[xmlsec] Encrypt and Decrypt
Doug Royer
Doug at Royer.com
Sun Jan 26 11:44:50 PST 2003
Aleksey Sanin wrote:

> Hi, Doug!
>
> One of the warnings (about key origin) you get during encryption could
> be safely ignored and another one (doc != NULL) was already fixed in CVS
> but it also should not cause problems. Bottom line, you should have a valid
> encrypted document on stdout as the result.

Thanks.

This makes my application look busted. I have looked at the source and
I cannot find a way to turn the warning off. Is there a way?

What do I point CVSROOT at to get the correct CVS tree?
I am not a CVS expert, so I tried:

    cvs update -d -P -j XMLSEC_0_0_X_BRANCH xmlsec

However when I try to build the results I get (RedHat-8.0):

    ./autogen.sh
    ...
    checking for gcc... gcc
    checking for C compiler default output... a.out
    checking whether the C compiler works... yes
    checking whether we are cross compiling... no
    ...
    ...
    checking for LibXML2 libraries >= 2.4.24... yes ('2.5.1')
    checking for LibXSLT libraries >= 1.0.20... yes ('1.0.24')
    checking for NSS libraries >= 0.0.0... no
    checking for OpenSSL libraries >= 0.9.6... yes ('0.9.7' )
    checking for SHA1 support... yes
    checking for RIPEMD-160 support... yes
    checking for HMAC support... yes
    checking for DSA support... yes
    checking for RSA support... yes
    checking for DES support... yes
    checking for AES support... yes
    checking for X509 support... yes
    checking for PGP support... no
    checking for XMLDSig support... yes
    checking for XMLEnc support... yes
    checking for Simple Keys Manager testing... yes
    checking for pedantic compilation... ./configure: line 10109: syntax error near unexpected token `<<<'
    ./configure: line 10109: `<<<<<<< configure.in'

> However, decryption fails because the decrypted session DES key is NULL.
> The big surprise to me is that you could not decrypt the test.xml file
> from the package as well. I am really puzzled.
> Can you please run 'make check' in the top level xmlsec folder, please?
> It will be great to do this when xmlsec is compiled with openSSL 0.9.7
> because 0.9.6 misses some features and half of the tests will fail because
> of it. The expected results are:
>
> OK for positive tests and FAIL for negative tests.

(From the configurable 0.0.11 tree == NOT - XMLSEC_0_0_X_BRANCH)

The only failure is at the end of the run:

    # make check
    ...
    --------- Negative Testing: Following tests MUST FAIL ----------
    --- detailed log is written to /tmp/testEnc.20030126_121627-871.log
    01-phaos-xmlenc-3/bad-alg-enc-element-aes128-kw-3des
    Decrypt existing document Error
    --- testEnc finished

Yet the log file has three (or five) failures (from the logs I cannot tell
which fails, the text after 'failed:' or the text before 'failed:'
or both):

    ../apps/xmlsec decrypt --privkey ../tests/merlin-xmlenc-five/rsapriv.pem ../tests/merlin-xmlenc-five/encrypt-element-aes128-cbc-rsa-1_5.xml
    xmlSecX509StoreVerify (x509.c:1090): error 41: cert verification failed : error=20 (unable to get local issuer certificate)
    xmlSecX509DataNodeRead (keyinfo.c:1196): error 41: cert verification failed:
    ../apps/xmlsec encrypt --keys ../tests/merlin-xmlenc-five/keys.xml --session-key-aes128 --privkey ../tests/merlin-xmlenc-five/rsapriv.pem --xml ../tests/merlin-xmlenc-five/encrypt-element-aes128-cbc-rsa-1_5.data --node-id Purchase ../tests/merlin-xmlenc-five/encrypt-element-aes128-cbc-rsa-1_5.tmpl
    ../apps/xmlsec decrypt --privkey ../tests/merlin-xmlenc-five/rsapriv.pem /tmp/testEnc.20030126_121627-871.tmp
    ../apps/xmlsec decrypt --privkey ../tests/merlin-xmlenc-five/rsapriv.pem ../tests/merlin-xmlenc-five/encrypt-data-tripledes-cbc-rsa-oaep-mgf1p.xml
    xmlSecX509StoreVerify (x509.c:1090): error 41: cert verification failed : error=20 (unable to get local issuer certificate)
    xmlSecX509DataNodeRead (keyinfo.c:1196): error 41: cert verification failed:
    ../apps/xmlsec encrypt --keys ../tests/merlin-xmlenc-five/keys.xml --session-key-des3 --privkey ../tests/merlin-xmlenc-five/rsapriv.pem --binary ../tests/merlin-xmlenc-five/encrypt-data-tripledes-cbc-rsa-oaep-mgf1p.data ../tests/merlin-xmlenc-five/encrypt-data-tripledes-cbc-rsa-oaep-mgf1p.tmpl
    ../apps/xmlsec decrypt --keys ../tests/01-phaos-xmlenc-3/keys.xml ../tests/01-phaos-xmlenc-3/bad-alg-enc-element-aes128-kw-3des.xml
    xmlSecEvpCipherFinal (ciphers.c:454): error 3: crypto operation failed : EVP_DecryptFinal - 0
    xmlSecCipherTransformFlush (ciphers.c:316): error 2: xmlsec operation failed : xmlSecCipherFinal - -1
    xmlSecCipherTransformFlush (ciphers.c:335): error 2: xmlsec operation failed : xmlSecBinTransformFlush - -1
    xmlSecCipherValueNodeRead (xmlenc.c:1758): error 2: xmlsec operation failed : xmlSecBinTransformWFlush - -1
    xmlSecCipherDataNodeRead (xmlenc.c:1614): error 2: xmlsec operation failed : xmlSecCipherValueNodeRead - -1
    xmlSecDecrypt (xmlenc.c:1036): error 2: xmlsec operation failed : xmlSecCipherDataNodeRead - -1
    Error: xmlSecDecrypt() failed
    Error: operation failed
    --- testEnc finished

> If it's not the case then I would suspect libraries mismatch.
> Check 'xmlsec-config --cflags' and 'xmlsec-config --libs' output
> and make sure that it matches your expectation (especially about
> OpenSSL!).

They look valid:

    # xml2-config -cflags (--version == 2.5.1)
    -I/usr/local/try1/include/libxml2
    # xslt-config --cflags (--version == 1.0.24)
    -I/usr/local/try1/include -I/usr/local/try1/include/libxml2
    # xslt-config --cflags
    -I/usr/local/try1/include/xmlsec -I/usr/local/try1/include/libxml2
    # xmlsec-config --libs (--version == 0.0.11)
    -L/usr/local/try1/lib -Wl,-rpath=/usr/local/try1/lib -lxmlsec -lxslt -lxml2 -lz -liconv -lm -lcrypto

Notes:

(1) OPENSSL is not in the flags for xmlsec-config
    --libs or --cflags. It is also not in xmlsec-config.in
    in the XMLSEC_0_0_X_BRANCH.
(2) I added '-Wl,-rpath...' to xmlsec-config to ensure
    that I got the correct libraries at run time and
    not the system libraries. I did the same for xml2-config
    and xslt-config.
(3) I had to remove -static from the 'doc/examples' makefiles
    because my system only has shared objects for -liconv
    (no libiconv.a).

An 'ldd' of xmlsec produced what I expected:

    libcrypto.so.0.9.7 => /usr/local/try1/lib/libcrypto.so.0.9.7 (0x40013000)
    libxslt.so.1 => /usr/local/try1/lib/libxslt.so.1 (0x4010c000)
    libxml2.so.2 => /usr/local/try1/lib/libxml2.so.2 (0x40135000)
    libz.so.1 => /usr/lib/libz.so.1 (0x4020c000)
    libiconv.so.2 => /usr/local/lib/libiconv.so.2 (0x4021a000)
    libm.so.6 => /lib/i686/libm.so.6 (0x402ef000)
    libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
    libdl.so.2 => /lib/libdl.so.2 (0x40312000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

And ./enc2 rsakey.pem test.xml, produces:

    (ciphers.c:445): error 19: invalid data : padding is greater than buffer
    (ciphers.c:316): error 2: xmlsec operation failed : xmlSecCipherFinal - -1
    (ciphers.c:335): error 2: xmlsec operation failed : xmlSecBinTransformFlush - -1
    (xmlenc.c:1758): error 2: xmlsec operation failed : xmlSecBinTransformWFlush - -1
    (xmlenc.c:1614): error 2: xmlsec operation failed : xmlSecCipherValueNodeRead - -1
    (xmlenc.c:1036): error 2: xmlsec operation failed : xmlSecCipherDataNodeRead - -1
    Error: decryption failed

--
Doug Royer | http://INET-Consulting.com
-------------------------------|-----------------------------
Doug at Royer.com | Office: (208)612-INET
http://Royer.com/People/Doug | Fax: (866)594-8574
| Cell: (208)520-4044
We Do Standards - You Need Standards