[xmlsec] Verify - OpenSSL vs mscrypto

Dmitry Belyavsky beldmit at cryptocom.ru
Wed Jan 11 00:29:22 PST 2006


Greetings!

On Tue, 10 Jan 2006, Edward Shallow wrote:

> Hi Folks,
>
>    I need direction to sort through the differing requirements of
> verification across openssl versus mscrypto. I innocently assume that the
> code should be identical except the DL loading itself.
>
> Here is the rough call sequence for openssl Test 1 ... It works perfectly
>
> xmlsec.xmlSecInit()
> xmlsec.xmlSecCryptoDLInit()
> xmlsec.xmlSecCryptoDLLoadLibrary('openssl')
> xmlsec.xmlSecCryptoAppInit()
> xmlsec.xmlSecCryptoInit()
> parsedDoc = libxml2.xmlParseFile('c:/xmlsec/inout/edsigned-enveloped.xml')
> trustedDer = 'c:/xmlsec/keys/cacert.der'
> rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
> sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature',
> 'http://www.w3.org/2000/09/xmldsig#')
> keysMngr = xmlsec.xmlSecKeysMngrCreate()
> xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
> dsigCtx = xmlsec.xmlSecDSigCtxCreate()
> xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
> xmlsec.xmlSecCryptoAppKeysMngrCertLoad(keysMngr, trustedDer, 3, 256)
> xmlsec.xmlSecDSigCtxVerify(dsigCtx, sigNode)
>
> Test 3: When I do the above and only change
> xmlSecCryptoDLLoadLibrary('mscrypto') and xmlsec.xmlSecCryptoAppInit('MY')
> it always returns success. That is, xmlSecMSX509StoreVerify does not seem to
> be checking the certificate chain.
>
> Dmitry's patch aside ... What am I supposed to do to get mscrypto to check
> the cert chain? To check the CRL?

Edward, when you verify the signature using your own certs ('MY' cert
storage), the library doesn't verify the chain using my patch. To see that my
patch really works you need to verify the signature from the other
user's account with the signer's CA cert and CRL installed.

Thank you!

-- 
SY, Dmitry Belyavsky (ICQ UIN 11116575)



