<div>It looks like the OpenSSL dir issue was a bad library interaction. So I made sure all relevant libs were up-to-date and dynamically loaded.</div><div><br></div><div><div>libxml version: 2.7.7</div><div>xmlsec version: 1.2.16</div>
<div>libxslt version: 1.1.26</div></div><div><br></div><div>When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not found", which I think has to do with it looking for a cert as a key in the document. I had tried this to address the OpenSSL dir issue, which appears to have been resolved as stated above.</div>
<div><br></div><div>Going back to xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey as it is seen originally in the code below gets me back to the same error with the corrupted status:</div><div><br></div><div>
<div>status before xmlSecDSigCtxVerify: 0</div><div>status after xmlSecDSigCtxVerify: 5361840</div></div><div><br></div><div>compilation is simple:</div><div><br></div><div><div>export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH</div>
<div><br></div><div>g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare -Wno-unused -m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I. -I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1</div>
<div><br></div><div>g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1 -lxmlsec1-openssl -m64</div><div><br></div></div><div><div>erik</div><div><br></div></div><br><br><div class="gmail_quote">On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin <span dir="ltr"><<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">It might be hard coded from OpenSSL during compilation<div class="im"><br>
<br>
On 10/13/10 12:11 PM, Erik Smith wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
The same code run on the earlier library versions did not have this issue (see code below). Do I need to specify a directory if I'm just loading a cert in a manager?<br>
<br>
erik<br>
<br>
On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>> wrote:<br></div><div class="im">
<br>
No changes, it is a part of xmlsec-openssl init process.<br>
<br>
<br>
On 10/13/10 12:07 PM, Erik Smith wrote:<br>
<br>
I'm not specifying any directories in the code, only two files in the CWD. Did something change in a recent version that requires a cert directory for openssl?<br>
<br>
erik<br>
<br>
On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin<br>
<<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>> wrote:<br></div><div class="im">
<br></div><div class="im">
The dir might not exist?<br>
<br>
Aleksey<br>
<br>
<br>
On 10/13/10 10:56 AM, Erik Smith wrote:<br>
<br>
I rebuilt libxml, xmlsec, and libxslt to the latest and I get an x509 error for some reason. Any ideas on this?<br>
<br>
libxml version: 2.7.7<br>
xmlsec version: 1.2.16<br>
libxslt version: 1.1.26<br>
<br>
func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto library function failed:<br>
<br>
func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec library function failed:<br>
<br>
func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec library function failed:xmlSecOpenSSLX509StoreId<br>
<br>
func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec library function failed:<br>
<br>
<br>
<br>
2010/10/13 Aleksey Sanin <<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>><br></div><div><div></div><div class="h5">
<br>
<br>
Sounds like you are compiling your application with different flags compared to xmlsec. Something like structure members alignment or debug vs. release.<br>
<br>
Aleksey<br>
<br>
<br>
On 10/13/10 7:32 AM, Erik Smith wrote:<br>
<br>
xmlsec output:<br>
<br>
OK<br>
SignedInfo References (ok/all): 1/1<br>
Manifests References (ok/all): 0/0<br>
= VERIFICATION CONTEXT<br>
== Status: succeeded<br>
== flags: 0x00000006<br>
== flags2: 0x00000000<br>
== Key Info Read Ctx:<br>
= KEY INFO READ CONTEXT<br>
== flags: 0x00000000<br>
== flags2: 0x00000000<br>
== enabled key data: all<br>
== RetrievalMethod level (cur/max): 0/1<br>
== TRANSFORMS CTX (status=0)<br>
== flags: 0x00000000<br>
== flags2: 0x00000000<br>
== enabled transforms: all<br>
=== uri: NULL<br>
=== uri xpointer expr: NULL<br>
== EncryptedKey level (cur/max): 0/1<br>
=== KeyReq:<br>
==== keyId: rsa<br>
==== keyType: 0x00000001<br>
==== keyUsage: 0x00000002<br>
==== keyBitsSize: 0<br>
=== list size: 0<br>
== Key Info Write Ctx:<br>
= KEY INFO WRITE CONTEXT<br>
== flags: 0x00000000<br>
== flags2: 0x00000000<br>
== enabled key data: all<br>
== RetrievalMethod level (cur/max): 0/1<br>
== TRANSFORMS CTX (status=0)<br>
== flags: 0x00000000<br>
== flags2: 0x00000000<br>
== enabled transforms: all<br>
=== uri: NULL<br>
=== uri xpointer expr: NULL<br>
== EncryptedKey level (cur/max): 0/1<br>
=== KeyReq:<br>
==== keyId: NULL<br>
==== keyType: 0x00000001<br>
==== keyUsage: 0xffffffff<br>
==== keyBitsSize: 0<br>
=== list size: 0<br>
== Signature Transform Ctx:<br>
== TRANSFORMS CTX (status=2)<br>
== flags: 0x00000000<br>
== flags2: 0x00000000<br>
== enabled transforms: all<br>
=== uri: NULL<br>
=== uri xpointer expr: NULL<br>
=== Transform: exc-c14n (href=<a href="http://www.w3.org/2001/10/xml-exc-c14n#" target="_blank">http://www.w3.org/2001/10/xml-exc-c14n#</a>)<br>
=== Transform: rsa-sha1 (href=<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>)<br>
=== Transform: membuf-transform (href=NULL)<br>
== Signature Method:<br>
=== Transform: rsa-sha1 (href=<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>)<br>
== Signature Key:<br>
== KEY<br>
=== method: RSAKeyValue<br>
=== key type: Public<br>
=== key usage: -1<br>
=== rsa key: size = 1024<br>
=== list size: 1<br>
=== X509 Data:<br>
==== Certificate:<br>
==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon<br>
==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon<br>
==== Issuer Serial: 4CAB2D3B<br>
== SignedInfo References List:<br>
=== list size: 1<br>
= REFERENCE VERIFICATION CONTEXT<br>
== Status: succeeded<br>
== URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"<br>
== Reference Transform Ctx:<br>
== TRANSFORMS CTX (status=2)<br>
== flags: 0x00000000<br>
== flags2: 0x00000000<br>
== enabled transforms: all<br>
=== uri:<br>
=== uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404<br>
=== Transform: xpointer (href=<a href="http://www.w3.org/2001/04/xmldsig-more/xptr" target="_blank">http://www.w3.org/2001/04/xmldsig-more/xptr</a>)<br>
=== Transform: enveloped-signature (href=<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature" target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)<br>
=== Transform: exc-c14n (href=<a href="http://www.w3.org/2001/10/xml-exc-c14n#" target="_blank">http://www.w3.org/2001/10/xml-exc-c14n#</a>)<br>
=== Transform: membuf-transform (href=NULL)<br>
=== Transform: sha1 (href=<a href="http://www.w3.org/2000/09/xmldsig#sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>)<br>
=== Transform: membuf-transform (href=NULL)<br>
== Digest Method:<br>
=== Transform: sha1 (href=<a href="http://www.w3.org/2000/09/xmldsig#sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>)<br>
== PreDigest data - start buffer:<br>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="<a href="http://www.w3.org/2001/XMLSchema" target="_blank">http://www.w3.org/2001/XMLSchema</a>" xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>" IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1" MinorVersion="1" Recipient="<a href="http://amgr.emdeon.com" target="_blank">http://amgr.emdeon.com</a>" ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761" IssueInstant="2010-10-06T16:15:38.906Z" Issuer="<a href="http://access.emdeon.com" target="_blank">http://access.emdeon.com</a>" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2010-10-06T21:15:38.905Z" NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement AuthenticationInstant="2010-10-06T16:15:38.906Z" AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response><br>
== PreDigest data - end buffer<br>
== Manifest References List:<br>
=== list size: 0<br>
<br>
<br>
On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin<br>
<<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>> wrote:<br>
<br>
What is the output of the xmlsec1 command?<br>
<br>
Aleksey<br>
<br>
<br>
On 10/12/10 11:36 PM, Erik Smith wrote:<br>
<br>
After I call xmlSecDSigCtxVerify, the status in the context is corrupted with a large number. However xmlsec1 reports validation as OK.<br>
<br>
xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml<br>
<br>
Also xmlSecDSigCtxDebugDump output is exactly the same for xmlsec1 and my program.<br>
<br>
I've reduced the code down to what is below and I'm having trouble seeing what could be wrong.<br>
<br>
libxml version: 2.6.27<br>
xmlsec version: 1.2.11<br>
<br>
Thanks for any help.<br>
<br>
<br>
<br>
#include <iostream><br>
#include <cstdlib><br>
#include <libxml/parser.h><br>
#include <libxml/tree.h><br>
#include <libxml/valid.h><br>
#include <xmlsec/xmlsec.h><br>
#include <xmlsec/xmltree.h><br>
#include <xmlsec/xmldsig.h><br>
#include <xmlsec/crypto.h><br>
#include <xmlsec/errors.h><br>
<br>
#ifndef XMLSEC_NO_XSLT<br>
#include <libxslt/xslt.h><br>
#endif<br>
<br>
void error(const char *);<br>
void set_id(xmlDocPtr); // forward declaration: set_id is defined after main<br>
<br>
int main(int argc, char **argv) {<br>
    using namespace std;<br>
    int status(0);<br>
<br>
    xmlSecKeysMngrPtr mngr_;<br>
    xmlSecDSigCtxPtr dsigCtx;<br>
    xmlDocPtr doc_;<br>
<br>
    cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;<br>
    cout << "xmlsec version: " << XMLSEC_VERSION << endl;<br>
<br>
    // libxml2 init, as in the xmlsec examples. Note that<br>
    // xmlSubstituteEntitiesDefault(1) turns on entity substitution<br>
    // for every document parsed from here on.<br>
    xmlInitParser();<br>
    LIBXML_TEST_VERSION;<br>
    xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;<br>
    xmlSubstituteEntitiesDefault(1);<br>
<br>
#ifndef XMLSEC_NO_XSLT<br>
    xmlIndentTreeOutput = 1;<br>
#endif<br>
<br>
    // Init xmlsec library<br>
    if (xmlSecInit() < 0) error("xmlSecInit");<br>
    if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");<br>
<br>
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING<br>
    if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0) error("xmlSecCryptoDLLoadLibrary");<br>
#endif<br>
<br>
    if (xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto initialization failed.");<br>
    if (xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto initialization failed.");<br>
<br>
    // Keys manager holding the certificate whose public key verifies the signature<br>
    mngr_ = xmlSecKeysMngrCreate();<br>
    if (!mngr_) error("xmlSecKeysMngrCreate failed");<br>
    if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("xmlSecCryptoAppDefaultKeysMngrInit failed");<br>
<br>
    xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);<br>
    xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, NULL, NULL);<br>
    if (!key) error("key load error");<br>
    // the manager takes ownership of key<br>
    if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0) error("could not add key");<br>
<br>
    doc_ = xmlParseFile("saml.xml");<br>
    if (!doc_ || !xmlDocGetRootElement(doc_)) error("could not parse saml.xml");<br>
<br>
    // Register ResponseID as an ID attribute so the "#Response-..." reference URI resolves<br>
    set_id(doc_);<br>
<br>
    xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_), xmlSecNodeSignature, xmlSecDSigNs);<br>
    if (!node) error("start node not found");<br>
<br>
    dsigCtx = xmlSecDSigCtxCreate(mngr_);<br>
    if (!dsigCtx) error("failed to create signature context");<br>
<br>
    std::cout << "status before: " << dsigCtx->status << std::endl;<br>
    if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) error("signature verify error");<br>
    std::cout << "status: " << dsigCtx->status << std::endl;<br>
    // A non-negative return from xmlSecDSigCtxVerify only means verification ran;<br>
    // the result is dsigCtx->status, which must be xmlSecDSigStatusSucceeded.<br>
    if (dsigCtx->status != xmlSecDSigStatusSucceeded) {<br>
        std::cout << "signature is INVALID" << std::endl;<br>
        status = 1;<br>
    } else {<br>
        std::cout << "signature is OK" << std::endl;<br>
    }<br>
    //xmlSecDSigCtxDebugDump(dsigCtx, stdout);<br>
<br>
    xmlSecDSigCtxDestroy(dsigCtx);<br>
    xmlFreeDoc(doc_);<br>
    xmlSecKeysMngrDestroy(mngr_);<br>
    xmlSecCryptoShutdown();<br>
    xmlSecCryptoAppShutdown();<br>
    xmlSecShutdown();<br>
    xmlCleanupParser();<br>
    return status;<br>
}<br>
<br>
void set_id(xmlDocPtr doc) {<br>
    using namespace std;<br>
<br>
    xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc), BAD_CAST "Response", BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");<br>
    if (!node) error("Response element not found");<br>
    cout << "element name: " << node->name << endl;<br>
<br>
    xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");<br>
    if (!attr) error("attribute not found");<br>
    cout << "attribute name: " << attr->name << endl;<br>
<br>
    xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);<br>
    if (!value) error("xmlNodeListGetString");<br>
    cout << "value: " << value << endl;<br>
<br>
    xmlAttrPtr tmp(xmlGetID(node->doc, value));<br>
    if (tmp) {<br>
        cout << "id already registered" << endl;<br>
    } else {<br>
        // xmlAddID copies value, so it is freed here in every path<br>
        xmlIDPtr id = xmlAddID(NULL, doc, value, attr);<br>
        if (!id) {<br>
            xmlFree(value);<br>
            error("xmlAddID error");<br>
        }<br>
        cout << "id added" << endl;<br>
    }<br>
    xmlFree(value);<br>
}<br>
<br>
void error(const char *e) {<br>
    std::cout << e << std::endl;<br>
    std::cout << "exiting" << std::endl;<br>
    exit(1); // non-zero so a failed run is distinguishable from success<br>
}<br>
<br>
_______________________________________________<br>
xmlsec mailing list<br>
<a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a><br>
<br>
<br>
<a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
<br>
</div></div></blockquote>
</blockquote></div><br>
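<div>Aleksey's suggestion that the application and xmlsec are compiled with different flags is worth seeing concretely. In xmlsec 1.2 the public headers make <code>xmlSecSize</code> a <code>size_t</code> unless <code>XMLSEC_NO_SIZE_T</code> is defined, and <code>xmlsec1-config --cflags</code> is the authoritative source for the defines the installed library was built with; the g++ command in the thread passes a hand-picked <code>-DXMLSEC_CRYPTO_OPENSSL</code> and <code>-m64</code> rather than that output. If the library sees one width for <code>xmlSecSize</code> and the application the other, every <code>xmlSecSize</code> member that precedes <code>status</code> in the context struct changes size, so <code>dsigCtx->status</code> is read from the wrong offset and whatever sits there (often a pointer) appears as a large "status". The C++ below is an added example, not code from the thread or from xmlsec, and whether this is the cause of Erik's 5361840 is not established in the thread. <code>LibCtx</code> and <code>AppCtx</code> are constructed stand-ins for the two views of one context (the real <code>xmlSecDSigCtx</code> has many more members); the status values follow xmlsec's <code>xmlSecDSigStatus</code> enum (0 unknown, 1 succeeded, 2 invalid); the node address <code>0x51D0B0</code> is a constructed value, not a real pointer; LP64 sizes and little-endian byte order are assumed.</div>

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Status values as in xmlsec's xmlSecDSigStatus enum.
enum DSigStatus { StatusUnknown = 0, StatusSucceeded = 1, StatusInvalid = 2 };

// Stand-in for the library's view of the context: built with XMLSEC_NO_SIZE_T,
// so the xmlSecSize fields are 4-byte unsigned ints. Constructed for
// illustration; the real xmlSecDSigCtx has many more members.
struct LibCtx {
    unsigned int   flags;
    unsigned int   flags2;
    unsigned int   curRetrievalMethodLevel;  // xmlSecSize == unsigned int
    unsigned int   maxRetrievalMethodLevel;
    int            status;                   // offset 16 on LP64
    std::uintptr_t signValueNode;            // pointer-sized member after status
};

// Stand-in for the application's view: the same header, but compiled without
// XMLSEC_NO_SIZE_T, so xmlSecSize is size_t (8 bytes on LP64).
struct AppCtx {
    unsigned int   flags;
    unsigned int   flags2;
    std::size_t    curRetrievalMethodLevel;  // xmlSecSize == size_t
    std::size_t    maxRetrievalMethodLevel;
    int            status;                   // offset 24 on LP64
    std::uintptr_t signValueNode;
};

// "Library side": verification succeeds and the node address is recorded,
// using the layout the library was built with. Returns 0 like the real call.
int libraryVerify(LibCtx& ctx, std::uintptr_t nodeAddr) {
    ctx.status = StatusSucceeded;
    ctx.signValueNode = nodeAddr;
    return 0;
}

// "Application side": reads ctx->status through its own layout. The bytes are
// copied into an AppCtx-sized, zeroed buffer first so the mismatch is shown
// without reading past the end of the library's object.
int statusSeenByApp(const LibCtx& libView) {
    AppCtx appView;
    std::memset(&appView, 0, sizeof appView);
    std::memcpy(&appView, &libView, sizeof libView);
    return appView.status;
}

// Status read through the layout the library actually used.
int statusSeenByLib(const LibCtx& libView) { return libView.status; }

// Layout agreement check. The real-world equivalent is compiling with the
// defines the library was built with, i.e. $(xmlsec1-config --cflags).
bool layoutsAgree() {
    return sizeof(LibCtx) == sizeof(AppCtx)
        && offsetof(LibCtx, status) == offsetof(AppCtx, status);
}

std::size_t libStatusOffset() { return offsetof(LibCtx, status); }
std::size_t appStatusOffset() { return offsetof(AppCtx, status); }

int main() {
    LibCtx ctx;
    std::memset(&ctx, 0, sizeof ctx);

    // Constructed address, not a real pointer: its low 32 bits read as
    // 5361840 (0x51D0B0) when the application looks at the wrong offset.
    const std::uintptr_t fakeNodeAddr = 0x51D0B0;

    std::cout << "status before verify (lib view): " << statusSeenByLib(ctx) << "\n";
    libraryVerify(ctx, fakeNodeAddr);
    std::cout << "status after verify  (lib view): " << statusSeenByLib(ctx) << "\n";
    std::cout << "status after verify  (app view): " << statusSeenByApp(ctx) << "\n";
    std::cout << "layouts agree: " << (layoutsAgree() ? "yes" : "no")
              << " (lib status offset " << libStatusOffset()
              << ", app status offset " << appStatusOffset() << ")\n";
    return 0;
}
```

<div>The library side reports 1 (succeeded) while the application side reports 5361840, and <code>layoutsAgree()</code> is false because the two struct definitions differ in size and in the offset of <code>status</code>. There is no runtime API in xmlsec to compare layouts, so the practical check is on the build line: compile with <code>$(xmlsec1-config --cflags)</code> and link with <code>$(xmlsec1-config --libs)</code>, or confirm that every <code>-D</code> on the application's command line matches what that script prints.</div>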