[xmlsec] Custom CRL
Francisco Obispo
fobispo at isc.org
Tue May 21 21:15:47 PDT 2013
This is the one that I'm currently using.
I also have the same file signed with a revoked cert for testing purposes.
<?xml version="1.0" encoding="UTF-8"?>
<!--
XML Security Library example: Simple signature template file for sign1 example.
-->
<demo id="test">
<Data>
Hello, World!
</Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>LdhuGRwbntos7k+Bi5zGpZg8alY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>1NGlGwove0a1cyGySo8AUkQqXCGCyyKJIA6+JjVGQtgFZJ//DbLf+da5w32KBlRg
YAh+vMOH3455nZudj4exL14pVtFXlvLPTSsRRYSKf9E3KH2B5CI21vCgto8e85t+
47bQyoodvqPKyq21o94qwAvSKPkyibUYdqmSvU/s8Cg=</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>
5ql5wGtT/5uxGcjeUxbCoA9VVFYer4BF7IbPcQg4BNbu9e3iXiNe+nKCXXEg+vAp
e6zjIc6ZwgVMVXBms+gCMdsKkOl4MmmPyWgew0JLbURq19qEFFfvWu4VpigcGYMM
/9BCp8wSNxck4bRqNTpt0CB+fPxdkEqjHi2/YSWynuk=
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</demo>
On May 21, 2013, at 9:12 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> Hm... Something is really wrong. What does your signed document look like?
> Does it have the public key in it by a chance?
>
> Aleksey
>
> On 5/21/13 9:10 PM, Francisco Obispo wrote:
>> Mhm,
>>
>> It doesn't break there either:
>>
>> $ gdb verify
>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done
>>
>> (gdb) break xmlSecOpenSSLX509StoreVerify
>> Breakpoint 1 at 0x3126e978d442cb
>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>> Reading symbols for shared libraries ++++++++++.............................. done
>> VALIDATING!!!!!
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0x00000002
>> ==== keyBitsSize: 0
>> === list size: 0
>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>
>> Program exited normally.
>> (gdb)
>>
>>
>>
>>
>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>> It should do the check. I am surprised it doesn't.
>>>
>>> Can you break into xmlSecOpenSSLX509StoreVerify() function. There is
>>> a piece of code that checks against in-document crl and then store crl.
>>> Curious to find out why it doesn't do the expected thing.
>>>
>>>
>>> Aleksey
>>>
>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>> Tried it,
>>>>
>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>
>>>> So, besides adding the CRL to the key store, is there anything else I need to call to verify the cert?
>>>>
>>>> Would xmlSecDSigCtxVerify() do the check? or do I need to call another function separately?
>>>>
>>>> thanks
>>>>
>>>>
>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>
>>>>> Well, the code clearly uses the crls (it's the same function that
>>>>> process crls in the signature). If you have debug version, put
>>>>> a break point in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>> to see if it is called and what's happening inside it.
>>>>
>>>> Francisco Obispo
>>>> Director of Applications and Services - ISC
>>>> email: fobispo at isc.org
>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>> PGP KeyID = B38DB1BE
>>>>
>>
>> Francisco Obispo
>> Director of Applications and Services - ISC
>> email: fobispo at isc.org
>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>> PGP KeyID = B38DB1BE
>>
Francisco Obispo
Director of Applications and Services - ISC
email: fobispo at isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE
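Aleksey's question about whether the document carries the public key is the security-relevant point of this thread. The posted document puts a bare <KeyValue> (an RSAKeyValue) ahead of <X509Data> inside <KeyInfo>, and <KeyInfo> itself is not covered by the signature: a <Reference URI=""> with the enveloped-signature transform digests the document minus the whole ds:Signature subtree. A verifier that accepts the first usable key data therefore takes the modulus from the file, never resolves the certificate, and never reaches the CRL in the key store, whatever was loaded into it. The audit below is an added example written for this page, not code from Francisco or from the xmlsec project. It reports how the key will be resolved and demonstrates, by swapping the modulus, that the signed content is byte-for-byte unchanged when KeyInfo is tampered with. The SAMPLE document is constructed for the example with a placeholder certificate, and the "Id" attribute check is a heuristic; Python 3.8+ is assumed for ElementTree.canonicalize.

```python
"""Pre-flight audit of an XML-DSig KeyInfo before handing the file to a verifier.

Added example (not from the original post or the xmlsec project). It checks:
 1. whether <KeyInfo> is inside the signed content (with URI="" plus the
    enveloped-signature transform it never is), and
 2. whether a bare <KeyValue> appears before, or instead of, <X509Data>, in
    which case a verifier that takes the first usable key never touches the
    certificate, so a CRL in the key store is never consulted.
Assumes Python 3.8+ (xml.etree.ElementTree.canonicalize).
"""
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DSIG + "enveloped-signature"


def _t(name: str) -> str:
    return "{%s}%s" % (DSIG, name)


def audit_keyinfo(xml_text: str) -> dict:
    """Return findings about how the verification key will be resolved."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//" + _t("Signature"))
    if sig is None:
        raise ValueError("no ds:Signature element")
    refs = sig.findall("./%s/%s" % (_t("SignedInfo"), _t("Reference")))
    keyinfo = sig.find(_t("KeyInfo"))
    names = [c.tag.split("}")[-1] for c in keyinfo] if keyinfo is not None else []

    # KeyInfo is only covered if some Reference points at it by Id (heuristic:
    # an attribute literally named "Id"); URI="" + enveloped never covers it.
    kid = keyinfo.get("Id") if keyinfo is not None else None
    keyinfo_signed = bool(kid) and any(r.get("URI") == "#" + kid for r in refs)
    enveloped_whole_doc = any(
        r.get("URI", "") == ""
        and any(t.get("Algorithm") == ENVELOPED for t in r.iter(_t("Transform")))
        for r in refs)

    has_kv, has_x509 = "KeyValue" in names, "X509Data" in names
    kv_first = has_kv and (not has_x509 or names.index("KeyValue") < names.index("X509Data"))
    return {
        "key_data_order": names,
        "keyinfo_signed": keyinfo_signed,
        "enveloped_whole_doc": enveloped_whole_doc,
        "keyvalue_present": has_kv,
        "keyvalue_before_x509": kv_first,
        # When True, the verifier must be pinned to X509Data resolved against a
        # trusted store (with the CRL loaded); the in-document key is untrusted.
        "must_restrict_to_x509": has_kv and not keyinfo_signed,
    }


def signed_content(xml_text: str) -> str:
    """Canonical form of what URI="" + enveloped-signature actually digests:
    the document with every ds:Signature subtree removed."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}
    for sig in list(root.iter(_t("Signature"))):
        parent[sig].remove(sig)
    return ET.canonicalize(ET.tostring(root, encoding="unicode"))


def substitute_keyvalue(xml_text: str, modulus_b64: str) -> str:
    """Swap the RSA modulus in KeyInfo, as someone re-signing with their own key
    would. The signed content is untouched, so only a verifier that ignores
    KeyValue and resolves the key from a trusted certificate store notices."""
    root = ET.fromstring(xml_text)
    mod = root.find(".//" + _t("Modulus"))
    if mod is None:
        raise ValueError("no RSAKeyValue/Modulus")
    mod.text = modulus_b64
    return ET.tostring(root, encoding="unicode")


# Constructed sample modelled on the posted document; values are placeholders.
SAMPLE = """<demo id="test">
<Data>Hello, World!</Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>PLACEHOLDERDIGEST=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>PLACEHOLDERSIGNATURE=</SignatureValue>
<KeyInfo>
<KeyValue><RSAKeyValue><Modulus>ORIGINALMODULUS=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>
<X509Data><X509Certificate>PLACEHOLDERCERT=</X509Certificate></X509Data>
</KeyInfo>
</Signature>
</demo>"""

if __name__ == "__main__":
    for k, v in audit_keyinfo(SAMPLE).items():
        print("%-22s %s" % (k, v))
    tampered = substitute_keyvalue(SAMPLE, "ATTACKERMODULUS=")
    print("signed content unchanged after key swap:",
          signed_content(SAMPLE) == signed_content(tampered))
```

When the audit reports must_restrict_to_x509, the fix belongs on the verifier, not on the document: tell xmlsec to resolve keys only from X509Data so that the certificate is checked against the trusted store and its CRL. With the xmlsec1 command line that is `--enabled-key-data x509` together with `--trusted-pem` and `--crl-pem`; in the C API, as I recall the xmlsec FAQ describing it, add `xmlSecKeyDataX509Id` to `dsigCtx->keyInfoReadCtx.enabledKeyData` with `xmlSecPtrListAdd()` after loading the CRL into the keys manager. Check the exact option and field names against the xmlsec version you build against.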