[xmlsec] Unable to verify Multiple <X509Certificate> in a single signed XML
Aleksey Sanin
aleksey at aleksey.com
Tue Dec 28 14:39:13 PST 2010
I think this is a bad idea as you already understood.
Aleksey
On 12/28/10 8:27 AM, Naval Patel wrote:
> Hi Aleksey,
>
> I tried to verify the test file which is placed on your website at
> [http://www.aleksey.com/xmlsec/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml]
> using online tool present on your site as well as using a locally placed
> xmlsec.exe. The command i am using locally is
>
> xmlsec.exe --verify signature.xml [Please tell me if I am not using the
> command correctly]
>
> I error I get is still the same after all the different efforts i have
> put in.
>
> The current procedure i am following is:
>
> 1. Read the signature.xml file and add each certificate as trusted pem.
> 2. in X509_vfy.c, i would delete all the certs which are not self-signed
> or intermediate CA.
>
> The verification succeeds in this way of verification.
> The risk i see in this process is that I am simply trusting any
> certificates that are present in the signature.xml which is a big threat.
>
> Will be extremely glad to know your response at your earliest.
>
> Regards,
> Naval.
>
>
> On Wed, Dec 22, 2010 at 11:32 AM, Naval Patel <www.naval.com
> <http://www.naval.com>@gmail.com <http://gmail.com>> wrote:
>
> This is the error when root CA is in the signed xml
>
> func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy
> .c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function
> failed:subj=/C=IN/ST=Mah/L=Pune/O=Agreeya/OU=Almond/CN=rootca/emailAd
> dress=rootca at agreeya.com <mailto:rootca at agreeya.com>;err=19;msg=self
> signed certificate in certificate chain
> func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy
> .c:line=408:obj=x509-store:subj=unknown:error=71:certificate
> verification failed:err=19;msg=self signed certificate in
> certificate chain
>
> this is the error when root ca is not in the signed xml, but passed
> explicitly as trusted.
>
> func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy
> .c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function
> failed:subj=/C=IN/ST=Maharashtra/L=Pune/O=Agreeya/OU=Almond/CN=ca1/em
> ailAddress=ca1 at agreeya.com
> <mailto:ca1 at agreeya.com>;err=24;msg=invalid CA certificate
> func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy
> .c:line=408:obj=x509-store:subj=unknown:error=71:certificate
> verification failed:err=24;msg=invalid CA certificate
>
>
> Thanks,
> Naval.
>
>
> On Wed, Dec 22, 2010 at 11:27 AM, Aleksey Sanin <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>> wrote:
>
> Could you please copy/paste the complete error?
>
> Aleksey
>
>
> On 12/21/10 9:56 PM, Naval Patel wrote:
>
> If the entire cert chain is in the signed document the error
> i get is
> msg=self signed certificate in certificate chain
>
> if i remove the Root certificate from the chain in the
> signed xml file,
> and pass a root certificate as trusted, then i get the error as
> msg=invalid CA certificate
>
> is there something that i am missing or this is not the
> right way to do?
>
> thanks :)
>
> Naval.
>
> On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin
> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>
> wrote:
>
> What errors do you get?
>
> Aleksey
>
>
> On 12/21/10 12:38 AM, Naval Patel wrote:
>
> Hi,
>
> Its been quite some time i am modifying my code to
> allow a
> signed xml
> document containing the entire chain of certificates
> from "Local
> cert"
> through CAs and ultimately the Root CA. I have
> debugged the code
> till
> the call goes to *X509_verify_cert(&xsc)*. I have
> observed that
> for each
> *<X509Certificate> *the xmlsec adds the certificate
> to the
> X509_STACK.
> The function call
> (*xmlSecOpenSSLX509FindNextChainCert*) inside
> the *for
> loop* inside the function
> *xmlSecOpenSSLX509StoreVerify* with the
> comment [/* get one cert after another and try to
> verify */] returns
> NULL only when it finds that the certificate does
> not extend any
> other
> certificates.
>
> I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem.
>
> If i simply execute the signeddoc.xml, I am
> receiving the error
> [*msg=invalid CA certificate* for CA2.pem] ... the
> command used is
> *xmlsec.exe verify --trusted-pem RootCa.pem
> signeddoc.xml*
> I broke the certificate chain by removing RootCa.pem
> from the
> signeddoc.xml and the error i received is same as of
> the above case
> *xmlsec.exe verify --trusted-pem RootCa.pem
> signeddoc.xml
> *I changed the command for the above file as
> *xmlsec.exe verify
> --trusted-pem RootCa.pem --trusted-pem CA2.pem
> signeddoc.xml*,
> still the
> error was same
> I maintained only CA1, CA2 and signerCert.pem in
> signeddoc.xml
> and used
> the command *xmlsec.exe verify --trusted-pem RootCa.pem
> --trusted-pem
> CA1.pem --trusted-pem CA2.pem signeddoc.xml
> *Now I removed CA2 from the signeddoc.xml and kept
> only CA1 and
> signerCert.pem, and used the command *xmlsec.exe verify
> --trusted-pem
> RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem
> signeddoc.xml ...
> *i could see that the verification was passing.
>
> I have deviced another way too to make this work,
> but i am not
> sure how
> good this way is...
>
> before passing the signeddoc.xml to xmlsec, I load the
> x509certificate
> as trusted using the api
> *xmlSecCryptoAppKeysMngrCertLoadMemory*
> but the
> problem is not solved because the same document
> continues to be
> evaluated by xmlsec later and the results produced
> are same.
>
> Another alternative i thought was once the function
> *xmlSecOpenSSLX509FindNextChainCert *returns NULL, I
> would
> remove the
> other certificates from the STACK. That way, i will
> have trusted
> certs
> loaded to the global stack and while signerCert.pem
> is verified.
>
> Please let me know your suggestions, I will try your
> suggested
> methods.
>
> And thanks a lot for this library, it had done
> wonders for my
> work till
> now :)
>
> I had read an email from the archive
>
> [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but i
> could not get the break through yet :(
>
> Regards,
> Naval
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
>
> --
> Naval Patel
> ~ have fun ~
>
>
>
>
> --
> Naval Patel
> ~ have fun ~
>
>
>
>
> --
> Naval Patel
> ~ have fun ~
More information about the xmlsec
mailing list