[xmlsec] how verify sig using xmlAddID and local certs!
Renato Tegon Forti
re.tf at acm.org
Mon Jun 11 05:39:19 PDT 2012
Hi All,
I'm trying to understand how the xmlsec tool interprets this command:
xmlsec1 --verify --id-attr:Id infNFe file.xml
which parts of code are activated! Need to reproduce this behavior in my
code
Can someone explain to me?
In special how "xmlSecAppLoadKeys" load CA 's files of /usr/lib/ssl/certs/ :
(for sample. openssl ssl files folder) !
I need use "xmlAddID" to add "infNFe" like an id! Ok? How?
Anything else!
My test code:
// Copyright 2011-2012 Renato Tegon Forti
#define BOOST_ALL_DYN_LINK
#define BOOST_THREAD_USE_DLL //thread header not compliant with
'BOOST_ALL_DYN_LINK'
#define BOOST_LIB_DIAGNOSTIC
#include <boost/test/minimal.hpp>
#include <dsafe/xmlsig.hpp>
#define XMLSEC_CRYPTO_OPENSSL
#include <libxml/tree.h>
#include <libxml/xmlmemory.h>
#include <libxml/parser.h>
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
#include <xmlsec/xmltree.h>
#include <xmlsec/xmldsig.h>
#include <xmlsec/xmlenc.h>
#include <xmlsec/templates.h>
#include <xmlsec/crypto.h>
/**
* verify_file:
* @mngr: the pointer to keys manager.
* @xml_file: the signed XML file name.
*
* Verifies XML signature in #xml_file.
*
* Returns 0 on success or a negative value if an error occurs.
*/
int
verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file)
{
xmlDocPtr doc = NULL;
xmlNodePtr node = NULL;
xmlSecDSigCtxPtr dsigCtx = NULL;
int res = -1;
assert(mngr);
assert(xml_file);
/* load file */
doc = xmlParseFile(xml_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
fprintf(stderr, "Error: unable to parse file \"%s\"\n",
xml_file);
goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature,
xmlSecDSigNs);
if(node == NULL) {
fprintf(stderr, "Error: start node not found in \"%s\"\n",
xml_file);
goto done;
}
/* create signature context */
dsigCtx = xmlSecDSigCtxCreate(mngr);
if(dsigCtx == NULL) {
fprintf(stderr,"Error: failed to create signature context\n");
goto done;
}
/* limit the Reference URI attributes to empty or NULL */
dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
/* limit allowed transforms for siganture and reference processing */
if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
xmlSecTransformInclC14NId) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
xmlSecTransformExclC14NId) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
xmlSecTransformSha1Id) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
xmlSecTransformRsaSha1Id) < 0)) {
fprintf(stderr,"Error: failed to limit allowed siganture
transforms\n");
goto done;
}
if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
xmlSecTransformInclC14NId) < 0) ||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
xmlSecTransformExclC14NId) < 0) ||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
xmlSecTransformSha1Id) < 0) ||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
xmlSecTransformEnvelopedId) < 0)) {
fprintf(stderr,"Error: failed to limit allowed reference
transforms\n");
goto done;
}
/* in addition, limit possible key data to valid X509 certificates only
*/
if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST
xmlSecKeyDataX509Id) < 0) {
fprintf(stderr,"Error: failed to limit allowed key data\n");
goto done;
}
/* Verify signature */
if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
fprintf(stderr,"Error: signature verify\n");
goto done;
}
/* check that we have only one Reference */
if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
(xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1)) {
fprintf(stderr,"Error: only one reference is allowed\n");
goto done;
}
/* print verification result to stdout */
if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
fprintf(stdout, "Signature is OK\n");
} else {
fprintf(stdout, "Signature is INVALID\n");
}
/* success */
res = 0;
done:
/* cleanup */
if(dsigCtx != NULL) {
xmlSecDSigCtxDestroy(dsigCtx);
}
if(doc != NULL) {
xmlFreeDoc(doc);
}
return(res);
}
int
init_allxml_lib()
{
// Init libxml and libxslt libraries
xmlInitParser();
LIBXML_TEST_VERSION
xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
xmlSubstituteEntitiesDefault(1);
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif // XMLSEC_NO_XSLT
// Init xmlsec library
if(xmlSecInit() < 0) {
fprintf(stderr, "Error: xmlsec initialization failed.\n");
return(-1);
}
// Check loaded library version
if(xmlSecCheckVersion() != 1) {
fprintf(stderr, "Error: loaded xmlsec library version is not
compatible.\n");
return(-1);
}
// Load default crypto engine if we are supporting dynamic
// loading for xmlsec-crypto libraries. Use the crypto library
// name ("openssl", "nss", etc.) to load corresponding
// xmlsec-crypto library.
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
fprintf(stderr, "Error: unable to load default xmlsec-crypto library.
Make sure\n"
"that you have it installed
and check shared libraries path\n"
"(LD_LIBRARY_PATH) envornment
variable.\n");
return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
// Init crypto library
if(xmlSecCryptoAppInit(NULL) < 0) {
fprintf(stderr, "Error: crypto initialization failed.\n");
return(-1);
}
// Init xmlsec-crypto library
if(xmlSecCryptoInit() < 0) {
fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
return(-1);
}
return 0;
}
void
fnit_allxml_lib()
{
// Shutdown xmlsec-crypto library
xmlSecCryptoShutdown();
//Shutdown crypto library
xmlSecCryptoAppShutdown();
//Shutdown xmlsec library
xmlSecShutdown();
// Shutdown libxslt/libxml
#ifndef XMLSEC_NO_XSLT
xsltCleanupGlobals();
#endif //XMLSEC_NO_XSLT
xmlCleanupParser();
}
const std::string XML_FILE =
"/Projects/project.dokfile.vses/hades/trunk/products/doksafe/engine/libs/xml
dsig/test/"
"mt-embedded-id-dtd-attr.xml";
// "mt.xml";
// Unit Tests
void do_0()
{
xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
if(mngr == NULL)
{
fprintf(stderr, "Error: failed to create keys manager.\n");
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0)
{
fprintf(stderr, "Error: failed to initialize keys manager.\n");
xmlSecKeysMngrDestroy(mngr);
}
BOOST_CHECK(init_allxml_lib() == 0);
BOOST_CHECK(verify_file(mngr, XML_FILE.c_str()) == 0);
fnit_allxml_lib();
}
// -
int test_main(int, char*[])
{
do_0();
return 0;
}
Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120611/239523b2/attachment-0001.html>
More information about the xmlsec
mailing list