<div dir="ltr"><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">Thanks a lot for the reply. That’s exactly what I tried yesterday. </span><span style="font-family:'Courier New'">And I can access the Subject, Issuer, etc.</span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">If you don't mind, I do have a question about the cert pointers. The following is the code, basically copied the code from the xmlSecMSCryptoKeyDataX509DebugDump(xmlSecKeyDataPtr data,..)<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"><u></u> <u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">---------------------------------------------------------------------<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">PCCERT_CONTEXT cert = xmlSecMSCryptoKeyDataX509GetKeyCert(data);<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'">if (cert == NULL)<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"> return false;<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"><u></u> <u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">CheckSignKeyCert(cert); // Check Subject, Isuuer, etc<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"><u></u> <u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">xmlSecSize size = xmlSecMSCryptoKeyDataX509GetCertsSize(data);<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">for(xmlSecSize certPos = 0; certPos < size; ++certPos)<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'">{<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"> cert = xmlSecMSCryptoKeyDataX509GetCert(data, certPos);<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"> if(cert == NULL)<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"> return false;<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"><u></u> <u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"> CheckSignKeyCert(cert); // Check Subject, Isuuer, etc<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">}<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">---------------------------------------------------------------------<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"><u></u> <u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">So I looked at the xmlSecMSCryptoKeyDataX509GetKeyCert and xmlSecMSCryptoKeyDataX509GetCert functions.<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"><u></u> <u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">xmlSecMSCryptoKeyDataX509GetKeyCert() seems pretty straight forward. It returns<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"> ctx = xmlSecMSCryptoX509DataGetCtx(data);<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'"> return(ctx->keyCert);<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'"><u></u> <u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">xmlSecMSCryptoKeyDataX509GetCert() is the one giving me doubts.<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'">It internally calls CertEnumCertificatesInStore(ctx->hMemStore, pCert)<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">This is the documentation for CertEnumCertificatesInStore which says that it calls CertFreeCertificateContext on anything passed in the pPrevCertContext paramter. Won't that cause double delete for the cert returned by the xmlSecMSCryptoKeyDataX509GetKeyCert(), the second one when I destroy the dSigCtx. Also I think I need to call CertFreeCertificateContext for the last cert<u></u><u></u></span></p>
<p class=""><font face="Courier New">returned by xmlSecMSCryptoKeyDataX509GetCe</font><font face="Courier New">rt(). I apologize if I am mistaken but will appreciate your input regarding this.<u></u><u></u></font></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'"><u></u> <u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">//+-------------------------------------------------------------------------<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">// Enumerate the certificate contexts in the store.<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'">//<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">// If a certificate isn't found, NULL is returned.<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">// Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'">// must be freed by calling CertFreeCertificateContext or is freed when passed as the<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'">// pPrevCertContext on a subsequent call. CertDuplicateCertificateContext<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">// can be called to make a duplicate.<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">//<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">// pPrevCertContext MUST BE NULL to enumerate the first<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">// certificate in the store. Successive certificates are enumerated by setting<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'">// pPrevCertContext to the CERT_CONTEXT returned by a previous call.<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">//<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">// NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">// this function, even for an error.<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:'Courier New'">//--------------------------------------------------------------------------<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">WINCRYPT32API<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">PCCERT_CONTEXT<u></u><u></u></span></p><p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">WINAPI<u></u><u></u></span></p>
<p class="" style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:'Courier New'">CertEnumCertificatesInStore(IN HCERTSTORE hCertStore, IN PCCERT_CONTEXT pPrevCertContext);</span></p><div class="gmail_extra">
<br><br><div class="gmail_quote">On Mon, Jul 1, 2013 at 9:38 PM, Aleksey Sanin <span dir="ltr"><<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
1) You are probably looking for xmlSecMSCryptoKeyDataX509GetKeyCert()<br>
function:<br>
<br>
<a href="http://www.aleksey.com/xmlsec/api/xmlsec-mscrypto-x509.html#XMLSECMSCRYPTOKEYDATAX509GETKEYCERT" target="_blank">http://www.aleksey.com/xmlsec/api/xmlsec-mscrypto-x509.html#XMLSECMSCRYPTOKEYDATAX509GETKEYCERT</a><br>
<br>
that returns the "raw" crypto-library specific (MSCrypto in this case)<br>
cert data structure. After that you can use native calls to get the<br>
cert subject, etc. There is no "generic" function to do that in xmlsec<br>
since the library doesn't need such function :)<br>
<br>
2) "--enabled-key-data" and the dsigCtx->keyInfoReadCtx.enabledKeyData<br>
options define the list of enabled sources for loading the key. If these<br>
parameters are "empty" (not set) then all the sources are allowed.<br>
I would suggest to use "key-name" instead of "hmac" and just have<br>
nothing loaded in the keysManager.<br>
<br>
<br>
Best,<br>
<br>
Aleksey<br>
<div><div class="h5"><br>
On 6/30/13 11:27 AM, Peter wrote:<br>
> Hi Aleksey<br>
><br>
> I am new to xmlsec and have a few questions. I tried to do my home first<br>
> and went through the documentation and old emails but still have a few<br>
> question. I will be very grateful if you can find the time to look into<br>
> this please.<br>
> I am using x509 certs and I am using the .18 prebuilt windows version<br>
><br>
><br>
> FIRST<br>
> ---------<br>
><br>
> My first question is very similar to the one posted<br>
> here <a href="http://www.aleksey.com/pipermail/xmlsec/2002/004466.html" target="_blank">http://www.aleksey.com/pipermail/xmlsec/2002/004466.html</a><br>
> <<a href="http://www.aleksey.com/pipermail/xmlsec/2002/004466.html" target="_blank">http://www.aleksey.com/pipermail/xmlsec/2002/004466.html</a>><br>
> I basically want to look at the certificate or the chain that actually<br>
> validated the xml to check the Subject, Issuer, etc. I can’t find the<br>
> structures mentioned in that thread, I am guessing the code must have<br>
> changed since then or may be I am looking in the wrong place. Can you<br>
> please confirm?<br>
> So then I looked at the command line tool code since it prints out the<br>
> info that I need. I followed through the code but I cant find any<br>
> accessible function to pull out the subject/issuer for the certs. I<br>
> found the xmlSecKeyDataGetIdentifier function but it didnt print anythng<br>
> for me. It was late and may be I am doing something wrong but I thought<br>
> I will check with you if I am on the right track<br>
><br>
> /////////////////////////////////////////////////////////////<br>
> //key is the signKey from the context<br>
> if (!xmlSecPtrListIsValid(key->dataList))<br>
> {<br>
> info = "SignKey dataList is not valid";<br>
> return false;<br>
> }<br>
><br>
> // key->dataList->id is the pointer to the xmlSecKeyDataListKlass struct<br>
> if (!xmlSecPtrListCheckId(key->dataList, xmlSecKeyDataListId))<br>
> {<br>
> info = "SignKey dataList kind is not xmlSecKeyDataListId";<br>
> return false;<br>
> }<br>
><br>
> // "key-data-list"<br>
> InfoLog << " DATALIST kind [" << (char*)key->dataList->id->name << "]<br>
> size [" << key->dataList->use << "]" << endl;<br>
><br>
> xmlSecSize pos;<br>
> for (pos = 0; pos < key->dataList->use; ++pos)<br>
> {<br>
> ostringstream ss; ss << pos;<br>
> xmlSecKeyDataPtr value = (xmlSecKeyDataPtr)key->dataList->data[pos];<br>
> if (value == NULL)<br>
> {<br>
> info = "SignKey dataList data[" + ss.str() + "] is not valid";<br>
> return false;<br>
> }<br>
><br>
> //key->dataList->id->debugDumpItem(key->dataList->data[pos], stdout);<br>
> if (!xmlSecKeyDataCheckId(value, xmlSecMSCryptoKeyDataX509Id))<br>
> {<br>
> info = "SignKey dataList data[" + ss.str() + "] kind is not<br>
> xmlSecMSCryptoKeyDataX509Id";<br>
> return false;<br>
> }<br>
><br>
> InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] kind [" <<<br>
> (char*)value->id->name << "]" << endl;<br>
><br>
> string identifier = (char*)xmlSecKeyDataGetIdentifier(value) ;<br>
> // this did not print anything<br>
> InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] identifier<br>
> [" << identifier.c_str() << "]" << endl;<br>
> }<br>
><br>
> /* THIS IS THE INFO I AM LOOKING FOR. Is it accessible from outside?<br>
><br>
> xmlSecMSCryptoKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE*<br>
> output) {<br>
> PCCERT_CONTEXT cert;<br>
> xmlSecSize size, pos;<br>
><br>
> xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecMSCryptoKeyDataX509Id));<br>
><br>
> fprintf(output, "=== X509 Data:\n");<br>
><br>
> cert = xmlSecMSCryptoKeyDataX509GetKeyCert(data);<br>
><br>
> if(cert != NULL) {<br>
> fprintf(output, "==== Key Certificate:\n");<br>
> xmlSecMSCryptoX509CertDebugDump(cert, output);<br>
> }<br>
><br>
> size = xmlSecMSCryptoKeyDataX509GetCertsSize(data);<br>
> for(pos = 0; pos < size; ++pos) {<br>
> cert = xmlSecMSCryptoKeyDataX509GetCert(data, pos);<br>
> if(cert == NULL) {<br>
> xmlSecError(XMLSEC_ERRORS_HERE,<br>
> xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),<br>
> "xmlSecMSCryptoKeyDataX509GetCert",<br>
> XMLSEC_ERRORS_R_XMLSEC_FAILED,<br>
> "pos=%d", pos);<br>
> return;<br>
> }<br>
> fprintf(output, "==== Certificate:\n");<br>
> xmlSecMSCryptoX509CertDebugDump(cert, output);<br>
> }<br>
> */<br>
> /////////////////////////////////////////////////////////////<br>
><br>
><br>
> SECOND<br>
><br>
> --------------<br>
><br>
> In one of your replies<br>
> (<a href="http://www.aleksey.com/pipermail/xmlsec/2011/009076.html" target="_blank">http://www.aleksey.com/pipermail/xmlsec/2011/009076.html</a><br>
</div></div>> <<a href="http://www.aleksey.com/pipermail/xmlsec/2011/009076.html" target="_blank">http://www.aleksey.com/pipermail/xmlsec/2011/009076.html</a>>) you said____<br>
<div class="im">><br>
> “I think you can get what you want by using "--enabled-key-data" (and<br>
> "--list-key-data") command line options for xmlsec utility. Simply<br>
> disable reading of certs from XML file completely and provide the<br>
> signature key (not necessarily in a cert) from the command line.”<br>
><br>
> How exactly do I do that? Because –enabled-key-data always expects a<br>
> parameter. I guess I can just say “hmac” or some other option that<br>
> doesn’t apply in my case to achieve that, is that right?<br>
><br>
</div>> __<br>
<div class="im">><br>
> Also the command to list them "xmlsec list-key-data –crypto mscrypto", I<br>
> didn’t see it documented in the command line help.<br>
><br>
> From verify4 example, I found the following. What is the corresponding<br>
> equivalent for the code (to disable reading of certs from xml completely?<br>
><br>
> /* in addition, limit possible key data to valid X509 certificates<br>
> only */<br>
><br>
> if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),<br>
> BAD_CAST xmlSecKeyDataX509Id) < 0) {<br>
><br>
> fprintf(stderr,"Error: failed to limit allowed key data\n");<br>
><br>
> goto done;<br>
><br>
> }<br>
><br>
><br>
> Thanks a lot for your help<br>
><br>
</div>> __<br>
><br>
> __<br>
><br>
><br>
><br>
> _______________________________________________<br>
> xmlsec mailing list<br>
> <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a><br>
> <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
><br>
</blockquote></div><br></div></div>