[xmlsec] Custom CRL

Francisco Obispo fobispo at isc.org
Tue May 21 16:06:31 PDT 2013


Yes,

What I'm currently doing, is trying to validate it by extracting the X509 Cert from the XML (with xmlSecBufferBase64NodeContentRead()), so I can use: xmlSecOpenSSLX509StoreVerify()

But so far I'm getting:

Segmentation fault: 11

which means that I'm doing something the wrong way…

I've tried just adding the CRL by:

  if (crlfile != NULL) {
    /* load the CRL from the file that was passed in */
    crl = __load_crl(crlfile);
    if (crl == NULL) {
      result = -1;
      fprintf(stderr, "Error loading CRL: Aborting\n");
      goto done;
    }

    /* fetch the OpenSSL X509 store behind the keys manager */
    xmlSecKeyDataStorePtr x509Store = NULL;
    x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecOpenSSLX509StoreId);
    if (x509Store == NULL) {
      fprintf(stderr, "Cannot get key store to open CRL\n");
      goto done;
    }

    /* hand the CRL to the store (the store adopts, i.e. owns, it) */
    if (xmlSecOpenSSLX509StoreAdoptCrl(x509Store, crl) < 0) {
      fprintf(stderr, "Cannot Add CRL to keyStore\n");
      goto done;
    }
  }


This all goes OK, and then I do:

  /* create signature context */
  dsigCtx = xmlSecDSigCtxCreate(mngr);
  if (dsigCtx == NULL) {
    fprintf(stderr, "Error: failed to create signature context\n");
    goto done;
  }
 
  
  /* Verify signature */
  if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
    fprintf(stderr, "Error: signature verify\n");
    goto done;
  }
  
  /* print verification result to stdout */
  if (dsigCtx->status == xmlSecDSigStatusSucceeded) {
    fprintf(stdout, "Signature is OK\n");
  //  xmlSecDSigCtxDebugDump(dsigCtx,stderr);
    res = 1;
  }

And the signature validates, when it should fail due to the revoked cert.

any ideas?
On May 21, 2013, at 2:49 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> Did you setup the xmlDsigCtx with the keys manager through
> xmlSecDSigCtxCreate() call?
> 
> Aleksey
> 
> On 5/20/13 11:01 PM, Francisco Obispo wrote:
>> Dear *,
>> 
>> I'm using the C API to write perl bindings to xmlsec, I'm currently just interested in using the signature validation, since I don't currently care about signing.
>> 
>> I've been able to successfully validate a signature going through the examples, however, I now need to add a custom CRL (Certificate Revocation List), which will be published by the root-ca one or two times a day.
>> 
>> I added the following code to my validator:
>> 
>> 
>>  /* initialize CRL */
>> 
>>  /* if a CRLFILE was passed, load it */
>>  X509_CRL *crl=NULL;
>> 
>>  if(crlfile != NULL){
>> 
>>      crl=__load_crl(crlfile);
>> 
>>      if(crl==NULL){
>>        result=-1;
>>        goto done;
>>      }
>> 
>>      xmlSecKeyDataStorePtr x509Store=NULL;
>> 
>>      x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecOpenSSLX509StoreId);
>>      if(x509Store == NULL) {
>>        fprintf(stderr, "Cannot get key store to open CRL\n");
>>        goto done;
>>      }
>> 
>> 
>>      if(xmlSecOpenSSLX509StoreAdoptCrl(x509Store, crl ) < 0){
>>         fprintf(stderr, "Cannot Add CRL to keyStore\n");
>>          goto done;
>>      }
>>  }
>> 
>> 
>> 
>> However, it yields no results when performing the actual validation: if the signature is valid but the certificate has been revoked, xmlSecDSigCtxVerify() will still validate.
>> 
>> Any thoughts?
>> 
>> 
>> 
>> Francisco Obispo 
>> Director of Applications and Services - ISC
>> email: fobispo at isc.org
>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>> PGP KeyID = B38DB1BE
>> 
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>> 

Francisco Obispo 
Director of Applications and Services - ISC
email: fobispo at isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE
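Added example, not code from this thread or from xmlsec: a self-contained C model of the decision an X509 store makes once a CRL has been adopted. It shows the cases in which a loaded CRL still revokes nothing (issuer mismatch, CRL outside its validity window at verification time, serial not listed) and a fail-closed wrapper that only reports a signature as OK when the CRL actually applied. All type names, function names and sample data are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

typedef struct {
    const char *issuer;            /* DN of the CA that signed the CRL */
    time_t this_update;            /* start of the CRL's validity window */
    time_t next_update;            /* end of the window; 0 if the CRL gives none */
    const unsigned long *revoked;  /* serial numbers listed as revoked */
    size_t revoked_count;
} crl_t;

typedef struct {
    const char *issuer;            /* DN of the CA that issued the cert */
    unsigned long serial;
} cert_t;

typedef enum { CRL_NOT_APPLICABLE, CRL_STALE, CERT_GOOD, CERT_REVOKED } crl_status_t;

/* Revocation decision for one cert against one CRL at verification time "now". */
crl_status_t check_against_crl(const cert_t *cert, const crl_t *crl, time_t now) {
    if (strcmp(cert->issuer, crl->issuer) != 0)
        return CRL_NOT_APPLICABLE;  /* a CRL from another CA says nothing about this cert */
    if (now < crl->this_update || (crl->next_update != 0 && now > crl->next_update))
        return CRL_STALE;           /* outside the window: the list is not known to be current */
    for (size_t i = 0; i < crl->revoked_count; i++)
        if (crl->revoked[i] == cert->serial)
            return CERT_REVOKED;
    return CERT_GOOD;
}

/* Fail-closed policy: only an applicable, current CRL that does not list the
 * serial lets the signature be reported as OK. Returns 1 for OK, 0 otherwise. */
int signature_ok(const cert_t *cert, const crl_t *crl, time_t now) {
    return check_against_crl(cert, crl, now) == CERT_GOOD;
}

/* Constructed sample data (not from the thread): one CA whose CRL, valid from
 * time 1000 to 2000, lists serials 0x2A and 0x30 as revoked. */
static const unsigned long sample_revoked[] = { 0x2AUL, 0x30UL };
const crl_t  sample_crl           = { "CN=Root CA", 1000, 2000, sample_revoked, 2 };
const cert_t sample_revoked_cert  = { "CN=Root CA", 0x2AUL };
const cert_t sample_good_cert     = { "CN=Root CA", 0x2BUL };
const cert_t sample_other_ca_cert = { "CN=Other CA", 0x2AUL };
```

A CRL that reaches the store but was issued by a different CA, or whose window does not cover the verification time, is the case where a revoked certificate still passes; checking for CERT_GOOD rather than "not CERT_REVOKED" makes that visible.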


