[xmlsec] nss / XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS handling

Miklos Vajna vmiklos at vmiklos.hu
Fri Jan 27 16:28:07 PST 2017


Hi,

On Sun, Jan 22, 2017 at 01:50:05PM -0800, Aleksey Sanin <aleksey at aleksey.com> wrote:
> Thanks, looks good -- merged. I'll test all other crypto engines
> when I am back to make sure everything works the same way.

Ah yes, that's a good idea. I've tested the mscrypto backend, and it
seems that this flag doesn't work there as expected either:

----
Miklos at Miklos-PC /cygdrive/c/lo/xmlsec/tests/aleksey-xmldsig-01
$ ../../win32/binaries/xmlsec.exe verify --trusted-der ../keys/cacert.der --enabled-key-data x509 enveloping-sha256-rsa-sha256-verify.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Miklos at Miklos-PC /cygdrive/c/lo/xmlsec/tests/aleksey-xmldsig-01
$ ../../win32/binaries/xmlsec.exe verify --enabled-key-data x509 enveloping-sha256-rsa-sha256-verify.xml
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1246:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "enveloping-sha256-rsa-sha256-verify.xml"

Miklos at Miklos-PC /cygdrive/c/lo/xmlsec/tests/aleksey-xmldsig-01
$ ../../win32/binaries/xmlsec.exe verify --insecure --enabled-key-data x509 enveloping-sha256-rsa-sha256-verify.xml
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1246:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "enveloping-sha256-rsa-sha256-verify.xml"
----

So I understand that:

1) It works properly if the relevant --trusted-... option is used.
2) It fails when --insecure is not used, though it complains about "key
is not found", not NSS-style "certificate verification failed".
3) It still fails with --insecure -> unexpected.

I'll try to find time to look into what's the problem there & fix it
unless somebody beats me to it. :-)

Regards,

Miklos
