[xmlsec] RES: RES: how verify sig using xmlAddID and local certs!

Aleksey Sanin aleksey at aleksey.com
Mon Jun 11 11:46:00 PDT 2012


I am really sorry but this goes beyond the support I provide.

Aleksey


On 6/11/12 11:40 AM, Renato Tegon Forti wrote:
> Hi Again,
> 
> I write one new code, but I can put it to work! Please you can point me what
> I forgot! 
> 
> The verify function is : verify_f
> 
> Output:
> 
> ========================================================================
> verify_f
> ========================================================================
> Signature is ***INVALID***
> func=xmlSecDSigCtxDebugXmlDump:file=xmldsig.c:line=1148:obj=unknown:subj=out
> put != NULL:error=100:assertion:
> func=xmlSecDSigCtxDebugDump:file=xmldsig.c:line=1068:obj=unknown:subj=output
> != NULL:error=100:assertion:
> 
> Thanks
> 
> -----Mensagem original-----
> De: Aleksey Sanin [mailto:aleksey at aleksey.com] 
> Enviada em: segunda-feira, 11 de junho de 2012 13:22
> Para: Renato Tegon Forti
> Cc: xmlsec at aleksey.com
> Assunto: Re: RES: [xmlsec] how verify sig using xmlAddID and local certs!
> 
> xmlsec1 --help
> 
> Aleksey
> 
> On 6/11/12 7:09 AM, Renato Tegon Forti wrote:
>> Hi
>>
>>>>  xmlAddID - look at LibXML2 documentation for the function, it's 
>>>> pretty
>> simple.
>> OK
>>
>>>> Actually default trusted certs are loaded in the xmlsec-openssl init
>> function.
>> Then I don't need load certs in "xmlSecKeysMngrPtr"?
>>
>> I am trying to use sample "Verifying a signature with X 509 certificates."
>>
>> And I changed load_trusted_certs  to accept a vector with keys file, like:
>>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>> std::vector<std::string> certs;
>>    
>> certs.push_back("/usr/lib/ssl/certs/Serasa_Certificadora_Digital_v2.pe
>> m"); 
>> certs.push_back("/usr/lib/ssl/certs/Serasa_Autoridade_Certificadora_Pr
>> incipa
>> l_v2.pem");
>> certs.push_back("/usr/lib/ssl/certs/Autoridade_Certificadora_Raiz_Bras
>> ileira
>> _v2.pem");
>> 	
>> mngr = load_trusted_certs(certs);
>>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>>
>> And for now, I using DTD on xml file:
>>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ATTLIST 
>> infNFe Id ID #IMPLIED> ]>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>>
>> But always I received: "Signature is INVALID"!
>>
>> If I use xmlsec1 command, its work in some file!
>>
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>> afe/engine/libs/xmldsig/test$ xmlsec1 --verify 
>> mt-embedded-id-dtd-attr.xml OK SignedInfo References (ok/all): 1/1 
>> Manifests References (ok/all): 0/0
>> ----------------------------------------------------------------------
>> ------
>> ---------------------------------
>>
>> How I can print debug into to try see what's happening?
>>
>> My current code, and file that I need check is attached!
>>
>> Thanks again, and again, and again ...!
>>
>> -----Mensagem original-----
>> De: Aleksey Sanin [mailto:aleksey at aleksey.com] Enviada em: 
>> segunda-feira, 11 de junho de 2012 10:46
>> Para: Renato Tegon Forti
>> Cc: xmlsec at aleksey.com
>> Assunto: Re: [xmlsec] how verify sig using xmlAddID and local certs!
>>
>> 1) xmlAddID - look at LibXML2 documentation for the function, it's 
>> pretty simple.
>>
>> 2) Actually default trusted certs are loaded in the xmlsec-openssl 
>> init function.
>>
>> Aleksey
>>
>> On 6/11/12 5:39 AM, Renato Tegon Forti wrote:
>>> Hi All,
>>>
>>>  
>>>
>>> I'm trying to understand how the xmlsec tool interprets this command:
>>>
>>>  
>>>
>>> xmlsec1 --verify --id-attr:Id infNFe file.xml
>>>
>>>  
>>>
>>> which parts of code are activated! Need to reproduce this behavior in 
>>> my code
>>>
>>>  
>>>
>>> Can someone explain to me?
>>>
>>>  
>>>
>>> In special how "xmlSecAppLoadKeys" load CA 's files of 
>>> /usr/lib/ssl/certs/ : (for sample. openssl  ssl files folder) !
>>>
>>>  
>>>
>>> I need use "xmlAddID" to add "infNFe" like an id! Ok? How?
>>>
>>>  
>>>
>>> Anything else!
>>>
>>>  
>>>
>>> My test code:
>>>
>>>  
>>>
>>> // Copyright 2011-2012 Renato Tegon Forti
>>>
>>>  
>>>
>>> #define BOOST_ALL_DYN_LINK
>>>
>>> #define BOOST_THREAD_USE_DLL  //thread header not compliant with 
>>> 'BOOST_ALL_DYN_LINK'
>>>
>>> #define BOOST_LIB_DIAGNOSTIC
>>>
>>>  
>>>
>>> #include <boost/test/minimal.hpp>
>>>
>>> #include <dsafe/xmlsig.hpp>
>>>
>>>  
>>>
>>> #define XMLSEC_CRYPTO_OPENSSL
>>>
>>>  
>>>
>>> #include <libxml/tree.h>
>>>
>>> #include <libxml/xmlmemory.h>
>>>
>>> #include <libxml/parser.h>
>>>
>>>  
>>>
>>> #ifndef XMLSEC_NO_XSLT
>>>
>>> #include <libxslt/xslt.h>
>>>
>>> #endif /* XMLSEC_NO_XSLT */
>>>
>>>  
>>>
>>> #include <xmlsec/xmlsec.h>
>>>
>>> #include <xmlsec/xmltree.h>
>>>
>>> #include <xmlsec/xmldsig.h>
>>>
>>> #include <xmlsec/xmlenc.h>
>>>
>>> #include <xmlsec/templates.h>
>>>
>>> #include <xmlsec/crypto.h>
>>>
>>>  
>>>
>>>  
>>>
>>> /**
>>>
>>>  * verify_file:
>>>
>>> * @mngr:                              the pointer to keys manager.
>>>
>>> * @xml_file:                    the signed XML file name.
>>>
>>> *
>>>
>>> * Verifies XML signature in #xml_file.
>>>
>>> *
>>>
>>> * Returns 0 on success or a negative value if an error occurs.
>>>
>>> */
>>>
>>> int
>>>
>>> verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file)
>>>
>>> {
>>>
>>>    xmlDocPtr doc = NULL;
>>>
>>>    xmlNodePtr node = NULL;
>>>
>>>    xmlSecDSigCtxPtr dsigCtx = NULL;
>>>
>>>     int res = -1;
>>>
>>>    
>>>
>>>     assert(mngr);
>>>
>>>     assert(xml_file);
>>>
>>>  
>>>
>>>     /* load file */
>>>
>>>     doc = xmlParseFile(xml_file);
>>>
>>>     if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
>>>
>>>                 fprintf(stderr, "Error: unable to parse file 
>>> \"%s\"\n", xml_file);
>>>
>>>                 goto done;        
>>>
>>>     }
>>>
>>>    
>>>
>>>     /* find start node */
>>>
>>>     node = xmlSecFindNode(xmlDocGetRootElement(doc),
>>> xmlSecNodeSignature, xmlSecDSigNs);
>>>
>>>     if(node == NULL) {
>>>
>>>                 fprintf(stderr, "Error: start node not found in 
>>> \"%s\"\n", xml_file);
>>>
>>>                 goto done;        
>>>
>>>     }
>>>
>>>  
>>>
>>>     /* create signature context */
>>>
>>>     dsigCtx = xmlSecDSigCtxCreate(mngr);
>>>
>>>     if(dsigCtx == NULL) {
>>>
>>>         fprintf(stderr,"Error: failed to create signature 
>>> context\n");
>>>
>>>                 goto done;
>>>
>>>     }
>>>
>>>                
>>>
>>>  
>>>
>>>    
>>>
>>>  
>>>
>>>     /* limit the Reference URI attributes to empty or NULL */
>>>
>>>     dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
>>>
>>>    
>>>
>>>     /* limit allowed transforms for siganture and reference 
>>> processing */
>>>
>>>     if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>>> xmlSecTransformInclC14NId) < 0) ||
>>>
>>>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>>> xmlSecTransformExclC14NId) < 0) ||
>>>
>>>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>>> xmlSecTransformSha1Id) < 0) ||
>>>
>>>        (xmlSecDSigCtxEnableSignatureTransform(dsigCtx,
>>> xmlSecTransformRsaSha1Id) < 0)) {
>>>
>>>  
>>>
>>>         fprintf(stderr,"Error: failed to limit allowed siganture 
>>> transforms\n");
>>>
>>>                 goto done;
>>>
>>>     }
>>>
>>>     if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>>> xmlSecTransformInclC14NId) < 0) ||
>>>
>>>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>>> xmlSecTransformExclC14NId) < 0) ||
>>>
>>>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>>> xmlSecTransformSha1Id) < 0) ||
>>>
>>>        (xmlSecDSigCtxEnableReferenceTransform(dsigCtx,
>>> xmlSecTransformEnvelopedId) < 0)) {
>>>
>>>  
>>>
>>>         fprintf(stderr,"Error: failed to limit allowed reference 
>>> transforms\n");
>>>
>>>                 goto done;
>>>
>>>     }
>>>
>>>  
>>>
>>>     /* in addition, limit possible key data to valid X509 
>>> certificates only */
>>>
>>>     if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
>>> BAD_CAST xmlSecKeyDataX509Id) < 0) {
>>>
>>>         fprintf(stderr,"Error: failed to limit allowed key data\n");
>>>
>>>                 goto done;
>>>
>>>     }
>>>
>>>    
>>>
>>>     /* Verify signature */
>>>
>>>     if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>>>
>>>         fprintf(stderr,"Error: signature verify\n");
>>>
>>>                 goto done;
>>>
>>>     }
>>>
>>>  
>>>
>>>     /* check that we have only one Reference */
>>>
>>>     if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
>>>
>>>         (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 
>>> 1)) {
>>>
>>>                
>>>
>>>         fprintf(stderr,"Error: only one reference is allowed\n");
>>>
>>>                 goto done;
>>>
>>>     }
>>>
>>>        
>>>
>>>     /* print verification result to stdout */
>>>
>>>     if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>>>
>>>                 fprintf(stdout, "Signature is OK\n");
>>>
>>>     } else {
>>>
>>>                 fprintf(stdout, "Signature is INVALID\n");
>>>
>>>     }   
>>>
>>>  
>>>
>>>     /* success */
>>>
>>>     res = 0;
>>>
>>>  
>>>
>>> done:   
>>>
>>>     /* cleanup */
>>>
>>>     if(dsigCtx != NULL) {
>>>
>>>                 xmlSecDSigCtxDestroy(dsigCtx);
>>>
>>>     }
>>>
>>>    
>>>
>>>     if(doc != NULL) {
>>>
>>>                 xmlFreeDoc(doc);
>>>
>>>     }
>>>
>>>     return(res);
>>>
>>>  
>>>
>>> }
>>>
>>>  
>>>
>>> int
>>>
>>> init_allxml_lib()
>>>
>>> {   
>>>
>>>    // Init libxml and libxslt libraries
>>>
>>>    xmlInitParser();
>>>
>>>   
>>>
>>>    LIBXML_TEST_VERSION
>>>
>>>    xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>>
>>>    xmlSubstituteEntitiesDefault(1);
>>>
>>> #ifndef XMLSEC_NO_XSLT
>>>
>>>    xmlIndentTreeOutput = 1;
>>>
>>> #endif // XMLSEC_NO_XSLT
>>>
>>>                
>>>
>>>    // Init xmlsec library
>>>
>>>    if(xmlSecInit() < 0) {
>>>
>>>    fprintf(stderr, "Error: xmlsec initialization failed.\n");
>>>
>>>    return(-1);
>>>
>>>    }
>>>
>>>  
>>>
>>>    // Check loaded library version
>>>
>>>    if(xmlSecCheckVersion() != 1) {
>>>
>>>    fprintf(stderr, "Error: loaded xmlsec library version is not 
>>> compatible.\n");
>>>
>>>    return(-1);
>>>
>>>    }   
>>>
>>>    
>>>
>>>    // Load default crypto engine if we are supporting dynamic
>>>
>>>    // loading for xmlsec-crypto libraries. Use the crypto library
>>>
>>>    // name ("openssl", "nss", etc.) to load corresponding
>>>
>>>    // xmlsec-crypto library.
>>>
>>>  
>>>
>>> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>>
>>>    if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
>>>
>>>    fprintf(stderr, "Error: unable to load default xmlsec-crypto library.
>>> Make sure\n"
>>>
>>>                                                "that you have it 
>>> installed and check shared libraries path\n"
>>>
>>>                                                "(LD_LIBRARY_PATH) 
>>> envornment variable.\n");
>>>
>>>    return(-1);      
>>>
>>>    }
>>>
>>> #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
>>>
>>>  
>>>
>>>    // Init crypto library
>>>
>>>    if(xmlSecCryptoAppInit(NULL) < 0) {
>>>
>>>       fprintf(stderr, "Error: crypto initialization failed.\n");
>>>
>>>       return(-1);
>>>
>>>    }
>>>
>>>  
>>>
>>>    // Init xmlsec-crypto library
>>>
>>>    if(xmlSecCryptoInit() < 0) {
>>>
>>>    fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
>>>
>>>    return(-1);
>>>
>>>    }
>>>
>>>                               
>>>
>>>    return 0;
>>>
>>> }
>>>
>>>  
>>>
>>> void
>>>
>>> fnit_allxml_lib()
>>>
>>> {
>>>
>>>    // Shutdown xmlsec-crypto library
>>>
>>>    xmlSecCryptoShutdown();
>>>
>>>    
>>>
>>>    //Shutdown crypto library
>>>
>>>    xmlSecCryptoAppShutdown();
>>>
>>>    
>>>
>>>    //Shutdown xmlsec library
>>>
>>>    xmlSecShutdown();
>>>
>>>  
>>>
>>>    // Shutdown libxslt/libxml
>>>
>>> #ifndef XMLSEC_NO_XSLT
>>>
>>>    xsltCleanupGlobals();           
>>>
>>> #endif //XMLSEC_NO_XSLT
>>>
>>>  
>>>
>>>    xmlCleanupParser();
>>>
>>> }
>>>
>>>  
>>>
>>> const std::string XML_FILE =
>>>
>> "/Projects/project.dokfile.vses/hades/trunk/products/doksafe/engine/li
>> bs/xml
>> dsig/test/"
>>>
>>>                              "mt-embedded-id-dtd-attr.xml";
>>>
>>>
>>
>>> // "mt.xml";
>>>
>>>  
>>>
>>> // Unit Tests
>>>
>>>  
>>>
>>> void do_0()
>>>
>>> {
>>>
>>>    xmlSecKeysMngrPtr mngr = xmlSecKeysMngrCreate();
>>>
>>>    if(mngr == NULL)
>>>
>>>    {
>>>
>>>       fprintf(stderr, "Error: failed to create keys manager.\n");
>>>
>>>    }
>>>
>>>                
>>>
>>>    if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0)
>>>
>>>    {
>>>
>>>       fprintf(stderr, "Error: failed to initialize keys manager.\n");
>>>
>>>       xmlSecKeysMngrDestroy(mngr);
>>>
>>>    }
>>>
>>>                
>>>
>>>    BOOST_CHECK(init_allxml_lib() == 0);
>>>
>>>    BOOST_CHECK(verify_file(mngr, XML_FILE.c_str()) == 0);
>>>
>>>   
>>>
>>>    fnit_allxml_lib();
>>>
>>> }
>>>
>>>  
>>>
>>> // -
>>>
>>>  
>>>
>>> int test_main(int, char*[])
>>>
>>> {
>>>
>>>    do_0();
>>>
>>>  
>>>
>>>    return 0;
>>>
>>> }
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>> Thanks
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec



More information about the xmlsec mailing list