[xmlsec] xmlsec question

Aleksey Sanin aleksey at aleksey.com
Thu Jul 18 09:04:34 PDT 2002


Hi, Moultrie!

You are correct, the current code does not handle the self signed cert 
correctly.
I have a fix (see attached diff against GNOME CVS). It's pretty small 
and you can
apply it to your version of xmlsec or wait till tomorrow and get it in 
the daily snapshot.

Thanks for noticing this!
Aleksey.

Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  I'm to the point of trying to use the xmlsec utility to verify a signed
>document produced by our test web server and signed with a private key whose
>public key is certified by a self-signed root cert (i.e., the CA isn't in
>the trusted list, it's just our self-signed cert for this purpose). I
>probably should provide xmlsec with a "--trusted <pemfile>" in order to
>validate that the cert is trusted for this purpose however stepping through
>the code in xmlSecX509StoreVerify() it looks like the loop beginning at line
>1134 (071202 build) never calls X509_verify_cert() because there's only one
>cert, that cert is self-signed (and so passes the first call to
>xmlSecX509FindNextChainCert()) and then the loop terminates. So, even if I
>had that self-signed cert passed in as a trusted root, it look like the
>trusted-root comparison wouldn't ever occur and verification would still
>fail. I'm still a newbie in this code base so I apologize if I'm off-base
>here but I've worked with x509 stuff before and I believe I understand what
>I'm seeing. Meanwhile, I'm trying to get the x509 cert from the webmaster in
>a PEM format but wanted to run this by you since it looks like that root key
>isn't going to be of immediate help given how the code works at this point.
>Any comments/thoughts on how verifications against self-signed cert's should
>work would be appreciated. I'm attaching the file I'm passing to the xmlsec
>test program just in case you want to pop this into the debugger and take a
>look at verifying it. The file contains multiple signed sections of XML but
>xmlsec appears to try to validate the first one w/o my having to supply a
>--node* reference on the command line -- for now it doesn't matter which one
>it tries to validate -- I just need to see it validate one so I can justify
>proceeding down this path. 
>Thanks!!!!
>Ferrell
>PS, let me know if I should submit this to the maillist but 
>
>=====================================
>Ferrell Moultrie (ferrell at iss.net)
>Software Engineer
>
>Internet Security Systems, Inc.
>6303 Barfield Road
>Atlanta, Georgia 30328
>Phone:  404-236-2600
>Direct: 404-236-2849
>Fax:    404-236-2632
>http://www.iss.net
>
>Internet Security Systems -- The Power to Protect
>=====================================
>
>  
>

-------------- next part --------------
Index: src/x509.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/x509.c,v
retrieving revision 1.4
diff -c -r1.4 x509.c
*** src/x509.c	11 Jul 2002 04:23:32 -0000	1.4
--- src/x509.c	18 Jul 2002 15:47:22 -0000
***************
*** 1546,1552 ****
      
      certSubjHash = X509_subject_name_hash(cert);
      for(i = 0; i < chain->num; ++i) {
! 	if(X509_issuer_name_hash(((X509**)(chain->data))[i]) == certSubjHash) {
  	    return(((X509**)(chain->data))[i]);
  	}
      }
--- 1546,1553 ----
      
      certSubjHash = X509_subject_name_hash(cert);
      for(i = 0; i < chain->num; ++i) {
! 	if((((X509**)(chain->data))[i] != cert) && 
! 	   (X509_issuer_name_hash(((X509**)(chain->data))[i]) == certSubjHash)) {
  	    return(((X509**)(chain->data))[i]);
  	}
      }


More information about the xmlsec mailing list