[xmlsec] Custom CRL

Aleksey Sanin aleksey at aleksey.com
Tue May 21 21:12:46 PDT 2013


Hm... Something is really wrong. How is you signed document looks like?
Does it have the public key in it by a chance?

Aleksey

On 5/21/13 9:10 PM, Francisco Obispo wrote:
> Mhm,
> 
> It doesn't break there either:
> 
> $ gdb verify
> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug  5 03:00:42 UTC 2012)
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done
> 
> (gdb) break xmlSecOpenSSLX509StoreVerify
> Breakpoint 1 at 0x3126e978d442cb
> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
> Reading symbols for shared libraries ++++++++++.............................. done
> VALIDATING!!!!!
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
> 
> Program exited normally.
> (gdb) 
> 
> 
> 
> 
> On May 21, 2013, at 9:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>> It should do the check. I am surprised it doesn't.
>>
>> Can you break into xmlSecOpenSSLX509StoreVerify() function. There is
>> a piece of code that checks against in-document crl and then store crl.
>> Curious to find out why it doesn't do the expected thing.
>>
>>
>> Aleksey
>>
>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>> Tried it,
>>>
>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>
>>> So, besides adding the CRL to the key store, is there anything else I need to call to verify the cert? 
>>>
>>> Would xmlSecDSigCtxVerify() do the check? or do I need to call another function separately?
>>>
>>> thanks
>>>
>>>
>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>>> Well, the code clearly uses the crls (it's the same function that
>>>> process crls in the signature). If you have debug version, put
>>>> a break point in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>> to see if it is called and what's happening inside it.
>>>
>>> Francisco Obispo 
>>> Director of Applications and Services - ISC
>>> email: fobispo at isc.org
>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>> PGP KeyID = B38DB1BE
>>>
> 
> Francisco Obispo 
> Director of Applications and Services - ISC
> email: fobispo at isc.org
> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
> PGP KeyID = B38DB1BE
> 


More information about the xmlsec mailing list