[xmlsec] Problem with some cert which has a negative serial number
Aleksey Sanin
aleksey at aleksey.com
Tue Feb 22 01:31:22 PST 2005
Michael,
I have a better patch for you (see attached file). Also I already
tested it and checked in (thanks to Andrew for his openssl trick :) ).
However, there are few things I would like to note:
1) I did test openssl <-> mscrypto interoperability for negative
serial numbers and everything seems to be working. I did not test
NSS <-> mscrypto at all.
2) I noticed that NSS does not handle large serial numbers at all.
It seems that the code just converts a string to regular integer
using NSPR's analog for atoi() function.
3) It turns out that mscrypto does not recognize "emailAddress"
attribute in x509 string. Worse, when it writes a string, it puts
email into "E" attribute but then refuses to read it back (or to
be precise, it reads it in a *different* internal format and then
can not find this cert)! I hacked the code to workaround this
problem but this is really a quick-and-dirty hack and you might
want to think about a better solution.
Aleksey
Aleksey Sanin wrote:
> Just do "patch -p0 < path-to-negative-bn.diff" from the top level
> xmlsec folder.
>
> Aleksey
>
> Michael Mi wrote:
>
>> I'd love to try it.
>>
>> But can you tell me how to merge the diff into my bn.c when I am using
>> the libxmlsec tarball?
>>
>> Michael
>>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
Index: src/bn.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/bn.c,v
retrieving revision 1.14
diff -u -r1.14 bn.c
--- src/bn.c 26 Jan 2005 16:52:09 -0000 1.14
+++ src/bn.c 22 Feb 2005 09:16:51 -0000
@@ -170,9 +170,10 @@
*/
int
xmlSecBnFromString(xmlSecBnPtr bn, const xmlChar* str, xmlSecSize base) {
- xmlSecSize i, len;
+ xmlSecSize i, len, size;
xmlSecByte ch;
xmlSecByte* data;
+ int positive;
int nn;
int ret;
@@ -184,7 +185,7 @@
/* trivial case */
len = xmlStrlen(str);
if(len == 0) {
- return(0);
+ return(0);
}
/* The result size could not exceed the input string length
@@ -192,60 +193,102 @@
* In truth, it would be likely less than 1/2 input string length
* because each byte is represented by 2 chars. If needed,
* buffer size would be increased by Mul/Add functions.
- * Finally, we add one byte for 00 prefix if first byte is > 127.
+ * Finally, we can add one byte for 00 or 10 prefix.
*/
ret = xmlSecBufferSetMaxSize(bn, xmlSecBufferGetSize(bn) + len / 2 + 1 + 1);
if(ret < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecBnRevLookupTable",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "size=%d", len / 2 + 1);
- return (-1);
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecBnRevLookupTable",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "size=%d", len / 2 + 1);
+ return (-1);
+ }
+
+ /* figure out if it is positive or negative number */
+ positive = 1;
+ i = 0;
+ while(i < len) {
+ ch = str[i++];
+
+ /* skip spaces */
+ if(isspace(ch)) {
+ continue;
+ }
+
+ /* check if it is + or - */
+ if(ch == '+') {
+ positive = 1;
+ break;
+ } else if(ch == '-') {
+ positive = 0;
+ break;
+ }
+
+ /* otherwise, it must be start of the number */
+ nn = xmlSecBnLookupTable[ch];
+ if((nn >= 0) && ((xmlSecSize)nn < base)) {
+ xmlSecAssert2(i > 0, -1);
+
+ /* no sign, positive by default */
+ positive = 1;
+ --i; /* make sure that we will look at this character in next loop */
+ break;
+ } else {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_INVALID_DATA,
+ "char=%c;base=%d",
+ ch, base);
+ return (-1);
+ }
}
- for(i = 0; i < len; i++) {
- ch = str[i];
- if(isspace(ch)) {
- continue;
- }
+ /* now parse the number itself */
+ while(i < len) {
+ ch = str[i++];
+ if(isspace(ch)) {
+ continue;
+ }
- xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
- nn = xmlSecBnLookupTable[ch];
- if((nn < 0) || ((xmlSecSize)nn > base)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- NULL,
- XMLSEC_ERRORS_R_INVALID_DATA,
- "char=%c;base=%d",
- ch, base);
- return (-1);
- }
-
- ret = xmlSecBnMul(bn, base);
- if(ret < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecBnMul",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "base=%d", base);
- return (-1);
- }
+ xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
+ nn = xmlSecBnLookupTable[ch];
+ if((nn < 0) || ((xmlSecSize)nn > base)) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_INVALID_DATA,
+ "char=%c;base=%d",
+ ch, base);
+ return (-1);
+ }
- ret = xmlSecBnAdd(bn, nn);
- if(ret < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecBnAdd",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "base=%d", base);
- return (-1);
- }
+ ret = xmlSecBnMul(bn, base);
+ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecBnMul",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "base=%d", base);
+ return (-1);
+ }
+
+ ret = xmlSecBnAdd(bn, nn);
+ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecBnAdd",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "base=%d", base);
+ return (-1);
+}
}
- /* check whether need to add 00 prefix */
+ /* check if we need to add 00 prefix */
data = xmlSecBufferGetData(bn);
- if(data[0] > 127) {
+ size = xmlSecBufferGetSize(bn);
+ if(size > 0 && data[0] > 127) {
ch = 0;
ret = xmlSecBufferPrepend(bn, &ch, 1);
if(ret < 0) {
@@ -257,6 +300,26 @@
return (-1);
}
}
+
+ /* do 2's compliment and add 1 to represent negative value */
+ if(positive == 0) {
+ data = xmlSecBufferGetData(bn);
+ size = xmlSecBufferGetSize(bn);
+ for(i = 0; i < size; ++i) {
+ data[i] ^= 0xFF;
+ }
+
+ ret = xmlSecBnAdd(bn, 1);
+ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecBnAdd",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "base=%d", base);
+ return (-1);
+ }
+ }
+
return(0);
}
@@ -272,8 +335,12 @@
*/
xmlChar*
xmlSecBnToString(xmlSecBnPtr bn, xmlSecSize base) {
+ xmlSecBn bn2;
+ int positive = 1;
xmlChar* res;
- xmlSecSize i, len;
+ xmlSecSize i, len, size;
+ xmlSecByte* data;
+ int ret;
int nn;
xmlChar ch;
@@ -281,35 +348,86 @@
xmlSecAssert2(base > 1, NULL);
xmlSecAssert2(base <= sizeof(xmlSecBnRevLookupTable), NULL);
+
+ /* copy bn */
+ data = xmlSecBufferGetData(bn);
+ size = xmlSecBufferGetSize(bn);
+ ret = xmlSecBnInitialize(&bn2, size);
+ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecBnCreate",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "size=%d", size);
+ return (NULL);
+ }
+
+ ret = xmlSecBnSetData(&bn2, data, size);
+ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecBnSetData",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "size=%d", size);
+ xmlSecBnFinalize(&bn2);
+ return (NULL);
+ }
+
+ /* check if it is a negative number or not */
+ data = xmlSecBufferGetData(&bn2);
+ size = xmlSecBufferGetSize(&bn2);
+ if((size > 0) && (data[0] > 127)) {
+ /* subtract 1 and do 2's compliment */
+ ret = xmlSecBnAdd(&bn2, -1);
+ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecBnAdd",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "size=%d", size);
+ xmlSecBnFinalize(&bn2);
+ return (NULL);
+ }
+ for(i = 0; i < size; ++i) {
+ data[i] ^= 0xFF;
+ }
+
+ positive = 0;
+ } else {
+ positive = 1;
+ }
+
/* Result string len is
* len = log base (256) * <bn size>
* Since the smallest base == 2 then we can get away with
* len = 8 * <bn size>
*/
- len = 8 * xmlSecBufferGetSize(bn) + 1;
+ len = 8 * size + 1 + 1;
res = (xmlChar*)xmlMalloc(len + 1);
if(res == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- NULL,
- XMLSEC_ERRORS_R_MALLOC_FAILED,
- "len=%d", len);
- return (NULL);
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "len=%d", len);
+ xmlSecBnFinalize(&bn2);
+ return (NULL);
}
memset(res, 0, len + 1);
- for(i = 0; (xmlSecBufferGetSize(bn) > 0) && (i < len); i++) {
- if(xmlSecBnDiv(bn, base, &nn) < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecBnDiv",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "base=%d", base);
- xmlFree(res);
- return (NULL);
- }
- xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
- res[i] = xmlSecBnRevLookupTable[nn];
+ for(i = 0; (xmlSecBufferGetSize(&bn2) > 0) && (i < len); i++) {
+ if(xmlSecBnDiv(&bn2, base, &nn) < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecBnDiv",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "base=%d", base);
+ xmlFree(res);
+ xmlSecBnFinalize(&bn2);
+ return (NULL);
+ }
+ xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
+ res[i] = xmlSecBnRevLookupTable[nn];
}
xmlSecAssert2(i < len, NULL);
@@ -317,13 +435,20 @@
for(len = i; (len > 1) && (res[len - 1] == '0'); len--);
res[len] = '\0';
+ /* add "-" for negative numbers */
+ if(positive == 0) {
+ res[len] = '-';
+ res[++len] = '\0';
+ }
+
/* swap the string because we wrote it in reverse order */
for(i = 0; i < len / 2; i++) {
- ch = res[i];
- res[i] = res[len - i - 1];
- res[len - i - 1] = ch;
+ ch = res[i];
+ res[i] = res[len - i - 1];
+ res[len - i - 1] = ch;
}
+ xmlSecBnFinalize(&bn2);
return(res);
}
@@ -408,7 +533,9 @@
}
data = xmlSecBufferGetData(bn);
- for(over = 0, i = xmlSecBufferGetSize(bn); i > 0;) {
+ i = xmlSecBufferGetSize(bn);
+ over = 0;
+ while(i > 0) {
xmlSecAssert2(data != NULL, -1);
over = over + multiplier * data[--i];
@@ -503,43 +630,57 @@
*/
int
xmlSecBnAdd(xmlSecBnPtr bn, int delta) {
- int over;
+ int over, tmp;
xmlSecByte* data;
xmlSecSize i;
xmlSecByte ch;
int ret;
xmlSecAssert2(bn != NULL, -1);
- xmlSecAssert2(delta >= 0, -1);
if(delta == 0) {
- return(0);
+ return(0);
}
data = xmlSecBufferGetData(bn);
- for(over = delta, i = xmlSecBufferGetSize(bn); i > 0;) {
- xmlSecAssert2(data != NULL, -1);
+ if(delta > 0) {
+ for(over = delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0) ;) {
+ xmlSecAssert2(data != NULL, -1);
- over += data[--i];
- data[i] = over % 256;
- over = over / 256;
- }
+ tmp = data[--i];
+ over += tmp;
+ data[i] = over % 256;
+ over = over / 256;
+ }
- while(over > 0) {
- ch = over % 256;
- over = over / 256;
+ while(over > 0) {
+ ch = over % 256;
+ over = over / 256;
- ret = xmlSecBufferPrepend(bn, &ch, 1);
- if(ret < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecBufferPrepend",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "size=1");
- return (-1);
- }
+ ret = xmlSecBufferPrepend(bn, &ch, 1);
+ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecBufferPrepend",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "size=1");
+ return (-1);
+ }
+ }
+ } else {
+ for(over = -delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0);) {
+ xmlSecAssert2(data != NULL, -1);
+
+ tmp = data[--i];
+ if(tmp < over) {
+ data[i] = 0;
+ over = (over - tmp) / 256;
+ } else {
+ data[i] = tmp - over;
+ over = 0;
+ }
+ }
}
-
return(0);
}
Index: src/mscrypto/crypto.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/crypto.c,v
retrieving revision 1.5
diff -u -r1.5 crypto.c
--- src/mscrypto/crypto.c 12 Nov 2003 02:38:51 -0000 1.5
+++ src/mscrypto/crypto.c 22 Feb 2005 09:16:51 -0000
@@ -330,13 +330,15 @@
BYTE*
xmlSecMSCryptoCertStrToName(DWORD dwCertEncodingType, LPCTSTR pszX500, DWORD dwStrType, DWORD* len) {
BYTE* str = NULL;
-
+ LPCTSTR ppszError = NULL;
+
xmlSecAssert2(pszX500 != NULL, NULL);
xmlSecAssert2(len != NULL, NULL);
if (!CertStrToName(dwCertEncodingType, pszX500, dwStrType,
- NULL, NULL, len, NULL)) {
+ NULL, NULL, len, &ppszError)) {
/* this might not be an error, string might just not exist */
+ DWORD dw = GetLastError();
return(NULL);
}
Index: src/mscrypto/x509.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509.c,v
retrieving revision 1.2
diff -u -r1.2 x509.c
--- src/mscrypto/x509.c 26 Sep 2003 00:58:13 -0000 1.2
+++ src/mscrypto/x509.c 22 Feb 2005 09:16:52 -0000
@@ -1882,7 +1882,7 @@
xmlSecAssert2(nm->pbData != NULL, NULL);
xmlSecAssert2(nm->cbData > 0, NULL);
- csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, NULL, 0);
+ csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, NULL, 0);
str = (char *)xmlMalloc(csz);
if (NULL == str) {
xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1893,7 +1893,7 @@
return (NULL);
}
- csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, str, csz);
+ csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, str, csz);
if (csz < 1) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
@@ -1904,17 +1904,37 @@
return(NULL);
}
- res = xmlStrdup(BAD_CAST str);
- if(res == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlStrdup",
- XMLSEC_ERRORS_R_MALLOC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- xmlFree(str);
- return(NULL);
- }
+ /* aleksey: this is a hack, but mscrypto can not read E= flag and wants Email= instead.
+ * don't ask me how is it possible not to read something you wrote yourself but also
+ * see comment in the xmlSecMSCryptoX509FindCert function.
+ */
+ if(strncmp(str, "E=", 2) == 0) {
+ res = xmlMalloc(strlen(str) + 13 + 1);
+ if(res == NULL) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlMalloc",
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "size=%d",
+ strlen(str) + 13 + 1);
+ xmlFree(str);
+ return(NULL);
+ }
+ memcpy(res, "emailAddress=", 13);
+ strcpy(res + 13, BAD_CAST (str + 2));
+ } else {
+ res = xmlStrdup(BAD_CAST str);
+ if(res == NULL) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlStrdup",
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ XMLSEC_ERRORS_NO_MESSAGE);
+ xmlFree(str);
+ return(NULL);
+ }
+ }
xmlFree(str);
return(res);
}
Index: src/mscrypto/x509vfy.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509vfy.c,v
retrieving revision 1.3
diff -u -r1.3 x509vfy.c
--- src/mscrypto/x509vfy.c 27 Sep 2003 03:12:22 -0000 1.3
+++ src/mscrypto/x509vfy.c 22 Feb 2005 09:16:52 -0000
@@ -567,10 +567,41 @@
if((pCert == NULL) && (NULL != issuerName) && (NULL != issuerSerial)) {
xmlSecBn issuerSerialBn;
+ xmlChar * p;
CERT_NAME_BLOB cnb;
+ CRYPT_INTEGER_BLOB cib;
BYTE *cName = NULL;
DWORD cNameLen = 0;
+
+ /* aleksey: for some unknown to me reasons, mscrypto wants Email
+ * instead of emailAddress. This code is not bullet proof and may
+ * produce incorrect results if someone has "emailAddress=" string
+ * in one of the fields, but it is best I can suggest to fix this problem.
+ * Also see xmlSecMSCryptoX509NameWrite function.
+ */
+ while( (p = (xmlChar*)xmlStrstr(issuerName, BAD_CAST "emailAddress=")) != NULL) {
+ memcpy(p, " Email=", 13);
+ }
+
+
+ /* get issuer name */
+ cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ issuerName,
+ CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG | CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
+ &cNameLen);
+ if(cName == NULL) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecMSCryptoCertStrToName",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ XMLSEC_ERRORS_NO_MESSAGE);
+ return (NULL);
+ }
+ cnb.pbData = cName;
+ cnb.cbData = cNameLen;
+
+ /* get serial number */
ret = xmlSecBnInitialize(&issuerSerialBn, 0);
if(ret < 0) {
xmlSecError(XMLSEC_ERRORS_HERE,
@@ -578,6 +609,7 @@
"xmlSecBnInitialize",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
+ xmlFree(cName);
return(NULL);
}
@@ -589,26 +621,30 @@
XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
xmlSecBnFinalize(&issuerSerialBn);
- return(NULL);
+ xmlFree(cName);
+ return(NULL);
}
- cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- issuerName,
- CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
- &cNameLen);
- if(cName == NULL) {
+ /* I have no clue why at a sudden a swap is needed to
+ * convert from lsb... This code is purely based upon
+ * trial and error :( WK
+ */
+ ret = xmlSecBnReverse(&issuerSerialBn);
+ if(ret < 0) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
- "xmlSecMSCryptoCertStrToName",
+ "xmlSecBnReverse",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
xmlSecBnFinalize(&issuerSerialBn);
- return (NULL);
+ xmlFree(cName);
+ return(NULL);
}
- cnb.pbData = cName;
- cnb.cbData = cNameLen;
- while((pCert = CertFindCertificateInStore(store,
+ cib.pbData = xmlSecBufferGetData(&issuerSerialBn);
+ cib.cbData = xmlSecBufferGetSize(&issuerSerialBn);
+
+ while((pCert = CertFindCertificateInStore(store,
PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
0,
CERT_FIND_ISSUER_NAME,
@@ -622,10 +658,9 @@
if((pCert->pCertInfo != NULL) &&
(pCert->pCertInfo->SerialNumber.pbData != NULL) &&
(pCert->pCertInfo->SerialNumber.cbData > 0) &&
- (0 == xmlSecBnCompareReverse(&issuerSerialBn, pCert->pCertInfo->SerialNumber.pbData,
- pCert->pCertInfo->SerialNumber.cbData))) {
-
- break;
+ (CertCompareIntegerBlob(&(pCert->pCertInfo->SerialNumber), &cib) == TRUE)
+ ) {
+ break;
}
}
xmlFree(cName);
Index: tests/testDSig.sh
===================================================================
RCS file: /cvs/gnome/xmlsec/tests/testDSig.sh,v
retrieving revision 1.35
diff -u -r1.35 testDSig.sh
--- tests/testDSig.sh 17 Mar 2004 05:06:48 -0000 1.35
+++ tests/testDSig.sh 22 Feb 2005 09:16:53 -0000
@@ -1,8 +1,15 @@
#!/bin/sh
+OS_ARCH=`uname -o`
+
+if [ "z$OS_ARCH" = "zCygwin" ] ; then
+ topfolder=`cygpath -wa $2`
+ xmlsec_app=`cygpath -a $3`
+else
+ topfolder=$2
+ xmlsec_app=$3
+fi
crypto=$1
-topfolder=$2
-xmlsec_app=$3
file_format=$4
pub_key_format=$file_format
@@ -13,10 +20,15 @@
if [ "z$TMPFOLDER" = "z" ] ; then
TMPFOLDER=/tmp
fi
-
timestamp=`date +%Y%m%d_%H%M%S`
-tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
-logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
+if [ "z$OS_ARCH" = "zCygwin" ] ; then
+ tmpfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.tmp`
+ logfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.log`
+else
+ tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
+ logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
+fi
+
script="$0"
# prepate crypto config folder
@@ -104,7 +116,6 @@
echo "--- testDSig started for xmlsec-$crypto library ($timestamp)" >> $logfile
echo "--- LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> $logfile
-
execDSigTest "" "merlin-xmldsig-twenty-three/signature-enveloped-dsa" \
" " \
"$priv_key_option $topfolder/keys/dsakey.$priv_key_format --pwd secret" \
@@ -238,6 +249,11 @@
"$priv_key_option tests/keys/rsakey.$priv_key_format --pwd secret" \
"--trusted-$cert_format $topfolder/keys/cacert.$cert_format"
+execDSigTest "" "aleksey-xmldsig-01/x509data-sn-test" \
+ "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509" \
+ "$priv_key_option tests/keys/rsa2key.$priv_key_format --pwd secret" \
+ "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509"
+
execDSigTest "" "merlin-exc-c14n-one/exc-signature" \
""
@@ -249,6 +265,7 @@
execDSigTest "" "merlin-xpath-filter2-three/sign-spec" \
""
+
execDSigTest "phaos-xmldsig-three" "signature-big" \
"--pubkey-cert-$cert_format certs/rsa-cert.$cert_format"
Index: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
===================================================================
RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
diff -N tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tests/aleksey-xmldsig-01/x509data-sn-test.tmpl 22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Document>
+ <ToBeSigned>
+ Some very secret data
+ </ToBeSigned>
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+ <SignedInfo>
+ <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
+ <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
+ <Reference URI="">
+ <Transforms>
+ <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
+ <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect"> //ToBeSigned </XPath>
+ </Transform>
+ </Transforms>
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
+ <DigestValue/>
+ </Reference>
+ </SignedInfo>
+ <SignatureValue/>
+ <KeyInfo>
+ <X509Data>
+ <X509IssuerSerial/>
+ </X509Data>
+ </KeyInfo>
+ </Signature>
+</Document>
Index: tests/aleksey-xmldsig-01/x509data-sn-test.xml
===================================================================
RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.xml
diff -N tests/aleksey-xmldsig-01/x509data-sn-test.xml
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tests/aleksey-xmldsig-01/x509data-sn-test.xml 22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Document>
+ <ToBeSigned>
+ Some very secret data
+ </ToBeSigned>
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+ <SignedInfo>
+ <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+ <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+ <Reference URI="">
+ <Transforms>
+ <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
+ <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect"> //ToBeSigned </XPath>
+ </Transform>
+ </Transforms>
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <DigestValue>3om1gINPzaogcdLuDdjIQlls4NE=</DigestValue>
+ </Reference>
+ </SignedInfo>
+ <SignatureValue>pcsM3Uz0+85OJTV28sg+mQ5khOCxeToam9ojj5F7D5IVXoQAnCNDuyDbKLsn0UKv
+I06RXzlb4MXb88fBJaFd4ygfpy3Ude8n6erjwxtwU6tPiesHyJB64GSD9yeSGDZt
+UnD0EYB9ammZxoqVUlZR5FiqG/vTUtjHN+Fo6DTuY+g=</SignatureValue>
+ <KeyInfo>
+ <X509Data>
+
+ <X509IssuerSerial>
+<X509IssuerName>emailAddress=xmlsec at aleksey.com,CN=Aleksey Sanin,OU=Second Level Certificate,O=XML Security Library (http://www.aleksey.com/xmlsec),ST=California,C=US</X509IssuerName>
+<X509SerialNumber>-1</X509SerialNumber>
+</X509IssuerSerial>
+</X509Data>
+ </KeyInfo>
+ </Signature>
+</Document>
Index: tests/keys/README
===================================================================
RCS file: /cvs/gnome/xmlsec/tests/keys/README,v
retrieving revision 1.6
diff -u -r1.6 README
--- tests/keys/README 30 Jul 2003 02:47:22 -0000 1.6
+++ tests/keys/README 22 Feb 2005 09:16:53 -0000
@@ -17,6 +17,8 @@
hmackey.bin HMAC key ('secret')
expired.key key for expired cert
expired.crt expired certificate
+ rsa2key.pem RSA private key
+ rsa2cert.pem Self signed RSA certificate with negative serial number
2. How certificates were generated:
@@ -66,6 +68,9 @@
Convert PEM cert file to DER file
> openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der
+
+ Convert DER cert file to PEM file
+ > openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem
4. Converting an unencrypted PEM or DER file containing a private key
to an encrypted PEM or DER file containing the same private key but
Index: tests/keys/rsa2cert.der
===================================================================
RCS file: tests/keys/rsa2cert.der
diff -N tests/keys/rsa2cert.der
Binary files /dev/null and rsa2cert.der differ
Index: tests/keys/rsa2cert.pem
===================================================================
RCS file: tests/keys/rsa2cert.pem
diff -N tests/keys/rsa2cert.pem
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tests/keys/rsa2cert.pem 22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAmQCAf8wDQYJKoZIhvcNAQEEBQAwgb8xCzAJBgNVBAYTAlVTMRMwEQYD
+VQQIEwpDYWxpZm9ybmlhMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGlicmFyeSAo
+aHR0cDovL3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMSEwHwYDVQQLExhTZWNvbmQg
+TGV2ZWwgQ2VydGlmaWNhdGUxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAfBgkq
+hkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTAeFw0wNTAyMjIwODAxNDJaFw0x
+NTAyMjAwODAxNDJaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
+YTESMBAGA1UEBxMJU3Vubnl2YWxlMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGli
+cmFyeSAoaHR0cDovL3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMTwwOgYDVQQLEzNU
+aGlyZCBsZXZlbCBjZXJ0aWZpY2F0ZSB3aXRoIG5lZ2F0aXZlIHNlcmlhbCBudW1i
+ZXIxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAONHVDP5sBVclV0pClZYjcB6Os70uGmKZzAFgq8+lUZmu9utk78ZCK0A
+NtvxjQ/C+/17plevhXFGeWgjGGbEq6OpEkAjDyXX+j5ZMI6b6zYwVEo0+Eh15Sbb
+LIYat1m4kR5A7/gIhsVKT8GfWAYzamPYrPmsa9JVDKEqsh9PPaz7AgMBAAEwDQYJ
+KoZIhvcNAQEEBQADQQAOTj9O30MjCt8darphiTDSYaLof5IvJiDfu38UnSukH/Ut
+t5C7EU+1X5/uKacfYnHs/0UQYbmq5Zsm4Zky+ht9
+-----END CERTIFICATE-----
Index: tests/keys/rsa2key.der
===================================================================
RCS file: tests/keys/rsa2key.der
diff -N tests/keys/rsa2key.der
Binary files /dev/null and rsa2key.der differ
Index: tests/keys/rsa2key.p12
===================================================================
RCS file: tests/keys/rsa2key.p12
diff -N tests/keys/rsa2key.p12
Binary files /dev/null and rsa2key.p12 differ
Index: tests/keys/rsa2key.pem
===================================================================
RCS file: tests/keys/rsa2key.pem
diff -N tests/keys/rsa2key.pem
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tests/keys/rsa2key.pem 22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,4500DDD8194CE192
+
+E1FQxiq6hX9GbvWm2HyzvfgDvFXFLjruys4cL6gCXLl7kNPBEUsi3geICO3bFVsk
+XTI/JYZQosR3mhglydDQU/JJ0JXid6T9wxdRxokr8K2O2KGFjN2n95RZ2gkDyYfd
+4/4OmGymm1g8VFUqeJuR6x2Lwh9ML2k2R8dqJqLhuoLlfp14fqlMRvzni53aTDSU
+xxLYQ0SphGpE2gdEbowZDKLx8v+w7tZvTES/4jZQL3rosPJgcSy4Hif9pSHYDK91
+e3N8rz/lyrQ1sb0z808GXVrK2h8nrJiuBAcS3S4smvKbV3fl0nu2um/ZFZPqAjiQ
+4rNa77a+uA0FmRHrtb4zL6aRwoybkaO7TwwKhCjDtM1OdCia5+sINXBdswtBwvGf
+lURgIBiORsdDNjmk4TYb3g9V3cAccnWzA80GqefiokzFteATl02c2aN+AsV2BCxv
+fBCV/mX/+ygzctK0W/auaVl/qN0kezbkrZiCr7FB/Im2IRsVJ+NZoe7BW5/LiC+F
+5mn6ExkuLwQ6o7OZpUkjQunFFE+hwiCvObSv3dhTBRn3iQg/0i7Ufb8FcQfF7Mfy
+4oK1yZqvnHoH8BbeTuGYY/PRFIdXwM+mEJy1Sk8pBcGwMNlJf6UdTCvRoQ1SB+a0
+EpMP1/AgZ2F4MVOuZLYOp7OOLTaB9Yu92Gtm9g0YbMg6OKkkoW5SVuk+Kvo8tv/3
+ITY8bLfSn2T0MRRwds71uW9vo4IhN/IT6Js+xEteY4kaufXtcSIZ+h6XrmjuoxZR
+voBxkA4KgGUKKU1aemeHUCxzdqYlhrLvlXcjxvPmCjKdFjc9PX1/Ag==
+-----END RSA PRIVATE KEY-----
Index: win32/Makefile.msvc
===================================================================
RCS file: /cvs/gnome/xmlsec/win32/Makefile.msvc,v
retrieving revision 1.27
diff -u -r1.27 Makefile.msvc
--- win32/Makefile.msvc 9 Jun 2004 14:35:12 -0000 1.27
+++ win32/Makefile.msvc 22 Feb 2005 09:16:54 -0000
@@ -456,21 +456,21 @@
check-keys : $(BINDIR)\$(APP_NAME)
cd ..
if not exist win32\tmp mkdir win32\tmp
- set TMPFOLDER=win32\tmp
+ set TMPFOLDER=win32/tmp
sh ./tests/testKeys.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
cd win32
check-dsig : $(BINDIR)\$(APP_NAME)
cd ..
if not exist win32\tmp mkdir win32\tmp
- set TMPFOLDER=win32\tmp
+ set TMPFOLDER=win32/tmp
sh ./tests/testDSig.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
cd win32
check-enc : $(BINDIR)\$(APP_NAME)
cd ..
if not exist win32\tmp mkdir win32\tmp
- set TMPFOLDER=win32\tmp
+ set TMPFOLDER=win32/tmp
sh ./tests/testEnc.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
cd win32
More information about the xmlsec
mailing list