[xmlsec] Key/cert selected for verification
Aleksey Sanin
aleksey at aleksey.com
Tue Jul 2 13:00:31 PDT 2013
Honestly, it was a very long time ago since I looked at MS crypto
functions so your guess is as good as mine :)
Aleksey
On 7/1/13 11:21 PM, Peter wrote:
> Thanks a lot for the reply. That’s exactly what I tried yesterday. And I
> can access the Subject, Issuer, etc.
>
> If you don't mind, I do have a question about the cert pointers. The
> following is the code, basically copied from
> xmlSecMSCryptoKeyDataX509DebugDump(xmlSecKeyDataPtr data,..):
>
> ---------------------------------------------------------------------
> PCCERT_CONTEXT cert = xmlSecMSCryptoKeyDataX509GetKeyCert(data);
> if (cert == NULL)
>     return false;
>
> CheckSignKeyCert(cert); // Check Subject, Issuer, etc
>
> xmlSecSize size = xmlSecMSCryptoKeyDataX509GetCertsSize(data);
> for(xmlSecSize certPos = 0; certPos < size; ++certPos)
> {
>     cert = xmlSecMSCryptoKeyDataX509GetCert(data, certPos);
>     if(cert == NULL)
>         return false;
>
>     CheckSignKeyCert(cert); // Check Subject, Issuer, etc
> }
> ---------------------------------------------------------------------
>
> So I looked at the xmlSecMSCryptoKeyDataX509GetKeyCert and
> xmlSecMSCryptoKeyDataX509GetCert functions.
>
> xmlSecMSCryptoKeyDataX509GetKeyCert() seems pretty straightforward. It
> returns
>
>     ctx = xmlSecMSCryptoX509DataGetCtx(data);
>     return(ctx->keyCert);
>
> xmlSecMSCryptoKeyDataX509GetCert() is the one giving me doubts.
> It internally calls CertEnumCertificatesInStore(ctx->hMemStore, pCert)
>
> This is the documentation for CertEnumCertificatesInStore which says
> that it calls CertFreeCertificateContext on anything passed in the
> pPrevCertContext parameter. Won't that cause a double delete for the cert
> returned by xmlSecMSCryptoKeyDataX509GetKeyCert(), the second one
> when I destroy the dSigCtx? Also I think I need to call
> CertFreeCertificateContext for the last cert
> returned by xmlSecMSCryptoKeyDataX509GetCert(). I apologize if I am
> mistaken but will appreciate your input regarding this.
>
> //+-------------------------------------------------------------------------
> // Enumerate the certificate contexts in the store.
> //
> // If a certificate isn't found, NULL is returned.
> // Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
> // must be freed by calling CertFreeCertificateContext or is freed when passed as the
> // pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
> // can be called to make a duplicate.
> //
> // pPrevCertContext MUST BE NULL to enumerate the first
> // certificate in the store. Successive certificates are enumerated by setting
> // pPrevCertContext to the CERT_CONTEXT returned by a previous call.
> //
> // NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
> // this function, even for an error.
> //--------------------------------------------------------------------------
> WINCRYPT32API
> PCCERT_CONTEXT
> WINAPI
> CertEnumCertificatesInStore(IN HCERTSTORE hCertStore, IN PCCERT_CONTEXT
> pPrevCertContext);
>
> On Mon, Jul 1, 2013 at 9:38 PM, Aleksey Sanin <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>> wrote:
>
> 1) You are probably looking for xmlSecMSCryptoKeyDataX509GetKeyCert()
> function:
>
> http://www.aleksey.com/xmlsec/api/xmlsec-mscrypto-x509.html#XMLSECMSCRYPTOKEYDATAX509GETKEYCERT
>
> that returns the "raw" crypto-library specific (MSCrypto in this case)
> cert data structure. After that you can use native calls to get the
> cert subject, etc. There is no "generic" function to do that in xmlsec
> since the library doesn't need such function :)
>
> 2) "--enabled-key-data" and the dsigCtx->keyInfoReadCtx.enabledKeyData
> options define the list of enabled sources for loading the key. If these
> parameters are "empty" (not set) then all the sources are allowed.
> I would suggest using "key-name" instead of "hmac" and just having
> nothing loaded in the keysManager.
>
>
> Best,
>
> Aleksey
>
> On 6/30/13 11:27 AM, Peter wrote:
> > Hi Aleksey
> >
> > I am new to xmlsec and have a few questions. I tried to do my homework
> > first and went through the documentation and old emails but still have a
> > few questions. I will be very grateful if you can find the time to look
> > into this please.
> > I am using x509 certs and I am using the .18 prebuilt windows version
> >
> >
> > FIRST
> > ---------
> >
> > My first question is very similar to the one posted
> > here http://www.aleksey.com/pipermail/xmlsec/2002/004466.html
> > I basically want to look at the certificate or the chain that actually
> > validated the xml to check the Subject, Issuer, etc. I can’t find the
> > structures mentioned in that thread, I am guessing the code must have
> > changed since then or maybe I am looking in the wrong place. Can you
> > please confirm?
> > So then I looked at the command line tool code since it prints out the
> > info that I need. I followed through the code but I can't find any
> > accessible function to pull out the subject/issuer for the certs. I
> > found the xmlSecKeyDataGetIdentifier function but it didn't print anything
> > for me. It was late and maybe I am doing something wrong but I thought
> > I would check with you if I am on the right track
> >
> > /////////////////////////////////////////////////////////////
> > //key is the signKey from the context
> > if (!xmlSecPtrListIsValid(key->dataList))
> > {
> >     info = "SignKey dataList is not valid";
> >     return false;
> > }
> >
> > // key->dataList->id is the pointer to the xmlSecKeyDataListKlass struct
> > if (!xmlSecPtrListCheckId(key->dataList, xmlSecKeyDataListId))
> > {
> >     info = "SignKey dataList kind is not xmlSecKeyDataListId";
> >     return false;
> > }
> >
> > // "key-data-list"
> > InfoLog << " DATALIST kind [" << (char*)key->dataList->id->name << "] size [" << key->dataList->use << "]" << endl;
> >
> > xmlSecSize pos;
> > for (pos = 0; pos < key->dataList->use; ++pos)
> > {
> >     ostringstream ss; ss << pos;
> >     xmlSecKeyDataPtr value = (xmlSecKeyDataPtr)key->dataList->data[pos];
> >     if (value == NULL)
> >     {
> >         info = "SignKey dataList data[" + ss.str() + "] is not valid";
> >         return false;
> >     }
> >
> >     //key->dataList->id->debugDumpItem(key->dataList->data[pos], stdout);
> >     if (!xmlSecKeyDataCheckId(value, xmlSecMSCryptoKeyDataX509Id))
> >     {
> >         info = "SignKey dataList data[" + ss.str() + "] kind is not xmlSecMSCryptoKeyDataX509Id";
> >         return false;
> >     }
> >
> >     InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] kind [" <<
> >         (char*)value->id->name << "]" << endl;
> >
> >     // xmlSecKeyDataGetIdentifier() may return NULL; guard before building the string
> >     const char* idStr = (const char*)xmlSecKeyDataGetIdentifier(value);
> >     string identifier = (idStr != NULL) ? idStr : "";
> >     // this did not print anything
> >     InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] identifier [" << identifier.c_str() << "]" << endl;
> > }
> >
> > /* THIS IS THE INFO I AM LOOKING FOR. Is it accessible from outside?
> >
> > xmlSecMSCryptoKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE* output) {
> >     PCCERT_CONTEXT cert;
> >     xmlSecSize size, pos;
> >
> >     xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecMSCryptoKeyDataX509Id));
> >
> >     fprintf(output, "=== X509 Data:\n");
> >
> >     cert = xmlSecMSCryptoKeyDataX509GetKeyCert(data);
> >     if(cert != NULL) {
> >         fprintf(output, "==== Key Certificate:\n");
> >         xmlSecMSCryptoX509CertDebugDump(cert, output);
> >     }
> >
> >     size = xmlSecMSCryptoKeyDataX509GetCertsSize(data);
> >     for(pos = 0; pos < size; ++pos) {
> >         cert = xmlSecMSCryptoKeyDataX509GetCert(data, pos);
> >         if(cert == NULL) {
> >             xmlSecError(XMLSEC_ERRORS_HERE,
> >                         xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
> >                         "xmlSecMSCryptoKeyDataX509GetCert",
> >                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
> >                         "pos=%d", pos);
> >             return;
> >         }
> >         fprintf(output, "==== Certificate:\n");
> >         xmlSecMSCryptoX509CertDebugDump(cert, output);
> >     }
> > }
> > */
> > /////////////////////////////////////////////////////////////
> >
> >
> > SECOND
> >
> > --------------
> >
> > In one of your replies
> > (http://www.aleksey.com/pipermail/xmlsec/2011/009076.html) you said
> >
> > “I think you can get what you want by using "--enabled-key-data" (and
> > "--list-key-data") command line options for xmlsec utility. Simply
> > disable reading of certs from XML file completely and provide the
> > signature key (not necessarily in a cert) from the command line.”
> >
> > How exactly do I do that? Because --enabled-key-data always expects a
> > parameter. I guess I can just say “hmac” or some other option that
> > doesn’t apply in my case to achieve that, is that right?
> >
> > Also the command to list them, "xmlsec list-key-data --crypto mscrypto", I
> > didn’t see it documented in the command line help.
> >
> > From the verify4 example, I found the following. What is the corresponding
> > equivalent for the code (to disable reading of certs from xml completely)?
> >
> >     /* in addition, limit possible key data to valid X509 certificates only */
> >     if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
> >                         BAD_CAST xmlSecKeyDataX509Id) < 0) {
> >         fprintf(stderr,"Error: failed to limit allowed key data\n");
> >         goto done;
> >     }
> >
> >
> > Thanks a lot for your help
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> > http://www.aleksey.com/mailman/listinfo/xmlsec
> >
>
>
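The ownership contract quoted from the CertEnumCertificatesInStore header is the crux of the question in this thread. What follows is an added example, not code from the thread, from xmlsec, or from Windows: a small portable model of that contract (reference-counted contexts, an enumerator that unconditionally releases pPrevCertContext, and a duplicate call for keeping a context) so the safe enumeration pattern can be exercised and checked off-Windows. All the Model* names, the sample store and the separate key certificate are constructed for this example and are not CryptoAPI or xmlsec identifiers; the real functions they stand in for are named in the comments.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of CryptoAPI's reference-counted certificate contexts.
 * This is NOT the Windows API and NOT xmlsec code; it reproduces only the
 * ownership contract quoted from the CertEnumCertificatesInStore header:
 *  - every context handed out must be released, either explicitly or by
 *    passing it back as pPrevCertContext on the next call;
 *  - a non-NULL pPrevCertContext is ALWAYS released, even at end of store;
 *  - to keep a context beyond the walk, take a duplicate (own reference). */
typedef struct {
    const char *subject;
    int refs;               /* outstanding references; the owner holds one */
} ModelCertContext;

typedef struct {
    ModelCertContext *certs;
    size_t count;
} ModelCertStore;

static int g_double_free = 0;   /* releases of a context already at zero */

/* Stands in for CertDuplicateCertificateContext: adds a reference. */
static ModelCertContext *ModelDuplicate(ModelCertContext *c) {
    if (c != NULL) c->refs++;
    return c;
}

/* Stands in for CertFreeCertificateContext: drops a reference. */
static void ModelFree(ModelCertContext *c) {
    if (c == NULL) return;
    if (c->refs <= 0) { g_double_free++; return; }  /* a real double free */
    c->refs--;
}

/* Stands in for CertEnumCertificatesInStore: prev is released no matter what,
 * and the returned context carries a fresh reference the caller now owns. */
static ModelCertContext *ModelEnum(ModelCertStore *s, ModelCertContext *prev) {
    size_t next = 0;
    if (prev != NULL) {
        next = (size_t)(prev - s->certs) + 1;
        ModelFree(prev);
    }
    if (next >= s->count) return NULL;
    return ModelDuplicate(&s->certs[next]);
}

/* Correct walk with an early exit: returns the index of the first certificate
 * whose subject matches, or -1. The context we stop on is freed by us, because
 * the enumerator only frees what is passed back to it. */
long FindSubject(ModelCertStore *s, const char *subject) {
    ModelCertContext *c = NULL;
    long pos = 0;
    while ((c = ModelEnum(s, c)) != NULL) {
        if (strcmp(c->subject, subject) == 0) {
            ModelFree(c);
            return pos;
        }
        pos++;
    }
    return -1;   /* the final ModelEnum call already released the last context */
}

/* Comparing a borrowed key certificate (owned by something like the xmlsec
 * key-data context) against every certificate in the store. The borrowed
 * pointer is never passed to the enumerator; we hold our own reference and
 * drop only that one, so the owner's reference survives the walk. */
int HoldKeyCertDuringWalk(ModelCertStore *s, ModelCertContext *borrowed_key_cert) {
    ModelCertContext *mine = ModelDuplicate(borrowed_key_cert);
    ModelCertContext *c = NULL;
    int matches = 0;
    while ((c = ModelEnum(s, c)) != NULL) {
        if (strcmp(c->subject, mine->subject) == 0) matches++;
    }
    ModelFree(mine);
    return matches;
}

/* The invariant a correct walk must leave behind: every store certificate is
 * back at its single owner reference and nothing was released twice. */
int StoreIsBalanced(ModelCertStore *s) {
    size_t i;
    for (i = 0; i < s->count; i++) if (s->certs[i].refs != 1) return 0;
    return g_double_free == 0;
}

/* Constructed sample data: a three-certificate store and a separate key
 * certificate whose single reference belongs to a hypothetical key-data ctx. */
static ModelCertContext g_sample_certs[] = {
    { "CN=Root CA",      1 },
    { "CN=Signing Cert", 1 },
    { "CN=Other",        1 },
};
static ModelCertStore g_sample_store = { g_sample_certs, 3 };
static ModelCertContext g_sample_key_cert = { "CN=Signing Cert", 1 };

ModelCertStore *SampleStore(void) { return &g_sample_store; }
ModelCertContext *SampleKeyCert(void) { return &g_sample_key_cert; }
```

The two rules the model enforces map directly onto the real API: a context obtained from the enumerator and not passed back must be freed by the caller (the early return in FindSubject), and a context someone else owns, such as the key cert returned by xmlSecMSCryptoKeyDataX509GetKeyCert(), must never be handed to the enumerator as pPrevCertContext; take your own reference with CertDuplicateCertificateContext if it has to outlive the walk, and release only that reference (HoldKeyCertDuringWalk). StoreIsBalanced checks the invariant such a walk must leave behind, which is the check to run in a debug build when a double free or leak is suspected.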