[xmlsec] Custom CRL

Francisco Obispo fobispo at isc.org
Tue May 21 21:10:45 PDT 2013


Mhm,

It doesn't break there either:

$ gdb verify
GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug  5 03:00:42 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done

(gdb) break xmlSecOpenSSLX509StoreVerify
Breakpoint 1 at 0x3126e978d442cb
(gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
Reading symbols for shared libraries ++++++++++.............................. done
VALIDATING!!!!!
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK

Program exited normally.
(gdb) 
On May 21, 2013, at 9:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> It should do the check. I am surprised it doesn't.
> 
> Can you break into xmlSecOpenSSLX509StoreVerify() function. There is
> a piece of code that checks against in-document crl and then store crl.
> Curious to find out why it doesn't do the expected thing.
> 
> 
> Aleksey
> 
> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>> Tried it,
>> 
>> It never gets called, so I'm wondering if I'm missing something. :-(
>> 
>> So, besides adding the CRL to the key store, is there anything else I need to call to verify the cert? 
>> 
>> Would xmlSecDSigCtxVerify() do the check? or do I need to call another function separately?
>> 
>> thanks
>> 
>> 
>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>> 
>>> Well, the code clearly uses the crls (it's the same function that
>>> process crls in the signature). If you have debug version, put
>>> a break point in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>> to see if it is called and what's happening inside it.
>> 
>> Francisco Obispo 
>> Director of Applications and Services - ISC
>> email: fobispo at isc.org
>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>> PGP KeyID = B38DB1BE
>> 

Francisco Obispo 
Director of Applications and Services - ISC
email: fobispo at isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE
