[xmlsec] corrupt context after verify call

Erik Smith cruisercoder at gmail.com
Wed Oct 13 12:07:54 PDT 2010


I'm not specifying any directories in the code, only two files in the CWD.
Did something change in a recent version that requires a cert directory for
openssl?

erik

On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> The dir might not exist?
>
> Aleksey
>
>
> On 10/13/10 10:56 AM, Erik Smith wrote:
>
>> I rebuilt libxml, xmlsec, and libxslt to the latest and I get an x509
>> error for some reason.  Any ideas on this?
>>
>> libxml version: 2.7.7
>> xmlsec version: 1.2.16
>> libxslt version: 1.1.26
>>
>> func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto
>> library function failed:
>>
>> func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec
>> library function failed:
>>
>> func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec
>> library function failed:xmlSecOpenSSLX509StoreId
>>
>> func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec
>> library function failed:
>>
>>
>>
>> 2010/10/13 Aleksey Sanin <aleksey at aleksey.com>
>>
>>
>>    Sounds like you are compiling your application with different flags
>>    compared to xmlsec. Something like structure members alignment
>>    or debug vs. release.
>>
>>    Aleksey
>>
>>
>>    On 10/13/10 7:32 AM, Erik Smith wrote:
>>
>>        xmlsec output:
>>
>>        OK
>>        SignedInfo References (ok/all): 1/1
>>        Manifests References (ok/all): 0/0
>>        = VERIFICATION CONTEXT
>>        == Status: succeeded
>>        == flags: 0x00000006
>>        == flags2: 0x00000000
>>        == Key Info Read Ctx:
>>        = KEY INFO READ CONTEXT
>>        == flags: 0x00000000
>>        == flags2: 0x00000000
>>        == enabled key data: all
>>        == RetrievalMethod level (cur/max): 0/1
>>        == TRANSFORMS CTX (status=0)
>>        == flags: 0x00000000
>>        == flags2: 0x00000000
>>        == enabled transforms: all
>>        === uri: NULL
>>        === uri xpointer expr: NULL
>>        == EncryptedKey level (cur/max): 0/1
>>        === KeyReq:
>>        ==== keyId: rsa
>>        ==== keyType: 0x00000001
>>        ==== keyUsage: 0x00000002
>>        ==== keyBitsSize: 0
>>        === list size: 0
>>        == Key Info Write Ctx:
>>        = KEY INFO WRITE CONTEXT
>>        == flags: 0x00000000
>>        == flags2: 0x00000000
>>        == enabled key data: all
>>        == RetrievalMethod level (cur/max): 0/1
>>        == TRANSFORMS CTX (status=0)
>>        == flags: 0x00000000
>>        == flags2: 0x00000000
>>        == enabled transforms: all
>>        === uri: NULL
>>        === uri xpointer expr: NULL
>>        == EncryptedKey level (cur/max): 0/1
>>        === KeyReq:
>>        ==== keyId: NULL
>>        ==== keyType: 0x00000001
>>        ==== keyUsage: 0xffffffff
>>        ==== keyBitsSize: 0
>>        === list size: 0
>>        == Signature Transform Ctx:
>>        == TRANSFORMS CTX (status=2)
>>        == flags: 0x00000000
>>        == flags2: 0x00000000
>>        == enabled transforms: all
>>        === uri: NULL
>>        === uri xpointer expr: NULL
>>        === Transform: exc-c14n
>>        (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>        === Transform: rsa-sha1
>>        (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>        === Transform: membuf-transform (href=NULL)
>>        == Signature Method:
>>        === Transform: rsa-sha1
>>        (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>        == Signature Key:
>>        == KEY
>>        === method: RSAKeyValue
>>        === key type: Public
>>        === key usage: -1
>>        === rsa key: size = 1024
>>        === list size: 1
>>        === X509 Data:
>>        ==== Certificate:
>>        ==== Subject Name:
>>        /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>>        ==== Issuer Name:
>>        /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>>        ==== Issuer Serial: 4CAB2D3B
>>        == SignedInfo References List:
>>        === list size: 1
>>        = REFERENCE VERIFICATION CONTEXT
>>        == Status: succeeded
>>        == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
>>        == Reference Transform Ctx:
>>        == TRANSFORMS CTX (status=2)
>>        == flags: 0x00000000
>>        == flags2: 0x00000000
>>        == enabled transforms: all
>>        === uri:
>>        === uri xpointer expr:
>>        #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
>>        === Transform: xpointer
>>        (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>        === Transform: enveloped-signature
>>        (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>        === Transform: exc-c14n
>>        (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>        === Transform: membuf-transform (href=NULL)
>>        === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>        === Transform: membuf-transform (href=NULL)
>>        == Digest Method:
>>        === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>        == PreDigest data - start buffer:
>>        <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>>        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>>        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
>>        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>        IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1"
>>        MinorVersion="1" Recipient="http://amgr.emdeon.com"
>>
>>  ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode
>>        Value="samlp:Success"></StatusCode></Status><Assertion
>>        xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
>>        AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
>>        IssueInstant="2010-10-06T16:15:38.906Z"
>>        Issuer="http://access.emdeon.com" MajorVersion="1"
>>        MinorVersion="1"><Conditions NotBefore="2010-10-06T21:15:38.905Z"
>>
>>  NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement
>>        AuthenticationInstant="2010-10-06T16:15:38.906Z"
>>
>>  AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
>>        == PreDigest data - end buffer
>>        == Manifest References List:
>>        === list size: 0
>>
>>
>>        On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>            What is the output of the xmlsec1 command?
>>
>>            Aleksey
>>
>>
>>            On 10/12/10 11:36 PM, Erik Smith wrote:
>>
>>                After I call xmlSecDSigCtxVerify, the status in the
>>                context is corrupted with a large number.  However
>>                xmlsec1 reports validation as OK.
>>
>>                xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references
>>                --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml
>>
>>                Also xmlSecDSigCtxDebugDump output is exactly the same for
>>                xmlsec1 and my program.
>>
>>                I've reduced the code down to what is below and I'm
>>                having trouble seeing what could be wrong.
>>
>>                libxml version: 2.6.27
>>                xmlsec version: 1.2.11
>>
>>                Thanks for any help.
>>
>>
>>
>>                #include <cstdlib>
>>                #include <iostream>
>>                #include <libxml/parser.h>
>>                #include <libxml/tree.h>
>>                #include <libxml/valid.h>
>>                #include <xmlsec/xmlsec.h>
>>                #include <xmlsec/xmltree.h>
>>                #include <xmlsec/xmldsig.h>
>>                #include <xmlsec/crypto.h>
>>                #include <xmlsec/errors.h>
>>
>>                #ifndef XMLSEC_NO_XSLT
>>                #include <libxslt/xslt.h>
>>                #endif
>>
>>                void error(const char *);
>>                void set_id(xmlDocPtr doc);  // declared before main() uses it
>>
>>                int main(int argc, char **argv) {
>>                     using namespace std;
>>                     int status(0);
>>
>>                     xmlSecKeysMngrPtr mngr_;
>>                     xmlSecDSigCtxPtr dsigCtx;
>>                     xmlDocPtr doc_;
>>
>>                     cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
>>                     cout << "xmlsec version: " << XMLSEC_VERSION << endl;
>>
>>                     xmlInitParser();
>>                     LIBXML_TEST_VERSION;
>>                     xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>                     xmlSubstituteEntitiesDefault(1);
>>
>>                #ifndef XMLSEC_NO_XSLT
>>                     xmlIndentTreeOutput = 1;
>>                #endif
>>                     // Init xmlsec library; the version check catches a header/library
>>                     // mismatch, but not a difference in compile flags
>>                     if (xmlSecInit() < 0) error("xmlSecInit");
>>                     if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
>>
>>                #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>                     if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
>>                         error("xmlSecCryptoDLLoadLibrary");
>>                #endif
>>
>>                     if (xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto initialization failed.");
>>                     if (xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto initialization failed.");
>>
>>                     mngr_ = xmlSecKeysMngrCreate();
>>                     if (!mngr_) error("xmlSecKeysMngrCreate");
>>
>>                     if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0)
>>                         error("xmlSecCryptoAppDefaultKeysMngrInit");
>>
>>                     // the verification key is the public key of the PEM certificate in the CWD
>>                     xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
>>                     xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, NULL, NULL);
>>                     if (!key) error("key load error");
>>
>>                     if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0)
>>                         error("could not add key");
>>
>>                     doc_ = xmlParseFile("saml.xml");
>>                     if (!doc_ || !xmlDocGetRootElement(doc_)) error("could not parse saml.xml");
>>
>>                     // register ResponseID as an ID attribute so the "#Response-..." URI resolves
>>                     set_id(doc_);
>>
>>                     xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_),
>>                                                      xmlSecNodeSignature, xmlSecDSigNs);
>>                     if (!node) error("start node not found");
>>
>>                     dsigCtx = xmlSecDSigCtxCreate(mngr_);
>>                     if (!dsigCtx) error("failed to create signature context");
>>
>>                     std::cout << "status before: " << dsigCtx->status << std::endl;
>>                     if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) error("signature verify error");
>>                     std::cout << "status: " << dsigCtx->status << std::endl;
>>                     // a return value >= 0 only means verification ran; the signature
>>                     // is valid only if the status field says so
>>                     if (dsigCtx->status != xmlSecDSigStatusSucceeded) error("signature is INVALID");
>>                     //xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>>
>>                     xmlSecDSigCtxDestroy(dsigCtx);
>>                     xmlFreeDoc(doc_);
>>                     xmlSecKeysMngrDestroy(mngr_);
>>                     return status;
>>                }
>>
>>                void set_id(xmlDocPtr doc) {
>>                     using namespace std;
>>
>>                     xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc),
>>                                                      BAD_CAST "Response",
>>                                                      BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
>>                     if (!node) error("Response element not found");
>>
>>                     cout << "element name: " << node->name << endl;
>>                     xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
>>                     if (!attr) error("attribute not found");
>>                     cout << "attribute name: " << attr->name << endl;
>>
>>                     xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
>>                     if (!value) error("xmlNodeListGetString");
>>                     cout << "value: " << value << endl;
>>
>>                     xmlAttrPtr tmp(xmlGetID(node->doc, value));
>>                     if (tmp) {
>>                         cout << "id already registered" << endl;
>>                     } else {
>>                         xmlIDPtr id = xmlAddID(NULL, doc, value, attr);
>>                         if (!id) {
>>                             xmlFree(value);
>>                             error("xmlAddID error");
>>                         }
>>                         cout << "id added" << endl;
>>                     }
>>
>>                     xmlFree(value); // xmlAddID keeps its own copy of the value
>>                }
>>
>>                void error(const char *e) {
>>                     std::cout << e << std::endl;
>>                     std::cout << "exiting" << std::endl;
>>                     exit(1); // non-zero so callers and scripts see the failure
>>                }
>>
>>
>>
>>
>>
>>
>>
>>
>>                _______________________________________________
>>                xmlsec mailing list
>>        xmlsec at aleksey.com
>>
>>
>>        http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20101013/ad598c78/attachment-0001.html>
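Aleksey's diagnosis in the thread is that the application is compiled with different flags than xmlsec itself, so public structs such as xmlSecDSigCtx have a different layout in the two binaries and a field like dsigCtx->status is read from the wrong offset. The following script is an added example, not code from the thread or from the xmlsec project: it diffs the -D defines of two compiler flag strings, because those defines (XMLSEC_NO_SIZE_T, for instance, which changes xmlSecSize from size_t to unsigned int) are what decide the struct layout. It assumes that `xmlsec1-config --cflags` reports the defines the installed library was built with; the SAMPLE_* strings are constructed stand-ins for that output and for a hand-written debug build line.

```shell
#!/bin/sh
# Added example (not from the thread): compare the -D defines xmlsec was built
# with against the ones the application is compiled with. A define that is
# present on the library side but missing on the application side means the
# two sides disagree on xmlsec's struct layouts.

# One -D define per line, de-duplicated, in a fixed (C locale) order.
extract_defines() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep '^-D' | LC_ALL=C sort -u
}

# Print, space separated, the defines present in the library flags ($1)
# but absent from the application flags ($2). Prints nothing if none.
missing_defines() {
    lib_defs=$(extract_defines "$1")
    app_defs=$(extract_defines "$2")
    missing=""
    for d in $lib_defs; do
        if ! printf '%s\n' "$app_defs" | grep -Fqx -- "$d"; then
            missing="$missing $d"
        fi
    done
    printf '%s' "${missing# }"
}

# Success (0) only when every library define is also in the application flags.
flags_compatible() {
    [ -z "$(missing_defines "$1" "$2")" ]
}

# Constructed sample input (assumption: modelled on typical xmlsec1-config
# output and on a typical debug build line); not taken from the thread.
SAMPLE_LIB_CFLAGS="-D__XMLSEC_FUNCTION__=__func__ -DXMLSEC_NO_SIZE_T -DXMLSEC_NO_GOST=1 -DXMLSEC_NO_XKMS=1 -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 -I/usr/include/xmlsec1 -I/usr/include/libxml2 -DXMLSEC_CRYPTO_OPENSSL=1"
SAMPLE_APP_CFLAGS="-g -O0 -I/usr/include/xmlsec1 -I/usr/include/libxml2 -DXMLSEC_CRYPTO_OPENSSL=1"

# Live check when xmlsec1-config is installed, otherwise the sample strings.
if command -v xmlsec1-config >/dev/null 2>&1; then
    LIB_CFLAGS=$(xmlsec1-config --cflags)
else
    LIB_CFLAGS=$SAMPLE_LIB_CFLAGS
fi
APP_CFLAGS=${CXXFLAGS:-$SAMPLE_APP_CFLAGS}

if flags_compatible "$LIB_CFLAGS" "$APP_CFLAGS"; then
    echo "OK: application build carries every xmlsec define"
else
    echo "MISMATCH, defines missing from the application build:"
    missing_defines "$LIB_CFLAGS" "$APP_CFLAGS"
    echo
fi
```

Run it with CXXFLAGS set to the application's real compile line; the fix for a mismatch is to build the application with the library's own flags (`CXXFLAGS="$(xmlsec1-config --cflags)"`), which is also why xmlSecCheckVersion() passing is not enough evidence on its own: it compares version numbers, not the defines that shape the structs.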

