[xmlsec] Key/cert selected for verification

Peter allmail89 at gmail.com
Mon Jul 1 23:21:30 PDT 2013


Thanks a lot for the reply. That’s exactly what I tried yesterday. And I
can access the Subject, Issuer, etc.

If you don't mind, I do have a question about the cert pointers. The
following is the code, basically copied from
xmlSecMSCryptoKeyDataX509DebugDump(xmlSecKeyDataPtr data, ...)

---------------------------------------------------------------------

PCCERT_CONTEXT cert = xmlSecMSCryptoKeyDataX509GetKeyCert(data);
if (cert == NULL)
  return false;

CheckSignKeyCert(cert); // Check Subject, Issuer, etc

xmlSecSize size = xmlSecMSCryptoKeyDataX509GetCertsSize(data);
for(xmlSecSize certPos = 0; certPos < size; ++certPos)
{
  cert = xmlSecMSCryptoKeyDataX509GetCert(data, certPos);
  if(cert == NULL)
    return false;

  CheckSignKeyCert(cert); // Check Subject, Issuer, etc
}

---------------------------------------------------------------------

So I looked at the xmlSecMSCryptoKeyDataX509GetKeyCert and
xmlSecMSCryptoKeyDataX509GetCert functions.

xmlSecMSCryptoKeyDataX509GetKeyCert() seems pretty straightforward. It
returns

    ctx = xmlSecMSCryptoX509DataGetCtx(data);
    return(ctx->keyCert);

xmlSecMSCryptoKeyDataX509GetCert() is the one giving me doubts.
It internally calls CertEnumCertificatesInStore(ctx->hMemStore, pCert).

This is the documentation for CertEnumCertificatesInStore, which says that
it calls CertFreeCertificateContext on anything passed in the
pPrevCertContext parameter. Won't that cause a double delete for the cert
returned by xmlSecMSCryptoKeyDataX509GetKeyCert(), the second one when
I destroy the dSigCtx? Also I think I need to call
CertFreeCertificateContext for the last cert returned by
xmlSecMSCryptoKeyDataX509GetCert(). I apologize if I am mistaken but will
appreciate your input regarding this.

//+-------------------------------------------------------------------------
//  Enumerate the certificate contexts in the store.
//
//  If a certificate isn't found, NULL is returned.
//  Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
//  must be freed by calling CertFreeCertificateContext or is freed when passed as the
//  pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
//  can be called to make a duplicate.
//
//  pPrevCertContext MUST BE NULL to enumerate the first
//  certificate in the store. Successive certificates are enumerated by setting
//  pPrevCertContext to the CERT_CONTEXT returned by a previous call.
//
//  NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
//  this function, even for an error.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCERT_CONTEXT
WINAPI
CertEnumCertificatesInStore(IN HCERTSTORE hCertStore, IN PCCERT_CONTEXT
pPrevCertContext);


On Mon, Jul 1, 2013 at 9:38 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> 1) You are probably looking for xmlSecMSCryptoKeyDataX509GetKeyCert()
> function:
>
>
> http://www.aleksey.com/xmlsec/api/xmlsec-mscrypto-x509.html#XMLSECMSCRYPTOKEYDATAX509GETKEYCERT
>
> that returns the "raw" crypto-library specific (MSCrypto in this case)
> cert data structure. After that you can use native calls to get the
> cert subject, etc. There is no "generic" function to do that in xmlsec
> since the library doesn't need such function :)
>
> 2) "--enabled-key-data" and the dsigCtx->keyInfoReadCtx.enabledKeyData
> options define the list of enabled sources for loading the key. If these
> parameters are "empty" (not set) then all the sources are allowed.
> I would suggest using "key-name" instead of "hmac" and just having
> nothing loaded in the keysManager.
>
>
> Best,
>
> Aleksey
>
> On 6/30/13 11:27 AM, Peter wrote:
> > Hi Aleksey
> >
> > I am new to xmlsec and have a few questions. I tried to do my homework first
> > and went through the documentation and old emails but still have a few
> > questions. I will be very grateful if you can find the time to look into
> > this please.
> > I am using x509 certs and I am using the .18 prebuilt Windows version
> >
> >
> > FIRST
> > ---------
> >
> > My first question is very similar to the one posted
> > here http://www.aleksey.com/pipermail/xmlsec/2002/004466.html
> > <http://www.aleksey.com/pipermail/xmlsec/2002/004466.html>
> > I basically want to look at the certificate or the chain that actually
> > validated the xml to check the Subject, Issuer, etc. I can’t find the
> > structures mentioned in that thread, I am guessing the code must have
> > changed since then or maybe I am looking in the wrong place. Can you
> > please confirm?
> > So then I looked at the command line tool code since it prints out the
> > info that I need. I followed through the code but I can't find any
> > accessible function to pull out the subject/issuer for the certs. I
> > found the xmlSecKeyDataGetIdentifier function but it didn't print anything
> > for me. It was late and maybe I am doing something wrong but I thought
> > I would check with you if I am on the right track
> >
> > /////////////////////////////////////////////////////////////
> > //key is the signKey from the context
> > if (!xmlSecPtrListIsValid(key->dataList))
> > {
> > info = "SignKey dataList is not valid";
> > return false;
> > }
> >
> > // key->dataList->id is the pointer to the xmlSecKeyDataListKlass struct
> > if (!xmlSecPtrListCheckId(key->dataList, xmlSecKeyDataListId))
> > {
> > info = "SignKey dataList kind is not xmlSecKeyDataListId";
> > return false;
> > }
> >
> > // "key-data-list"
> > InfoLog << " DATALIST kind ["  << (char*)key->dataList->id->name << "]
> > size ["  << key->dataList->use << "]" << endl;
> >
> > xmlSecSize pos;
> > for (pos = 0; pos < key->dataList->use; ++pos)
> > {
> > ostringstream ss; ss << pos;
> > xmlSecKeyDataPtr value = (xmlSecKeyDataPtr)key->dataList->data[pos];
> > if (value == NULL)
> > {
> > info = "SignKey dataList data[" + ss.str() + "] is not valid";
> > return false;
> > }
> >
> > //key->dataList->id->debugDumpItem(key->dataList->data[pos], stdout);
> > if (!xmlSecKeyDataCheckId(value, xmlSecMSCryptoKeyDataX509Id))
> > {
> > info = "SignKey dataList data[" + ss.str() + "] kind is not
> > xmlSecMSCryptoKeyDataX509Id";
> > return false;
> > }
> >
> > InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] kind [" <<
> > (char*)value->id->name << "]" << endl;
> >
> > string identifier = (char*)xmlSecKeyDataGetIdentifier(value) ;
> > // this did not print anything
> > InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] identifier
> > [" << identifier.c_str() << "]" << endl;
> > }
> >
> > /* THIS IS THE INFO I AM LOOKING FOR. Is it accessible from outside?
> >
> >     xmlSecMSCryptoKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE*
> > output) {
> >     PCCERT_CONTEXT cert;
> >     xmlSecSize size, pos;
> >
> >     xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecMSCryptoKeyDataX509Id));
> >
> >     fprintf(output, "=== X509 Data:\n");
> >
> >     cert = xmlSecMSCryptoKeyDataX509GetKeyCert(data);
> >
> >     if(cert != NULL) {
> >         fprintf(output, "==== Key Certificate:\n");
> >         xmlSecMSCryptoX509CertDebugDump(cert, output);
> >     }
> >
> >     size = xmlSecMSCryptoKeyDataX509GetCertsSize(data);
> >     for(pos = 0; pos < size; ++pos) {
> >         cert = xmlSecMSCryptoKeyDataX509GetCert(data, pos);
> >         if(cert == NULL) {
> >             xmlSecError(XMLSEC_ERRORS_HERE,
> >                         xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
> >                         "xmlSecMSCryptoKeyDataX509GetCert",
> >                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
> >                         "pos=%d", pos);
> >             return;
> >         }
> >         fprintf(output, "==== Certificate:\n");
> >         xmlSecMSCryptoX509CertDebugDump(cert, output);
> >     }
> > */
> > /////////////////////////////////////////////////////////////
> >
> >
> > SECOND
> >
> > --------------
> >
> > In one of your replies
> > (http://www.aleksey.com/pipermail/xmlsec/2011/009076.html
> > <http://www.aleksey.com/pipermail/xmlsec/2011/009076.html>) you said
> >
> > “I think you can get what you want by using "--enabled-key-data" (and
> > "--list-key-data") command line options for xmlsec utility. Simply
> > disable reading of certs from XML file completely and provide the
> > signature key (not necessarily in  a cert) from the command line.”
> >
> > How exactly do I do that? Because --enabled-key-data always expects a
> > parameter. I guess I can just say “hmac” or some other option that
> > doesn’t apply in my case to achieve that, is that right?
> >
> >
> > Also the command to list them, "xmlsec list-key-data --crypto mscrypto", I
> > didn’t see documented in the command line help.
> >
> > From verify4 example, I found the following. What is the corresponding
> > equivalent for the code (to disable reading of certs from xml completely?
> >
> >     /* in addition, limit possible key data to valid X509 certificates
> > only */
> >
> >     if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
> > BAD_CAST xmlSecKeyDataX509Id) < 0) {
> >
> >         fprintf(stderr,"Error: failed to limit allowed key data\n");
> >
> >         goto done;
> >
> >     }
> >
> >
> > Thanks a lot for your help
> >
> >
> >
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
> >
>
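As an added example (not code from this thread or from xmlsec), here is a small constructed C model of the ownership rule quoted above: the enumerator always releases the context passed as pPrevCertContext, so a pointer you still intend to free yourself must be duplicated before it is handed over, and a context returned when you stop enumerating early must be released by you. Every model_ name is an assumption of this example; it is a refcount model, not the Windows API, so the contract can be exercised offline.

```c
/* Constructed model of the CertEnumCertificatesInStore ownership contract quoted above.
 * NOT the Windows API: model_ names, and the "store" is a fixed array of refcounted contexts. */
#include <stddef.h>
typedef struct { int refs; } ModelCertContext;
#define MODEL_STORE_SIZE 3
static ModelCertContext model_store[MODEL_STORE_SIZE]; /* the store itself holds one ref each */
static void model_reset(void) {
    for (size_t i = 0; i < MODEL_STORE_SIZE; i++) model_store[i].refs = 1;
}
static ModelCertContext *model_duplicate(ModelCertContext *c) { c->refs++; return c; }
static void model_free(ModelCertContext *c) { c->refs--; } /* may go below 0 = over-release */

/* Documented contract: a non-NULL prev is ALWAYS released, even on failure; the next
 * context comes back with one reference that the caller now owns. */
static ModelCertContext *model_enum(ModelCertContext *prev) {
    size_t next = 0;
    if (prev != NULL) { next = (size_t)(prev - model_store) + 1; model_free(prev); }
    return next < MODEL_STORE_SIZE ? model_duplicate(&model_store[next]) : NULL;
}

/* References outstanding beyond the store's own: 0 = balanced, >0 = leaked,
 * <0 = something released a reference it did not own (use-after-free later). */
static int model_balance(void) {
    int n = 0;
    for (size_t i = 0; i < MODEL_STORE_SIZE; i++) n += model_store[i].refs - 1;
    return n;
}

/* Correct walk: each returned context is either passed back as prev (and so released) or,
 * when we stop early at stop_pos, released by us. Returns the balance (0 when correct). */
static int model_walk_and_stop_at(size_t stop_pos) {
    ModelCertContext *c = NULL;
    size_t pos = 0;
    model_reset();
    while ((c = model_enum(c)) != NULL)
        if (pos++ == stop_pos) { model_free(c); break; } /* we own c: release it ourselves */
    return model_balance();
}
/* A pointer the caller keeps and must free later (a kept key cert, say) is used as prev.
 * Only a duplicate may be handed over; otherwise the enumerator eats the owner's reference. */
static int model_keep_pointer_across_enum(int duplicate_first) {
    ModelCertContext *kept, *c;
    model_reset();
    kept = model_duplicate(&model_store[0]);           /* the owner's own reference */
    c = model_enum(duplicate_first ? model_duplicate(kept) : kept);
    if (c != NULL) model_free(c);
    model_free(kept);                                  /* owner's normal cleanup */
    return model_balance();                            /* 0 if duplicated, -1 if not */
}
```

A negative balance is the model's stand-in for what the real API would turn into a double CertFreeCertificateContext at teardown time.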

