Hallo, I am writing a thesis on AAI security and have been using xmlsec1 for verifying the signatures of the federation metadata.
If I understand the output correctly, verifying the signed metadata works fine (besides warnings regarding the self-signed certificate): shiblenny:~/idem# xmlsec1 --verify --pubkey-cert-pem signer_bundle.pem signed-metadata.xml func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IT/O=GARR/CN=GARR Certification Authority;err=19;msg=self signed certificate in certificate chain func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=19;msg=self signed certificate in certificate chain OK SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 Next, I've tried to throw away the valid signature, sign the bare metadata with a different certificate, embed it and verify the tampered metadata. Verification works fine either by specifying the new certificate or letting xmlsec1 retrieve it from the xml file. shiblenny:~/idem# xmlsec1 --verify tamperedmetadata.xml func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd;err=18;msg=self signed certificate func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate OK SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 shiblenny:~/idem# xmlsec1 --verify --pubkey-cert-pem roguecert.pem tamperedmetadata.xml func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd;err=18;msg=self signed certificate func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate OK SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 The problem is the following: shiblenny:~/idem# xmlsec1 --verify --pubkey-cert-pem signer_bundle.pem roguemetadata.xml func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd;err=18;msg=self signed certificate func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate OK SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 Apparently, the embedded certificate takes precedence over the one specified in the command line! Since I am new to concepts related to xml signing, there may be something I'm overlooking here, but if my analysis is correct, this is a serious issue as users would be misled into thinking that roguemetadata.xml is signed by signer_bundle.pem while it is not. Thanks, Andrea Ieri _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
