[xmlsec] Custom CRL

Francisco Obispo fobispo at isc.org
Tue May 21 21:49:26 PDT 2013 

So basically, if I want to check the X509 certificate in the XML against the CRL, I'm going to have to decode the <X509Certificate> node and compare it with OpenSSL directly?

I have a requirement to check the cert against the CRL.

Any suggestions?


On May 21, 2013, at 9:36 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> Again, certificates are not used. See my other email.
> 
> Aleksey
> 
> On 5/21/13 9:35 PM, Francisco Obispo wrote:
>> tried with another XML file, and same result :-(,
>> 
>> 
>> 
>> 
>> On May 21, 2013, at 9:10 PM, Francisco Obispo <fobispo at isc.org> wrote:
>> 
>>> Mhm,
>>> 
>>> It doesn't break there either:
>>> 
>>> $ gdb verify
>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug  5 03:00:42 UTC 2012)
>>> Copyright 2004 Free Software Foundation, Inc.
>>> GDB is free software, covered by the GNU General Public License, and you are
>>> welcome to change it and/or distribute copies of it under certain conditions.
>>> Type "show copying" to see the conditions.
>>> There is absolutely no warranty for GDB.  Type "show warranty" for details.
>>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done
>>> 
>>> (gdb) break xmlSecOpenSSLX509StoreVerify
>>> Breakpoint 1 at 0x3126e978d442cb
>>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>> Reading symbols for shared libraries ++++++++++.............................. done
>>> VALIDATING!!!!!
>>> = KEY INFO READ CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: rsa
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0x00000002
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>> 
>>> Program exited normally.
>>> (gdb) 
>>> 
>>> 
>>> 
>>> 
>>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>> 
>>>> It should do the check. I am surprised it doesn't.
>>>> 
>>>> Can you break into xmlSecOpenSSLX509StoreVerify() function. There is
>>>> a piece of code that checks against in-document crl and then store crl.
>>>> Curious to find out why it doesn't do the expected thing.
>>>> 
>>>> 
>>>> Aleksey
>>>> 
>>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>>> Tried it,
>>>>> 
>>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>> 
>>>>> So, besides adding the CRL to the key store, is there anything else I need to call to verify the cert? 
>>>>> 
>>>>> Would xmlSecDSigCtxVerify() do the check? or do I need to call another function separately?
>>>>> 
>>>>> thanks
>>>>> 
>>>>> 
>>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>> 
>>>>>> Well, the code clearly uses the crls (it's the same function that
>>>>>> process crls in the signature). If you have debug version, put
>>>>>> a break point in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>>> to see if it is called and what's happening inside it.
>>>>> 
>>>>> Francisco Obispo 
>>>>> Director of Applications and Services - ISC
>>>>> email: fobispo at isc.org
>>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>>> PGP KeyID = B38DB1BE
>>>>> 
>>> 
>>> Francisco Obispo 
>>> Director of Applications and Services - ISC
>>> email: fobispo at isc.org
>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>> PGP KeyID = B38DB1BE
>>> 
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>> 
>> Francisco Obispo 
>> Director of Applications and Services - ISC
>> email: fobispo at isc.org
>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>> PGP KeyID = B38DB1BE
>> 

Francisco Obispo 
Director of Applications and Services - ISC
email: fobispo at isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE

More information about the xmlsec mailing list