[xmlsec] nss -- xmlSecNssX509StoreVerify question

Miklos Vajna vmiklos at vmiklos.hu
Thu Dec 8 13:06:02 PST 2016


Hi,

Context: currently we patch xmlsec in LibreOffice with
<https://cgit.freedesktop.org/libreoffice/core/tree/external/libxmlsec/xmlsec1-noverify.patch.1>,
and I'm trying to find out if it would be possible to avoid that patch.
As far as I understand, using the
XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS flag makes this possible
when calling xmlSecDSigCtxVerify(), but I wanted to first see
xmlSecDSigCtxVerify() failing without using that flag (when the above
patch is not applied).

However, for some reason xmlSecDSigCtxVerify() doesn't fail with my test
"self-signed" certificate (when the NSS DB doesn't contain the
root/intermediate CA), even when I'm not using that flag. Reading
xmlSecNssX509StoreVerify(), it seems that it calls NSS
CERT_VerifyCertificate() with requiredUsages=0:

https://github.com/lsh123/xmlsec/blob/master/src/nss/x509vfy.c#L217

And when that happens, CERT_VerifyCertificate() just iterates over the
usages of the certificate, and on each iteration it returns
("continues") early, as "i & requiredUsages" is false. The result is
that later functions like cert_CheckLeafTrust() and
cert_VerifyCertChain() are not called:

https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certhigh/certvfy.c#1220

Now the question: is this expected? I'm not sure if this is a bug in
xmlsec or I generate my self-signed certificate in an incorrect way.

FWIW, here is my script to generate 1) a root CA 2) an intermediate CA
and 3) an actual certificate:

https://cgit.freedesktop.org/libreoffice/core/tree/xmlsecurity/qa/create-certs/create-certs.sh

Thanks,

Miklos
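As an added illustration (not NSS or xmlsec code), the C model below reproduces the shape of the usage loop the mail describes: each usage bit is skipped unless it is set in requiredUsages, so with requiredUsages=0 the leaf-trust and chain checks are never reached and an untrusted self-signed certificate passes vacuously. The usage constants and the cert struct are constructed stand-ins, not NSS's real SECCertificateUsage values.

```c
/* Simplified model of CERT_VerifyCertificate's usage loop (constructed, not NSS source). */
#include <stdbool.h>

/* Constructed usage bits, shaped like NSS's SECCertificateUsage bitmask. */
#define USAGE_SSL_CLIENT   0x0001u
#define USAGE_EMAIL_SIGNER 0x0010u
#define USAGE_HIGHEST      0x0800u

typedef struct {
    bool issuer_trusted;   /* is a CA for this chain present and trusted in the DB? */
    unsigned usages;       /* usages the certificate's extensions allow */
} model_cert;

/* Stand-in for cert_CheckLeafTrust() + cert_VerifyCertChain(): an untrusted
 * issuer (e.g. a self-signed test cert with no CA in the DB) fails here. */
static bool model_chain_ok(const model_cert *c, unsigned usage) {
    return c->issuer_trusted && (c->usages & usage);
}

/* Walk the usage bits; *checked counts how many usages were actually chain-verified. */
static bool model_verify(const model_cert *c, unsigned required_usages, unsigned *checked) {
    bool valid = true;
    *checked = 0;
    for (unsigned i = 1; i <= USAGE_HIGHEST; i <<= 1) {
        if (!(i & required_usages))
            continue;              /* the early "continue" the mail points at */
        (*checked)++;
        if (!model_chain_ok(c, i))
            valid = false;
    }
    return valid;
}

/* Does a cert with the given issuer trust pass for these required usages? */
bool model_passes(bool issuer_trusted, unsigned required_usages) {
    model_cert c = { issuer_trusted, USAGE_EMAIL_SIGNER };
    unsigned n;
    return model_verify(&c, required_usages, &n);
}

/* How many usages get a real chain check for these required usages? */
unsigned model_checks(bool issuer_trusted, unsigned required_usages) {
    model_cert c = { issuer_trusted, USAGE_EMAIL_SIGNER };
    unsigned n;
    model_verify(&c, required_usages, &n);
    return n;
}
```

With requiredUsages=0 the untrusted cert "passes" with zero chain checks; asking for a concrete usage such as the email-signer bit is what makes the missing CA visible.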