[xmlsec] RES: how verify sig using xmlAddID and local certs!
Aleksey Sanin
aleksey at aleksey.com
Mon Jun 11 09:22:18 PDT 2012
xmlsec1 --help
Aleksey
On 6/11/12 7:09 AM, Renato Tegon Forti wrote:
> Hi
>
>>> xmlAddID - look at LibXML2 documentation for the function, it's pretty
> simple.
> OK
>
>>> Actually default trusted certs are loaded in the xmlsec-openssl init
> function.
> Then I don't need load certs in "xmlSecKeysMngrPtr"?
>
> I am trying to use sample "Verifying a signature with X 509 certificates."
>
> And I changed load_trusted_certs to accept a vector with keys file, like:
>
> ----------------------------------------------------------------------------
> ---------------------------------
> std::vector<std::string> certs;
>
> certs.push_back("/usr/lib/ssl/certs/Serasa_Certificadora_Digital_v2.pem");
> certs.push_back("/usr/lib/ssl/certs/Serasa_Autoridade_Certificadora_Principa
> l_v2.pem");
> certs.push_back("/usr/lib/ssl/certs/Autoridade_Certificadora_Raiz_Brasileira
> _v2.pem");
>
> mngr = load_trusted_certs(certs);
>
> ----------------------------------------------------------------------------
> ---------------------------------
>
> And for now, I using DTD on xml file:
>
> ----------------------------------------------------------------------------
> ---------------------------------
> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [
> <!ATTLIST infNFe Id ID #IMPLIED>
> ]>
> ----------------------------------------------------------------------------
> ---------------------------------
>
> But always I received: "Signature is INVALID"!
>
> If I use xmlsec1 command, its work in some file!
>
> ----------------------------------------------------------------------------
> ---------------------------------
> afe/engine/libs/xmldsig/test$ xmlsec1 --verify mt-embedded-id-dtd-attr.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> ----------------------------------------------------------------------------
> ---------------------------------
>
> How I can print debug into to try see what's happening?
>
> My current code, and file that I need check is attached!
>
> Thanks again, and again, and again ...!
>
> -----Mensagem original-----
> De: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Enviada em: segunda-feira, 11 de junho de 2012 10:46
> Para: Renato Tegon Forti
> Cc: xmlsec at aleksey.com
> Assunto: Re: [xmlsec] how verify sig using xmlAddID and local certs!
>
> 1) xmlAddID - look at LibXML2 documentation for the function, it's pretty
> simple.
>
> 2) Actually default trusted certs are loaded in the xmlsec-openssl init
> function.
>
> Aleksey
>
> On 6/11/12 5:39 AM, Renato Tegon Forti wrote:
>> Hi All,
>>
>>
>>
>> I'm trying to understand how the xmlsec tool interprets this command:
>>
>>
>>
>> xmlsec1 --verify --id-attr:Id infNFe file.xml
>>
>>
>>
>> which parts of code are activated! Need to reproduce this behavior in
>> my code
>>
>>
>>
>> Can someone explain to me?
>>
>>
>>
>> In special how "xmlSecAppLoadKeys" load CA 's files of
>> /usr/lib/ssl/certs/ : (for sample. openssl ssl files folder) !
>>
>>
>>
>> I need use "xmlAddID" to add "infNFe" like an id! Ok? How?
>>
>>
>>
>> Anything else!
>>
>>
>>
>> My test code:
>>
>>
>>
>> // Copyright 2011-2012 Renato Tegon Forti
>>
>>
>>
>> #define BOOST_ALL_DYN_LINK
>>
>> #define BOOST_THREAD_USE_DLL //thread header not compliant with
>> 'BOOST_ALL_DYN_LINK'
>>
>> #define BOOST_LIB_DIAGNOSTIC
>>
>>
>>
>> #include <boost/test/minimal.hpp>
>>
>> #include <dsafe/xmlsig.hpp>
>>
>>
>>
>> #define XMLSEC_CRYPTO_OPENSSL
>>
>>
>>
>> #include <libxml/tree.h>
>>
>> #include <libxml/xmlmemory.h>
>>
>> #include <libxml/parser.h>
>>
>>
>>
>> #ifndef XMLSEC_NO_XSLT
>>
>> #include <libxslt/xslt.h>
>>
>> #endif /* XMLSEC_NO_XSLT */
>>
>>
>>
>> #include <xmlsec/xmlsec.h>
>>
>> #include <xmlsec/xmltree.h>
>>
>> #include <xmlsec/xmldsig.h>
>>
>> #include <xmlsec/xmlenc.h>
>>
>> #include <xmlsec/templates.h>
>>
>> #include <xmlsec/crypto.h>
>>
>>
>>
>>
>>
>> /**
>>
>> * verify_file:
>>
>> * @mngr: the pointer to keys manager.
>>
>> * @xml_file: the signed XML file name.
>>
>> *
>>
>> * Verifies XML signature in #xml_file.
>>
>> *
>>
>> * Returns 0 on success or a negative value if an error occurs.
>>
>> */
>>
>> int
>>
>> verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file)
>>
>> {
>>
>> xmlDocPtr doc = NULL;
>>
>> xmlNodePtr node = NULL;
>>
>> xmlSecDSigCtxPtr dsigCtx = NULL;
>>
>> int res = -1;
>>
>>
>>
>> assert(mngr);
>>
>> assert(xml_file);
>>
>>
>>
>> /* load file */
>>
>> doc = xmlParseFile(xml_file);
>>
>> if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
>>
>> fprintf(stderr, "Error: unable to parse file
>> \"%s\"\n", xml_file);
>>
>> goto done;
>>
>> }
>>
>>
>>
>> /* find start node */
>>
>> node = xmlSecFindNode(xmlDocGetRootElement(doc),
>> xmlSecNodeSignature, xmlSecDSigNs);
>>
>> if(node == NULL) {
>>
>> fprintf(stderr, "Error: start node not found in
>> \"%s\"\n", xml_file);
>>
>> goto done;
>>
>> }
>>
>>
>>
>> /* create signature context */
>>
>> dsigCtx = xmlSecDSigCtxCreate(mngr);
>>
>> if(dsigCtx == NULL) {
>>
>> fprintf(stderr,"Error: failed to create signature context\n");
>>
>> goto done;
>>
>> }
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> /* limit the Reference URI attributes to empty or NULL */
>>
>> dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
>>
>>
>>
>> /* limit allowed transforms for siganture and reference processing
>> */
>>
>> if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>> xmlSecTransformInclC14NId) < 0) ||
>>
>> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>> xmlSecTransformExclC14NId) < 0) ||
>>
>> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>> xmlSecTransformSha1Id) < 0) ||
>>
>> (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>> xmlSecTransformRsaSha1Id) < 0)) {
>>
>>
>>
>> fprintf(stderr,"Error: failed to limit allowed siganture
>> transforms\n");
>>
>> goto done;
>>
>> }
>>
>> if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>> xmlSecTransformInclC14NId) < 0) ||
>>
>> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>> xmlSecTransformExclC14NId) < 0) ||
>>
>> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>> xmlSecTransformSha1Id) < 0) ||
>>
>> (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>> xmlSecTransformEnvelopedId) < 0)) {
>>
>>
>>
>> fprintf(stderr,"Error: failed to limit allowed reference
>> transforms\n");
>>
>> goto done;
>>
>> }
>>
>>
>>
>> /* in addition, limit possible key data to valid X509 certificates
>> only */
>>
>> if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
>> BAD_CAST xmlSecKeyDataX509Id) < 0) {
>>
>> fprintf(stderr,"Error: failed to limit allowed key data\n");
>>
>> goto done;
>>
>> }
>>
>>
>>
>> /* Verify signature */
>>
>> if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>>
>> fprintf(stderr,"Error: signature verify\n");
>>
>> goto done;
>>
>> }
>>
>>
>>
>> /* check that we have only one Reference */
>>
>> if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
>>
>> (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1))
>> {
>>
>>
>>
>> fprintf(stderr,"Error: only one reference is allowed\n");
>>
>> goto done;
>>
>> }
>>
>>
>>
>> /* print verification result to stdout */
>>
>> if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>>
>> fprintf(stdout, "Signature is OK\n");
>>
>> } else {
>>
>> fprintf(stdout, "Signature is INVALID\n");
>>
>> }
>>
>>
>>
>> /* success */
>>
>> res = 0;
>>
>>
>>
>> done:
>>
>> /* cleanup */
>>
>> if(dsigCtx != NULL) {
>>
>> xmlSecDSigCtxDestroy(dsigCtx);
>>
>> }
>>
>>
>>
>> if(doc != NULL) {
>>
>> xmlFreeDoc(doc);
>>
>> }
>>
>> return(res);
>>
>>
>>
>> }
>>
>>
>>
>> int
>>
>> init_allxml_lib()
>>
>> {
>>
>> // Init libxml and libxslt libraries
>>
>> xmlInitParser();
>>
>>
>>
>> LIBXML_TEST_VERSION
>>
>> xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>
>> xmlSubstituteEntitiesDefault(1);
>>
>> #ifndef XMLSEC_NO_XSLT
>>
>> xmlIndentTreeOutput = 1;
>>
>> #endif // XMLSEC_NO_XSLT
>>
>>
>>
>> // Init xmlsec library
>>
>> if(xmlSecInit() < 0) {
>>
>> fprintf(stderr, "Error: xmlsec initialization failed.\n");
>>
>> return(-1);
>>
>> }
>>
>>
>>
>> // Check loaded library version
>>
>> if(xmlSecCheckVersion() != 1) {
>>
>> fprintf(stderr, "Error: loaded xmlsec library version is not
>> compatible.\n");
>>
>> return(-1);
>>
>> }
>>
>>
>>
>> // Load default crypto engine if we are supporting dynamic
>>
>> // loading for xmlsec-crypto libraries. Use the crypto library
>>
>> // name ("openssl", "nss", etc.) to load corresponding
>>
>> // xmlsec-crypto library.
>>
>>
>>
>> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>
>> if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
>>
>> fprintf(stderr, "Error: unable to load default xmlsec-crypto library.
>> Make sure\n"
>>
>> "that you have it
>> installed and check shared libraries path\n"
>>
>> "(LD_LIBRARY_PATH)
>> envornment variable.\n");
>>
>> return(-1);
>>
>> }
>>
>> #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
>>
>>
>>
>> // Init crypto library
>>
>> if(xmlSecCryptoAppInit(NULL) < 0) {
>>
>> fprintf(stderr, "Error: crypto initialization failed.\n");
>>
>> return(-1);
>>
>> }
>>
>>
>>
>> // Init xmlsec-crypto library
>>
>> if(xmlSecCryptoInit() < 0) {
>>
>> fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
>>
>> return(-1);
>>
>> }
>>
>>
>>
>> return 0;
>>
>> }
>>
>>
>>
>> void
>>
>> fnit_allxml_lib()
>>
>> {
>>
>> // Shutdown xmlsec-crypto library
>>
>> xmlSecCryptoShutdown();
>>
>>
>>
>> //Shutdown crypto library
>>
>> xmlSecCryptoAppShutdown();
>>
>>
>>
>> //Shutdown xmlsec library
>>
>> xmlSecShutdown();
>>
>>
>>
>> // Shutdown libxslt/libxml
>>
>> #ifndef XMLSEC_NO_XSLT
>>
>> xsltCleanupGlobals();
>>
>> #endif //XMLSEC_NO_XSLT
>>
>>
>>
>> xmlCleanupParser();
>>
>> }
>>
>>
>>
>> const std::string XML_FILE =
>>
> "/Projects/project.dokfile.vses/hades/trunk/products/doksafe/engine/libs/xml
> dsig/test/"
>>
>> "mt-embedded-id-dtd-attr.xml";
>>
>>
>
>> // "mt.xml";
>>
>>
>>
>> // Unit Tests
>>
>>
>>
>> void do_0()
>>
>> {
>>
>> xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
>>
>> if(mngr == NULL)
>>
>> {
>>
>> fprintf(stderr, "Error: failed to create keys manager.\n");
>>
>> }
>>
>>
>>
>> if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0)
>>
>> {
>>
>> fprintf(stderr, "Error: failed to initialize keys manager.\n");
>>
>> xmlSecKeysMngrDestroy(mngr);
>>
>> }
>>
>>
>>
>> BOOST_CHECK(init_allxml_lib() == 0);
>>
>> BOOST_CHECK(verify_file(mngr, XML_FILE.c_str()) == 0);
>>
>>
>>
>> fnit_allxml_lib();
>>
>> }
>>
>>
>>
>> // -
>>
>>
>>
>> int test_main(int, char*[])
>>
>> {
>>
>> do_0();
>>
>>
>>
>> return 0;
>>
>> }
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list