[xmlsec] nss -- xmlSecNssX509StoreVerify question

Aleksey Sanin aleksey at aleksey.com
Thu Dec 8 13:26:27 PST 2016


Could you please confirm that xmlsec-nss gets the key from the
certificate and not from another place?

I am not very familiar with this code unfortunately. It might
have happen that the NSS API changed since xmlsec-nss was
written :)

Aleksey

On 12/8/16 1:06 PM, Miklos Vajna wrote:
> Hi,
> 
> Context: currently we patch xmlsec in LibreOffice with
> <https://cgit.freedesktop.org/libreoffice/core/tree/external/libxmlsec/xmlsec1-noverify.patch.1>,
> and I'm trying to find out if it would be possible to avoid that patch.
> As far as I understand, using the
> XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS flag makes this possible
> when calling xmlSecDSigCtxVerify(), but I wanted to first see
> xmlSecDSigCtxVerify() failing without using that flag (when the above
> patch is not applied).
> 
> However, for some reason xmlSecDSigCtxVerify() doesn't fail with my test
> "self-signed" certificate (when the NSS DB doesn't contain the
> root/intermediate CA), even when I'm not using that flag. Reading
> xmlSecNssX509StoreVerify(), it seems that it calls NSS
> CERT_VerifyCertificate() with requiredUsages=0:
> 
> https://github.com/lsh123/xmlsec/blob/master/src/nss/x509vfy.c#L217
> 
> And when that happens, CERT_VerifyCertificate() just iterates over the
> usages of the certificicate, and on each iteration it returns
> ("continues") early, as "i & requiredUsages" is false. The result is
> that later functions like cert_CheckLeafTrust() and
> cert_VerifyCertChain() are not called:
> 
> https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certhigh/certvfy.c#1220
> 
> Now the question: is this expected? I'm not sure if this is a bug in
> xmlsec or I generate my self-signed certificate in an incorrect way.
> 
> FWIW, here is my script to generate 1) a root CA 2) an intermediate CA
> and 3) an actual certificate:
> 
> https://cgit.freedesktop.org/libreoffice/core/tree/xmlsecurity/qa/create-certs/create-certs.sh
> 
> Thanks,
> 
> Miklos
> 
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: OpenPGP digital signature
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20161208/c7187553/attachment.sig>


More information about the xmlsec mailing list