[xmlsec] Custom CRL
Aleksey Sanin
aleksey at aleksey.com
Tue May 21 21:36:55 PDT 2013
Again, certificates are not used. See my other email.
Aleksey
On 5/21/13 9:35 PM, Francisco Obispo wrote:
> tried with another XML file, and same result :-(,
>
>
>
>
> On May 21, 2013, at 9:10 PM, Francisco Obispo <fobispo at isc.org> wrote:
>
>> Mhm,
>>
>> It doesn't break there either:
>>
>> $ gdb verify
>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done
>>
>> (gdb) break xmlSecOpenSSLX509StoreVerify
>> Breakpoint 1 at 0x3126e978d442cb
>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>> Reading symbols for shared libraries ++++++++++.............................. done
>> VALIDATING!!!!!
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0x00000002
>> ==== keyBitsSize: 0
>> === list size: 0
>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>
>> Program exited normally.
>> (gdb)
>>
>>
>>
>>
>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>> It should do the check. I am surprised it doesn't.
>>>
>>> Can you break into xmlSecOpenSSLX509StoreVerify() function. There is
>>> a piece of code that checks against in-document crl and then store crl.
>>> Curious to find out why it doesn't do the expected thing.
>>>
>>>
>>> Aleksey
>>>
>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>> Tried it,
>>>>
>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>
>>>> So, besides adding the CRL to the key store, is there anything else I need to call to verify the cert?
>>>>
>>>> Would xmlSecDSigCtxVerify() do the check? or do I need to call another function separately?
>>>>
>>>> thanks
>>>>
>>>>
>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>
>>>>> Well, the code clearly uses the crls (it's the same function that
>>>>> process crls in the signature). If you have debug version, put
>>>>> a break point in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>> to see if it is called and what's happening inside it.
>>>>
>>>> Francisco Obispo
>>>> Director of Applications and Services - ISC
>>>> email: fobispo at isc.org
>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>> PGP KeyID = B38DB1BE
>>>>
>>
>> Francisco Obispo
>> Director of Applications and Services - ISC
>> email: fobispo at isc.org
>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>> PGP KeyID = B38DB1BE
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
> Francisco Obispo
> Director of Applications and Services - ISC
> email: fobispo at isc.org
> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
> PGP KeyID = B38DB1BE
>
More information about the xmlsec
mailing list