[xmlsec] RES: RES: how verify sig using xmlAddID and local certs!
Aleksey Sanin
aleksey at aleksey.com
Mon Jun 11 11:46:00 PDT 2012
I am really sorry but this goes beyond the support I provide.
Aleksey
On 6/11/12 11:40 AM, Renato Tegon Forti wrote:
> Hi Again,
>
> I write one new code, but I can put it to work! Please you can point me what
> I forgot!
>
> The verify function is : verify_f
>
> Output:
>
> ========================================================================
> verify_f
> ========================================================================
> Signature is ***INVALID***
> func=xmlSecDSigCtxDebugXmlDump:file=xmldsig.c:line=1148:obj=unknown:subj=out
> put != NULL:error=100:assertion:
> func=xmlSecDSigCtxDebugDump:file=xmldsig.c:line=1068:obj=unknown:subj=output
> != NULL:error=100:assertion:
>
> Thanks
>
> -----Mensagem original-----
> De: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Enviada em: segunda-feira, 11 de junho de 2012 13:22
> Para: Renato Tegon Forti
> Cc: xmlsec at aleksey.com
> Assunto: Re: RES: [xmlsec] how verify sig using xmlAddID and local certs!
>
> xmlsec1 --help
>
> Aleksey
>
> On 6/11/12 7:09 AM, Renato Tegon Forti wrote:
>> Hi
>>
>>>> xmlAddID - look at LibXML2 documentation for the function, it's
>>>> pretty
>> simple.
>> OK
>>
>>>> Actually default trusted certs are loaded in the xmlsec-openssl init
>> function.
>> Then I don't need load certs in "xmlSecKeysMngrPtr"?
>>
>> I am trying to use sample "Verifying a signature with X 509 certificates."
>>
>> And I changed load_trusted_certs to accept a vector with keys file, like:
>>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>> std::vector<std::string> certs;
>>
>> certs.push_back("/usr/lib/ssl/certs/Serasa_Certificadora_Digital_v2.pe
>> m");
>> certs.push_back("/usr/lib/ssl/certs/Serasa_Autoridade_Certificadora_Pr
>> incipa
>> l_v2.pem");
>> certs.push_back("/usr/lib/ssl/certs/Autoridade_Certificadora_Raiz_Bras
>> ileira
>> _v2.pem");
>>
>> mngr = load_trusted_certs(certs);
>>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>>
>> And for now, I using DTD on xml file:
>>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ATTLIST
>> infNFe Id ID #IMPLIED> ]>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>>
>> But always I received: "Signature is INVALID"!
>>
>> If I use xmlsec1 command, its work in some file!
>>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>> afe/engine/libs/xmldsig/test$ xmlsec1 --verify
>> mt-embedded-id-dtd-attr.xml OK SignedInfo References (ok/all): 1/1
>> Manifests References (ok/all): 0/0
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>>
>> How I can print debug into to try see what's happening?
>>
>> My current code, and file that I need check is attached!
>>
>> Thanks again, and again, and again ...!
>>
>> -----Mensagem original-----
>> De: Aleksey Sanin [mailto:aleksey at aleksey.com] Enviada em:
>> segunda-feira, 11 de junho de 2012 10:46
>> Para: Renato Tegon Forti
>> Cc: xmlsec at aleksey.com
>> Assunto: Re: [xmlsec] how verify sig using xmlAddID and local certs!
>>
>> 1) xmlAddID - look at LibXML2 documentation for the function, it's
>> pretty simple.
>>
>> 2) Actually default trusted certs are loaded in the xmlsec-openssl
>> init function.
>>
>> Aleksey
>>
>> On 6/11/12 5:39 AM, Renato Tegon Forti wrote:
>>> Hi All,
>>>
>>>
>>>
>>> I'm trying to understand how the xmlsec tool interprets this command:
>>>
>>>
>>>
>>> xmlsec1 --verify --id-attr:Id infNFe file.xml
>>>
>>>
>>>
>>> which parts of code are activated! Need to reproduce this behavior in
>>> my code
>>>
>>>
>>>
>>> Can someone explain to me?
>>>
>>>
>>>
>>> In special how "xmlSecAppLoadKeys" load CA 's files of
>>> /usr/lib/ssl/certs/ : (for sample. openssl ssl files folder) !
>>>
>>>
>>>
>>> I need use "xmlAddID" to add "infNFe" like an id! Ok? How?
>>>
>>>
>>>
>>> Anything else!
>>>
>>>
>>>
>>> My test code:
>>>
>>>
>>>
>>> // Copyright 2011-2012 Renato Tegon Forti
>>>
>>>
>>>
>>> #define BOOST_ALL_DYN_LINK
>>>
>>> #define BOOST_THREAD_USE_DLL //thread header not compliant with
>>> 'BOOST_ALL_DYN_LINK'
>>>
>>> #define BOOST_LIB_DIAGNOSTIC
>>>
>>>
>>>
>>> #include <boost/test/minimal.hpp>
>>>
>>> #include <dsafe/xmlsig.hpp>
>>>
>>>
>>>
>>> #define XMLSEC_CRYPTO_OPENSSL
>>>
>>>
>>>
>>> #include <libxml/tree.h>
>>>
>>> #include <libxml/xmlmemory.h>
>>>
>>> #include <libxml/parser.h>
>>>
>>>
>>>
>>> #ifndef XMLSEC_NO_XSLT
>>>
>>> #include <libxslt/xslt.h>
>>>
>>> #endif /* XMLSEC_NO_XSLT */
>>>
>>>
>>>
>>> #include <xmlsec/xmlsec.h>
>>>
>>> #include <xmlsec/xmltree.h>
>>>
>>> #include <xmlsec/xmldsig.h>
>>>
>>> #include <xmlsec/xmlenc.h>
>>>
>>> #include <xmlsec/templates.h>
>>>
>>> #include <xmlsec/crypto.h>
>>>
>>>
>>>
>>>
>>>
>>> /**
>>>
>>> * verify_file:
>>>
>>> * @mngr: the pointer to keys manager.
>>>
>>> * @xml_file: the signed XML file name.
>>>
>>> *
>>>
>>> * Verifies XML signature in #xml_file.
>>>
>>> *
>>>
>>> * Returns 0 on success or a negative value if an error occurs.
>>>
>>> */
>>>
>>> int
>>>
>>> verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file)
>>>
>>> {
>>>
>>> xmlDocPtr doc = NULL;
>>>
>>> xmlNodePtr node = NULL;
>>>
>>> xmlSecDSigCtxPtr dsigCtx = NULL;
>>>
>>> int res = -1;
>>>
>>>
>>>
>>> assert(mngr);
>>>
>>> assert(xml_file);
>>>
>>>
>>>
>>> /* load file */
>>>
>>> doc = xmlParseFile(xml_file);
>>>
>>> if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
>>>
>>> fprintf(stderr, "Error: unable to parse file
>>> \"%s\"\n", xml_file);
>>>
>>> goto done;
>>>
>>> }
>>>
>>>
>>>
>>> /* find start node */
>>>
>>> node = xmlSecFindNode(xmlDocGetRootElement(doc),
>>> xmlSecNodeSignature, xmlSecDSigNs);
>>>
>>> if(node == NULL) {
>>>
>>> fprintf(stderr, "Error: start node not found in
>>> \"%s\"\n", xml_file);
>>>
>>> goto done;
>>>
>>> }
>>>
>>>
>>>
>>> /* create signature context */
>>>
>>> dsigCtx = xmlSecDSigCtxCreate(mngr);
>>>
>>> if(dsigCtx == NULL) {
>>>
>>> fprintf(stderr,"Error: failed to create signature
>>> context\n");
>>>
>>> goto done;
>>>
>>> }
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> /* limit the Reference URI attributes to empty or NULL */
>>>
>>> dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
>>>
>>>
>>>
>>> /* limit allowed transforms for siganture and reference
>>> processing */
>>>
>>> if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>>> xmlSecTransformInclC14NId) < 0) ||
>>>
>>> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>>> xmlSecTransformExclC14NId) < 0) ||
>>>
>>> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>>> xmlSecTransformSha1Id) < 0) ||
>>>
>>> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>>> xmlSecTransformRsaSha1Id) < 0)) {
>>>
>>>
>>>
>>> fprintf(stderr,"Error: failed to limit allowed siganture
>>> transforms\n");
>>>
>>> goto done;
>>>
>>> }
>>>
>>> if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>>> xmlSecTransformInclC14NId) < 0) ||
>>>
>>> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>>> xmlSecTransformExclC14NId) < 0) ||
>>>
>>> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>>> xmlSecTransformSha1Id) < 0) ||
>>>
>>> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>>> xmlSecTransformEnvelopedId) < 0)) {
>>>
>>>
>>>
>>> fprintf(stderr,"Error: failed to limit allowed reference
>>> transforms\n");
>>>
>>> goto done;
>>>
>>> }
>>>
>>>
>>>
>>> /* in addition, limit possible key data to valid X509
>>> certificates only */
>>>
>>> if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
>>> BAD_CAST xmlSecKeyDataX509Id) < 0) {
>>>
>>> fprintf(stderr,"Error: failed to limit allowed key data\n");
>>>
>>> goto done;
>>>
>>> }
>>>
>>>
>>>
>>> /* Verify signature */
>>>
>>> if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>>>
>>> fprintf(stderr,"Error: signature verify\n");
>>>
>>> goto done;
>>>
>>> }
>>>
>>>
>>>
>>> /* check that we have only one Reference */
>>>
>>> if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
>>>
>>> (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) !=
>>> 1)) {
>>>
>>>
>>>
>>> fprintf(stderr,"Error: only one reference is allowed\n");
>>>
>>> goto done;
>>>
>>> }
>>>
>>>
>>>
>>> /* print verification result to stdout */
>>>
>>> if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>>>
>>> fprintf(stdout, "Signature is OK\n");
>>>
>>> } else {
>>>
>>> fprintf(stdout, "Signature is INVALID\n");
>>>
>>> }
>>>
>>>
>>>
>>> /* success */
>>>
>>> res = 0;
>>>
>>>
>>>
>>> done:
>>>
>>> /* cleanup */
>>>
>>> if(dsigCtx != NULL) {
>>>
>>> xmlSecDSigCtxDestroy(dsigCtx);
>>>
>>> }
>>>
>>>
>>>
>>> if(doc != NULL) {
>>>
>>> xmlFreeDoc(doc);
>>>
>>> }
>>>
>>> return(res);
>>>
>>>
>>>
>>> }
>>>
>>>
>>>
>>> int
>>>
>>> init_allxml_lib()
>>>
>>> {
>>>
>>> // Init libxml and libxslt libraries
>>>
>>> xmlInitParser();
>>>
>>>
>>>
>>> LIBXML_TEST_VERSION
>>>
>>> xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>>
>>> xmlSubstituteEntitiesDefault(1);
>>>
>>> #ifndef XMLSEC_NO_XSLT
>>>
>>> xmlIndentTreeOutput = 1;
>>>
>>> #endif // XMLSEC_NO_XSLT
>>>
>>>
>>>
>>> // Init xmlsec library
>>>
>>> if(xmlSecInit() < 0) {
>>>
>>> fprintf(stderr, "Error: xmlsec initialization failed.\n");
>>>
>>> return(-1);
>>>
>>> }
>>>
>>>
>>>
>>> // Check loaded library version
>>>
>>> if(xmlSecCheckVersion() != 1) {
>>>
>>> fprintf(stderr, "Error: loaded xmlsec library version is not
>>> compatible.\n");
>>>
>>> return(-1);
>>>
>>> }
>>>
>>>
>>>
>>> // Load default crypto engine if we are supporting dynamic
>>>
>>> // loading for xmlsec-crypto libraries. Use the crypto library
>>>
>>> // name ("openssl", "nss", etc.) to load corresponding
>>>
>>> // xmlsec-crypto library.
>>>
>>>
>>>
>>> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>>
>>> if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
>>>
>>> fprintf(stderr, "Error: unable to load default xmlsec-crypto library.
>>> Make sure\n"
>>>
>>> "that you have it
>>> installed and check shared libraries path\n"
>>>
>>> "(LD_LIBRARY_PATH)
>>> envornment variable.\n");
>>>
>>> return(-1);
>>>
>>> }
>>>
>>> #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
>>>
>>>
>>>
>>> // Init crypto library
>>>
>>> if(xmlSecCryptoAppInit(NULL) < 0) {
>>>
>>> fprintf(stderr, "Error: crypto initialization failed.\n");
>>>
>>> return(-1);
>>>
>>> }
>>>
>>>
>>>
>>> // Init xmlsec-crypto library
>>>
>>> if(xmlSecCryptoInit() < 0) {
>>>
>>> fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
>>>
>>> return(-1);
>>>
>>> }
>>>
>>>
>>>
>>> return 0;
>>>
>>> }
>>>
>>>
>>>
>>> void
>>>
>>> fnit_allxml_lib()
>>>
>>> {
>>>
>>> // Shutdown xmlsec-crypto library
>>>
>>> xmlSecCryptoShutdown();
>>>
>>>
>>>
>>> //Shutdown crypto library
>>>
>>> xmlSecCryptoAppShutdown();
>>>
>>>
>>>
>>> //Shutdown xmlsec library
>>>
>>> xmlSecShutdown();
>>>
>>>
>>>
>>> // Shutdown libxslt/libxml
>>>
>>> #ifndef XMLSEC_NO_XSLT
>>>
>>> xsltCleanupGlobals();
>>>
>>> #endif //XMLSEC_NO_XSLT
>>>
>>>
>>>
>>> xmlCleanupParser();
>>>
>>> }
>>>
>>>
>>>
>>> const std::string XML_FILE =
>>>
>> "/Projects/project.dokfile.vses/hades/trunk/products/doksafe/engine/li
>> bs/xml
>> dsig/test/"
>>>
>>> "mt-embedded-id-dtd-attr.xml";
>>>
>>>
>>
>>> // "mt.xml";
>>>
>>>
>>>
>>> // Unit Tests
>>>
>>>
>>>
>>> void do_0()
>>>
>>> {
>>>
>>> xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
>>>
>>> if(mngr == NULL)
>>>
>>> {
>>>
>>> fprintf(stderr, "Error: failed to create keys manager.\n");
>>>
>>> }
>>>
>>>
>>>
>>> if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0)
>>>
>>> {
>>>
>>> fprintf(stderr, "Error: failed to initialize keys manager.\n");
>>>
>>> xmlSecKeysMngrDestroy(mngr);
>>>
>>> }
>>>
>>>
>>>
>>> BOOST_CHECK(init_allxml_lib() == 0);
>>>
>>> BOOST_CHECK(verify_file(mngr, XML_FILE.c_str()) == 0);
>>>
>>>
>>>
>>> fnit_allxml_lib();
>>>
>>> }
>>>
>>>
>>>
>>> // -
>>>
>>>
>>>
>>> int test_main(int, char*[])
>>>
>>> {
>>>
>>> do_0();
>>>
>>>
>>>
>>> return 0;
>>>
>>> }
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list