[xmlsec] RES: how verify sig using xmlAddID and local certs!
Renato Tegon Forti
re.tf at acm.org
Mon Jun 11 07:09:58 PDT 2012
Hi
>> xmlAddID - look at LibXML2 documentation for the function, it's pretty
simple.
OK
>> Actually default trusted certs are loaded in the xmlsec-openssl init
function.
Then I don't need load certs in "xmlSecKeysMngrPtr"?
I am trying to use sample "Verifying a signature with X 509 certificates."
And I changed load_trusted_certs to accept a vector with keys file, like:
----------------------------------------------------------------------------
---------------------------------
std::vector<std::string> certs;
certs.push_back("/usr/lib/ssl/certs/Serasa_Certificadora_Digital_v2.pem");
certs.push_back("/usr/lib/ssl/certs/Serasa_Autoridade_Certificadora_Principa
l_v2.pem");
certs.push_back("/usr/lib/ssl/certs/Autoridade_Certificadora_Raiz_Brasileira
_v2.pem");
mngr = load_trusted_certs(certs);
----------------------------------------------------------------------------
---------------------------------
And for now, I using DTD on xml file:
----------------------------------------------------------------------------
---------------------------------
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [
<!ATTLIST infNFe Id ID #IMPLIED>
]>
----------------------------------------------------------------------------
---------------------------------
But always I received: "Signature is INVALID"!
If I use xmlsec1 command, its work in some file!
----------------------------------------------------------------------------
---------------------------------
afe/engine/libs/xmldsig/test$ xmlsec1 --verify mt-embedded-id-dtd-attr.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
----------------------------------------------------------------------------
---------------------------------
How I can print debug into to try see what's happening?
My current code, and file that I need check is attached!
Thanks again, and again, and again ...!
-----Mensagem original-----
De: Aleksey Sanin [mailto:aleksey at aleksey.com]
Enviada em: segunda-feira, 11 de junho de 2012 10:46
Para: Renato Tegon Forti
Cc: xmlsec at aleksey.com
Assunto: Re: [xmlsec] how verify sig using xmlAddID and local certs!
1) xmlAddID - look at LibXML2 documentation for the function, it's pretty
simple.
2) Actually default trusted certs are loaded in the xmlsec-openssl init
function.
Aleksey
On 6/11/12 5:39 AM, Renato Tegon Forti wrote:
> Hi All,
>
>
>
> I'm trying to understand how the xmlsec tool interprets this command:
>
>
>
> xmlsec1 --verify --id-attr:Id infNFe file.xml
>
>
>
> which parts of code are activated! Need to reproduce this behavior in
> my code
>
>
>
> Can someone explain to me?
>
>
>
> In special how "xmlSecAppLoadKeys" load CA 's files of
> /usr/lib/ssl/certs/ : (for sample. openssl ssl files folder) !
>
>
>
> I need use "xmlAddID" to add "infNFe" like an id! Ok? How?
>
>
>
> Anything else!
>
>
>
> My test code:
>
>
>
> // Copyright 2011-2012 Renato Tegon Forti
>
>
>
> #define BOOST_ALL_DYN_LINK
>
> #define BOOST_THREAD_USE_DLL //thread header not compliant with
> 'BOOST_ALL_DYN_LINK'
>
> #define BOOST_LIB_DIAGNOSTIC
>
>
>
> #include <boost/test/minimal.hpp>
>
> #include <dsafe/xmlsig.hpp>
>
>
>
> #define XMLSEC_CRYPTO_OPENSSL
>
>
>
> #include <libxml/tree.h>
>
> #include <libxml/xmlmemory.h>
>
> #include <libxml/parser.h>
>
>
>
> #ifndef XMLSEC_NO_XSLT
>
> #include <libxslt/xslt.h>
>
> #endif /* XMLSEC_NO_XSLT */
>
>
>
> #include <xmlsec/xmlsec.h>
>
> #include <xmlsec/xmltree.h>
>
> #include <xmlsec/xmldsig.h>
>
> #include <xmlsec/xmlenc.h>
>
> #include <xmlsec/templates.h>
>
> #include <xmlsec/crypto.h>
>
>
>
>
>
> /**
>
> * verify_file:
>
> * @mngr: the pointer to keys manager.
>
> * @xml_file: the signed XML file name.
>
> *
>
> * Verifies XML signature in #xml_file.
>
> *
>
> * Returns 0 on success or a negative value if an error occurs.
>
> */
>
> int
>
> verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file)
>
> {
>
> xmlDocPtr doc = NULL;
>
> xmlNodePtr node = NULL;
>
> xmlSecDSigCtxPtr dsigCtx = NULL;
>
> int res = -1;
>
>
>
> assert(mngr);
>
> assert(xml_file);
>
>
>
> /* load file */
>
> doc = xmlParseFile(xml_file);
>
> if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
>
> fprintf(stderr, "Error: unable to parse file
> \"%s\"\n", xml_file);
>
> goto done;
>
> }
>
>
>
> /* find start node */
>
> node = xmlSecFindNode(xmlDocGetRootElement(doc),
> xmlSecNodeSignature, xmlSecDSigNs);
>
> if(node == NULL) {
>
> fprintf(stderr, "Error: start node not found in
> \"%s\"\n", xml_file);
>
> goto done;
>
> }
>
>
>
> /* create signature context */
>
> dsigCtx = xmlSecDSigCtxCreate(mngr);
>
> if(dsigCtx == NULL) {
>
> fprintf(stderr,"Error: failed to create signature context\n");
>
> goto done;
>
> }
>
>
>
>
>
>
>
>
>
> /* limit the Reference URI attributes to empty or NULL */
>
> dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
>
>
>
> /* limit allowed transforms for siganture and reference processing
> */
>
> if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformInclC14NId) < 0) ||
>
> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformExclC14NId) < 0) ||
>
> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformSha1Id) < 0) ||
>
> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
> xmlSecTransformRsaSha1Id) < 0)) {
>
>
>
> fprintf(stderr,"Error: failed to limit allowed siganture
> transforms\n");
>
> goto done;
>
> }
>
> if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformInclC14NId) < 0) ||
>
> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformExclC14NId) < 0) ||
>
> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformSha1Id) < 0) ||
>
> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
> xmlSecTransformEnvelopedId) < 0)) {
>
>
>
> fprintf(stderr,"Error: failed to limit allowed reference
> transforms\n");
>
> goto done;
>
> }
>
>
>
> /* in addition, limit possible key data to valid X509 certificates
> only */
>
> if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
> BAD_CAST xmlSecKeyDataX509Id) < 0) {
>
> fprintf(stderr,"Error: failed to limit allowed key data\n");
>
> goto done;
>
> }
>
>
>
> /* Verify signature */
>
> if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>
> fprintf(stderr,"Error: signature verify\n");
>
> goto done;
>
> }
>
>
>
> /* check that we have only one Reference */
>
> if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
>
> (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1))
> {
>
>
>
> fprintf(stderr,"Error: only one reference is allowed\n");
>
> goto done;
>
> }
>
>
>
> /* print verification result to stdout */
>
> if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>
> fprintf(stdout, "Signature is OK\n");
>
> } else {
>
> fprintf(stdout, "Signature is INVALID\n");
>
> }
>
>
>
> /* success */
>
> res = 0;
>
>
>
> done:
>
> /* cleanup */
>
> if(dsigCtx != NULL) {
>
> xmlSecDSigCtxDestroy(dsigCtx);
>
> }
>
>
>
> if(doc != NULL) {
>
> xmlFreeDoc(doc);
>
> }
>
> return(res);
>
>
>
> }
>
>
>
> int
>
> init_allxml_lib()
>
> {
>
> // Init libxml and libxslt libraries
>
> xmlInitParser();
>
>
>
> LIBXML_TEST_VERSION
>
> xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>
> xmlSubstituteEntitiesDefault(1);
>
> #ifndef XMLSEC_NO_XSLT
>
> xmlIndentTreeOutput = 1;
>
> #endif // XMLSEC_NO_XSLT
>
>
>
> // Init xmlsec library
>
> if(xmlSecInit() < 0) {
>
> fprintf(stderr, "Error: xmlsec initialization failed.\n");
>
> return(-1);
>
> }
>
>
>
> // Check loaded library version
>
> if(xmlSecCheckVersion() != 1) {
>
> fprintf(stderr, "Error: loaded xmlsec library version is not
> compatible.\n");
>
> return(-1);
>
> }
>
>
>
> // Load default crypto engine if we are supporting dynamic
>
> // loading for xmlsec-crypto libraries. Use the crypto library
>
> // name ("openssl", "nss", etc.) to load corresponding
>
> // xmlsec-crypto library.
>
>
>
> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>
> if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
>
> fprintf(stderr, "Error: unable to load default xmlsec-crypto library.
> Make sure\n"
>
> "that you have it
> installed and check shared libraries path\n"
>
> "(LD_LIBRARY_PATH)
> envornment variable.\n");
>
> return(-1);
>
> }
>
> #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
>
>
>
> // Init crypto library
>
> if(xmlSecCryptoAppInit(NULL) < 0) {
>
> fprintf(stderr, "Error: crypto initialization failed.\n");
>
> return(-1);
>
> }
>
>
>
> // Init xmlsec-crypto library
>
> if(xmlSecCryptoInit() < 0) {
>
> fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
>
> return(-1);
>
> }
>
>
>
> return 0;
>
> }
>
>
>
> void
>
> fnit_allxml_lib()
>
> {
>
> // Shutdown xmlsec-crypto library
>
> xmlSecCryptoShutdown();
>
>
>
> //Shutdown crypto library
>
> xmlSecCryptoAppShutdown();
>
>
>
> //Shutdown xmlsec library
>
> xmlSecShutdown();
>
>
>
> // Shutdown libxslt/libxml
>
> #ifndef XMLSEC_NO_XSLT
>
> xsltCleanupGlobals();
>
> #endif //XMLSEC_NO_XSLT
>
>
>
> xmlCleanupParser();
>
> }
>
>
>
> const std::string XML_FILE =
>
"/Projects/project.dokfile.vses/hades/trunk/products/doksafe/engine/libs/xml
dsig/test/"
>
> "mt-embedded-id-dtd-attr.xml";
>
>
> // "mt.xml";
>
>
>
> // Unit Tests
>
>
>
> void do_0()
>
> {
>
> xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
>
> if(mngr == NULL)
>
> {
>
> fprintf(stderr, "Error: failed to create keys manager.\n");
>
> }
>
>
>
> if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0)
>
> {
>
> fprintf(stderr, "Error: failed to initialize keys manager.\n");
>
> xmlSecKeysMngrDestroy(mngr);
>
> }
>
>
>
> BOOST_CHECK(init_allxml_lib() == 0);
>
> BOOST_CHECK(verify_file(mngr, XML_FILE.c_str()) == 0);
>
>
>
> fnit_allxml_lib();
>
> }
>
>
>
> // -
>
>
>
> int test_main(int, char*[])
>
> {
>
> do_0();
>
>
>
> return 0;
>
> }
>
>
>
>
>
>
>
>
>
> Thanks
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mt-embedded-id-dtd-attr.xml
Type: text/xml
Size: 7527 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120611/dd726390/attachment-0001.xml>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xmldsig_test.cpp
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120611/dd726390/attachment-0001.ksh>
More information about the xmlsec
mailing list