[xmlsec] Custom CRL

Francisco Obispo fobispo at isc.org
Tue May 21 22:13:41 PDT 2013


You're the best!

func=xmlSecOpenSSLX509VerifyCertAgainstCrls:file=x509vfy.c:line=987:obj=unknown:subj=unknown:error=73:certificate is revoked: 
func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: 
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: 
Error: signature verify
File: Perl/ISC-XML-Signature/t/files/sample-signed-bad.xml does not validate


Got it nicely working now.

Owe you a beer!



On May 21, 2013, at 9:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> No! Just disable the use of "raw" public keys with enabledKeyData. Or
> to be precise, enable only X509 certs. This will ensure that xmlsec
> actually verifies the cert and extracts public key from it.
> 
> Aleksey
> 
> On 5/21/13 9:49 PM, Francisco Obispo wrote:
>> So basically, if I want to check the X509 certificate in the XML against the CRL, I'm going to have to decode the <X509Certificate> node and compare it with OpenSSL directly?
>> 
>> I have a requirement to check the cert against the CRL.
>> 
>> Any suggestions?
>> 
>> 
>> On May 21, 2013, at 9:36 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>> 
>>> Again, certificates are not used. See my other email.
>>> 
>>> Aleksey
>>> 
>>> On 5/21/13 9:35 PM, Francisco Obispo wrote:
>>>> Tried with another XML file, and got the same result :-(
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On May 21, 2013, at 9:10 PM, Francisco Obispo <fobispo at isc.org> wrote:
>>>> 
>>>>> Mhm,
>>>>> 
>>>>> It doesn't break there either:
>>>>> 
>>>>> $ gdb verify
>>>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug  5 03:00:42 UTC 2012)
>>>>> Copyright 2004 Free Software Foundation, Inc.
>>>>> GDB is free software, covered by the GNU General Public License, and you are
>>>>> welcome to change it and/or distribute copies of it under certain conditions.
>>>>> Type "show copying" to see the conditions.
>>>>> There is absolutely no warranty for GDB.  Type "show warranty" for details.
>>>>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done
>>>>> 
>>>>> (gdb) break xmlSecOpenSSLX509StoreVerify
>>>>> Breakpoint 1 at 0x3126e978d442cb
>>>>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>>>> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>>>> Reading symbols for shared libraries ++++++++++.............................. done
>>>>> VALIDATING!!!!!
>>>>> = KEY INFO READ CONTEXT
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled key data: all
>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>> == TRANSFORMS CTX (status=0)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> == EncryptedKey level (cur/max): 0/1
>>>>> === KeyReq:
>>>>> ==== keyId: rsa
>>>>> ==== keyType: 0x00000001
>>>>> ==== keyUsage: 0x00000002
>>>>> ==== keyBitsSize: 0
>>>>> === list size: 0
>>>>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>>>> 
>>>>> Program exited normally.
>>>>> (gdb) 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>> 
>>>>>> It should do the check. I am surprised it doesn't.
>>>>>> 
>>>>>> Can you break into the xmlSecOpenSSLX509StoreVerify() function? There is
>>>>>> a piece of code that checks against the in-document CRL and then the store CRL.
>>>>>> Curious to find out why it doesn't do the expected thing.
>>>>>> 
>>>>>> 
>>>>>> Aleksey
>>>>>> 
>>>>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>>>>> Tried it,
>>>>>>> 
>>>>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>>>> 
>>>>>>> So, besides adding the CRL to the key store, is there anything else I need to call to verify the cert? 
>>>>>>> 
>>>>>>> Would xmlSecDSigCtxVerify() do the check? or do I need to call another function separately?
>>>>>>> 
>>>>>>> thanks
>>>>>>> 
>>>>>>> 
>>>>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>>>> 
>>>>>>>> Well, the code clearly uses the CRLs (it's the same function that
>>>>>>>> processes CRLs in the signature). If you have a debug version, put
>>>>>>>> a breakpoint in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>>>>> to see if it is called and what's happening inside it.
>>>>>>> 
>>>>>>> Francisco Obispo 
>>>>>>> Director of Applications and Services - ISC
>>>>>>> email: fobispo at isc.org
>>>>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>>>>> PGP KeyID = B38DB1BE
>>>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> xmlsec at aleksey.com
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>> 
>> 

Francisco Obispo 
Director of Applications and Services - ISC
email: fobispo at isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE


