[xmlsec] Loading publickeys from KeyInfo/X509Data
Aleksey Sanin
aleksey at aleksey.com
Wed Feb 10 09:24:41 PST 2010
Right. There is a problem that the DONT_VERIFY_CERTS
flag disables both certs verification and key extraction.
The problem is that w/o verification you can't build certs
chain and you don't know which certificate is the "top" one
to use for key extraction.
Aleksey
On 2/10/2010 8:48 AM, Benjamin Dauvergne wrote:
> Hi,
>
> We are using XMLSec inside the library Lasso
> (http://lasso.entrouvert.org) to handle XML signature and encryption in
> SAML 1.0 and 2.0 protocols. I recently changed our ad-hoc (and wrong ;)
> ) code for reading KeyInfo nodes for using xmlSecKeyInfoNodeRead in
> order to support all the KeyInfo content out there (RSAKeyValue and all)
> correctly.
>
> My problem is that if we disable certificate validation (as SAML advice
> us to do when consuming service metadatas) with
> XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS then the public key of
> the certificate is not loaded only the certificate is attached to the
> xmlSecKey structure. I do not think that this is the behaviour expected.
> I tried setting certsVerificationDepth to 0, in order to at least accept
> self-signed certificate (which would be a beginning) but I discovered
> this flag is of no-use since it is not propagated to backends (here we
> use OpenSSL) verification context.
>
> So for the moment I'm forced to load the key by hand but it adds a
> strong coupling between our library and OpenSSL (that we expected xmlsec
> could hide). Here is the code for fixing badly loaded public keys:
>
> xmlSecErrorsDefaultCallbackEnableOutput(FALSE);
> rc = xmlSecKeyInfoNodeRead(key_info, key, &ctx);
> xmlSecErrorsDefaultCallbackEnableOutput(TRUE);
> xmlSecKeyInfoCtxFinalize(&ctx);
>
> if (rc == 0) {
> xmlSecKeyDataPtr cert_data;
>
> cert_data = xmlSecKeyGetData(key, xmlSecOpenSSLKeyDataX509Id);
>
> if (cert_data) {
> cert = xmlSecOpenSSLKeyDataX509GetCert(cert_data, 0);
> if (cert) {
> xmlSecKeyDataPtr cert_key;
>
> cert_key = xmlSecOpenSSLX509CertGetKey(cert);
> rc = xmlSecKeySetValue(key, cert_key);
> if (rc < 0) {
> xmlSecKeyDataDestroy(cert_key);
> goto next;
> }
> }
> }
> }
>
> The full code of the function is at:
> http://perso.entrouvert.org/~bdauvergne/git/cgit.cgi?url=lasso-perso/tree/lasso/xml/tools.c#n2003
>
>
> I'm thinking of making patch to xmlsec to load the key anyway when
> validation is disabled, and to support certsVerificationDepth for
> OpenSSL. What do you think of this program ?
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list