[xmlsec] corrupt context after verify call

Aleksey Sanin aleksey at aleksey.com
Wed Oct 13 09:29:24 PDT 2010 

Sounds like you are compiling your application with different flags
compared to xmlsec. Something like structure members alignment
or debug vs. release.

Aleksey

On 10/13/10 7:32 AM, Erik Smith wrote:
> xmlsec output:
>
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key usage: -1
> === rsa key: size = 1024
> === list size: 1
> === X509 Data:
> ==== Certificate:
> ==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
> ==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
> ==== Issuer Serial: 4CAB2D3B
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri:
> === uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: enveloped-signature
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1"
> MinorVersion="1" Recipient="http://amgr.emdeon.com"
> ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode
> Value="samlp:Success"></StatusCode></Status><Assertion
> xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
> AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
> IssueInstant="2010-10-06T16:15:38.906Z"
> Issuer="http://access.emdeon.com" MajorVersion="1"
> MinorVersion="1"><Conditions NotBefore="2010-10-06T21:15:38.905Z"
> NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement
> AuthenticationInstant="2010-10-06T16:15:38.906Z"
> AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
> == PreDigest data - end buffer
> == Manifest References List:
> === list size: 0
>
>
> On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>> wrote:
>
>     What is the output of the xmlsec1 command?
>
>     Aleksey
>
>
>     On 10/12/10 11:36 PM, Erik Smith wrote:
>
>         After I call xmlSecDSigCtxVerify, the status in the contex is
>         corrupted
>         with a large number.   However xmlsec1 reports validation as OK.
>
>         xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references
>         --id-attr:ResponseID
>         urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml
>
>         Also xmlSecDSigCtxDebugDump output is exactly the same for
>         xmlsec1 and
>         my program.
>
>         I've reduced the code down to what is below and I'm having trouble
>         seeing what could be wrong.
>
>         libxml version: 2.6.27
>         xmlsec version: 1.2.11
>
>         Thanks for any help.
>
>
>
>         #include <iostream>
>         #include <xmlsec/xmltree.h>
>         #include <xmlsec/xmldsig.h>
>         #include <xmlsec/crypto.h>
>         #include <xmlsec/errors.h>
>
>         #ifndef XMLSEC_NO_XSLT
>         #include <libxslt/xslt.h>
>         #endif
>
>         void error(const char *);
>
>         int main(int argc, char **argv) {
>              using namespace std;
>              int status(0);
>
>              xmlSecKeysMngrPtr mngr_;
>              xmlSecDSigCtxPtr dsigCtx;
>              xmlDocPtr doc_;
>
>              cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
>              cout << "xmlsec version: " << XMLSEC_VERSION << endl;
>
>              xmlInitParser();
>              LIBXML_TEST_VERSION;
>              xmlLoadExtDtdDefaultValue = XML_DETECT_IDS |
>         XML_COMPLETE_ATTRS;
>              xmlSubstituteEntitiesDefault(1);
>
>         #ifndef XMLSEC_NO_XSLT
>              xmlIndentTreeOutput = 1;
>         #endif
>              // Init xmlsec library
>              if (xmlSecInit() < 0) error("xmlSecInit");
>              if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
>
>         #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>              if(xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
>         error("xmlSecCryptoDLLoadLibrary");
>         #endif
>
>              if(xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto
>         initialization failed.");
>              if(xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto
>         initialization failed.");
>
>              mngr_ = xmlSecKeysMngrCreate();
>              if (!mngr_) error("bad");
>
>              if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0)
>         error("bad");
>
>              xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
>              xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt",
>         format, NULL,
>         NULL, NULL);
>              if (!key) error("key load error");
>
>              if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0)
>         error("could not add key");
>
>              doc_ = xmlParseFile("saml.xml");
>              if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");
>
>              set_id(doc_);
>
>              xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_),
>         xmlSecNodeSignature, xmlSecDSigNs);
>              if (!node) error("start node not found");
>
>              dsigCtx = xmlSecDSigCtxCreate(mngr_);
>              if (!dsigCtx) error("failed to create signature context");
>
>              std::cout << "status before: " << dsigCtx->status << std::endl;
>              if (xmlSecDSigCtxVerify(dsigCtx, node) < 0)
>         error("signature verify
>         error");
>              std::cout << "status: " << dsigCtx->status << std::endl;
>              //xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>
>              return status;
>         }
>
>         void set_id(xmlDocPtr doc) {
>              using namespace std;
>
>              xmlNodePtr node = xmlSecFindNode(
>                      xmlDocGetRootElement(doc),
>                      BAD_CAST "Response",
>                      BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
>
>              cout << "element name: " << node->name<< endl;
>              xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
>              if (!attr) error("attribute not found");
>              cout << "attribute name: " << attr->name<< endl;
>
>              xmlChar *value = xmlNodeListGetString(node->doc,
>         attr->children, 1);
>              if (!value) error("xmlNodeListGetString");
>              cout << "value: " << value << endl;
>
>              xmlAttrPtr tmp(xmlGetID(node->doc, value));
>              if (tmp) {
>                  cout << "id already registered" << endl;
>              } else {
>                  xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST value, attr);
>                  if (!id) {
>                      xmlFree(value); // fix
>                      error("xmlAddID error");
>                  }
>                  cout << "id added" << endl;
>              }
>
>              //xmlFree(value); // fix
>         }
>
>         void error(const char *e) {
>              std::cout << e << std::endl;
>              std::cout << "exiting" << std::endl;
>              exit(0);
>         }
>
>
>
>
>
>
>
>
>         _______________________________________________
>         xmlsec mailing list
>         xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>         http://www.aleksey.com/mailman/listinfo/xmlsec
>
>

More information about the xmlsec mailing list