[xmlsec] Problem with some cert which has a negative serial number
Michael Mi
Hao.Mi at Sun.COM
Tue Feb 22 01:50:43 PST 2005
Aleksey,
I will take some time to integrate your patch to my local libxmlsec.
(You know, I am working on libxmlsec 1.2.6, not the latest one, so I
have to merge your change manually.)
I will let you know the result when it finishes.
Thanks
Michael
Aleksey Sanin wrote:
> Michael,
>
> I have a better patch for you (see attached file). Also I already
> tested it and checked in (thanks to Andrew for his openssl trick :) ).
>
> However, there are few things I would like to note:
> 1) I did test openssl <-> mscrypto interoperability for negative
> serial numbers and everything seems to be working. I did not test
> NSS <-> mscrypto at all.
> 2) I noticed that NSS does not handle large serial numbers at all.
> It seems that the code just converts a string to regular integer
> using NSPR's analog for atoi() function.
> 3) It turns out that mscrypto does not recognize "emailAddress"
> attribute in x509 string. Worse, when it writes a string, it puts
> email into "E" attribute but then refuses to read it back (or to
> be precise, it reads it in a *different* internal format and then
> can not find this cert)! I hacked the code to workaround this
> problem but this is really a quick-and-dirty hack and you might
> want to think about a better solution.
>
> Aleksey
>
>
>
> Aleksey Sanin wrote:
>
>> Just do "patch -p0 < path-to-negative-bn.diff" from the top level
>> xmlsec folder.
>>
>> Aleksey
>>
>> Michael Mi wrote:
>>
>>> I'd love to try it.
>>>
>>> But can you tell me how to merge the diff into my bn.c when I am
>>> using the libxmlsec tarball?
>>>
>>> Michael
>>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>------------------------------------------------------------------------
>
>Index: src/bn.c
>===================================================================
>RCS file: /cvs/gnome/xmlsec/src/bn.c,v
>retrieving revision 1.14
>diff -u -r1.14 bn.c
>--- src/bn.c 26 Jan 2005 16:52:09 -0000 1.14
>+++ src/bn.c 22 Feb 2005 09:16:51 -0000
>@@ -170,9 +170,10 @@
> */
> int
> xmlSecBnFromString(xmlSecBnPtr bn, const xmlChar* str, xmlSecSize base) {
>- xmlSecSize i, len;
>+ xmlSecSize i, len, size;
> xmlSecByte ch;
> xmlSecByte* data;
>+ int positive;
> int nn;
> int ret;
>
>@@ -184,7 +185,7 @@
> /* trivial case */
> len = xmlStrlen(str);
> if(len == 0) {
>- return(0);
>+ return(0);
> }
>
> /* The result size could not exceed the input string length
>@@ -192,60 +193,102 @@
> * In truth, it would be likely less than 1/2 input string length
> * because each byte is represented by 2 chars. If needed,
> * buffer size would be increased by Mul/Add functions.
>- * Finally, we add one byte for 00 prefix if first byte is > 127.
>+ * Finally, we can add one byte for 00 or 10 prefix.
> */
> ret = xmlSecBufferSetMaxSize(bn, xmlSecBufferGetSize(bn) + len / 2 + 1 + 1);
> if(ret < 0) {
>- xmlSecError(XMLSEC_ERRORS_HERE,
>- NULL,
>- "xmlSecBnRevLookupTable",
>- XMLSEC_ERRORS_R_XMLSEC_FAILED,
>- "size=%d", len / 2 + 1);
>- return (-1);
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecBnRevLookupTable",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ "size=%d", len / 2 + 1);
>+ return (-1);
>+ }
>+
>+ /* figure out if it is positive or negative number */
>+ positive = 1;
>+ i = 0;
>+ while(i < len) {
>+ ch = str[i++];
>+
>+ /* skip spaces */
>+ if(isspace(ch)) {
>+ continue;
>+ }
>+
>+ /* check if it is + or - */
>+ if(ch == '+') {
>+ positive = 1;
>+ break;
>+ } else if(ch == '-') {
>+ positive = 0;
>+ break;
>+ }
>+
>+ /* otherwise, it must be start of the number */
>+ nn = xmlSecBnLookupTable[ch];
>+ if((nn >= 0) && ((xmlSecSize)nn < base)) {
>+ xmlSecAssert2(i > 0, -1);
>+
>+ /* no sign, positive by default */
>+ positive = 1;
>+ --i; /* make sure that we will look at this character in next loop */
>+ break;
>+ } else {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ NULL,
>+ XMLSEC_ERRORS_R_INVALID_DATA,
>+ "char=%c;base=%d",
>+ ch, base);
>+ return (-1);
>+ }
> }
>
>- for(i = 0; i < len; i++) {
>- ch = str[i];
>- if(isspace(ch)) {
>- continue;
>- }
>+ /* now parse the number itself */
>+ while(i < len) {
>+ ch = str[i++];
>+ if(isspace(ch)) {
>+ continue;
>+ }
>
>- xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
>- nn = xmlSecBnLookupTable[ch];
>- if((nn < 0) || ((xmlSecSize)nn > base)) {
>- xmlSecError(XMLSEC_ERRORS_HERE,
>- NULL,
>- NULL,
>- XMLSEC_ERRORS_R_INVALID_DATA,
>- "char=%c;base=%d",
>- ch, base);
>- return (-1);
>- }
>-
>- ret = xmlSecBnMul(bn, base);
>- if(ret < 0) {
>- xmlSecError(XMLSEC_ERRORS_HERE,
>- NULL,
>- "xmlSecBnMul",
>- XMLSEC_ERRORS_R_XMLSEC_FAILED,
>- "base=%d", base);
>- return (-1);
>- }
>+ xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
>+ nn = xmlSecBnLookupTable[ch];
>+ if((nn < 0) || ((xmlSecSize)nn > base)) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ NULL,
>+ XMLSEC_ERRORS_R_INVALID_DATA,
>+ "char=%c;base=%d",
>+ ch, base);
>+ return (-1);
>+ }
>
>- ret = xmlSecBnAdd(bn, nn);
>- if(ret < 0) {
>- xmlSecError(XMLSEC_ERRORS_HERE,
>- NULL,
>- "xmlSecBnAdd",
>- XMLSEC_ERRORS_R_XMLSEC_FAILED,
>- "base=%d", base);
>- return (-1);
>- }
>+ ret = xmlSecBnMul(bn, base);
>+ if(ret < 0) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecBnMul",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ "base=%d", base);
>+ return (-1);
>+ }
>+
>+ ret = xmlSecBnAdd(bn, nn);
>+ if(ret < 0) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecBnAdd",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ "base=%d", base);
>+ return (-1);
>+}
> }
>
>- /* check whether need to add 00 prefix */
>+ /* check if we need to add 00 prefix */
> data = xmlSecBufferGetData(bn);
>- if(data[0] > 127) {
>+ size = xmlSecBufferGetSize(bn);
>+ if(size > 0 && data[0] > 127) {
> ch = 0;
> ret = xmlSecBufferPrepend(bn, &ch, 1);
> if(ret < 0) {
>@@ -257,6 +300,26 @@
> return (-1);
> }
> }
>+
>+ /* do 2's compliment and add 1 to represent negative value */
>+ if(positive == 0) {
>+ data = xmlSecBufferGetData(bn);
>+ size = xmlSecBufferGetSize(bn);
>+ for(i = 0; i < size; ++i) {
>+ data[i] ^= 0xFF;
>+ }
>+
>+ ret = xmlSecBnAdd(bn, 1);
>+ if(ret < 0) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecBnAdd",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ "base=%d", base);
>+ return (-1);
>+ }
>+ }
>+
> return(0);
> }
>
>@@ -272,8 +335,12 @@
> */
> xmlChar*
> xmlSecBnToString(xmlSecBnPtr bn, xmlSecSize base) {
>+ xmlSecBn bn2;
>+ int positive = 1;
> xmlChar* res;
>- xmlSecSize i, len;
>+ xmlSecSize i, len, size;
>+ xmlSecByte* data;
>+ int ret;
> int nn;
> xmlChar ch;
>
>@@ -281,35 +348,86 @@
> xmlSecAssert2(base > 1, NULL);
> xmlSecAssert2(base <= sizeof(xmlSecBnRevLookupTable), NULL);
>
>+
>+ /* copy bn */
>+ data = xmlSecBufferGetData(bn);
>+ size = xmlSecBufferGetSize(bn);
>+ ret = xmlSecBnInitialize(&bn2, size);
>+ if(ret < 0) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecBnCreate",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ "size=%d", size);
>+ return (NULL);
>+ }
>+
>+ ret = xmlSecBnSetData(&bn2, data, size);
>+ if(ret < 0) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecBnSetData",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ "size=%d", size);
>+ xmlSecBnFinalize(&bn2);
>+ return (NULL);
>+ }
>+
>+ /* check if it is a negative number or not */
>+ data = xmlSecBufferGetData(&bn2);
>+ size = xmlSecBufferGetSize(&bn2);
>+ if((size > 0) && (data[0] > 127)) {
>+ /* subtract 1 and do 2's compliment */
>+ ret = xmlSecBnAdd(&bn2, -1);
>+ if(ret < 0) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecBnAdd",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ "size=%d", size);
>+ xmlSecBnFinalize(&bn2);
>+ return (NULL);
>+ }
>+ for(i = 0; i < size; ++i) {
>+ data[i] ^= 0xFF;
>+ }
>+
>+ positive = 0;
>+ } else {
>+ positive = 1;
>+ }
>+
> /* Result string len is
> * len = log base (256) * <bn size>
> * Since the smallest base == 2 then we can get away with
> * len = 8 * <bn size>
> */
>- len = 8 * xmlSecBufferGetSize(bn) + 1;
>+ len = 8 * size + 1 + 1;
> res = (xmlChar*)xmlMalloc(len + 1);
> if(res == NULL) {
>- xmlSecError(XMLSEC_ERRORS_HERE,
>- NULL,
>- NULL,
>- XMLSEC_ERRORS_R_MALLOC_FAILED,
>- "len=%d", len);
>- return (NULL);
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ NULL,
>+ XMLSEC_ERRORS_R_MALLOC_FAILED,
>+ "len=%d", len);
>+ xmlSecBnFinalize(&bn2);
>+ return (NULL);
> }
> memset(res, 0, len + 1);
>
>- for(i = 0; (xmlSecBufferGetSize(bn) > 0) && (i < len); i++) {
>- if(xmlSecBnDiv(bn, base, &nn) < 0) {
>- xmlSecError(XMLSEC_ERRORS_HERE,
>- NULL,
>- "xmlSecBnDiv",
>- XMLSEC_ERRORS_R_XMLSEC_FAILED,
>- "base=%d", base);
>- xmlFree(res);
>- return (NULL);
>- }
>- xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
>- res[i] = xmlSecBnRevLookupTable[nn];
>+ for(i = 0; (xmlSecBufferGetSize(&bn2) > 0) && (i < len); i++) {
>+ if(xmlSecBnDiv(&bn2, base, &nn) < 0) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecBnDiv",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ "base=%d", base);
>+ xmlFree(res);
>+ xmlSecBnFinalize(&bn2);
>+ return (NULL);
>+ }
>+ xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
>+ res[i] = xmlSecBnRevLookupTable[nn];
> }
> xmlSecAssert2(i < len, NULL);
>
>@@ -317,13 +435,20 @@
> for(len = i; (len > 1) && (res[len - 1] == '0'); len--);
> res[len] = '\0';
>
>+ /* add "-" for negative numbers */
>+ if(positive == 0) {
>+ res[len] = '-';
>+ res[++len] = '\0';
>+ }
>+
> /* swap the string because we wrote it in reverse order */
> for(i = 0; i < len / 2; i++) {
>- ch = res[i];
>- res[i] = res[len - i - 1];
>- res[len - i - 1] = ch;
>+ ch = res[i];
>+ res[i] = res[len - i - 1];
>+ res[len - i - 1] = ch;
> }
>
>+ xmlSecBnFinalize(&bn2);
> return(res);
> }
>
>@@ -408,7 +533,9 @@
> }
>
> data = xmlSecBufferGetData(bn);
>- for(over = 0, i = xmlSecBufferGetSize(bn); i > 0;) {
>+ i = xmlSecBufferGetSize(bn);
>+ over = 0;
>+ while(i > 0) {
> xmlSecAssert2(data != NULL, -1);
>
> over = over + multiplier * data[--i];
>@@ -503,43 +630,57 @@
> */
> int
> xmlSecBnAdd(xmlSecBnPtr bn, int delta) {
>- int over;
>+ int over, tmp;
> xmlSecByte* data;
> xmlSecSize i;
> xmlSecByte ch;
> int ret;
>
> xmlSecAssert2(bn != NULL, -1);
>- xmlSecAssert2(delta >= 0, -1);
>
> if(delta == 0) {
>- return(0);
>+ return(0);
> }
>
> data = xmlSecBufferGetData(bn);
>- for(over = delta, i = xmlSecBufferGetSize(bn); i > 0;) {
>- xmlSecAssert2(data != NULL, -1);
>+ if(delta > 0) {
>+ for(over = delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0) ;) {
>+ xmlSecAssert2(data != NULL, -1);
>
>- over += data[--i];
>- data[i] = over % 256;
>- over = over / 256;
>- }
>+ tmp = data[--i];
>+ over += tmp;
>+ data[i] = over % 256;
>+ over = over / 256;
>+ }
>
>- while(over > 0) {
>- ch = over % 256;
>- over = over / 256;
>+ while(over > 0) {
>+ ch = over % 256;
>+ over = over / 256;
>
>- ret = xmlSecBufferPrepend(bn, &ch, 1);
>- if(ret < 0) {
>- xmlSecError(XMLSEC_ERRORS_HERE,
>- NULL,
>- "xmlSecBufferPrepend",
>- XMLSEC_ERRORS_R_XMLSEC_FAILED,
>- "size=1");
>- return (-1);
>- }
>+ ret = xmlSecBufferPrepend(bn, &ch, 1);
>+ if(ret < 0) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecBufferPrepend",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ "size=1");
>+ return (-1);
>+ }
>+ }
>+ } else {
>+ for(over = -delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0);) {
>+ xmlSecAssert2(data != NULL, -1);
>+
>+ tmp = data[--i];
>+ if(tmp < over) {
>+ data[i] = 0;
>+ over = (over - tmp) / 256;
>+ } else {
>+ data[i] = tmp - over;
>+ over = 0;
>+ }
>+ }
> }
>-
> return(0);
> }
>
>Index: src/mscrypto/crypto.c
>===================================================================
>RCS file: /cvs/gnome/xmlsec/src/mscrypto/crypto.c,v
>retrieving revision 1.5
>diff -u -r1.5 crypto.c
>--- src/mscrypto/crypto.c 12 Nov 2003 02:38:51 -0000 1.5
>+++ src/mscrypto/crypto.c 22 Feb 2005 09:16:51 -0000
>@@ -330,13 +330,15 @@
> BYTE*
> xmlSecMSCryptoCertStrToName(DWORD dwCertEncodingType, LPCTSTR pszX500, DWORD dwStrType, DWORD* len) {
> BYTE* str = NULL;
>-
>+ LPCTSTR ppszError = NULL;
>+
> xmlSecAssert2(pszX500 != NULL, NULL);
> xmlSecAssert2(len != NULL, NULL);
>
> if (!CertStrToName(dwCertEncodingType, pszX500, dwStrType,
>- NULL, NULL, len, NULL)) {
>+ NULL, NULL, len, &ppszError)) {
> /* this might not be an error, string might just not exist */
>+ DWORD dw = GetLastError();
> return(NULL);
> }
>
>Index: src/mscrypto/x509.c
>===================================================================
>RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509.c,v
>retrieving revision 1.2
>diff -u -r1.2 x509.c
>--- src/mscrypto/x509.c 26 Sep 2003 00:58:13 -0000 1.2
>+++ src/mscrypto/x509.c 22 Feb 2005 09:16:52 -0000
>@@ -1882,7 +1882,7 @@
> xmlSecAssert2(nm->pbData != NULL, NULL);
> xmlSecAssert2(nm->cbData > 0, NULL);
>
>- csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, NULL, 0);
>+ csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, NULL, 0);
> str = (char *)xmlMalloc(csz);
> if (NULL == str) {
> xmlSecError(XMLSEC_ERRORS_HERE,
>@@ -1893,7 +1893,7 @@
> return (NULL);
> }
>
>- csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, str, csz);
>+ csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, str, csz);
> if (csz < 1) {
> xmlSecError(XMLSEC_ERRORS_HERE,
> NULL,
>@@ -1904,17 +1904,37 @@
> return(NULL);
> }
>
>- res = xmlStrdup(BAD_CAST str);
>- if(res == NULL) {
>- xmlSecError(XMLSEC_ERRORS_HERE,
>- NULL,
>- "xmlStrdup",
>- XMLSEC_ERRORS_R_MALLOC_FAILED,
>- XMLSEC_ERRORS_NO_MESSAGE);
>- xmlFree(str);
>- return(NULL);
>- }
>+ /* aleksey: this is a hack, but mscrypto can not read E= flag and wants Email= instead.
>+ * don't ask me how is it possible not to read something you wrote yourself but also
>+ * see comment in the xmlSecMSCryptoX509FindCert function.
>+ */
>+ if(strncmp(str, "E=", 2) == 0) {
>+ res = xmlMalloc(strlen(str) + 13 + 1);
>+ if(res == NULL) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlMalloc",
>+ XMLSEC_ERRORS_R_MALLOC_FAILED,
>+ "size=%d",
>+ strlen(str) + 13 + 1);
>+ xmlFree(str);
>+ return(NULL);
>+ }
>
>+ memcpy(res, "emailAddress=", 13);
>+ strcpy(res + 13, BAD_CAST (str + 2));
>+ } else {
>+ res = xmlStrdup(BAD_CAST str);
>+ if(res == NULL) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlStrdup",
>+ XMLSEC_ERRORS_R_MALLOC_FAILED,
>+ XMLSEC_ERRORS_NO_MESSAGE);
>+ xmlFree(str);
>+ return(NULL);
>+ }
>+ }
> xmlFree(str);
> return(res);
> }
>Index: src/mscrypto/x509vfy.c
>===================================================================
>RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509vfy.c,v
>retrieving revision 1.3
>diff -u -r1.3 x509vfy.c
>--- src/mscrypto/x509vfy.c 27 Sep 2003 03:12:22 -0000 1.3
>+++ src/mscrypto/x509vfy.c 22 Feb 2005 09:16:52 -0000
>@@ -567,10 +567,41 @@
>
> if((pCert == NULL) && (NULL != issuerName) && (NULL != issuerSerial)) {
> xmlSecBn issuerSerialBn;
>+ xmlChar * p;
> CERT_NAME_BLOB cnb;
>+ CRYPT_INTEGER_BLOB cib;
> BYTE *cName = NULL;
> DWORD cNameLen = 0;
>+
>+ /* aleksey: for some unknown to me reasons, mscrypto wants Email
>+ * instead of emailAddress. This code is not bullet proof and may
>+ * produce incorrect results if someone has "emailAddress=" string
>+ * in one of the fields, but it is best I can suggest to fix this problem.
>+ * Also see xmlSecMSCryptoX509NameWrite function.
>+ */
>+ while( (p = (xmlChar*)xmlStrstr(issuerName, BAD_CAST "emailAddress=")) != NULL) {
>+ memcpy(p, " Email=", 13);
>+ }
>
>+
>+
>+ /* get issuer name */
>+ cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
>+ issuerName,
>+ CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG | CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
>+ &cNameLen);
>+ if(cName == NULL) {
>+ xmlSecError(XMLSEC_ERRORS_HERE,
>+ NULL,
>+ "xmlSecMSCryptoCertStrToName",
>+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+ XMLSEC_ERRORS_NO_MESSAGE);
>+ return (NULL);
>+ }
>+ cnb.pbData = cName;
>+ cnb.cbData = cNameLen;
>+
>+ /* get serial number */
> ret = xmlSecBnInitialize(&issuerSerialBn, 0);
> if(ret < 0) {
> xmlSecError(XMLSEC_ERRORS_HERE,
>@@ -578,6 +609,7 @@
> "xmlSecBnInitialize",
> XMLSEC_ERRORS_R_XMLSEC_FAILED,
> XMLSEC_ERRORS_NO_MESSAGE);
>+ xmlFree(cName);
> return(NULL);
> }
>
>@@ -589,26 +621,30 @@
> XMLSEC_ERRORS_R_XMLSEC_FAILED,
> XMLSEC_ERRORS_NO_MESSAGE);
> xmlSecBnFinalize(&issuerSerialBn);
>- return(NULL);
>+ xmlFree(cName);
>+ return(NULL);
> }
>
>- cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
>- issuerName,
>- CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
>- &cNameLen);
>- if(cName == NULL) {
>+ /* I have no clue why at a sudden a swap is needed to
>+ * convert from lsb... This code is purely based upon
>+ * trial and error :( WK
>+ */
>+ ret = xmlSecBnReverse(&issuerSerialBn);
>+ if(ret < 0) {
> xmlSecError(XMLSEC_ERRORS_HERE,
> NULL,
>- "xmlSecMSCryptoCertStrToName",
>+ "xmlSecBnReverse",
> XMLSEC_ERRORS_R_XMLSEC_FAILED,
> XMLSEC_ERRORS_NO_MESSAGE);
> xmlSecBnFinalize(&issuerSerialBn);
>- return (NULL);
>+ xmlFree(cName);
>+ return(NULL);
> }
>
>- cnb.pbData = cName;
>- cnb.cbData = cNameLen;
>- while((pCert = CertFindCertificateInStore(store,
>+ cib.pbData = xmlSecBufferGetData(&issuerSerialBn);
>+ cib.cbData = xmlSecBufferGetSize(&issuerSerialBn);
>+
>+ while((pCert = CertFindCertificateInStore(store,
> PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
> 0,
> CERT_FIND_ISSUER_NAME,
>@@ -622,10 +658,9 @@
> if((pCert->pCertInfo != NULL) &&
> (pCert->pCertInfo->SerialNumber.pbData != NULL) &&
> (pCert->pCertInfo->SerialNumber.cbData > 0) &&
>- (0 == xmlSecBnCompareReverse(&issuerSerialBn, pCert->pCertInfo->SerialNumber.pbData,
>- pCert->pCertInfo->SerialNumber.cbData))) {
>-
>- break;
>+ (CertCompareIntegerBlob(&(pCert->pCertInfo->SerialNumber), &cib) == TRUE)
>+ ) {
>+ break;
> }
> }
> xmlFree(cName);
>Index: tests/testDSig.sh
>===================================================================
>RCS file: /cvs/gnome/xmlsec/tests/testDSig.sh,v
>retrieving revision 1.35
>diff -u -r1.35 testDSig.sh
>--- tests/testDSig.sh 17 Mar 2004 05:06:48 -0000 1.35
>+++ tests/testDSig.sh 22 Feb 2005 09:16:53 -0000
>@@ -1,8 +1,15 @@
> #!/bin/sh
>
>+OS_ARCH=`uname -o`
>+
>+if [ "z$OS_ARCH" = "zCygwin" ] ; then
>+ topfolder=`cygpath -wa $2`
>+ xmlsec_app=`cygpath -a $3`
>+else
>+ topfolder=$2
>+ xmlsec_app=$3
>+fi
> crypto=$1
>-topfolder=$2
>-xmlsec_app=$3
> file_format=$4
>
> pub_key_format=$file_format
>@@ -13,10 +20,15 @@
> if [ "z$TMPFOLDER" = "z" ] ; then
> TMPFOLDER=/tmp
> fi
>-
> timestamp=`date +%Y%m%d_%H%M%S`
>-tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
>-logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
>+if [ "z$OS_ARCH" = "zCygwin" ] ; then
>+ tmpfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.tmp`
>+ logfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.log`
>+else
>+ tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
>+ logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
>+fi
>+
> script="$0"
>
> # prepate crypto config folder
>@@ -104,7 +116,6 @@
> echo "--- testDSig started for xmlsec-$crypto library ($timestamp)" >> $logfile
> echo "--- LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> $logfile
>
>-
> execDSigTest "" "merlin-xmldsig-twenty-three/signature-enveloped-dsa" \
> " " \
> "$priv_key_option $topfolder/keys/dsakey.$priv_key_format --pwd secret" \
>@@ -238,6 +249,11 @@
> "$priv_key_option tests/keys/rsakey.$priv_key_format --pwd secret" \
> "--trusted-$cert_format $topfolder/keys/cacert.$cert_format"
>
>+execDSigTest "" "aleksey-xmldsig-01/x509data-sn-test" \
>+ "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509" \
>+ "$priv_key_option tests/keys/rsa2key.$priv_key_format --pwd secret" \
>+ "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509"
>+
> execDSigTest "" "merlin-exc-c14n-one/exc-signature" \
> ""
>
>@@ -249,6 +265,7 @@
>
> execDSigTest "" "merlin-xpath-filter2-three/sign-spec" \
> ""
>+
> execDSigTest "phaos-xmldsig-three" "signature-big" \
> "--pubkey-cert-$cert_format certs/rsa-cert.$cert_format"
>
>Index: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
>===================================================================
>RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
>diff -N tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ tests/aleksey-xmldsig-01/x509data-sn-test.tmpl 22 Feb 2005 09:16:53 -0000
>@@ -0,0 +1,27 @@
>+<?xml version="1.0" encoding="UTF-8"?>
>+<Document>
>+ <ToBeSigned>
>+ Some very secret data
>+ </ToBeSigned>
>+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>+ <SignedInfo>
>+ <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
>+ <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>+ <Reference URI="">
>+ <Transforms>
>+ <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
>+ <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect"> //ToBeSigned </XPath>
>+ </Transform>
>+ </Transforms>
>+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>+ <DigestValue/>
>+ </Reference>
>+ </SignedInfo>
>+ <SignatureValue/>
>+ <KeyInfo>
>+ <X509Data>
>+ <X509IssuerSerial/>
>+ </X509Data>
>+ </KeyInfo>
>+ </Signature>
>+</Document>
>Index: tests/aleksey-xmldsig-01/x509data-sn-test.xml
>===================================================================
>RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.xml
>diff -N tests/aleksey-xmldsig-01/x509data-sn-test.xml
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ tests/aleksey-xmldsig-01/x509data-sn-test.xml 22 Feb 2005 09:16:53 -0000
>@@ -0,0 +1,33 @@
>+<?xml version="1.0" encoding="UTF-8"?>
>+<Document>
>+ <ToBeSigned>
>+ Some very secret data
>+ </ToBeSigned>
>+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>+ <SignedInfo>
>+ <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>+ <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>+ <Reference URI="">
>+ <Transforms>
>+ <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
>+ <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect"> //ToBeSigned </XPath>
>+ </Transform>
>+ </Transforms>
>+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>+ <DigestValue>3om1gINPzaogcdLuDdjIQlls4NE=</DigestValue>
>+ </Reference>
>+ </SignedInfo>
>+ <SignatureValue>pcsM3Uz0+85OJTV28sg+mQ5khOCxeToam9ojj5F7D5IVXoQAnCNDuyDbKLsn0UKv
>+I06RXzlb4MXb88fBJaFd4ygfpy3Ude8n6erjwxtwU6tPiesHyJB64GSD9yeSGDZt
>+UnD0EYB9ammZxoqVUlZR5FiqG/vTUtjHN+Fo6DTuY+g=</SignatureValue>
>+ <KeyInfo>
>+ <X509Data>
>+
>+ <X509IssuerSerial>
>+<X509IssuerName>emailAddress=xmlsec at aleksey.com,CN=Aleksey Sanin,OU=Second Level Certificate,O=XML Security Library (http://www.aleksey.com/xmlsec),ST=California,C=US</X509IssuerName>
>+<X509SerialNumber>-1</X509SerialNumber>
>+</X509IssuerSerial>
>+</X509Data>
>+ </KeyInfo>
>+ </Signature>
>+</Document>
>Index: tests/keys/README
>===================================================================
>RCS file: /cvs/gnome/xmlsec/tests/keys/README,v
>retrieving revision 1.6
>diff -u -r1.6 README
>--- tests/keys/README 30 Jul 2003 02:47:22 -0000 1.6
>+++ tests/keys/README 22 Feb 2005 09:16:53 -0000
>@@ -17,6 +17,8 @@
> hmackey.bin HMAC key ('secret')
> expired.key key for expired cert
> expired.crt expired certificate
>+ rsa2key.pem RSA private key
>+ rsa2cert.pem Self signed RSA certificate with negative serial number
>
> 2. How certificates were generated:
>
>@@ -66,6 +68,9 @@
>
> Convert PEM cert file to DER file
> > openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der
>+
>+ Convert DER cert file to PEM file
>+ > openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem
>
> 4. Converting an unencrypted PEM or DER file containing a private key
> to an encrypted PEM or DER file containing the same private key but
>Index: tests/keys/rsa2cert.der
>===================================================================
>RCS file: tests/keys/rsa2cert.der
>diff -N tests/keys/rsa2cert.der
>Binary files /dev/null and rsa2cert.der differ
>Index: tests/keys/rsa2cert.pem
>===================================================================
>RCS file: tests/keys/rsa2cert.pem
>diff -N tests/keys/rsa2cert.pem
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ tests/keys/rsa2cert.pem 22 Feb 2005 09:16:53 -0000
>@@ -0,0 +1,17 @@
>+-----BEGIN CERTIFICATE-----
>+MIICujCCAmQCAf8wDQYJKoZIhvcNAQEEBQAwgb8xCzAJBgNVBAYTAlVTMRMwEQYD
>+VQQIEwpDYWxpZm9ybmlhMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGlicmFyeSAo
>+aHR0cDovL3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMSEwHwYDVQQLExhTZWNvbmQg
>+TGV2ZWwgQ2VydGlmaWNhdGUxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAfBgkq
>+hkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTAeFw0wNTAyMjIwODAxNDJaFw0x
>+NTAyMjAwODAxNDJaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
>+YTESMBAGA1UEBxMJU3Vubnl2YWxlMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGli
>+cmFyeSAoaHR0cDovL3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMTwwOgYDVQQLEzNU
>+aGlyZCBsZXZlbCBjZXJ0aWZpY2F0ZSB3aXRoIG5lZ2F0aXZlIHNlcmlhbCBudW1i
>+ZXIxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
>+MIGJAoGBAONHVDP5sBVclV0pClZYjcB6Os70uGmKZzAFgq8+lUZmu9utk78ZCK0A
>+NtvxjQ/C+/17plevhXFGeWgjGGbEq6OpEkAjDyXX+j5ZMI6b6zYwVEo0+Eh15Sbb
>+LIYat1m4kR5A7/gIhsVKT8GfWAYzamPYrPmsa9JVDKEqsh9PPaz7AgMBAAEwDQYJ
>+KoZIhvcNAQEEBQADQQAOTj9O30MjCt8darphiTDSYaLof5IvJiDfu38UnSukH/Ut
>+t5C7EU+1X5/uKacfYnHs/0UQYbmq5Zsm4Zky+ht9
>+-----END CERTIFICATE-----
>Index: tests/keys/rsa2key.der
>===================================================================
>RCS file: tests/keys/rsa2key.der
>diff -N tests/keys/rsa2key.der
>Binary files /dev/null and rsa2key.der differ
>Index: tests/keys/rsa2key.p12
>===================================================================
>RCS file: tests/keys/rsa2key.p12
>diff -N tests/keys/rsa2key.p12
>Binary files /dev/null and rsa2key.p12 differ
>Index: tests/keys/rsa2key.pem
>===================================================================
>RCS file: tests/keys/rsa2key.pem
>diff -N tests/keys/rsa2key.pem
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ tests/keys/rsa2key.pem 22 Feb 2005 09:16:53 -0000
>@@ -0,0 +1,18 @@
>+-----BEGIN RSA PRIVATE KEY-----
>+Proc-Type: 4,ENCRYPTED
>+DEK-Info: DES-EDE3-CBC,4500DDD8194CE192
>+
>+E1FQxiq6hX9GbvWm2HyzvfgDvFXFLjruys4cL6gCXLl7kNPBEUsi3geICO3bFVsk
>+XTI/JYZQosR3mhglydDQU/JJ0JXid6T9wxdRxokr8K2O2KGFjN2n95RZ2gkDyYfd
>+4/4OmGymm1g8VFUqeJuR6x2Lwh9ML2k2R8dqJqLhuoLlfp14fqlMRvzni53aTDSU
>+xxLYQ0SphGpE2gdEbowZDKLx8v+w7tZvTES/4jZQL3rosPJgcSy4Hif9pSHYDK91
>+e3N8rz/lyrQ1sb0z808GXVrK2h8nrJiuBAcS3S4smvKbV3fl0nu2um/ZFZPqAjiQ
>+4rNa77a+uA0FmRHrtb4zL6aRwoybkaO7TwwKhCjDtM1OdCia5+sINXBdswtBwvGf
>+lURgIBiORsdDNjmk4TYb3g9V3cAccnWzA80GqefiokzFteATl02c2aN+AsV2BCxv
>+fBCV/mX/+ygzctK0W/auaVl/qN0kezbkrZiCr7FB/Im2IRsVJ+NZoe7BW5/LiC+F
>+5mn6ExkuLwQ6o7OZpUkjQunFFE+hwiCvObSv3dhTBRn3iQg/0i7Ufb8FcQfF7Mfy
>+4oK1yZqvnHoH8BbeTuGYY/PRFIdXwM+mEJy1Sk8pBcGwMNlJf6UdTCvRoQ1SB+a0
>+EpMP1/AgZ2F4MVOuZLYOp7OOLTaB9Yu92Gtm9g0YbMg6OKkkoW5SVuk+Kvo8tv/3
>+ITY8bLfSn2T0MRRwds71uW9vo4IhN/IT6Js+xEteY4kaufXtcSIZ+h6XrmjuoxZR
>+voBxkA4KgGUKKU1aemeHUCxzdqYlhrLvlXcjxvPmCjKdFjc9PX1/Ag==
>+-----END RSA PRIVATE KEY-----
>Index: win32/Makefile.msvc
>===================================================================
>RCS file: /cvs/gnome/xmlsec/win32/Makefile.msvc,v
>retrieving revision 1.27
>diff -u -r1.27 Makefile.msvc
>--- win32/Makefile.msvc 9 Jun 2004 14:35:12 -0000 1.27
>+++ win32/Makefile.msvc 22 Feb 2005 09:16:54 -0000
>@@ -456,21 +456,21 @@
> check-keys : $(BINDIR)\$(APP_NAME)
> cd ..
> if not exist win32\tmp mkdir win32\tmp
>- set TMPFOLDER=win32\tmp
>+ set TMPFOLDER=win32/tmp
> sh ./tests/testKeys.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
> cd win32
>
> check-dsig : $(BINDIR)\$(APP_NAME)
> cd ..
> if not exist win32\tmp mkdir win32\tmp
>- set TMPFOLDER=win32\tmp
>+ set TMPFOLDER=win32/tmp
> sh ./tests/testDSig.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
> cd win32
>
> check-enc : $(BINDIR)\$(APP_NAME)
> cd ..
> if not exist win32\tmp mkdir win32\tmp
>- set TMPFOLDER=win32\tmp
>+ set TMPFOLDER=win32/tmp
> sh ./tests/testEnc.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
> cd win32
>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>xmlsec mailing list
>xmlsec at aleksey.com
>http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20050222/d71c9a64/attachment-0001.htm
More information about the xmlsec
mailing list