Again, certificates are not used. See my other email.

Aleksey

On 5/21/13 9:35 PM, Francisco Obispo wrote:
> tried with another XML file, and same result :-(,
>
> On May 21, 2013, at 9:10 PM, Francisco Obispo <fobi...@isc.org> wrote:
>
>> Mhm,
>>
>> It doesn't break there either:
>>
>> $ gdb verify
>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for
>> shared libraries ........... done
>>
>> (gdb) break xmlSecOpenSSLX509StoreVerify
>> Breakpoint 1 at 0x3126e978d442cb
>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml
>> Perl/ISC-XML-Signature/t/files/xca/TestCA.crt
>> Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>> Starting program:
>> /Users/fobispo/code/registry/tools/isc-xml-signature/verify
>> Perl/ISC-XML-Signature/t/files/sample-signed.xml
>> Perl/ISC-XML-Signature/t/files/xca/TestCA.crt
>> Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>> Reading symbols for shared libraries
>> ++++++++++.............................. done
>> VALIDATING!!!!!
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0x00000002
>> ==== keyBitsSize: 0
>> === list size: 0
>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>
>> Program exited normally.
>> (gdb)
>>
>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <alek...@aleksey.com> wrote:
>>
>>> It should do the check. I am surprised it doesn't.
>>>
>>> Can you break into the xmlSecOpenSSLX509StoreVerify() function? There is
>>> a piece of code that checks against the in-document CRL and then the store CRL.
>>> Curious to find out why it doesn't do the expected thing.
>>>
>>> Aleksey
>>>
>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>> Tried it,
>>>>
>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>
>>>> So, besides adding the CRL to the key store, is there anything else I need
>>>> to call to verify the cert?
>>>>
>>>> Would xmlSecDSigCtxVerify() do the check? Or do I need to call another
>>>> function separately?
>>>>
>>>> thanks
>>>>
>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <alek...@aleksey.com> wrote:
>>>>
>>>>> Well, the code clearly uses the CRLs (it's the same function that
>>>>> processes CRLs in the signature). If you have a debug version, put
>>>>> a breakpoint in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>> to see if it is called and what's happening inside it.
>>>>
>>>> Francisco Obispo
>>>> Director of Applications and Services - ISC
>>>> email: fobi...@isc.org
>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>> PGP KeyID = B38DB1BE
>>>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec@aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
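The thread turns on whether the signature being verified actually carries X.509 material: xmlsec's CRL checking lives in the X.509 store verification path, so a signature whose KeyInfo holds only a raw RSAKeyValue (as the debug output's "keyId: rsa" suggests) never reaches it, and a configured CRL has nothing to revoke against. The script below is an added example, not code from the xmlsec project or from anyone in the thread; it inspects a signed document's KeyInfo and reports which key-identification form it uses, so a verifier operator can tell up front whether certificate-based revocation checking can apply at all. The two sample documents are constructed for the example, and the certificate body in the second is a placeholder, not a real certificate.

```python
import xml.etree.ElementTree as ET

# XML Digital Signature namespace (from the XMLDSig standard).
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG_NS}


def key_info_kind(xml_text):
    """Classify how the first ds:Signature in the document identifies its key.

    Returns one of:
      "no-signature"     - no ds:Signature element found
      "no-keyinfo"       - signature present but no ds:KeyInfo
      "x509-certificate" - KeyInfo embeds an X509Certificate (cert path applies)
      "x509-reference"   - X509Data present but no embedded certificate
                           (issuer/serial or subject name lookup in the store)
      "raw-key"          - KeyInfo carries a bare ds:KeyValue (no certificate)
      "key-name"         - KeyInfo carries only a ds:KeyName lookup hint
      "other"            - something else (e.g. RetrievalMethod only)
    """
    root = ET.fromstring(xml_text)
    # A detached signature may itself be the document root.
    if root.tag == "{%s}Signature" % DSIG_NS:
        sig = root
    else:
        sig = root.find(".//ds:Signature", NS)
    if sig is None:
        return "no-signature"
    key_info = sig.find("ds:KeyInfo", NS)
    if key_info is None:
        return "no-keyinfo"
    if key_info.find("ds:X509Data/ds:X509Certificate", NS) is not None:
        return "x509-certificate"
    if key_info.find("ds:X509Data", NS) is not None:
        return "x509-reference"
    if key_info.find("ds:KeyValue", NS) is not None:
        return "raw-key"
    if key_info.find("ds:KeyName", NS) is not None:
        return "key-name"
    return "other"


def crl_check_can_apply(xml_text):
    """True only when verification will go through certificate validation,
    i.e. the only case in which a loaded CRL can influence the result."""
    return key_info_kind(xml_text) in ("x509-certificate", "x509-reference")


# Constructed sample 1: signature keyed by a bare RSA public key. No
# certificate is involved, so no CRL lookup will ever be triggered.
RAW_KEY_DOC = """<?xml version="1.0"?>
<Envelope>
  <Data>payload</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/>
    <SignatureValue>QUJD</SignatureValue>
    <KeyInfo>
      <KeyValue><RSAKeyValue><Modulus>AQID</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>
    </KeyInfo>
  </Signature>
</Envelope>"""

# Constructed sample 2: signature carrying an embedded certificate (placeholder
# base64, not a real certificate). This is the form that reaches the X.509
# store and therefore the CRL check.
X509_DOC = """<?xml version="1.0"?>
<Envelope>
  <Data>payload</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/>
    <SignatureValue>QUJD</SignatureValue>
    <KeyInfo>
      <X509Data><X509Certificate>PLACEHOLDER_CERT_BASE64</X509Certificate></X509Data>
    </KeyInfo>
  </Signature>
</Envelope>"""


if __name__ == "__main__":
    for name, doc in (("raw-key sample", RAW_KEY_DOC), ("x509 sample", X509_DOC)):
        print("%s: KeyInfo kind=%s, CRL check can apply=%s"
              % (name, key_info_kind(doc), crl_check_can_apply(doc)))
```

Running it on the two constructed samples reports `raw-key` / `False` for the first and `x509-certificate` / `True` for the second. In deployment terms, a verifier that accepts raw-key signatures is trusting whatever key the key manager holds and gets no revocation protection from a CRL; if revocation matters, the policy should reject KeyInfo forms other than X509Data before calling the verification routine.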