[Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs mscrypto

Edward Shallow ed.shallow at rogers.com
Wed Jan 11 19:29:26 PST 2006


Aleksey wrote:

Please, try to reproduce the problem with xmlsec command line utility.




Good suggestion ... 

Here are the results using xmlsec 1.2.8 ...

With trusted certs loaded
*************************

C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der
inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0


Without trusted certs loaded
****************************

C:\XMLSec>xmlsec verify --crypto mscrypto inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

This is the same as what I am seeing programmatically with mscrypto. No cert
chain checking with 1.2.8 mscrypto ???

Ed


Here is the verbose output using --store-references for both tests ...


C:\XMLSec>xmlsec verify --crypto mscrypto --store-references --trusted-der
keys/upu-cacert.der inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key name: E=CAAdmin at upu.int,CN=Test User 1,OU=Electronic Post Mark,O=For
Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
=== key usage: -1
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Key Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
CAAdmin at upu.int

06
==== Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
CAAdmin at upu.int

06
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Document>
        <Data>
                <SubData1>
                        <SubSubData1 MimeType="text/plain">This is the data
to be signed.</SubSubData1>
                        <SubSubData2 MimeType="text/plain">This is the data
to be signed.</SubSubData2>
                        <SubSubData3 MimeType="text/plain">This is the data
to be signed.</SubSubData3>
                </SubData1>
                <SubData2>This is the data to be signed.</SubData2>
                <SubData3>This is the data to be signed.</SubData3>
        </Data>

</Document>
== PreDigest data - end buffer
== Manifest References List:
=== list size: 0






C:\XMLSec>xmlsec verify --crypto mscrypto --store-references
inout/edsigned-enveloped.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key name: E=CAAdmin at upu.int,CN=Test User 1,OU=Electronic Post Mark,O=For
Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
=== key usage: -1
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Key Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
CAAdmin at upu.int

06
==== Certificate:
=== X509 Certificate
==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
CAAdmin at upu.int

06
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Document>
        <Data>
                <SubData1>
                        <SubSubData1 MimeType="text/plain">This is the data
to be signed.</SubSubData1>
                        <SubSubData2 MimeType="text/plain">This is the data
to be signed.</SubSubData2>
                        <SubSubData3 MimeType="text/plain">This is the data
to be signed.</SubSubData3>
                </SubData1>
                <SubData2>This is the data to be signed.</SubData2>
                <SubData3>This is the data to be signed.</SubData3>
        </Data>

</Document>
== PreDigest data - end buffer
== Manifest References List:
=== list size: 0 

 

-----Original Message-----
From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
Behalf Of Aleksey Sanin
Sent: January 11, 2006 2:26 PM
To: ed.shallow at rogers.com
Cc: xmlsec at aleksey.com
Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs
mscrypto

Please, try to reproduce the problem with xmlsec command line utility.

Aleksey

Edward Shallow wrote:
> Aleksey wrote ... 
> 
> I do believe that the xmlsec-mscrypto code *does* build the chain and 
> it
> *does* verify it against the "trusted" certificates installed by the app. 
> With Dmitry's patch, xmlsec-mscrypto *also* uses trusted certificates 
> from the MSCrypto certificates store.
> 
> 
> 
> Yes this is what I thought too. But my test on 1.2.8 (shown in 
> previous post and included below) never checks whether I load the trusted
certs or not ???
> 2nd last line.
> 
> I don't mind waiting for Dmitry's patch, I was just trying to get it 
> going now.
> 
> Ed
> 
>  
> 
> xmlsec.xmlSecInit()
> xmlsec.xmlSecCryptoDLInit()
> xmlsec.xmlSecCryptoDLLoadLibrary('mscrypto')
> xmlsec.xmlSecCryptoAppInit('MY')
> xmlsec.xmlSecCryptoInit()
> parsedDoc = libxml2.xmlParseFile('c:/xmlsec/inout/edsigned-enveloped.xml')
> trustedDer = 'c:/xmlsec/keys/cacert.der'
<===
> trusted root in der format
> rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
> sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature',
> 'http://www.w3.org/2000/09/xmldsig#')
> keysMngr = xmlsec.xmlSecKeysMngrCreate()
> xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
> dsigCtx = xmlsec.xmlSecDSigCtxCreate() 
> xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr) 
> xmlsec.xmlSecCryptoAppKeysMngrCertLoad(keysMngr, trustedDer, 3, 256)
> <===    load trusted root
> xmlsec.xmlSecDSigCtxVerify(dsigCtx, sigNode)
> 
> 
> 
_______________________________________________
xmlsec mailing list
xmlsec at aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec





More information about the xmlsec mailing list