[Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs mscrypto

Aleksey Sanin aleksey at aleksey.com
Wed Jan 11 22:01:25 PST 2006


Can you share the designed-enveloped.xml and upu-cacert.der, please?

Aleksey

Edward Shallow wrote:
> Aleksey wrote:
> 
> Please, try to reproduce the problem with xmlsec command line utility.
> 
> 
> 
> 
> Good suggestion ... 
> 
> Here are the results using xmlsec 1.2.8 ...
> 
> With trusted certs loaded
> *************************
> 
> C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der
> inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> 
> 
> Without trusted certs loaded
> ****************************
> 
> C:\XMLSec>xmlsec verify --crypto mscrypto inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> 
> This is the same as what I am seeing programmatically with mscrypto. No cert
> chain checking with 1.2.8 mscrypto ???
> 
> Ed
> 
> 
> Here is the verbose output using --store-references for both tests ...
> 
> 
> C:\XMLSec>xmlsec verify --crypto mscrypto --store-references --trusted-der
> keys/upu-cacert.der inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key name: E=CAAdmin at upu.int,CN=Test User 1,OU=Electronic Post Mark,O=For
> Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
> === key usage: -1
> === rsa key: size = 1024
> === list size: 1
> === X509 Data:
> ==== Key Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
> Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
> Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
> CAAdmin at upu.int
> 
> 06
> ==== Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
> Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
> Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
> CAAdmin at upu.int
> 
> 06
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI: ""
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: enveloped-signature
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Document>
>         <Data>
>                 <SubData1>
>                         <SubSubData1 MimeType="text/plain">This is the data
> to be signed.</SubSubData1>
>                         <SubSubData2 MimeType="text/plain">This is the data
> to be signed.</SubSubData2>
>                         <SubSubData3 MimeType="text/plain">This is the data
> to be signed.</SubSubData3>
>                 </SubData1>
>                 <SubData2>This is the data to be signed.</SubData2>
>                 <SubData3>This is the data to be signed.</SubData3>
>         </Data>
> 
> </Document>
> == PreDigest data - end buffer
> == Manifest References List:
> === list size: 0
> 
> 
> 
> 
> 
> 
> C:\XMLSec>xmlsec verify --crypto mscrypto --store-references
> inout/edsigned-enveloped.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key name: E=CAAdmin at upu.int,CN=Test User 1,OU=Electronic Post Mark,O=For
> Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH
> === key usage: -1
> === rsa key: size = 1024
> === list size: 1
> === X509 Data:
> ==== Key Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
> Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
> Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
> CAAdmin at upu.int
> 
> 06
> ==== Certificate:
> === X509 Certificate
> ==== Subject Name: CH, Berne, Berne, Universal Postal Union, For Test Use
> Only, Electronic Post Mark, Test User 1, CAAdmin at upu.int
> ==== Issuer Name: CH, Berne, Berne, Universal Postal Union, For Test Use
> Only, Electronic Post Mark, Universal Postal Union Pilot EPM Authority,
> CAAdmin at upu.int
> 
> 06
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI: ""
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: enveloped-signature
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Document>
>         <Data>
>                 <SubData1>
>                         <SubSubData1 MimeType="text/plain">This is the data
> to be signed.</SubSubData1>
>                         <SubSubData2 MimeType="text/plain">This is the data
> to be signed.</SubSubData2>
>                         <SubSubData3 MimeType="text/plain">This is the data
> to be signed.</SubSubData3>
>                 </SubData1>
>                 <SubData2>This is the data to be signed.</SubData2>
>                 <SubData3>This is the data to be signed.</SubData3>
>         </Data>
> 
> </Document>
> == PreDigest data - end buffer
> == Manifest References List:
> === list size: 0 
> 
>  
> 
> -----Original Message-----
> From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
> Behalf Of Aleksey Sanin
> Sent: January 11, 2006 2:26 PM
> To: ed.shallow at rogers.com
> Cc: xmlsec at aleksey.com
> Subject: [Bulk] Re: [Bulk] Re: [Bulk] Re: [xmlsec] Verify - OpenSSL vs
> mscrypto
> 
> Please, try to reproduce the problem with xmlsec command line utility.
> 
> Aleksey
> 
> Edward Shallow wrote:
>> Aleksey wrote ... 
>>
>> I do believe that the xmlsec-mscrypto code *does* build the chain and 
>> it
>> *does* verify it against the "trusted" certificates installed by the app. 
>> With Dmitry's patch, xmlsec-mscrypto *also* uses trusted certificates 
>> from the MSCrypto certificates store.
>>
>>
>>
>> Yes this is what I thought too. But my test on 1.2.8 (shown in 
>> previous post and included below) never checks whether I load the trusted
> certs or not ???
>> 2nd last line.
>>
>> I don't mind waiting for Dmitry's patch, I was just trying to get it 
>> going now.
>>
>> Ed
>>
>>  
>>
>> xmlsec.xmlSecInit()
>> xmlsec.xmlSecCryptoDLInit()
>> xmlsec.xmlSecCryptoDLLoadLibrary('mscrypto')
>> xmlsec.xmlSecCryptoAppInit('MY')
>> xmlsec.xmlSecCryptoInit()
>> parsedDoc = libxml2.xmlParseFile('c:/xmlsec/inout/edsigned-enveloped.xml')
>> trustedDer = 'c:/xmlsec/keys/cacert.der'
> <===
>> trusted root in der format
>> rootNode = libxml2.xmlDocGetRootElement(parsedDoc)
>> sigNode = xmlsec.xmlSecFindNode(rootNode, 'Signature',
>> 'http://www.w3.org/2000/09/xmldsig#')
>> keysMngr = xmlsec.xmlSecKeysMngrCreate()
>> xmlsec.xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
>> dsigCtx = xmlsec.xmlSecDSigCtxCreate() 
>> xmlsec.xmlSecDSigCtxInitialize(dsigCtx, keysMngr) 
>> xmlsec.xmlSecCryptoAppKeysMngrCertLoad(keysMngr, trustedDer, 3, 256)
>> <===    load trusted root
>> xmlsec.xmlSecDSigCtxVerify(dsigCtx, sigNode)
>>
>>
>>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec



More information about the xmlsec mailing list