[xmlsec] Custom CRL

Aleksey Sanin aleksey at aleksey.com
Tue May 21 19:14:45 PDT 2013


Well, the code clearly uses the CRLs (it's the same function that
processes CRLs in the signature). If you have a debug version, put
a breakpoint in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
to see if it is called and what's happening inside it.

Aleksey

On 5/21/13 4:06 PM, Francisco Obispo wrote:
> Yes,
> 
> What I'm currently doing is trying to validate it by extracting the X509 cert from the XML (with xmlSecBufferBase64NodeContentRead()), so I can use: xmlSecOpenSSLX509StoreVerify()
> 
> But so far I'm getting:
> 
> Segmentation fault: 11
> 
> which means that I'm doing something the wrong way…
> 
> I've tried just adding the CRL by:
> 
>   if(crlfile != NULL){
>       crl=__load_crl(crlfile);
> 
>       if(crl==NULL){
>         result=-1;
>         fprintf(stderr,"Error loading CRL: Aborting\n");
>         goto done;
>       }
> 
>       xmlSecKeyDataStorePtr x509Store=NULL;
> 
>       x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecOpenSSLX509StoreId);
>       if(x509Store == NULL) {
>         fprintf(stderr, "Cannot get key store to open CRL\n");
>         goto done;
>       }
> 
>       if(xmlSecOpenSSLX509StoreAdoptCrl(x509Store, crl ) < 0){
>         fprintf(stderr, "Cannot Add CRL to keyStore\n");
>         goto done;
>       }
>   }
> 
> 
> This all goes OK, and then I do:
> 
>   /* create signature context */
>   dsigCtx = xmlSecDSigCtxCreate(mngr);
>   if (dsigCtx == NULL) {
>     fprintf(stderr, "Error: failed to create signature context\n");
>     goto done;
>   }
>  
>   
>   /* Verify signature */
>   if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>     fprintf(stderr, "Error: signature verify\n");
>     goto done;
>   }
>   
>   /* print verification result to stdout */
>   if (dsigCtx->status == xmlSecDSigStatusSucceeded) {
>     fprintf(stdout, "Signature is OK\n");
>   //  xmlSecDSigCtxDebugDump(dsigCtx,stderr);
>     res = 1;
>   }
> 
> And the signature validates, when it should fail due to the revoked cert.
> 
> Any ideas?
> 
> On May 21, 2013, at 2:49 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>> Did you setup the xmlDsigCtx with the keys manager through
>> xmlSecDSigCtxCreate() call?
>>
>> Aleksey
>>
>> On 5/20/13 11:01 PM, Francisco Obispo wrote:
>>> Dear *,
>>>
>>> I'm using the C API to write Perl bindings to xmlsec. I'm currently just interested in using the signature validation, since I don't currently care about signing.
>>>
>>> I've been able to successfully validate a signature going through the examples; however, I now need to add a custom CRL (Certificate Revocation List), which will be published by the root CA one or two times a day.
>>>
>>> I added the following code to my validator:
>>>
>>>
>>>  /* initialize CRL */
>>>
>>>  /* if a CRLFILE was passed, load it */
>>>  X509_CRL *crl=NULL;
>>>
>>>  if(crlfile != NULL){
>>>
>>>      crl=__load_crl(crlfile);
>>>
>>>      if(crl==NULL){
>>>        result=-1;
>>>        goto done;
>>>      }
>>>
>>>      xmlSecKeyDataStorePtr x509Store=NULL;
>>>
>>>      x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecOpenSSLX509StoreId);
>>>      if(x509Store == NULL) {
>>>        fprintf(stderr, "Cannot get key store to open CRL\n");
>>>        goto done;
>>>      }
>>>
>>>
>>>      if(xmlSecOpenSSLX509StoreAdoptCrl(x509Store, crl ) < 0){
>>>         fprintf(stderr, "Cannot Add CRL to keyStore\n");
>>>          goto done;
>>>      }
>>>  }
>>>
>>>
>>>
>>> However, it yields no results when performing the actual validation: if the signature is valid but the certificate has been revoked, xmlSecDSigCtxVerify() will still validate.
>>>
>>> Any thoughts?
>>>
>>>
>>>
>>> Francisco Obispo 
>>> Director of Applications and Services - ISC
>>> email: fobispo at isc.org
>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>> PGP KeyID = B38DB1BE
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
> 
> Francisco Obispo 
> Director of Applications and Services - ISC
> email: fobispo at isc.org
> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
> PGP KeyID = B38DB1BE
> 
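The thread turns on whether the adopted CRL is actually consulted during verification. The following is an added illustration, not code from the thread and not xmlsec's or OpenSSL's implementation: a plain-Python stand-in for the test that any CRL-aware verifier (such as the OpenSSL X509 store that xmlSecOpenSSLX509VerifyCertAgainstCrls() drives) has to make for a signer certificate, namely issuer match, CRL validity window, and serial lookup. The CRL bytes are constructed inline with a minimal DER encoder; the CRL signature is not verified here (a real verifier must check it against the CA key), and the exact internal order of checks inside xmlsec is not claimed. All names below (`build_sample_crl`, `check_against_crl`, "Test Root CA", the serial numbers) are assumptions for the demo.

```python
"""Minimal X.509 CRL revocation check over DER, as an added illustration.

Not xmlsec code. Shows the three checks a verifier must make before a
signer certificate can be reported as 'not revoked'. The CRL signature is
deliberately NOT verified here; a real verifier must do that.
"""
from datetime import datetime, timedelta, timezone

# --- tiny DER encoder: just enough for a CRL skeleton (constructed for the demo)
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # +8 keeps a leading zero byte when the top bit is set (positive INTEGER)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_utc(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def der_name(cn):
    # Name = SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    oid_cn = tlv(0x06, bytes([0x55, 0x04, 0x03]))
    return der_seq(tlv(0x31, der_seq(oid_cn, tlv(0x0C, cn.encode()))))

# --- tiny DER decoder ----------------------------------------------------------
def der_decode(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_decode(content, pos)
        out.append((tag, body))
    return out

def parse_utc(b):
    return datetime.strptime(b.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Extract issuer, validity window and revoked serials from a DER CertificateList."""
    _, cert_list, _ = der_decode(der)
    fields = der_children(der_children(cert_list)[0][1])   # TBSCertList fields
    i = 0
    if fields[i][0] == 0x02:          # optional version INTEGER (1 means v2)
        i += 1
    i += 1                            # signature AlgorithmIdentifier: skipped
    issuer = tlv(0x30, fields[i][1]); i += 1
    this_update = parse_utc(fields[i][1]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] == 0x17:
        next_update = parse_utc(fields[i][1]); i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:   # revokedCertificates
        for _, entry in der_children(fields[i][1]):
            serial, date = der_children(entry)[:2]
            revoked[int.from_bytes(serial[1], "big")] = parse_utc(date[1])
    return {"issuer": issuer, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

def check_against_crl(cert_issuer, cert_serial, crl, now):
    """The test a CRL-aware verifier must make; returns a status string."""
    if crl["issuer"] != cert_issuer:
        return "crl_not_applicable"   # a CRL from another issuer says nothing about this cert
    if now < crl["this_update"] or (crl["next_update"] and now > crl["next_update"]):
        return "crl_stale"            # an expired CRL must not be read as 'not revoked'
    if cert_serial in crl["revoked"]:
        return "revoked"
    return "good"

def build_sample_crl(issuer_cn, revoked_serials, this_update, next_update):
    """Constructed v2 CRL with a placeholder (unsigned) signature field."""
    sha256_rsa = der_seq(tlv(0x06, bytes.fromhex("2A864886F70D01010B")), tlv(0x05, b""))
    entries = der_seq(*[der_seq(der_int(s), der_utc(this_update)) for s in revoked_serials])
    tbs = der_seq(der_int(1), sha256_rsa, der_name(issuer_cn),
                  der_utc(this_update), der_utc(next_update), entries)
    placeholder_sig = tlv(0x03, b"\x00" * 33)   # NOT a real signature: demo only
    return der_seq(tbs, sha256_rsa, placeholder_sig)

def demo():
    now = datetime(2013, 5, 21, 12, 0, tzinfo=timezone.utc)
    crl = parse_crl(build_sample_crl("Test Root CA", [0x1001, 0x1002],
                                     now - timedelta(hours=6), now + timedelta(hours=6)))
    issuer = der_name("Test Root CA")
    return {
        "revoked": check_against_crl(issuer, 0x1001, crl, now),
        "good": check_against_crl(issuer, 0x2000, crl, now),
        "other_issuer": check_against_crl(der_name("Other CA"), 0x1001, crl, now),
        "stale": check_against_crl(issuer, 0x2000, crl, now + timedelta(days=2)),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The two non-obvious outcomes are the ones worth keeping in mind when a revoked certificate still verifies: a CRL whose issuer name does not match the signer's issuer is simply not applicable (the store has nothing to compare against), and a CRL outside its thisUpdate/nextUpdate window is stale rather than a proof of non-revocation. Either condition can leave a verifier reporting success for the wrong reason, which is why Aleksey's suggestion of breaking inside the CRL check is the right first step.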

