[xmlsec] Custom CRL

Aleksey Sanin aleksey at aleksey.com
Tue May 21 21:53:24 PDT 2013


No! Just disable the use of "raw" public keys with enabledKeyData. Or,
to be precise, enable only X509 certs. This will ensure that xmlsec
actually verifies the cert and extracts the public key from it.

Aleksey

On 5/21/13 9:49 PM, Francisco Obispo wrote:
> So basically, if I want to check the X509 certificate in the XML against the CRL, I'm going to have to decode the <X509Certificate> node and compare it with OpenSSL directly?
> 
> I have a requirement to check the cert against the CRL.
> 
> Any suggestions?
> 
> 
> On May 21, 2013, at 9:36 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>> Again, certificates are not used. See my other email.
>>
>> Aleksey
>>
>> On 5/21/13 9:35 PM, Francisco Obispo wrote:
>>> Tried with another XML file, and same result :-(
>>>
>>> On May 21, 2013, at 9:10 PM, Francisco Obispo <fobispo at isc.org> wrote:
>>>
>>>> Mhm,
>>>>
>>>> It doesn't break there either:
>>>>
>>>> $ gdb verify
>>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug  5 03:00:42 UTC 2012)
>>>> Copyright 2004 Free Software Foundation, Inc.
>>>> GDB is free software, covered by the GNU General Public License, and you are
>>>> welcome to change it and/or distribute copies of it under certain conditions.
>>>> Type "show copying" to see the conditions.
>>>> There is absolutely no warranty for GDB.  Type "show warranty" for details.
>>>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done
>>>>
>>>> (gdb) break xmlSecOpenSSLX509StoreVerify
>>>> Breakpoint 1 at 0x3126e978d442cb
>>>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>>> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>>> Reading symbols for shared libraries ++++++++++.............................. done
>>>> VALIDATING!!!!!
>>>> = KEY INFO READ CONTEXT
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled key data: all
>>>> == RetrievalMethod level (cur/max): 0/1
>>>> == TRANSFORMS CTX (status=0)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: NULL
>>>> === uri xpointer expr: NULL
>>>> == EncryptedKey level (cur/max): 0/1
>>>> === KeyReq:
>>>> ==== keyId: rsa
>>>> ==== keyType: 0x00000001
>>>> ==== keyUsage: 0x00000002
>>>> ==== keyBitsSize: 0
>>>> === list size: 0
>>>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>>>
>>>> Program exited normally.
>>>> (gdb)
>>>>
>>>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>
>>>>> It should do the check. I am surprised it doesn't.
>>>>>
>>>>> Can you break into the xmlSecOpenSSLX509StoreVerify() function? There is
>>>>> a piece of code that checks against the in-document CRL and then the store CRL.
>>>>> Curious to find out why it doesn't do the expected thing.
>>>>>
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>>>> Tried it,
>>>>>>
>>>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>>>
>>>>>> So, besides adding the CRL to the key store, is there anything else I need to call to verify the cert?
>>>>>>
>>>>>> Would xmlSecDSigCtxVerify() do the check? Or do I need to call another function separately?
>>>>>>
>>>>>> thanks
>>>>>>
>>>>>>
>>>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>>>
>>>>>>> Well, the code clearly uses the CRLs (it's the same function that
>>>>>>> processes CRLs in the signature). If you have a debug version, put
>>>>>>> a breakpoint in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>>>> to see if it is called and what's happening inside it.
>>>>>>
>>>>>> Francisco Obispo 
>>>>>> Director of Applications and Services - ISC
>>>>>> email: fobispo at isc.org
>>>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>>>> PGP KeyID = B38DB1BE
>>>>>>
>>>>
>>>
>>>
> 
> 