Aleksey:
Thanks!! Built/tested on Win32 and it now works like 0.0.10+. This
makes it easy to use and it works .. both nice traits.
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 19, 2003 2:07 PM
To: Aleksey Sanin
Cc: Moultrie, Ferrell
the specified node, then I don't have to change what
I'm already doing. Give me a clue as to how it can/should be
fixed/changed and I'll go take a shot at fixing it and sending you the
diff's.
Thanks!
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROT
findStartNode()
but I wanted to see why you changed this before I mucked with the code.
Thanks!
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 18, 2003 7:26 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] signing
Aleksey:
I've been using 0.0.10 successfully for a while now and decided to
upgrade to xmlsec 0.0.13 prior to upgrading to openssl 0.9.7a. In running
one of my tests, however, using the xmlsec utility, I'm getting a failure
that doesn't occur with the exact same input on 0.0.10. Did you tighten
up t
Sorry -- I wish my mua would warn me when it sees the word "attached"
but there's no attachment! Both files attached now.
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 19, 2002 11:57 AM
To: Moultrie, Ferrell (ISSAtla
maller
and removes some (possibly gratuitous) white-space editing I'd done
while implementing the code. Your choice as to which to check-in.
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 19, 2002 4:50 AM
To: Moultrie, Ferrell (ISSAtla
Aleksey:
My xml documents that I'm signing/verifying contain repeated nodes of
the same name so any beyond the first node are not addressable by the
--node-name construct supported by xmlsec. Additionally, I'm not using a
dtd so the --node-id doesn't help me out either. Finally, the
sign/verify c
Hi:
More from the OpenSSL doc I quoted earlier:
The ApacheSSL documentation, and the docs for the SSLeay toolkit, refer to
certificates and certificate requests as "PEM" files. They are not. ApacheSSL, like
all SSL secure servers, uses the (standard) X.509 certificate format. X.509
certificat
The keys manager does like/take the certs in the format you described. In fact, it
requires them in that format rather than the binary format. OpenSSL is quite
picky about this as the following snipped from some OpenSSL FAQ shows. I don't
recall exactly where I clipped this fr
al Message-
From: Aleksey Sanin [mailto:aleksey@;aleksey.com]
Sent: Friday, October 11, 2002 3:08 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Verify signature after certificate expired
Hm.. I just pulled out the fresh copy from CVS and the changes are
the
hanks!
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 11, 2002 12:30 PM
To: Aleksey Sanin
Cc: Moultrie, Ferrell (ISSAtlanta); [EMAIL PROTECTED]
Subject: Re: [xmlsec] Verify signature after certificate expired
I've removed strptime() usage an
LSEC_NO_STRPTIME */
>
1022a1057,1062
> #else /* XMLSEC_NO_STRPTIME */
> if (ParseDateString(str, &tm) < 0) {
> fprintf(stderr, "Error: the local system time in \"YYYY-MM-DD
HH:MM:SS\" is expected isntead of \"%s\"\n", str);
>
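Review bot: the user-facing error message in the fprintf call inside the new #else /* XMLSEC_NO_STRPTIME */ branch misspells "instead" as "isntead"; fix the string to read `"Error: the local system time in \"YYYY-MM-DD HH:MM:SS\" is expected instead of \"%s\"\n"` before this goes in, since this text is what users will see when ParseDateString() rejects their input.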
platform.
Ferrell
-Original Message-
From: Igor Zlatkovic [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 10:46 PM
To: Aleksey Sanin
Cc: Moultrie, Ferrell (ISSAtlanta); [EMAIL PROTECTED]
Subject: Re: [xmlsec] Verify signature after certificate expired
Hi there,
You are
OTECTED]]
Sent: Thursday, October 10, 2002 3:53 AM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Verify signature after certificate expired
I understand the problem with using 0.9.7 and I am waiting for it
for a very long time myself :) I've changed XMLSec l
but if we'd missed it, it
would have been very painful.
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 2:02 AM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Verify signature after certifica
Aleksey:
Since OpenSSL 0.9.7 is still in beta, I'm a bit reluctant to use it in
a release version of my products. We're very close to release right now
and I hate to have to revisit most of the QA process just because I need
to upgrade OpenSSL -- and to an unreleased version also. Can you point
...
Please check on this and reconsider if it's at all an optional behavior (which I
strongly believe it is).
Thanks!
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 11:48 AM
To: Moultrie, Ferrell (ISSA
Aleksey:
Very important question here -- I want to make sure I understand your
reply. In general, it is not permitted to *sign* data after the signing
certificate has expired but it is allowed to *verify* data after
expiration. An example:
I sign my code today allowing the user to verify that i
ng term I'm sure. I'd appreciate any suggestions on the reasonableness of this
scheme and what you might consider as a reasonable way to implement it without
violating your designed interfaces.
Thanks!
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTE
request? Otherwise, shouldn't this be moved into x509.h so
that callers can access that data using the result structure?
Thanks!
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 05, 2002 12:01 AM
To: Moultrie, Ferrell (ISSAtlanta
How does one go about getting a list of "standard" trusted root certs
(e.g., Verisign, Thawte, Entrust, etc.) that can be used to validate a
public key certificate included with a signed document? Obviously there
is an issue of who do you trust here -- but assuming for these purposes
you trust a
s, it looks like it's not an uncommon coding practice so I'd guess
it's not going to be trivial for them to change.
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 05, 2002 1:02 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAI
Aleksey:
One difficulty I'm having with the new error handler and using the
OpenSSL error stack is that the OpenSSL crypto library frequently uses
the error stack to capture "expected" errors. When one of those occurs,
it calls ERR_clear() which removes not only the OpenSSL error info but
any pr
-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 05, 2002 10:48 AM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] strange error verifying cert
Have called magic OpenSSL_add_all_algorithms(); function during
initialization?
Aleksey
Moultrie
Hi:
I'm getting the following OpenSSL error from deep down in certificate
verification (call stack is below).
error:0D07908D:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
It works correctly if I use xmlsec.exe to verify the xml file, i.e.,
xmlsec verify --allowed x509 --t
Hi:
I'd like to control what public keys and/or certs are used or usable
for verifying data. In particular, I'd like to require that the public
key be validated by a cert (i.e., that supplied
unvalidated keys not be usable, and I'd like to impose certain
constraints on any cert used (e.g., valid
Hi:
I've switched over to using the OpenSSL error stack to retrieve xmlsec
error information. One thing I've noticed is that ERR_error_string_n()
is returning a numeric value for the library name rather than a string
value for xmlsec. It appears that you need to perform two more
string/value pai
Aleksey:
I've validated a bunch of signatures with 0.0.8 and that's working
well. However, I've found one signature that won't validate -- it
appears to be an xpath failure -- xpath is selecting the wrong data. I
can make a 1-character change *outside* of the data being signed (as
verified by th
cely. Thanks for the consideration .. your
existing plan is adequate, just not what I had mentally expected based
on my experience with other libraries.
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 28, 2002 9:39 PM
To: Moultrie, Fer
Aleksey:
Ok .. I'm trying to use the new xmlsec error reporting feature.
There's one thing that was apparently overlooked -- I can only register
one global static function and there's no context reported to that
function (only file, line, func, reason, and msg -- none of which I
control). So, wh
rt chain -- as I
thought was happening before. Sorry for the bogus bug report -- it's
been quite a day.
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 28, 2002 9:04 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subj
ted by
a trusted cert chain.
Thanks!
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 28, 2002 7:59 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] 0.0.8a build error on Win32
Not necessary. Suppose yo
n invalid cert really isn't validation of the
signature, IMO.
Thanks!
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 28, 2002 7:36 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] 0.0.8a build erro
When I try to build 0.0.8a, I get an error:
D:\xmlsec-0.0.8\src\enveloped.c(24) : fatal error C1083: Cannot open include file: 'xmlsec/xpath.h': No such file or directory
I don't see an xmlsec/xpath.h in the xmlsec distribution (there is one
in libxml2 -- but this specifically asks for xmlsec/xpa
Hi:
I downloaded the 0.0.8 archive from the link:
http://www.aleksey.com/xmlsec/download/xmlsec-0.0.8.tar.gz
Unfortunately, the latest dates in that archive are 7/11/02 -- it
appears this is still the 0.0.7 version? It doesn't have any of the
updated documentation or the error handling stuff ..
In the example init code, you allocate two structures: a xmlSecKeysMngr
and a xmlSecDSigCtx. After the verification you free those objects. If
I'm going to verify multiple signatures in multiple separate documents,
are those objects "reusable" or should they be allocated/used/free'd for
each cycle
Aleksey:
In xpath.c [line 594] you check if the result of the XPath Transform is
NULL. Should it not also check if the node set is empty, i.e.,
if((*nodes) == NULL || (*nodes)->nodeNr == 0) {
It's quite possible (easy even) to mistakenly code an XPath Transform that
selects nothing. The re
y 25, 2002 3:10 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: '[EMAIL PROTECTED]'; Dodd, Tim (ISS Atlanta)
Subject: Re: [xmlsec] XMLSEC Reference URI question
According to the C14N spec all whitespaces and eol symbols are preserved. For example, take a look
here: http://www.w3.org/TR/2
ks).
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 11:43 AM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: '[EMAIL PROTECTED]'; Dodd, Tim (ISS Atlanta)
Subject: Re: [xmlsec] XMLSEC Reference URI question
After quick look, the
OTECTED]]
Sent: Wednesday, July 24, 2002 10:23 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: '[EMAIL PROTECTED]'; Dodd, Tim (ISS Atlanta)
Subject: Re: [xmlsec] XMLSEC Reference URI question
Well, "failing to validate reference" simply means that the digest values do n
matted public key, the XML test document and the
output captured from running the 07/12/02 build of xmlsec plus the one fix
you sent me earlier. Let me know if you need anything else.
Thanks!
Ferrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 24
rrell
-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 24, 2002 5:48 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: '[EMAIL PROTECTED]'; Dodd, Tim (ISS Atlanta)
Subject: Re: [xmlsec] XMLSEC Reference URI question
I am not sure I clear understa
Aleksey:
Ok, I've tried to use an XPath Transform to limit the data being verified.
Unfortunately, it doesn't appear to work. Here's what I see happening in the
code:
xmlSecTransformXPathReadNode( ) [xpath.c:203] takes the input
xmlSecTransformPtr and upcasts it to a xmlSecXmlTransformPtr. It t
in [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 23, 2002 6:48 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: '[EMAIL PROTECTED]'; Dodd, Tim (ISS Atlanta)
Subject: Re: [xmlsec] XMLSEC Reference URI question
Hi, Ferrell!
The current XMLDSig does not require full XInclude support and limits t
Aleksey:
Looking in xmlSecTransformStateParseUri() [transforms.c:1069] it appears
that your support of current-document URI references is limited to:
o URI="" (empty URI, whole document signed/verified)
o URI="#xpointer(/)"
o URI="#xpointer(id('tag'))"
Further, it looks like the id('tag') a
Aleksey:
I'm to the point of trying to use the xmlsec utility to verify a signed
document produced by our test web server and signed with a private key whose
public key is certified by a self-signed root cert (i.e., the CA isn't in
the trusted list, it's just our self-signed cert for this purpos