Hi,

On Sun, Jan 22, 2017 at 01:50:05PM -0800, Aleksey Sanin <[email protected]> 
wrote:
> Thanks, looks good -- merged. I'll test all other crypto engines
> when I am back to make sure everything works the same way.

Ah yes, that's a good idea. I've tested the mscrypto backend, and it
seems this flag doesn't work there as expected either:

----
Miklos@Miklos-PC /cygdrive/c/lo/xmlsec/tests/aleksey-xmldsig-01
$ ../../win32/binaries/xmlsec.exe verify --trusted-der ../keys/cacert.der --enabled-key-data x509 enveloping-sha256-rsa-sha256-verify.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Miklos@Miklos-PC /cygdrive/c/lo/xmlsec/tests/aleksey-xmldsig-01
$ ../../win32/binaries/xmlsec.exe verify --enabled-key-data x509 enveloping-sha256-rsa-sha256-verify.xml
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1246:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "enveloping-sha256-rsa-sha256-verify.xml"

Miklos@Miklos-PC /cygdrive/c/lo/xmlsec/tests/aleksey-xmldsig-01
$ ../../win32/binaries/xmlsec.exe verify --insecure --enabled-key-data x509 enveloping-sha256-rsa-sha256-verify.xml
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1246:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "enveloping-sha256-rsa-sha256-verify.xml"
----

So I understand that:

1) It works properly if the relevant --trusted-... option is used.
2) It fails when --insecure is not used, though it complains about "key
is not found", not NSS-style "certificate verification failed".
3) It still fails with --insecure -> unexpected.

I'll try to find time to look into what's the problem there & fix it
unless somebody beats me to it. :-)

Regards,

Miklos
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec