[xmlsec] Key/cert selected for verification
Peter
allmail89 at gmail.com
Sun Jun 30 11:27:08 PDT 2013
Hi Aleksey
I am new to xmlsec and have a few questions. I tried to do my homework first
and went through the documentation and old emails but still have a few
questions. I will be very grateful if you can find the time to look into
this please.
I am using X.509 certs and I am using the .18 prebuilt Windows version
FIRST
---------
My first question is very similar to the one posted here
http://www.aleksey.com/pipermail/xmlsec/2002/004466.html
I basically want to look at the certificate or the chain that actually
validated the XML to check the Subject, Issuer, etc. I can't find the
structures mentioned in that thread, I am guessing the code must have
changed since then or maybe I am looking in the wrong place. Can you
please confirm?
So then I looked at the command line tool code since it prints out the info
that I need. I followed through the code but I can't find any accessible
function to pull out the subject/issuer for the certs. I found
the xmlSecKeyDataGetIdentifier function but it didn't print anything for me.
It was late and maybe I am doing something wrong but I thought I would
check with you if I am on the right track.
/////////////////////////////////////////////////////////////
// key is the signKey from the context (dsigCtx->signKey)
static bool dumpSignKeyData(xmlSecKeyPtr key, std::string& info)
{
    if (!xmlSecPtrListIsValid(key->dataList))
    {
        info = "SignKey dataList is not valid";
        return false;
    }
    // key->dataList->id is the pointer to the xmlSecKeyDataListKlass struct
    if (!xmlSecPtrListCheckId(key->dataList, xmlSecKeyDataListId))
    {
        info = "SignKey dataList kind is not xmlSecKeyDataListId";
        return false;
    }
    // "key-data-list"
    InfoLog << " DATALIST kind [" << (char*)key->dataList->id->name
            << "] size [" << key->dataList->use << "]" << endl;
    xmlSecSize pos;
    for (pos = 0; pos < key->dataList->use; ++pos)
    {
        ostringstream ss; ss << pos;
        xmlSecKeyDataPtr value = (xmlSecKeyDataPtr)key->dataList->data[pos];
        if (value == NULL)
        {
            info = "SignKey dataList data[" + ss.str() + "] is not valid";
            return false;
        }
        //key->dataList->id->debugDumpItem(key->dataList->data[pos], stdout);
        if (!xmlSecKeyDataCheckId(value, xmlSecMSCryptoKeyDataX509Id))
        {
            info = "SignKey dataList data[" + ss.str() + "] kind is not xmlSecMSCryptoKeyDataX509Id";
            return false;
        }
        InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] kind ["
                << (char*)value->id->name << "]" << endl;
        // xmlSecKeyDataGetIdentifier() can return NULL (it printed nothing for the
        // X509 data here); constructing a std::string from NULL is undefined, so guard it.
        const xmlChar* id = xmlSecKeyDataGetIdentifier(value);
        string identifier = (id != NULL) ? (const char*)id : "";
        // this did not print anything
        InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] identifier ["
                << identifier.c_str() << "]" << endl;
    }
    return true;
}
/* THIS IS THE INFO I AM LOOKING FOR. Is it accessible from outside?
xmlSecMSCryptoKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE* output)
{
    PCCERT_CONTEXT cert;
    xmlSecSize size, pos;
    xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecMSCryptoKeyDataX509Id));
    fprintf(output, "=== X509 Data:\n");
    cert = xmlSecMSCryptoKeyDataX509GetKeyCert(data);
    if(cert != NULL) {
        fprintf(output, "==== Key Certificate:\n");
        xmlSecMSCryptoX509CertDebugDump(cert, output);
    }
    size = xmlSecMSCryptoKeyDataX509GetCertsSize(data);
    for(pos = 0; pos < size; ++pos) {
        cert = xmlSecMSCryptoKeyDataX509GetCert(data, pos);
        if(cert == NULL) {
            xmlSecError(XMLSEC_ERRORS_HERE,
                        xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                        "xmlSecMSCryptoKeyDataX509GetCert",
                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
                        "pos=%d", pos);
            return;
        }
        fprintf(output, "==== Certificate:\n");
        xmlSecMSCryptoX509CertDebugDump(cert, output);
    }
}
*/
/////////////////////////////////////////////////////////////
SECOND
--------------
In one of your replies (http://www.aleksey.com/pipermail/xmlsec/2011/009076.html) you said:
"I think you can get what you want by using "--enabled-key-data" (and
"--list-key-data") command line options for xmlsec utility. Simply disable
reading of certs from XML file completely and provide the signature key
(not necessarily in a cert) from the command line."
How exactly do I do that? Because --enabled-key-data always expects a
parameter. I guess I can just say "hmac" or some other option that doesn't
apply in my case to achieve that, is that right?
Also the command to list them, "xmlsec list-key-data --crypto mscrypto", I
didn't see documented in the command line help.
From the verify4 example, I found the following. What is the corresponding
code to disable reading of certs from the XML completely?
    /* in addition, limit possible key data to valid X509 certificates only */
    if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecKeyDataX509Id) < 0) {
        fprintf(stderr,"Error: failed to limit allowed key data\n");
        goto done;
    }
Thanks a lot for your help