[xmlsec] RES: how verify sig using xmlAddID and local certs!

Aleksey Sanin aleksey at aleksey.com
Mon Jun 11 09:22:18 PDT 2012


xmlsec1 --help

Aleksey

On 6/11/12 7:09 AM, Renato Tegon Forti wrote:
> Hi
> 
>>>  xmlAddID - look at LibXML2 documentation for the function, it's pretty
> simple.
> OK
> 
>>> Actually default trusted certs are loaded in the xmlsec-openssl init
> function.
> Then I don't need load certs in "xmlSecKeysMngrPtr"?
> 
> I am trying to use sample "Verifying a signature with X 509 certificates."
> 
> And I changed load_trusted_certs  to accept a vector with keys file, like:
> 
> ----------------------------------------------------------------------------
> ---------------------------------
> std::vector<std::string> certs;
>    
> certs.push_back("/usr/lib/ssl/certs/Serasa_Certificadora_Digital_v2.pem");
> certs.push_back("/usr/lib/ssl/certs/Serasa_Autoridade_Certificadora_Principa
> l_v2.pem");
> certs.push_back("/usr/lib/ssl/certs/Autoridade_Certificadora_Raiz_Brasileira
> _v2.pem");
> 	
> mngr = load_trusted_certs(certs);
> 
> ----------------------------------------------------------------------------
> ---------------------------------
> 
> And for now, I using DTD on xml file:
> 
> ----------------------------------------------------------------------------
> ---------------------------------
> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [
> <!ATTLIST infNFe Id ID #IMPLIED>
> ]>
> ----------------------------------------------------------------------------
> ---------------------------------
> 
> But always I received: "Signature is INVALID"!
> 
> If I use xmlsec1 command, its work in some file!
> 
> ----------------------------------------------------------------------------
> ---------------------------------
> afe/engine/libs/xmldsig/test$ xmlsec1 --verify mt-embedded-id-dtd-attr.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> ----------------------------------------------------------------------------
> ---------------------------------
> 
> How I can print debug into to try see what's happening?
> 
> My current code, and file that I need check is attached!
> 
> Thanks again, and again, and again ...!
> 
> -----Mensagem original-----
> De: Aleksey Sanin [mailto:aleksey at aleksey.com] 
> Enviada em: segunda-feira, 11 de junho de 2012 10:46
> Para: Renato Tegon Forti
> Cc: xmlsec at aleksey.com
> Assunto: Re: [xmlsec] how verify sig using xmlAddID and local certs!
> 
> 1) xmlAddID - look at LibXML2 documentation for the function, it's pretty
> simple.
> 
> 2) Actually default trusted certs are loaded in the xmlsec-openssl init
> function.
> 
> Aleksey
> 
> On 6/11/12 5:39 AM, Renato Tegon Forti wrote:
>> Hi All,
>>
>>  
>>
>> I'm trying to understand how the xmlsec tool interprets this command:
>>
>>  
>>
>> xmlsec1 --verify --id-attr:Id infNFe file.xml
>>
>>  
>>
>> which parts of code are activated! Need to reproduce this behavior in 
>> my code
>>
>>  
>>
>> Can someone explain to me?
>>
>>  
>>
>> In special how "xmlSecAppLoadKeys" load CA 's files of 
>> /usr/lib/ssl/certs/ : (for sample. openssl  ssl files folder) !
>>
>>  
>>
>> I need use "xmlAddID" to add "infNFe" like an id! Ok? How?
>>
>>  
>>
>> Anything else!
>>
>>  
>>
>> My test code:
>>
>>  
>>
>> // Copyright 2011-2012 Renato Tegon Forti
>>
>>  
>>
>> #define BOOST_ALL_DYN_LINK
>>
>> #define BOOST_THREAD_USE_DLL  //thread header not compliant with 
>> 'BOOST_ALL_DYN_LINK'
>>
>> #define BOOST_LIB_DIAGNOSTIC
>>
>>  
>>
>> #include <boost/test/minimal.hpp>
>>
>> #include <dsafe/xmlsig.hpp>
>>
>>  
>>
>> #define XMLSEC_CRYPTO_OPENSSL
>>
>>  
>>
>> #include <libxml/tree.h>
>>
>> #include <libxml/xmlmemory.h>
>>
>> #include <libxml/parser.h>
>>
>>  
>>
>> #ifndef XMLSEC_NO_XSLT
>>
>> #include <libxslt/xslt.h>
>>
>> #endif /* XMLSEC_NO_XSLT */
>>
>>  
>>
>> #include <xmlsec/xmlsec.h>
>>
>> #include <xmlsec/xmltree.h>
>>
>> #include <xmlsec/xmldsig.h>
>>
>> #include <xmlsec/xmlenc.h>
>>
>> #include <xmlsec/templates.h>
>>
>> #include <xmlsec/crypto.h>
>>
>>  
>>
>>  
>>
>> /**
>>
>>  * verify_file:
>>
>> * @mngr:                              the pointer to keys manager.
>>
>> * @xml_file:                    the signed XML file name.
>>
>> *
>>
>> * Verifies XML signature in #xml_file.
>>
>> *
>>
>> * Returns 0 on success or a negative value if an error occurs.
>>
>> */
>>
>> int
>>
>> verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file)
>>
>> {
>>
>>    xmlDocPtr doc = NULL;
>>
>>    xmlNodePtr node = NULL;
>>
>>    xmlSecDSigCtxPtr dsigCtx = NULL;
>>
>>     int res = -1;
>>
>>    
>>
>>     assert(mngr);
>>
>>     assert(xml_file);
>>
>>  
>>
>>     /* load file */
>>
>>     doc = xmlParseFile(xml_file);
>>
>>     if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
>>
>>                 fprintf(stderr, "Error: unable to parse file 
>> \"%s\"\n", xml_file);
>>
>>                 goto done;        
>>
>>     }
>>
>>    
>>
>>     /* find start node */
>>
>>     node = xmlSecFindNode(xmlDocGetRootElement(doc),
>> xmlSecNodeSignature, xmlSecDSigNs);
>>
>>     if(node == NULL) {
>>
>>                 fprintf(stderr, "Error: start node not found in 
>> \"%s\"\n", xml_file);
>>
>>                 goto done;        
>>
>>     }
>>
>>  
>>
>>     /* create signature context */
>>
>>     dsigCtx = xmlSecDSigCtxCreate(mngr);
>>
>>     if(dsigCtx == NULL) {
>>
>>         fprintf(stderr,"Error: failed to create signature context\n");
>>
>>                 goto done;
>>
>>     }
>>
>>                
>>
>>  
>>
>>    
>>
>>  
>>
>>     /* limit the Reference URI attributes to empty or NULL */
>>
>>     dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
>>
>>    
>>
>>     /* limit allowed transforms for siganture and reference processing 
>> */
>>
>>     if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>> xmlSecTransformInclC14NId) < 0) ||
>>
>>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>> xmlSecTransformExclC14NId) < 0) ||
>>
>>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>> xmlSecTransformSha1Id) < 0) ||
>>
>>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>> xmlSecTransformRsaSha1Id) < 0)) {
>>
>>  
>>
>>         fprintf(stderr,"Error: failed to limit allowed siganture 
>> transforms\n");
>>
>>                 goto done;
>>
>>     }
>>
>>     if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>> xmlSecTransformInclC14NId) < 0) ||
>>
>>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>> xmlSecTransformExclC14NId) < 0) ||
>>
>>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>> xmlSecTransformSha1Id) < 0) ||
>>
>>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>> xmlSecTransformEnvelopedId) < 0)) {
>>
>>  
>>
>>         fprintf(stderr,"Error: failed to limit allowed reference 
>> transforms\n");
>>
>>                 goto done;
>>
>>     }
>>
>>  
>>
>>     /* in addition, limit possible key data to valid X509 certificates 
>> only */
>>
>>     if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
>> BAD_CAST xmlSecKeyDataX509Id) < 0) {
>>
>>         fprintf(stderr,"Error: failed to limit allowed key data\n");
>>
>>                 goto done;
>>
>>     }
>>
>>    
>>
>>     /* Verify signature */
>>
>>     if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>>
>>         fprintf(stderr,"Error: signature verify\n");
>>
>>                 goto done;
>>
>>     }
>>
>>  
>>
>>     /* check that we have only one Reference */
>>
>>     if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
>>
>>         (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1)) 
>> {
>>
>>                
>>
>>         fprintf(stderr,"Error: only one reference is allowed\n");
>>
>>                 goto done;
>>
>>     }
>>
>>        
>>
>>     /* print verification result to stdout */
>>
>>     if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>>
>>                 fprintf(stdout, "Signature is OK\n");
>>
>>     } else {
>>
>>                 fprintf(stdout, "Signature is INVALID\n");
>>
>>     }   
>>
>>  
>>
>>     /* success */
>>
>>     res = 0;
>>
>>  
>>
>> done:   
>>
>>     /* cleanup */
>>
>>     if(dsigCtx != NULL) {
>>
>>                 xmlSecDSigCtxDestroy(dsigCtx);
>>
>>     }
>>
>>    
>>
>>     if(doc != NULL) {
>>
>>                 xmlFreeDoc(doc);
>>
>>     }
>>
>>     return(res);
>>
>>  
>>
>> }
>>
>>  
>>
>> int
>>
>> init_allxml_lib()
>>
>> {   
>>
>>    // Init libxml and libxslt libraries
>>
>>    xmlInitParser();
>>
>>   
>>
>>    LIBXML_TEST_VERSION
>>
>>    xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>
>>    xmlSubstituteEntitiesDefault(1);
>>
>> #ifndef XMLSEC_NO_XSLT
>>
>>    xmlIndentTreeOutput = 1;
>>
>> #endif // XMLSEC_NO_XSLT
>>
>>                
>>
>>    // Init xmlsec library
>>
>>    if(xmlSecInit() < 0) {
>>
>>    fprintf(stderr, "Error: xmlsec initialization failed.\n");
>>
>>    return(-1);
>>
>>    }
>>
>>  
>>
>>    // Check loaded library version
>>
>>    if(xmlSecCheckVersion() != 1) {
>>
>>    fprintf(stderr, "Error: loaded xmlsec library version is not 
>> compatible.\n");
>>
>>    return(-1);
>>
>>    }   
>>
>>    
>>
>>    // Load default crypto engine if we are supporting dynamic
>>
>>    // loading for xmlsec-crypto libraries. Use the crypto library
>>
>>    // name ("openssl", "nss", etc.) to load corresponding
>>
>>    // xmlsec-crypto library.
>>
>>  
>>
>> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>
>>    if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
>>
>>    fprintf(stderr, "Error: unable to load default xmlsec-crypto library.
>> Make sure\n"
>>
>>                                                "that you have it 
>> installed and check shared libraries path\n"
>>
>>                                                "(LD_LIBRARY_PATH) 
>> envornment variable.\n");
>>
>>    return(-1);      
>>
>>    }
>>
>> #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
>>
>>  
>>
>>    // Init crypto library
>>
>>    if(xmlSecCryptoAppInit(NULL) < 0) {
>>
>>       fprintf(stderr, "Error: crypto initialization failed.\n");
>>
>>       return(-1);
>>
>>    }
>>
>>  
>>
>>    // Init xmlsec-crypto library
>>
>>    if(xmlSecCryptoInit() < 0) {
>>
>>    fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
>>
>>    return(-1);
>>
>>    }
>>
>>                               
>>
>>    return 0;
>>
>> }
>>
>>  
>>
>> void
>>
>> fnit_allxml_lib()
>>
>> {
>>
>>    // Shutdown xmlsec-crypto library
>>
>>    xmlSecCryptoShutdown();
>>
>>    
>>
>>    //Shutdown crypto library
>>
>>    xmlSecCryptoAppShutdown();
>>
>>    
>>
>>    //Shutdown xmlsec library
>>
>>    xmlSecShutdown();
>>
>>  
>>
>>    // Shutdown libxslt/libxml
>>
>> #ifndef XMLSEC_NO_XSLT
>>
>>    xsltCleanupGlobals();           
>>
>> #endif //XMLSEC_NO_XSLT
>>
>>  
>>
>>    xmlCleanupParser();
>>
>> }
>>
>>  
>>
>> const std::string XML_FILE =
>>
> "/Projects/project.dokfile.vses/hades/trunk/products/doksafe/engine/libs/xml
> dsig/test/"
>>
>>                              "mt-embedded-id-dtd-attr.xml";
>>
>>
> 
>> // "mt.xml";
>>
>>  
>>
>> // Unit Tests
>>
>>  
>>
>> void do_0()
>>
>> {
>>
>>    xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
>>
>>    if(mngr == NULL)
>>
>>    {
>>
>>       fprintf(stderr, "Error: failed to create keys manager.\n");
>>
>>    }
>>
>>                
>>
>>    if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0)
>>
>>    {
>>
>>       fprintf(stderr, "Error: failed to initialize keys manager.\n");
>>
>>       xmlSecKeysMngrDestroy(mngr);
>>
>>    }
>>
>>                
>>
>>    BOOST_CHECK(init_allxml_lib() == 0);
>>
>>    BOOST_CHECK(verify_file(mngr, XML_FILE.c_str()) == 0);
>>
>>   
>>
>>    fnit_allxml_lib();
>>
>> }
>>
>>  
>>
>> // -
>>
>>  
>>
>> int test_main(int, char*[])
>>
>> {
>>
>>    do_0();
>>
>>  
>>
>>    return 0;
>>
>> }
>>
>>  
>>
>>  
>>
>>  
>>
>>  
>>
>> Thanks
>>
>>  
>>
>>  
>>
>>  
>>
>>  
>>
>>  
>>
>>  
>>
>>  
>>
>>  
>>
>>  
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec


More information about the xmlsec mailing list