Thanks, Aleksey. It's exactly what I wanted.

2012/8/17 Aleksey Sanin <[email protected]>

> That makes sense. If you have KeyValue then xmlsec happily picks it up.
> You can limit the key data used by xmlsec for looking up the key.
> With xmlsec command line tool, try "--enabled-key-data" option
> (use --list-key-data to see the list).
>
> Aleksey
>
> On 8/17/12 5:38 AM, Roman Khlystik wrote:
> > Thanks, Aleksey.
> >
> > Really, I had RSA key in signature file.
> >
> > I made some investigation, I may be wrong, but I don't understand the
> > security guarantee of xml signature.
> > I'll try to explain my view on it, please indicate where I'm wrong.
> >
> > As I've understood, during signature verification xmlsec might choose key
> > for verification from KeyValue field or from certificate in X509Data
> > field. There isn't any check that public key from KeyValue is the same
> > as public key from certificate.
> > Key selection algorithm is the next:
> > - Xmlsec is trying to build certificate chain from certificate in the
> >   file up to a trusted cert.
> > - if it succeeded, key from certificate is used
> > - if it failed, xmlsec is looking for the KeyValue field.
> > - if KeyValue field is found, xmlsec uses it for verification.
> > - if KeyValue isn't found, xmlsec reports an error.
> >
> > So, let's assume that I'm a bad guy and I want to substitute a signed xml
> > file.
> > All I have to do is just sign a file only with KeyValue field and
> > without any X509Data field.
> > Thus, user of signed document can't be sure that this document was sent
> > by expected sender.
> >
> > I think that there is some misunderstanding in application of xml
> > signature or I've just missed something.
> > Maybe it's possible to force xmlsec to perform verification using key only
> > from X509 field? Or maybe I just may ask xmlsec to ignore key from
> > KeyValue field?
> >
> > Thanks.
> >
> > 2012/8/15 Aleksey Sanin <[email protected]>
> >
> > > That shouldn't be the case. The only possibility is that there
> > > is a key in the signature file (not in certificate).
> > >
> > > Run xmlsec with debug output to find out where it finds key
> > >
> > > Aleksey
> > >
> > > On 8/15/12 1:21 AM, Roman Khlystik wrote:
> > > > Thanks for your answer, Aleksey.
> > > >
> > > > I think I've understood behaviour of xmlsec in this situation.
> > > > And according to this logic I assume (and actually I checked it) that
> > > > when there isn't any valid certificate chain, result code of signature
> > > > verification is still succeeded. Why?
> > > >
> > > > Here is example using command-line tool.
> > > > ca.crt isn't related to the certificate in license-signed-ca1-server1.xml.
> > > > So, there isn't any valid certificate chain. Why verification status is OK?
> > > >
> > > > #xmlsec1 --verify --trusted-pem cas/ca2/ca/certs/ca.crt license-signed-ca1-server1.xml
> > > >
> > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=UA/ST=Kyiv region/L=Kyiv/O=test/OU=Ukraine Department/CN=server1/[email protected];err=20;msg=unable to get local issuer certificate
> > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > OK
> > > > SignedInfo References (ok/all): 1/1
> > > > Manifests References (ok/all): 0/0
> > > >
> > > > So, I have another question: Is it possible to detect with xmlsec that
> > > > there is no one valid certificate chain up to the one of the trusted
> > > > certificates? I want to reject signed xml file if there isn't any valid
> > > > certificate chain.
> > > >
> > > > Thanks.
> > > >
> > > > 2012/8/14 Aleksey Sanin <[email protected]>
> > > >
> > > > > Roman,
> > > > >
> > > > > During the verification, xmlsec tries to verify the signature using
> > > > > all possible certificate chains. It is enough to have one of them
> > > > > succeed. The errors you see are from ones that failed. Safe to ignore,
> > > > > just check the result code.
> > > > >
> > > > > Aleksey
> > > > >
> > > > > On 8/14/12 8:38 AM, Roman Khlystik wrote:
> > > > > > Hi Aleksey!
> > > > > >
> > > > > > I'm trying to develop simple license system using xmlsec library.
> > > > > > My idea was to build simple private PKI with one CA key pair and
> > > > > > separate key-pair for each customer.
> > > > > > Then I planned to sign xml license file with client certificate
> > > > > > for each client.
> > > > > >
> > > > > > I decided to embed CA certificate in our app and verify certificate
> > > > > > chain from xml file up to CA certificate.
> > > > > > But I have a problem with xmlsec library. I can't find how to verify
> > > > > > full certificate chain with it.
> > > > > > I used example from here
> > > > > > http://www.aleksey.com/xmlsec/api/xmlsec-verify-with-x509.html
> > > > > > and I have a problem when certificate chain is invalid.
> > > > > > I got error to console:
> > > > > >
> > > > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=UA/ST=Kyiv region/L=Kyiv/O=test/OU=test/CN=server1/emailAddress=s
> > > > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > > > OK
> > > > > > SignedInfo References (ok/all): 1/1
> > > > > > Manifests References (ok/all): 0/0
> > > > > >
> > > > > > but verification result dsigCtx->status has
> > > > > > xmlSecDSigStatusSucceeded value.
> > > > > >
> > > > > > Can you tell me how can I verify that certificate chain is invalid
> > > > > > with xmlsec api?
> > > > > >
> > > > > > _______________________________________________
> > > > > > xmlsec mailing list
> > > > > > [email protected]
> > > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
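The key-selection order discussed in the thread means a signature whose ds:KeyInfo carries only a bare ds:KeyValue is verified against attacker-supplied key material, with no chain to a trusted certificate ever built. The following pre-flight check is an added example, not code from the thread or from xmlsec: it parses the signed document and flags every ds:Signature that offers no ds:X509Data. The sample XML and its base64 values are constructed placeholders; the real enforcement remains xmlsec's own key-data restriction (the `--enabled-key-data` option Aleksey mentions, with the key data name to pass taken from `--list-key-data`).

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

def _dsig(local):
    return "{%s}%s" % (DSIG_NS, local)

def key_info_sources(xml_bytes):
    """For each ds:Signature, return the set of ds:KeyInfo child names
    that can supply a verification key (e.g. 'X509Data', 'KeyValue')."""
    root = ET.fromstring(xml_bytes)
    sources = []
    for sig in root.iter(_dsig("Signature")):
        key_info = sig.find(_dsig("KeyInfo"))
        names = set()
        if key_info is not None:
            for child in key_info:
                if child.tag.startswith("{" + DSIG_NS + "}"):
                    names.add(child.tag.split("}", 1)[1])
        sources.append(names)
    return sources

def signatures_without_x509(xml_bytes):
    """Indices of signatures that carry no X509Data: under the selection
    order described in the thread, their key can only come from a bare
    KeyValue, so no chain to a trusted certificate is ever checked."""
    return [i for i, names in enumerate(key_info_sources(xml_bytes))
            if "X509Data" not in names]

# Constructed sample: the first signature offers a certificate, the second
# offers only an RSA KeyValue. All base64 values are placeholders.
SAMPLE = b"""<license xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AA==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data><ds:X509Certificate>MIIB...</ds:X509Certificate></ds:X509Data>
      <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQ==</ds:Modulus>
        <ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AA==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQ==</ds:Modulus>
        <ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
</license>"""

if __name__ == "__main__":
    print(key_info_sources(SAMPLE))         # [{'X509Data', 'KeyValue'}, {'KeyValue'}]
    print(signatures_without_x509(SAMPLE))  # [1]
```

Rejecting the flagged documents before calling xmlsec removes the KeyValue-only path Roman describes; checking that a KeyValue which accompanies X509Data actually matches the certificate's public key is a separate step that needs a certificate parser and is not covered here.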
