n");
> 
>                 goto done;
> 
>     }
> 
>        
> 
>     /* print verification result to stdout */
> 
>     if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
> 
>                 fprintf(stdout, "Signature is OK\n");
> 
>     } else {
> 
>                 fprintf(stdout, "Signature is INVALID\n");
> 
>     }   
> 
>  
> 
>     /* success */
> 
>     res = 0;
> 
>  
> 
> done:   
> 
>     /* cleanup */
> 
>     if(dsigCtx != NULL) {
> 
>                 xmlSecDSigCtxDestroy(dsigCtx);
> 
>     }
> 
>    
> 
>     if(doc != NULL) {
> 
>                 xmlFreeDoc(doc);
> 
>     }
> 
>     return(res);
> 
>  
> 
> }
> 
>  
> 
> int
> 
> init_allxml_lib()
> 
> {   
> 
>    // Init libxml and libxslt libraries
> 
>    xmlInitParser();
> 
>   
> 
>    LIBXML_TEST_VERSION
> 
>    xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
> 
>    xmlSubstituteEntitiesDefault(1);
> 
> #ifndef XMLSEC_NO_XSLT
> 
>    xmlIndentTreeOutput = 1;
> 
> #endif // XMLSEC_NO_XSLT
> 
>                
> 
>    // Init xmlsec library
> 
>    if(xmlSecInit() < 0) {
> 
>    fprintf(stderr, "Error: xmlsec initialization failed.\n");
> 
>    return(-1);
> 
>    }
> 
>  
> 
>    // Check loaded library version
> 
>    if(xmlSecCheckVersion() != 1) {
> 
>    fprintf(stderr, "Error: loaded xmlsec library version is not 
> compatible.\n");
> 
>    return(-1);
> 
>    }   
> 
>    
> 
>    // Load default crypto engine if we are supporting dynamic
> 
>    // loading for xmlsec-crypto libraries. Use the crypto library
> 
>    // name ("openssl", "nss", etc.) to load corresponding
> 
>    // xmlsec-crypto library.
> 
>  
> 
> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
> 
>    if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
> 
>    fprintf(stderr, "Error: unable to load default xmlsec-crypto library.
> Make sure\n"
> 
>                                                "that you have it 
> installed and check shared libraries path\n"
> 
>                                                "(LD_LIBRARY_PATH) 
> envornment variable.\n");
> 
>    return(-1);      
> 
>    }
> 
> #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
> 
>  
> 
>    // Init crypto library
> 
>    if(xmlSecCryptoAppInit(NULL) < 0) {
> 
>       fprintf(stderr, "Error: crypto initialization failed.\n");
> 
>       return(-1);
> 
>    }
> 
>  
> 
>    // Init xmlsec-crypto library
> 
>    if(xmlSecCryptoInit() < 0) {
> 
>    fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
> 
>    return(-1);
> 
>    }
> 
>                               
> 
>    return 0;
> 
> }
> 
>  
> 
> void
> 
> fnit_allxml_lib()
> 
> {
> 
>    // Shutdown xmlsec-crypto library
> 
>    xmlSecCryptoShutdown();
> 
>    
> 
>    //Shutdown crypto library
> 
>    xmlSecCryptoAppShutdown();
> 
>    
> 
>    //Shutdown xmlsec library
> 
>    xmlSecShutdown();
> 
>  
> 
>    // Shutdown libxslt/libxml
> 
> #ifndef XMLSEC_NO_XSLT
> 
>    xsltCleanupGlobals();           
> 
> #endif //XMLSEC_NO_XSLT
> 
>  
> 
>    xmlCleanupParser();
> 
> }
> 
>  
> 
> const std::string XML_FILE =
>
"/Projects/project.dokfile.vses/hades/trunk/products/doksafe/engine/libs/xml
dsig/test/"
> 
>                              "mt-embedded-id-dtd-attr.xml";
> 
>

> // "mt.xml";
> 
>  
> 
> // Unit Tests
> 
>  
> 
> void do_0()
> 
> {
> 
>    xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
> 
>    if(mngr == NULL)
> 
>    {
> 
>       fprintf(stderr, "Error: failed to create keys manager.\n");
> 
>    }
> 
>                
> 
>    if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0)
> 
>    {
> 
>       fprintf(stderr, "Error: failed to initialize keys manager.\n");
> 
>       xmlSecKeysMngrDestroy(mngr);
> 
>    }
> 
>                
> 
>    BOOST_CHECK(init_allxml_lib() == 0);
> 
>    BOOST_CHECK(verify_file(mngr, XML_FILE.c_str()) == 0);
> 
>   
> 
>    fnit_allxml_lib();
> 
> }
> 
>  
> 
> // -
> 
>  
> 
> int test_main(int, char*[])
> 
> {
> 
>    do_0();
> 
>  
> 
>    return 0;
> 
> }
> 
>  
> 
>  
> 
>  
> 
>  
> 
> Thanks
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mt-embedded-id-dtd-attr.xml
Type: text/xml
Size: 7527 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120611/dd726390/attachment-0001.xml>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xmldsig_test.cpp
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120611/dd726390/attachment-0001.ksh>


More information about the xmlsec mailing list