From fg at 4js.com Wed Jan 6 05:21:54 2010
From: fg at 4js.com (Frank Gross)
Date: Wed, 06 Jan 2010 14:21:54 +0100
Subject: [xmlsec] Valgrind reports an invalid read that can lead to crash
Message-ID: <4B448E72.2070008@4js.com>

Hi,

I had some random crashes using the xmlsec library for signature, so I did a
test with valgrind that reported an invalid read (see attached valgrind
output). You can see that it happens in the 'xmlXPathFreeNodeSet' function
that is called in 'xmlSecNodeSetDestroy'.

After some investigation, I found out that it is related to the use of an
XPath transformation that builds a list of 'xmlSecNodeSetPtr' in the
'xmlSecXPathDataListExecute' function. In that function a new
'xmlSecNodeSetPtr' is added at the end of the list, containing the nodes to
be signed according to the XPath expression. Unfortunately, the first
'xmlSecNodeSetPtr' of that list has the 'destroyDoc' boolean set to 1, which
tells the 'xmlSecNodeSetDestroy' function to release the whole document, and
when the next 'xmlSecNodeSetPtr' of the list is destroyed it tries to release
the nodes resulting from the XPath expression, but they don't exist anymore
because the document they belong to has been released just before.

To solve the problem I set the 'destroyDoc' of the first element to 0, and
set it to 1 on the last element of the list, so that the document is only
released at the very end. Actually, I simply added the following code at the
end of the xmlSecXPathDataListExecute function, just before the return
instruction:

    ...
    if (res->destroyDoc) {
        /* force the releasing of the document at the end of the list,
           otherwise xmlSecNodeSetDestroy can crash because it will release
           the doc in the first node set but the following ones have
           references to this document too */
        res->destroyDoc = 0;
        res->prev->destroyDoc = 1;
    }

    return(res);
    ...

I don't know if it is correct to do so or if there are some side effects, but
it seems to fix my issue.
Regards,
Frank

-- 
Frank GROSS
Software Engineer - Web Services
Four J's Development Tools - http://www.4js.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: val.xml
Type: text/xml
Size: 11626 bytes

From hlenoir at axway.com Sat Jan 9 23:48:03 2010
From: hlenoir at axway.com (Lenoir Herve)
Date: Sun, 10 Jan 2010 08:48:03 +0100
Subject: [xmlsec] C14n failure with relative namespace
Message-ID: <31248_1263109738_4B49866A_31248_10241775_1_AF9E22FE36430447B0242D04CEB22A8D0F47DA@WBE03.ptx.fr.sopra>

Hi Aleksey,

When I try to sign an XML client file with the exclusive canonicalization
transform, I get this error:

    ^
    C14N error : Relative namespace UR is invalid here : (null)

It seems it's a libxml2 C14n error... For libxml2 this namespace is a
"relative namespace" (a deprecated namespace). When I modify the XML input
file and add "urn:" to ... it works fine!

My problem is:

1) the client can't modify the XML file provided (created by an external
   product);
2) I can't omit the canonicalization (my security policy doesn't permit it).

Do you know another solution to resolve my problem?

Best regards,
Hervé

From aleksey at aleksey.com Tue Jan 12 22:03:54 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 12 Jan 2010 22:03:54 -0800
Subject: [xmlsec] C14n failure with relative namespace
In-Reply-To: <31248_1263109738_4B49866A_31248_10241775_1_AF9E22FE36430447B0242D04CEB22A8D0F47DA@WBE03.ptx.fr.sopra>
Message-ID: <4B4D624A.3090207@aleksey.com>

From the XML C14N spec (http://www.w3.org/TR/xml-c14n):

    Note: This specification supports the recent XML plenary decision to
    deprecate relative namespace URIs as follows: implementations of XML
    canonicalization MUST report an operation failure on documents
    containing relative namespace URIs.
    XML canonicalization MUST NOT be implemented with an XML parser that
    converts relative URIs to absolute URIs.

Sorry.

Aleksey

On 1/9/2010 11:48 PM, Lenoir Herve wrote:
>     ^
>     C14N error : Relative namespace UR is invalid here : (null)
> It seems it's a libxml2 C14n error...

From aleksey at aleksey.com Tue Jan 12 22:06:14 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 12 Jan 2010 22:06:14 -0800
Subject: [xmlsec] Valgrind reports an invalid read that can lead to crash
In-Reply-To: <4B448E72.2070008@4js.com>
Message-ID: <4B4D62D6.2000501@aleksey.com>

Hi Frank!

Thanks for the report and investigation! Do you have a repro test case that
I can look at? Unfortunately, the ownership of the DOM nodes is not trivial
and I can't say for sure if this is the right change or not.

Thank you in advance,

Aleksey

On 1/6/2010 5:21 AM, Frank Gross wrote:
> [...]
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

From aleksey at aleksey.com Wed Jan 13 13:07:57 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 13 Jan 2010 13:07:57 -0800
Subject: [xmlsec] Valgrind reports an invalid read that can lead to crash
In-Reply-To: <4B4D62D6.2000501@aleksey.com>
Message-ID: <4B4E362D.5040105@aleksey.com>

Actually, never mind. I think I created a test case myself: multiple chained
XPath transforms after something like an XSLT transform. Could you please
test the following patch:

http://git.gnome.org/browse/xmlsec/diff/src/nodeset.c?id=8ee4fbabcd651f01c6ec1b6aef70853f27db65a8

to make sure it fixes your use case?

Thanks again for your bug report and investigation!

Aleksey

On 1/12/2010 10:06 PM, Aleksey Sanin wrote:
> [...]
From tom.stejskal at gmail.com Wed Jan 13 22:45:38 2010
From: tom.stejskal at gmail.com (Tomáš Stejskal)
Date: Thu, 14 Jan 2010 07:45:38 +0100
Subject: [xmlsec] mscrypto SHA-2 patch

Hi,

I added support for SHA-2 digests (SHA-256, SHA-384 and SHA-512) into the
mscrypto module; the code works with Windows XP SP3 and higher. The attached
patch is against version 1.2.14.

Tom Stejskal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mscrypto_sha2.patch
Type: text/x-patch
Size: 29238 bytes

From tom.stejskal at gmail.com Wed Jan 13 22:56:26 2010
From: tom.stejskal at gmail.com (Tomáš Stejskal)
Date: Thu, 14 Jan 2010 07:56:26 +0100
Subject: [xmlsec] mscrypto SHA-2 patch

The patch had mixed newlines; here it is in CRLF format.

2010/1/14 Tomáš Stejskal:
> Hi,
>
> I added support for SHA-2 digests (SHA-256, SHA-384 and SHA-512) into
> the mscrypto module, the code works with Windows XP SP3 and higher.
> The attached patch is against version 1.2.14.
>
> Tom Stejskal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mscrypto_sha2.patch
Type: text/x-patch
Size: 29981 bytes

From fg at 4js.com Thu Jan 14 02:10:34 2010
From: fg at 4js.com (Frank Gross)
Date: Thu, 14 Jan 2010 11:10:34 +0100
Subject: [xmlsec] Valgrind reports an invalid read that can lead to crash
In-Reply-To: <4B4E362D.5040105@aleksey.com>
Message-ID: <4B4EED9A.2070600@4js.com>

Hi Aleksey,

Sorry for the delay, but I had a lot of work. I applied your patch and it
fixes my issue, and all my tests passed successfully too.

Thanks,
Frank

Aleksey Sanin wrote:
> Actually, never mind. I think I created a test case myself:
> multiple chained XPath transforms after something like xslt
> transform. Could you please test the following patch:
>
> http://git.gnome.org/browse/xmlsec/diff/src/nodeset.c?id=8ee4fbabcd651f01c6ec1b6aef70853f27db65a8
>
> to make sure it fixes your use case?
>
> [...]
From aleksey at aleksey.com Thu Jan 14 07:49:22 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 14 Jan 2010 07:49:22 -0800
Subject: [xmlsec] Valgrind reports an invalid read that can lead to crash
In-Reply-To: <4B4EED9A.2070600@4js.com>
Message-ID: <4B4F3D02.6040407@aleksey.com>

Cool! Thanks for testing and letting me know!

Aleksey

On 1/14/2010 2:10 AM, Frank Gross wrote:
> Hi Aleksey,
>
> Sorry for the delay, but I had a lot of work.
> I applied your patch and it fixes my issue, and all my tests passed
> successfully too.
>
> Thanks,
> Frank
>
> [...]
From xmlsec at roumenpetrov.info Thu Jan 14 14:59:49 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Fri, 15 Jan 2010 00:59:49 +0200
Subject: [xmlsec] mscrypto SHA-2 patch
Message-ID: <4B4FA1E5.2070304@roumenpetrov.info>

Tomáš Stejskal wrote:
> The patch had mixed newlines, here is in CRLF format.
>
> 2010/1/14 Tomáš Stejskal:
>> Hi,
>>
>> I added support for SHA-2 digests (SHA-256, SHA-384 and SHA-512) into
>> the mscrypto module, the code works with Windows XP SP3 and higher.
>> The attached patch is against version 1.2.14.
>>
>> Tom Stejskal

About the defines: why is

    #define CALG_XXX

not in the form

    #define CALG_XXX (ALG_CLASS_HASH|ALG_TYPE_ANY|ALG_SID_XXX)

?

#define MS_ENH_RSA_AES_PROV_XP and MS_ENH_RSA_AES_PROV_VISTA: why? What are
the MSDN defines for those? I guess just MS_ENH_RSA_AES_PROV, defined as
MS_ENH_RSA_AES_PROV_{A|W}. Also, why _VISTA; what about 2003? For Windows
5.1 (XP) the name is "XXX (Prototype)" and for subsequent releases just
"XXX". How is it better to implement this: a command line parameter, or
automatic detection?

Based on your post MSDN is not correct for _SHA_XXX where XXX is 256, 384,
512. MSDN says that for XP and W2K the algorithm is not supported. Did the
provider name "Microsoft Enhanced RSA and AES Cryptographic Provider" work on
XP SP3?

Based on this, maybe it is better, if not defined, to define only
MS_ENH_RSA_AES_PROV_{A|W} depending on the value of _WIN32_WINNT(?)
i.e.:

==============
#if (_WIN32_WINNT == 0x0501)
#define MS_ENH_RSA_AES_PROV_A "XXX (Prototype)"
#define MS_ENH_RSA_AES_PROV_W L"XXX (Prototype)"
#elif (_WIN32_WINNT > 0x0501)
#define MS_ENH_RSA_AES_PROV_A "XXX"
#define MS_ENH_RSA_AES_PROV_W L"XXX"
#endif

#if (_WIN32_WINNT >= 0x0501)
#ifdef UNICODE
#define MS_ENH_RSA_AES_PROV MS_ENH_RSA_AES_PROV_W
#else
#define MS_ENH_RSA_AES_PROV MS_ENH_RSA_AES_PROV_A
#endif
#endif /* _WIN32_WINNT >= 0x0501 */
==============

Other comments:

------------------
- if (!CryptAcquireContext(&hProv,
+ if (ctx->providerType = 1)
+ {
+ if (!CryptAcquireContext(&hProv, NULL, MS_ENH_RSA_AES_PROV_XP,
+ 24, CRYPT_VERIFYCONTEXT))
+ {
+ CryptAcquireContext(&hProv, NULL, MS_ENH_RSA_AES_PROV_VISTA,
+ 24, CRYPT_VERIFYCONTEXT);
+ }
+ }
+ if ((hProv == 0) && !CryptAcquireContext(&hProv,
------------------

Where is providerType set to a value different from PROV_RSA_FULL (i.e. 1)?

The return value is not checked (same as the one above)!

Conversion from wide to ANSI for the container name: this may be valid only
if UNICODE is not defined.

Roumen

From juan.prieto at atosresearch.eu Mon Jan 25 08:52:20 2010
From: juan.prieto at atosresearch.eu (Juan Luis Prieto Martinez)
Date: Mon, 25 Jan 2010 17:52:20 +0100
Subject: [xmlsec] PEM Keys comparison

Hi all,

I am building a library for a project using xmlSec as the main API. The main
problem I am facing is the comparison of 2 keys extracted from PEM
certificates. To do so I try to extract a key from a file, and the other is
passed to me as a parameter of my function; the parameter is already an
xmlSecKey structure. To get the first key I do this:

    nCert0 = xmlSecCryptoAppKeyCertLoad(key0, certfile, xmlSecKeyDataFormatPem);

I am not able to handle the crypto material inside the key. So it is the case
with the parameter that I use to compare with.

I have tried different approaches to this issue with no success; have you
ever had this issue before?
If not, can you tell me, once you get the xmlSecKeyDataPtr, how to extract
the value to see the key?

Kind Regards
Juan Luis

------------------------------------------------------------------
This e-mail and the documents attached are confidential and intended
solely for the addressee; it may also be privileged. If you receive
this e-mail in error, please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos Origin
group liability cannot be triggered for the message content. Although
the sender endeavours to maintain a computer virus-free network,
the sender does not warrant that this transmission is virus-free and
will not be liable for any damages resulting from any virus transmitted.
------------------------------------------------------------------

From aleksey at aleksey.com Mon Jan 25 09:06:30 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 25 Jan 2010 09:06:30 -0800
Subject: [xmlsec] PEM Keys comparison
Message-ID: <4B5DCF96.2030700@aleksey.com>

You can't always extract the key material for security reasons (e.g. if the
key is stored on a hardware token).
If you are using OpenSSL, then you need to get the EVP_PKEY pointer and then
use something like the EVP_PKEY_cmp() function:

http://www.openssl.org/docs/crypto/EVP_PKEY_cmp.html

Aleksey

On 1/25/2010 8:52 AM, Juan Luis Prieto Martinez wrote:
> [...]
From mahendra0203 at gmail.com Thu Jan 28 03:45:06 2010
From: mahendra0203 at gmail.com (mahendra N)
Date: Thu, 28 Jan 2010 17:15:06 +0530
Subject: [xmlsec] xmlSecDSigCtxVerify fails
Message-ID: <8641742c1001280345w3e4c6fd0v2d30ce0d76312e04@mail.gmail.com>

Hi,

We are using the xmlSecDSigCtxVerify API to check whether a license file is
tampered. The license file is in W3 XML format. Shouldn't the status element
of the xmlSecDSigCtxPtr structure capture the error if the license file is
tampered? But it's happening; the error is caught by the signKey element on
x86, but signKey accesses a wrong pointer on MIPS. How should we go about the
issue?

Thanks and Regards,
Mahendra Naik

From aleksey at aleksey.com Thu Jan 28 07:39:56 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 28 Jan 2010 07:39:56 -0800
Subject: [xmlsec] xmlSecDSigCtxVerify fails
In-Reply-To: <8641742c1001280345w3e4c6fd0v2d30ce0d76312e04@mail.gmail.com>
Message-ID: <4B61AFCC.1030202@aleksey.com>

Sorry, I don't understand. Can you provide an example?
Aleksey

On 1/28/2010 3:45 AM, mahendra N wrote:
> [...]

From aleksey at aleksey.com Thu Jan 28 20:42:50 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 28 Jan 2010 20:42:50 -0800
Subject: [xmlsec] xmlSecDSigCtxVerify fails
In-Reply-To: <8641742c1001282032w3b28ddaao7712ec5596bba9af@mail.gmail.com>
Message-ID: <4B62674A.4060205@aleksey.com>

Can you reproduce the problem with the xmlsec command line utility?
Unfortunately, I don't have MIPS around and I can't debug this. It smells
like some compilation issue either in xmlsec or openssl. Try to compile
openssl from C code, don't use assembler. And also try to disable all the
optimizations in openssl and gcc.

Aleksey

On 1/28/2010 8:32 PM, mahendra N wrote:
> We are using xmlsec 1.2.12 to check whether a license file is tampered.
> We are testing it on x86, SPARC and MIPS. The xmlSecDSigCtxVerify function
> is used to check whether the signature is valid or not.
> On x86 and SPARC I get the logs as:
>
>     xmlSecOpenSSLEvpDigestVerify: XmlSec Error data and digest do
>     not match (12)
>
>     xmlSecDSigCtxPtr->status = xmlSecDSigStatusInvalid;
>
> but in case of MIPS the logs are:
>
>     xmlSecOpenSSLEvpDigestVerify: XmlSec Error data and digest do
>     not match (12)
>
>     xmlSecDSigCtxPtr->status = xmlSecDSigStatusSucceeded;
>
> so tampering of the license is undetected on MIPS.
>
> 2010/1/28 Aleksey Sanin:
>> [...]

From aleksey at aleksey.com Fri Jan 29 07:39:30 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Fri, 29 Jan 2010 07:39:30 -0800
Subject: [xmlsec] xmlSecDSigCtxVerify fails
In-Reply-To: <8641742c1001290124l2e91170bqa3e0b285a1aec452@mail.gmail.com>
Message-ID: <4B630132.4070904@aleksey.com>

You have multiple versions of the library on your system. Incorrect
LD_LIBRARY_PATH?
Aleksey

On 1/29/2010 1:24 AM, mahendra N wrote:
> Hi Aleksey,
> When I try to reproduce the error, I get the following error:
>
>     func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec library function failed:mode=abi compatible;expected minor version=2;real minor version=2;expected subminor version=12;real subminor version=11
>
>     Error: loaded xmlsec library version is not compatible.
>     Error: initialization failed
>
> Thanks and Regards,
> Mahendra Naik
>
> 2010/1/29 Aleksey Sanin:
>> [...]
From aleksey at aleksey.com Mon Feb 1 07:35:53 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 01 Feb 2010 07:35:53 -0800
Subject: [xmlsec] xmlSecDSigCtxVerify fails
In-Reply-To: <8641742c1002010411u1da82bb4m9be6ec5da8d839e7@mail.gmail.com>
References: <8641742c1001280345w3e4c6fd0v2d30ce0d76312e04@mail.gmail.com> <4B61AFCC.1030202@aleksey.com> <8641742c1001282032w3b28ddaao7712ec5596bba9af@mail.gmail.com> <4B62674A.4060205@aleksey.com> <8641742c1001290124l2e91170bqa3e0b285a1aec452@mail.gmail.com> <4B630132.4070904@aleksey.com> <8641742c1002010411u1da82bb4m9be6ec5da8d839e7@mail.gmail.com>
Message-ID: <4B66F4D9.4050103@aleksey.com>

The symbol lookup problem is again related to multiple versions of the xmlsec library.

This makes me suspicious that the second problem is also caused by a mismatch between headers and the actual loaded .so library.

One more idea - try to compile xmlsec as a static library w/o dynamic loading for the crypto library.

Aleksey

On 2/1/2010 4:11 AM, mahendra N wrote:
> Hi aleksey,
> Yes, there were multiple versions of the library on my system. I have resolved the issue now. Now i get the following error
>
> xmlsec1: symbol lookup error: /usr/lib64/libxmlsec1.so.1: undefined symbol: xmlSecNameAESKeyValue
>
> And one more observation:
> when i try to access the following value dsigCtx->signMethod->status ; i get a segmentation fault on windriver linux(mips). but it works fine on red hat linux(x86).
> Regards,
> Mahendra Naik
From aleksey at aleksey.com Wed Feb 3 08:37:41 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 03 Feb 2010 08:37:41 -0800
Subject: [xmlsec] xmlSecDSigCtxVerify fails
In-Reply-To: <8641742c1002022334j6526720di7a14c05842364fd7@mail.gmail.com>
References: <8641742c1001280345w3e4c6fd0v2d30ce0d76312e04@mail.gmail.com> <4B61AFCC.1030202@aleksey.com> <8641742c1001282032w3b28ddaao7712ec5596bba9af@mail.gmail.com> <4B62674A.4060205@aleksey.com> <8641742c1001290124l2e91170bqa3e0b285a1aec452@mail.gmail.com> <4B630132.4070904@aleksey.com> <8641742c1002010411u1da82bb4m9be6ec5da8d839e7@mail.gmail.com> <4B66F4D9.4050103@aleksey.com> <8641742c1002022334j6526720di7a14c05842364fd7@mail.gmail.com>
Message-ID: <4B69A655.4080905@aleksey.com>

IMHO, you have data corruption somewhere in your program. The fact that you can't reproduce the problem with the xmlsec command line tool indicates to me that this is somewhere in your code. Did you try valgrind?

Aleksey

On 2/2/2010 11:34 PM, mahendra N wrote:
> Hi Aleksey,
> Still I am not able to reproduce the error on the command line. I have done some further analysis on the topic.
>
> I was looking through the xmlsec-1.2.12 code,
> We verify the signature using the xmlSecDSigCtxVerify function in xmldsig.c
>
> There is a very strange behavior observed, xmlSecDSigCtxVerify returns xmlSecDSigStatusInvalid when an XML file is tampered.
> the function works perfectly fine, but somehow the value of status is always xmlSecDSigStatusSucceeded when it returns from xmlSecDSigCtxVerify.
> I put some print statements in the xmlsec code in the xmlSecDSigCtxVerify function.
> the function returns dSigCtx->status = xmlSecDSigStatusInvalid but it is always dSigCtx->status = xmlSecDSigStatusSucceeded when we try to print the value of dSigCtx->status after return from the xmlSecDSigCtxVerify function. even when I modified the code and set dSigCtx->status = xmlSecDSigStatusUnknown, the value of dSigCtx->status was xmlSecDSigStatusSucceeded after return from the xmlSecDSigCtxVerify function.
>
> Somehow the value of dSigCtx->status is being set to xmlSecDSigStatusSucceeded always. Any help would be greatly appreciated.
>
> Thanks in advance,
> Mahendra Naik
From aleksey at aleksey.com Wed Feb 3 22:40:45 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 03 Feb 2010 22:40:45 -0800
Subject: [xmlsec] xmlSecDSigCtxVerify fails
In-Reply-To: <8641742c1002032215l31b4817ej501bbffd320ea86f@mail.gmail.com>
References: <8641742c1001280345w3e4c6fd0v2d30ce0d76312e04@mail.gmail.com> <4B61AFCC.1030202@aleksey.com> <8641742c1001282032w3b28ddaao7712ec5596bba9af@mail.gmail.com> <4B62674A.4060205@aleksey.com> <8641742c1001290124l2e91170bqa3e0b285a1aec452@mail.gmail.com> <4B630132.4070904@aleksey.com> <8641742c1002010411u1da82bb4m9be6ec5da8d839e7@mail.gmail.com> <4B66F4D9.4050103@aleksey.com> <8641742c1002022334j6526720di7a14c05842364fd7@mail.gmail.com> <4B69A655.4080905@aleksey.com> <8641742c1002032215l31b4817ej501bbffd320ea86f@mail.gmail.com>
Message-ID: <4B6A6BED.7010409@aleksey.com>

See my answers inline.

Aleksey

On 2/3/2010 10:15 PM, mahendra N wrote:
> Hi Aleksey,
> In xmlSecDSigCtxVerify there are calls to two functions, xmlSecDSigCtxProcessSignatureNode and xmlSecTransformVerifyNodeContent. After the call to xmlSecDSigCtxProcessSignatureNode there is a check placed for dSigCtx->status != xmlSecDSigStatusUnknown. If there is a success then the function returns 0. Is this check absolutely necessary at that point in the code?
> Because when we comment out the check and proceed further, then xmlSecTransformVerifyNodeContent returns -1 for any XML file that is tampered.

[Aleksey] The check there returns -1 if the status is NOT equal to xmlSecDSigStatusUnknown. This is a check to make sure that we don't have unexpected state in the signature. One of the possible cases where it might happen is if you are re-using the *same* xmlDsigCtx for multiple signatures w/o calling xmlSecDSigCtxFinalize().

> And I tried with the purify tool, there was no memory corruption reported.
> Aleksey, the system where this error is reproduced is a 64-bit, MIPS architecture, Windriver linux.
> Are there any specific compiler flags to be set for the above mentioned configuration?

[Aleksey] No idea. Never used such a setup.

> Some more investigation that was done:
> (i) The unpredictable behaviour is due to mismatch of the memory location of the status member of the structure struct xmlSecDSigCtx.
> (ii) I tried to get the address of each of the member variables of structure xmlSecDSigCtx. Please find it below.
> Inside the ImplLibXml (our local file)
>
> dsigCtx Address (4832286288) + size (8)
> Address of userData(4832286288) + size(8)
> Address of flags(4832286296) + size(4)
> Address of flags2(4832286300) + size(4)
> Address of keyInfoReadCtx(4832286304) + size(368)
> Address of keyInfoWriteCtx(4832286672) + size(368)
> Address of transformCtx(4832287040) + size(136)
> Address of enabledReferenceUris(4832287176) + size(4)
> Address of enabledReferenceTransforms(4832287184) + size(8)
> Address of referencePreExecuteCallback(4832287192) + size(8)
> Address of defSignMethodId(4832287200) + size(8)
> Address of defC14NMethodId(4832287208) + size(8)
> Address of defDigestMethodId(4832287216) + size(8)
> Address of signKey(4832287224) + size(8)
> Address of operation(4832287232) + size(4)
> Address of result(4832287240) + size(8)
> Address of status(4832287248) + size(4)
> Address of signMethod(4832287256) + size(8)
> Address of preSignMemBufMethod(4832287272) + size(8)
> Address of signValueNode(4832287280) + size(8)
> Address of id(4832287288) + size(8)
> Address of signedInfoReferences(4832287296) + size(40)
> Address of manifestReferences(4832287336) + size(40)
> Address of reserved0(4832287376) + size(8)
> Address of reserved1(4832287384) + size(8)
>
> ImplLibXml **END**
>
> Inside xmlsec
>
> dsigCtx Address (4832286288) + size (8)
> Address of userData(4832286288) + size(8)
> Address of flags(4832286296) + size(4)
> Address of flags2(4832286300) + size(4)
> Address of keyInfoReadCtx(4832286304) + size(344)
> Address of keyInfoWriteCtx(4832286648) + size(344)
> Address of transformCtx(4832286992) + size(128)
> Address of enabledReferenceUris(4832287120) + size(4)
> Address of enabledReferenceTransforms(4832287128) + size(8)
> Address of referencePreExecuteCallback(4832287136) + size(8)
> Address of defSignMethodId(4832287144) + size(8)
> Address of defC14NMethodId(4832287152) + size(8)
> Address of defDigestMethodId(4832287160) + size(8)
> Address of signKey(4832287168) + size(8)
> Address of operation(4832287176) + size(4)
> Address of result(4832287184) + size(8)
> Address of status(4832287192) + size(4)
> Address of signMethod(4832287200) + size(8)
> Address of preSignMemBufMethod(4832287216) + size(8)
> Address of signValueNode(4832287224) + size(8)
> Address of id(4832287232) + size(8)
> Address of signedInfoReferences(4832287240) + size(32)
> Address of manifestReferences(4832287272) + size(32)
> Address of reserved0(4832287304) + size(8)
> Address of reserved1(4832287312) + size(8)
>
> xmlSecDSigCtxVerify **END**
>
> Please observe that the main culprits for the mismatch of memory location are three user defined data members:
> Address of keyInfoReadCtx(4832286304) + size(368) -- 24 bytes more
> Address of keyInfoWriteCtx(4832286672) + size(368) -- 24 bytes more
> Address of transformCtx(4832287040) + size(136) -- 8 bytes more.
>
> But I find the consistency in the case of the status member is that the difference of location (i.e. between the status member in xmlsec and in ImplLibXml) is always 56 bytes, as above the memory difference is also 56 bytes. I feel the issue on MIPS is somehow related to memory mapping issues.

[Aleksey] Bingo! As I said, it feels like you have a problem with compiler flags. Check data alignment related flags for xmlsec compilation vs. your program compilation. This obviously explains why you can't reproduce this problem with the xmlsec command line tool.

From bdauvergne at entrouvert.com Wed Feb 10 08:48:55 2010
From: bdauvergne at entrouvert.com (Benjamin Dauvergne)
Date: Wed, 10 Feb 2010 17:48:55 +0100
Subject: [xmlsec] Loading publickeys from KeyInfo/X509Data
Message-ID: <4B72E377.6040606@entrouvert.com>

Hi,

We are using XMLSec inside the library Lasso (http://lasso.entrouvert.org) to handle XML signature and encryption in SAML 1.0 and 2.0 protocols.
I recently changed our ad-hoc (and wrong ;) ) code for reading KeyInfo nodes to use xmlSecKeyInfoNodeRead in order to support all the KeyInfo content out there (RSAKeyValue and all) correctly.

My problem is that if we disable certificate validation (as SAML advises us to do when consuming service metadata) with XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS then the public key of the certificate is not loaded; only the certificate is attached to the xmlSecKey structure. I do not think that this is the behaviour expected. I tried setting certsVerificationDepth to 0, in order to at least accept self-signed certificates (which would be a beginning) but I discovered this flag is of no use since it is not propagated to the backend's (here we use OpenSSL) verification context.

So for the moment I'm forced to load the key by hand but it adds a strong coupling between our library and OpenSSL (that we expected xmlsec could hide).

Here is the code for fixing badly loaded public keys:

    /* silence the expected error output from the key-info read */
    xmlSecErrorsDefaultCallbackEnableOutput(FALSE);
    rc = xmlSecKeyInfoNodeRead(key_info, key, &ctx);
    xmlSecErrorsDefaultCallbackEnableOutput(TRUE);
    xmlSecKeyInfoCtxFinalize(&ctx);

    if (rc == 0) {
        xmlSecKeyDataPtr cert_data;

        /* with DONT_VERIFY_CERTS the X509Data is attached but no key value is set,
         * so extract the public key from the first certificate ourselves */
        cert_data = xmlSecKeyGetData(key, xmlSecOpenSSLKeyDataX509Id);
        if (cert_data) {
            X509 *cert;

            cert = xmlSecOpenSSLKeyDataX509GetCert(cert_data, 0);
            if (cert) {
                xmlSecKeyDataPtr cert_key;

                cert_key = xmlSecOpenSSLX509CertGetKey(cert);
                if (cert_key == NULL) {
                    goto next;
                }
                rc = xmlSecKeySetValue(key, cert_key);
                if (rc < 0) {
                    xmlSecKeyDataDestroy(cert_key);
                    goto next;
                }
            }
        }
    }

The full code of the function is at:
http://perso.entrouvert.org/~bdauvergne/git/cgit.cgi?url=lasso-perso/tree/lasso/xml/tools.c#n2003

I'm thinking of making a patch to xmlsec to load the key anyway when validation is disabled, and to support certsVerificationDepth for OpenSSL. What do you think of this program ?
From aleksey at aleksey.com Wed Feb 10 09:24:41 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 10 Feb 2010 09:24:41 -0800
Subject: [xmlsec] Loading publickeys from KeyInfo/X509Data
In-Reply-To: <4B72E377.6040606@entrouvert.com>
References: <4B72E377.6040606@entrouvert.com>
Message-ID: <4B72EBD9.9010000@aleksey.com>

Right. There is a problem that the DONT_VERIFY_CERTS flag disables both certs verification and key extraction.

The problem is that w/o verification you can't build certs chain and you don't know which certificate is the "top" one to use for key extraction.

Aleksey
From bdauvergne at entrouvert.com Wed Feb 10 09:36:05 2010
From: bdauvergne at entrouvert.com (Benjamin Dauvergne)
Date: Wed, 10 Feb 2010 18:36:05 +0100
Subject: [xmlsec] Loading publickeys from KeyInfo/X509Data
In-Reply-To: <4B72EBD9.9010000@aleksey.com>
References: <4B72E377.6040606@entrouvert.com> <4B72EBD9.9010000@aleksey.com>
Message-ID: <4B72EE85.5040808@entrouvert.com>

Aleksey Sanin wrote:
> Right. There is a problem that the DONT_VERIFY_CERTS flag disables both certs verification and key extraction.
>
> The problem is that w/o verification you can't build certs chain and you don't know which certificate is the "top" one to use for key extraction.

But if there is only one certificate (99,9% of our cases ;) ) it's easy. And what happens if you have two valid certificates but not related (not in a child/parent relation)? From which one do you take the key?
Would special casing for lone certificates, with a warning in other cases, be acceptable?

From aleksey at aleksey.com Wed Feb 10 10:09:35 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 10 Feb 2010 10:09:35 -0800
Subject: [xmlsec] Loading publickeys from KeyInfo/X509Data
In-Reply-To: <4B72EE85.5040808@entrouvert.com>
References: <4B72E377.6040606@entrouvert.com> <4B72EBD9.9010000@aleksey.com> <4B72EE85.5040808@entrouvert.com>
Message-ID: <4B72F65F.9010602@aleksey.com>

This is exactly the point: it is hard to do in the "generic" case. I hear you and I understand your pain but I also want to have a solution for a generic library.

Aleksey
From aleksey at aleksey.com Wed Feb 10 21:25:57 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 10 Feb 2010 21:25:57 -0800
Subject: [xmlsec] xmlSecDSigCtxVerify fails
In-Reply-To: <8641742c1002102125i1091944ai93eadd283e349fde@mail.gmail.com>
References: <8641742c1001280345w3e4c6fd0v2d30ce0d76312e04@mail.gmail.com> <8641742c1002010411u1da82bb4m9be6ec5da8d839e7@mail.gmail.com> <4B66F4D9.4050103@aleksey.com> <8641742c1002022334j6526720di7a14c05842364fd7@mail.gmail.com> <4B69A655.4080905@aleksey.com> <8641742c1002032215l31b4817ej501bbffd320ea86f@mail.gmail.com> <4B6A6BED.7010409@aleksey.com> <8641742c1002032303n3bd3c7e5oc5fe9e3fa9254fd3@mail.gmail.com> <4B6A7218.4080508@aleksey.com> <8641742c1002032313x179a812epa2a490ce40552120@mail.gmail.com> <8641742c1002102125i1091944ai93eadd283e349fde@mail.gmail.com>
Message-ID: <4B7394E5.208@aleksey.com>

Thanks! Great to know!

Aleksey

On 2/10/2010 9:25 PM, mahendra N wrote:
> Hi Aleksey,
> We were able to sort out the problem. We had to compile our program with the XMLSEC_NO_SIZE_T flag before porting it to the MIPS 64 bit system. Thanks for all your time Aleksey.
> Thanks and Regards,
> Mahendra Naik
>
> 2010/2/4 mahendra N
>
> > Hi,
> > What should the function return, 0 or -1? Is the code piece right?
> > Thanks and Regards,
> > Mahendra Naik
> >
> > 2010/2/4 Aleksey Sanin
> >
> > > Ah, OK. I was looking at the other place.
> > >
> > > Aleksey
> > >
> > > On 2/3/2010 11:03 PM, mahendra N wrote:
> > > > Hi,
> > > >
> > > > I have attached some comments inline
> > > >
> > > > Thanks and Regards,
> > > > Mahendra Naik
> > > >
> > > > 2010/2/4 Aleksey Sanin
> > > >
> > > > > See my answers inline.
> > > > > [Aleksey] The check there returns -1 if the status is NOT equal to xmlSecDSigStatusUnknown. This is a check to make sure that we don't have unexpected state in the signature. One of the possible cases where it might happen is if you are re-using the *same* xmlDsigCtx for multiple signatures w/o calling xmlSecDSigCtxFinalize().
> > > >
> > > > The check returns 0, not -1.
> > > > I am attaching the code piece here. I've marked the concerned part.
> > > >     int xmlSecDSigCtxVerify(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr node) {
> > > >         int ret;
> > > >
> > > >         xmlSecAssert2(dsigCtx != NULL, -1);
> > > >         xmlSecAssert2(node != NULL, -1);
> > > >         xmlSecAssert2(node->doc != NULL, -1);
> > > >
> > > >         /* add ids for Signature nodes */
> > > >         dsigCtx->operation = xmlSecTransformOperationVerify;
> > > >         dsigCtx->status = xmlSecDSigStatusUnknown;
> > > >         xmlSecAddIDs(node->doc, node, xmlSecDSigIds);
> > > >
> > > >         /* read signature info */
> > > >         ret = xmlSecDSigCtxProcessSignatureNode(dsigCtx, node);
> > > >         if(ret < 0) {
> > > >             xmlSecError(XMLSEC_ERRORS_HERE,
> > > >                         NULL,
> > > >                         "xmlSecDSigCtxSigantureProcessNode",
> > > >                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
> > > >                         XMLSEC_ERRORS_NO_MESSAGE);
> > > >             return(-1);
> > > >         }
> > > >         xmlSecAssert2(dsigCtx->signMethod != NULL, -1);
> > > >         xmlSecAssert2(dsigCtx->signValueNode != NULL, -1);
> > > >
> > > >         /* references processing might change the status */
> > > >         if(dsigCtx->status != xmlSecDSigStatusUnknown) {   /* <-- the check in question */
> > > >             return(0);
> > > >         }
> > > >
> > > >         /* verify SignatureValue node content */
> > > >         ret = xmlSecTransformVerifyNodeContent(dsigCtx->signMethod,
> > > >                                                dsigCtx->signValueNode,
> > > >                                                &(dsigCtx->transformCtx));
> > > >         if(ret < 0) {
> > > >             xmlSecError(XMLSEC_ERRORS_HERE,
> > > >                         NULL,
> > > >                         "xmlSecTransformVerifyNodeContent",
> > > >                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
> > > >                         XMLSEC_ERRORS_NO_MESSAGE);
> > > >             return(-1);
> > > >         }
> > > >
> > > >         /* set status and we are done */
> > > >         if(dsigCtx->signMethod->status == xmlSecTransformStatusOk) {
> > > >             dsigCtx->status = xmlSecDSigStatusSucceeded;
> > > >         } else {
> > > >             dsigCtx->status = xmlSecDSigStatusInvalid;
> > > >         }
> > > >         return(0);
> > > >     }
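The struct-offset mismatch diagnosed in this thread, as an added example that is not xmlsec's code: a constructed two-view mimic of a context struct where the library was built with XMLSEC_NO_SIZE_T (xmlSecSize is unsigned int) and the application's headers were compiled without it (xmlSecSize is size_t), plus a layout self-check in the spirit of xmlSecCheckVersionExt. The field names, the status enum values and the check function are assumptions for illustration, not xmlsec's API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed mimic (not xmlsec code): two compile-time views of one context.
 * Every member after the size-typed fields shifts when size_t and
 * unsigned int differ in width, so the application reads `status` from
 * the wrong place while the library wrote it to the right one. */

enum dsig_status { STATUS_UNKNOWN = 0, STATUS_SUCCEEDED = 1, STATUS_INVALID = 2 };

/* Layout as compiled inside the library (XMLSEC_NO_SIZE_T defined). */
struct lib_ctx {
    void         *user_data;
    unsigned int  key_info_size[3];  /* stand-ins for xmlSecSize members */
    void         *sign_key;
    int           status;            /* written by the library's verify */
    int           transform_status;
    void         *sign_method;
};

/* The same context as the application's headers describe it (flag absent). */
struct app_ctx {
    void         *user_data;
    size_t        key_info_size[3];  /* 8 bytes each on an LP64 target */
    void         *sign_key;
    int           status;            /* what the application reads back */
    int           transform_status;
    void         *sign_method;
};

/* Storage large enough for either view, so the demo never reads out of bounds. */
#define CTX_STORAGE (sizeof(struct lib_ctx) > sizeof(struct app_ctx) \
                     ? sizeof(struct lib_ctx) : sizeof(struct app_ctx))

size_t lib_status_offset(void) { return offsetof(struct lib_ctx, status); }
size_t app_status_offset(void) { return offsetof(struct app_ctx, status); }

/* "Library side": verification ran and its verdict is recorded in the
 * library's own layout; everything else (pointers included) stays zero. */
static void lib_verify(unsigned char *storage, int verdict) {
    struct lib_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.status = verdict;
    memcpy(storage, &ctx, sizeof ctx);
}

/* "Application side": reads status back through its own, different layout.
 * On LP64 the application's `status` offset lands on the library's zeroed
 * `sign_method` pointer, so an INVALID verdict reads back as UNKNOWN. */
int app_reads_status_after_lib_verify(int verdict) {
    unsigned char storage[CTX_STORAGE];
    struct app_ctx view;
    memset(storage, 0, sizeof storage);
    lib_verify(storage, verdict);
    memcpy(&view, storage, sizeof view);
    return view.status;
}

/* Defensive check: the library reports the layout it was built with and the
 * application compares it with its own compile-time view before trusting any
 * field. Returns 1 when both agree, 0 when build flags produced different layouts. */
static void lib_report_layout(size_t *ctx_size, size_t *status_off) {
    *ctx_size   = sizeof(struct lib_ctx);
    *status_off = offsetof(struct lib_ctx, status);
}

int app_check_layout(void) {
    size_t lib_size, lib_off;
    lib_report_layout(&lib_size, &lib_off);
    return lib_size == sizeof(struct app_ctx)
        && lib_off  == offsetof(struct app_ctx, status);
}

int main(void) {
    printf("offset of status: library %zu, application %zu\n",
           lib_status_offset(), app_status_offset());
    printf("library recorded %d, application read back %d\n",
           STATUS_INVALID, app_reads_status_after_lib_verify(STATUS_INVALID));
    printf("layout check: %s\n",
           app_check_layout() ? "ok" : "MISMATCH, refuse to use this context");
    return 0;
}
```

On a 32-bit target both views coincide and the check passes; on an LP64 build the offsets differ and the verdict is silently lost, which is exactly the "tampering undetected" symptom reported above.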
From ccgenealogy at hotmail.com Thu Feb 11 14:26:41 2010
From: ccgenealogy at hotmail.com (Mark Young)
Date: Thu, 11 Feb 2010 14:26:41 -0800
Subject: [xmlsec] Removing certificates from keys manager
Message-ID:

Is there a method to remove a certificate from the keys manager? Or would I just need to delete my keys manager, create a new one, and add the certs that I still want to use? The certs are being added with the xmlSecCryptoAppKeysMngrCertLoadMemory function.

From aleksey at aleksey.com Thu Feb 11 15:03:39 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 11 Feb 2010 15:03:39 -0800
Subject: [xmlsec] Removing certificates from keys manager
In-Reply-To:
References:
Message-ID: <4B748CCB.3070102@aleksey.com>

Hm... Good question! I think for some crypto libraries you can go directly to the certs in the library (e.g. mscrypto) but xmlsec doesn't expose a generic interface for this (hint: I love patches :) ).

Aleksey
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

From gauravgangwaar at gmail.com Thu Feb 18 05:57:19 2010
From: gauravgangwaar at gmail.com (Gaurav Gangwar)
Date: Thu, 18 Feb 2010 19:27:19 +0530
Subject: [xmlsec] support for
Message-ID: <33a2c3eb1002180557q3bf2d705q2e5593b6c30c73ed@mail.gmail.com>

Hi Aleksey,

I am verifying the signature file with following format from W3C spec ... .... .... ... MI... MI... J............

I am getting the signature verification failure. Error is:

    func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match

I am concluding that the problem is because of #prop is due to the fact that I am not getting any error with other signature files which don't have #prop.

So my question is does xmlsec support ? If yes then to which version I have to update? If not please point me to where I have to make changes to support this.

Thanks and Regards
Gaurav

From aleksey at aleksey.com Thu Feb 18 07:34:06 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 18 Feb 2010 07:34:06 -0800
Subject: [xmlsec] support for
In-Reply-To: <33a2c3eb1002180557q3bf2d705q2e5593b6c30c73ed@mail.gmail.com>
References: <33a2c3eb1002180557q3bf2d705q2e5593b6c30c73ed@mail.gmail.com>
Message-ID: <4B7D5DEE.6070706@aleksey.com>

The reference uris are supported by xmlsec from the very beginning and the fact that the first step of verification (digests check) succeeded shows that that part worked fine. Try to run xmlsec command line tool with --store-signatures and --store-references flags. This will print exact details of what was signed and verified.
Aleksey

On 2/18/2010 5:57 AM, Gaurav Gangwar wrote:
> Hi Aleksey,
>
> I am verifying the signature file with following format from W3C spec
>
> Id="DistributorASignature"
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> ...
> ....
> ....
> ...
> MI...
> MI...
> URI="http://www.w3.org/ns/widgets-digsig#role-distributor" />
> J............
>
> I am getting the signature verification failure
> Error is :
> func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data
> do not match:signature do not match
>
> I am concluding that the problem is because of #prop is due to the fact
> that I am not getting any error with other signature files which don't
> have #prop.
>
> So my question is does xmlsec support ? If yes
> then to which version I have to update?
> If not please point me to where I have to make changes to support this.
>
> Thanks and Regards
> Gaurav

From ccgenealogy at hotmail.com Tue Feb 23 14:01:10 2010
From: ccgenealogy at hotmail.com (Mark Young)
Date: Tue, 23 Feb 2010 14:01:10 -0800
Subject: [xmlsec] Adding certificates to keys manager
Message-ID:

I have hard-coded a trusted root certificate and I can successfully add it to my keys manager using xmlSecCryptoAppKeysMngrCertLoadMemory.

I'm receiving a chain of untrusted X509 certificates in an XML message, and I would like to add those certificates to the keys manager as well. However, xmlSecCryptoAppKeysMngrCertLoadMemory doesn't seem to work in this case. I'm still trying to pinpoint where it's failing - but should I be using a different function altogether?

The certificates are base64-encoded X509 certificates.
From aleksey at aleksey.com Tue Feb 23 14:51:14 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 23 Feb 2010 14:51:14 -0800
Subject: [xmlsec] Adding certificates to keys manager
In-Reply-To:
References:
Message-ID: <4B845BE2.3000707@aleksey.com>

What error do you get? What crypto library do you use?

Aleksey

On 2/23/2010 2:01 PM, Mark Young wrote:

From ccgenealogy at hotmail.com Tue Feb 23 15:23:50 2010
From: ccgenealogy at hotmail.com (Mark Young)
Date: Tue, 23 Feb 2010 15:23:50 -0800
Subject: [xmlsec] Adding certificates to keys manager
In-Reply-To: <4B845BE2.3000707@aleksey.com>
References: , <4B845BE2.3000707@aleksey.com>
Message-ID:

I'm using OpenSSL. After working on this all day I finally figured out where I was going wrong, though. Since the certificates were base64, and DER can be base64, I thought I could just load the base64 into the keys manager.
Apparently, though, I had to decode the base64 first and then supply the decoded string to the keys manager as a DER-format certificate.

Sorry to have taken up your time - but hopefully other people will read this and learn from my mistake.

I do have another question. How long will a certificate of type xmlSecKeyDataTypeSession be kept by the keys manager? How does it decide when a session has ended?

> Date: Tue, 23 Feb 2010 14:51:14 -0800
> From: aleksey at aleksey.com
> To: ccgenealogy at hotmail.com
> CC: xmlsec at aleksey.com
> Subject: Re: [xmlsec] Adding certificates to keys manager
>
> What error do you get? What crypto library do you use?
>
> Aleksey
From aleksey at aleksey.com Tue Feb 23 17:46:54 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 23 Feb 2010 17:46:54 -0800
Subject: [xmlsec] Adding certificates to keys manager
In-Reply-To:
References: , <4B845BE2.3000707@aleksey.com>
Message-ID: <4B84850E.8080707@aleksey.com>

Good that you figured it out!

xmlSecKeyDataTypeSession is a key type, not the certificate type. Not sure how this applies to certificates. And after you load certificate into keys manager it will stay there forever.

Aleksey

On 2/23/2010 3:23 PM, Mark Young wrote:
From kwatsen at juniper.net Wed Mar 3 15:05:21 2010
From: kwatsen at juniper.net (Kent Watsen)
Date: Wed, 3 Mar 2010 15:05:21 -0800
Subject: [xmlsec] explicitly set key in decrypt3 example failing
Message-ID: <84600D05C20FF943918238042D7670FD368B467D1D@EMBX01-HQ.jnpr.net>

Hi,

I'm trying to simplify decrypt3 example by explicitly setting encCtx->encKey instead of relying on a keys mngr. Specifically, I changed:

    encCtx = xmlSecEncCtxCreate(mngr);

To:

    encCtx = xmlSecEncCtxCreate(NULL);
    encCtx->encKey = xmlSecCryptoAppKeyLoad("rsakey.pem", xmlSecKeyDataFormatPem, NULL, NULL, NULL);

But I get errors:

    func=xmlSecEncCtxEncDataNodeRead:file=xmlenc.c:line=885:obj=unknown:subj=unknown:error=45:key is not found:
    func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=643:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed:
    func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=582:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed:
    Error: decryption failed

Should explicitly setting the key work?

Thanks,
Kent
From aleksey at aleksey.com Wed Mar 3 15:35:48 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 03 Mar 2010 15:35:48 -0800
Subject: [xmlsec] explicitly set key in decrypt3 example failing
In-Reply-To: <84600D05C20FF943918238042D7670FD368B467D1D@EMBX01-HQ.jnpr.net>
References: <84600D05C20FF943918238042D7670FD368B467D1D@EMBX01-HQ.jnpr.net>
Message-ID: <4B8EF254.3050602@aleksey.com>

The key needs to match the crypto algorithm you are using in xml.

Aleksey

On 3/3/2010 3:05 PM, Kent Watsen wrote:
From kwatsen at juniper.net Wed Mar 3 15:48:24 2010
From: kwatsen at juniper.net (Kent Watsen)
Date: Wed, 3 Mar 2010 15:48:24 -0800
Subject: [xmlsec] explicitly set key in decrypt3 example failing
In-Reply-To: <4B8EF254.3050602@aleksey.com>
References: <84600D05C20FF943918238042D7670FD368B467D1D@EMBX01-HQ.jnpr.net> <4B8EF254.3050602@aleksey.com>
Message-ID: <84600D05C20FF943918238042D7670FD368B467D1F@EMBX01-HQ.jnpr.net>

The decrypt3 example normally has the following KeyInfo:

    rsakey.pem

So it is the same key in both cases. It's just that now the code is trying to use it without a key manager - any ideas?

Thanks,
Kent

> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Wednesday, March 03, 2010 6:36 PM
> To: Kent Watsen
> Cc: 'xmlsec at aleksey.com'
> Subject: Re: [xmlsec] explicitly set key in decrypt3 example failing
>
> The key needs to match the crypto algorithm you are using in xml.
>
> Aleksey
>
> On 3/3/2010 3:05 PM, Kent Watsen wrote:
From aleksey at aleksey.com Wed Mar 3 16:11:32 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 03 Mar 2010 16:11:32 -0800
Subject: [xmlsec] explicitly set key in decrypt3 example failing
In-Reply-To: <84600D05C20FF943918238042D7670FD368B467D1F@EMBX01-HQ.jnpr.net>
References: <84600D05C20FF943918238042D7670FD368B467D1D@EMBX01-HQ.jnpr.net> <4B8EF254.3050602@aleksey.com> <84600D05C20FF943918238042D7670FD368B467D1F@EMBX01-HQ.jnpr.net>
Message-ID: <4B8EFAB4.9030408@aleksey.com>

Remove KeyName element from xml.

Aleksey

On 3/3/2010 3:48 PM, Kent Watsen wrote:
>
> The decrypt3 example normally has the following KeyInfo:
>
> rsakey.pem
>
> So it is the same key in both cases. It's just that now the code is trying to use it without a key manager - any ideas?
From kwatsen at juniper.net Wed Mar 3 17:08:58 2010
From: kwatsen at juniper.net (Kent Watsen)
Date: Wed, 3 Mar 2010 17:08:58 -0800
Subject: [xmlsec] explicitly set key in decrypt3 example failing
In-Reply-To: <4B8EFAB4.9030408@aleksey.com>
References: <84600D05C20FF943918238042D7670FD368B467D1D@EMBX01-HQ.jnpr.net> <4B8EF254.3050602@aleksey.com> <84600D05C20FF943918238042D7670FD368B467D1F@EMBX01-HQ.jnpr.net> <4B8EFAB4.9030408@aleksey.com>
Message-ID: <84600D05C20FF943918238042D7670FD368B467D20@EMBX01-HQ.jnpr.net>

I've tried both removing the KeyName element as well as the entire KeyInfo element - neither works, same error.

By your suggestions, I take it that you'd expect this to work too.

Thanks,
Kent

> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Wednesday, March 03, 2010 7:12 PM
> To: Kent Watsen
> Cc: 'xmlsec at aleksey.com'
> Subject: Re: [xmlsec] explicitly set key in decrypt3 example failing
>
> Remove KeyName element from xml.
>
> Aleksey
>
> On 3/3/2010 3:48 PM, Kent Watsen wrote:
From aleksey at aleksey.com Wed Mar 3 19:38:39 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 03 Mar 2010 19:38:39 -0800
Subject: [xmlsec] explicitly set key in decrypt3 example failing
In-Reply-To: <84600D05C20FF943918238042D7670FD368B467D20@EMBX01-HQ.jnpr.net>
References: <84600D05C20FF943918238042D7670FD368B467D1D@EMBX01-HQ.jnpr.net> <4B8EF254.3050602@aleksey.com> <84600D05C20FF943918238042D7670FD368B467D1F@EMBX01-HQ.jnpr.net> <4B8EFAB4.9030408@aleksey.com> <84600D05C20FF943918238042D7670FD368B467D20@EMBX01-HQ.jnpr.net>
Message-ID: <4B8F2B3F.4050406@aleksey.com>

Sorry, I looked at the example - the decrypt3 example uses a *custom* keys manager, it is a simple example that doesn't do everything. Take a look at decrypt1 example - it does *exactly* what you want.

Aleksey

On 3/3/2010 5:08 PM, Kent Watsen wrote:
>
> I've tried both removing the KeyName element as well as the entire KeyInfo element - neither works, same error
>
> By your suggestions, I take it that you'd expect this to work too
>
> Thanks,
> Kent
From sbeard at verisign.com Thu Mar 18 12:00:28 2010
From: sbeard at verisign.com (Beard, Simon)
Date: Thu, 18 Mar 2010 15:00:28 -0400
Subject: [xmlsec] Duplicate X509 certificates in signed template
Message-ID: <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FDBD@DUL1WNEXMB06.vcorp.ad.vrsn.com>

Hello.

I'm using the simple template below and signing with a .p12 cert. The resulting signed template contains 2 copies of the certificate. The signed template verifies OK. Can someone please tell me why 2 copies of the cert?

Signing with:

    xmlsec --sign --output doc-signed-x509.xml --pkcs12 webeca.p12 --pwd webeca --trusted-pem webeca-cert.pem doc-x509.xml

The unsigned template:

    U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=

The signed template (signatures shortened):

    U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=
    3f5hn9NUkmRENNQb8SyrI5BsRsc=
    mWBNeWDF/d6ViD+9c57TtCurzgZpo6JALP6FzAaA9tfhmvll2OiIMa/sv54OgEUq
    m45kJyinZ2mZB3PnPMWKCgN7TdXD4Tte6443PvFFSD8tkRSv8IZ2Tlw+l2QhOcCI
    wOskLMZYsB2x9WoZbaDoL6C/3aUfRW2Q1UOf0v5etnU=
    MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=
    MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=
    wHpNgxrkRfmIpCsp+cgAvtCrN9qndDc7uqRuliV6FzyXyhE1Ux3iYNBpz7ZdcEsQ
    tkW12J7OpS+PddvM9bTydvLD2lZdxrzUBHnANQwy0QDKhs35zXyCcHKW20Ao+DNu
    qlWIVkA6UL8vbg4RvepQnt0ZKiNTHQUYXrNSsxR3zgk=
    AQAB

Windows libraries and executables from: ftp://ftp.zlatkovic.com/libxml/

Regards
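Two of the threads above come down to the same handling of X509Certificate values: Mark Young found that the element text is base64 that has to be decoded to DER before it is handed to the keys manager, and the signed template just above lists the same certificate twice. The following is an added Python example, not code from any message on this list nor from xmlsec itself; the DER "certificates" are constructed stand-ins (plain DER SEQUENCEs, as a real Certificate also is at the outer level), and decode_x509_certificate, check_der_framing, looks_like_der and unique_chain are names of my own.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-ins for real certificates (hypothetical, not from the list).
# Each is one complete DER SEQUENCE, which is all the framing check inspects.
LEAF_DER = bytes.fromhex("3009" "020101" "0c046c656166")   # SEQUENCE { INTEGER 1, UTF8String "leaf" }
CA_DER = bytes.fromhex("3007" "020102" "0c026361")         # SEQUENCE { INTEGER 2, UTF8String "ca" }
LONG_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 197  # long-form length: 0x81 0xC8 = 200 bytes


def b64_wrapped(der, width=16):
    """Base64 with line breaks, the way an X509Certificate value is usually written."""
    text = base64.b64encode(der).decode("ascii")
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


LEAF_B64 = b64_wrapped(LEAF_DER)
CA_B64 = b64_wrapped(CA_DER)
# The signed template on the list carried the same certificate twice; this
# constructed X509Data content mirrors that.
SIGNED_TEMPLATE_CERTS = [LEAF_B64, LEAF_B64, CA_B64]


def check_der_framing(der):
    """Raise ValueError unless `der` is exactly one complete DER SEQUENCE.

    Base64 text passed in by mistake starts with 'M' (0x4D), not 0x30, and is
    rejected by the first test: that is the mistake Mark Young described.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (still base64 text?)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
        if length < 0x80 or length < (1 << (8 * (n - 1))):
            raise ValueError("non-minimal DER length")
    if header + length != len(der):
        raise ValueError("DER length %d does not cover %d payload bytes"
                         % (length, len(der) - header))


def looks_like_der(data):
    """True when `data` passes check_der_framing, False otherwise."""
    try:
        check_der_framing(data)
    except ValueError:
        return False
    return True


def decode_x509_certificate(text):
    """Turn X509Certificate element text into the DER bytes a DER loader expects."""
    compact = re.sub(r"\s+", "", text)          # the value may be wrapped across lines
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError("X509Certificate text is not valid base64") from exc
    check_der_framing(der)
    return der


def fingerprint(der):
    """SHA-256 over the DER bytes identifies a certificate exactly."""
    return hashlib.sha256(der).hexdigest()


def unique_chain(cert_texts):
    """Decode every X509Certificate value and drop exact repeats, first-seen order kept.

    Returns (list of unique DER certificates, list of fingerprints seen more than once).
    """
    unique, duplicates = {}, []
    for text in cert_texts:
        der = decode_x509_certificate(text)
        fp = fingerprint(der)
        if fp in unique:
            duplicates.append(fp)
        else:
            unique[fp] = der
    return list(unique.values()), duplicates


if __name__ == "__main__":
    certs, dups = unique_chain(SIGNED_TEMPLATE_CERTS)
    print("unique certificates:", len(certs), "duplicates:", len(dups))
    print("base64 text accepted as DER?", looks_like_der(LEAF_B64.encode("ascii")))
```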
From aleksey at aleksey.com Thu Mar 18 13:34:20 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 18 Mar 2010 13:34:20 -0700
Subject: [xmlsec] Duplicate X509 certificates in signed template
In-Reply-To: <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FDBD@DUL1WNEXMB06.vcorp.ad.vrsn.com>
References: <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FDBD@DUL1WNEXMB06.vcorp.ad.vrsn.com>
Message-ID: <4BA28E4C.10806@aleksey.com>

You don't need "--trusted-pem" for signatures.

Aleksey

On 3/18/2010 12:00 PM, Beard, Simon wrote:
> Hello.
>
> I'm using the simple template below and signing with a .p12 cert. The
> resulting signed template contains 2 copies of the certificate. The
> signed template verifies OK. Can someone please tell me why 2 copies of
> the cert?
>
> Signing with: xmlsec --sign --output doc-signed-x509.xml --pkcs12
> webeca.p12 --pwd webeca --trusted-pem webeca-cert.pem doc-x509.xml
>
> The unsigned template:
>
> U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=
> "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>
> The signed template (signatures shortened) :
>
> U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> 3f5hn9NUkmRENNQb8SyrI5BsRsc=
> mWBNeWDF/d6ViD+9c57TtCurzgZpo6JALP6FzAaA9tfhmvll2OiIMa/sv54OgEUq
> m45kJyinZ2mZB3PnPMWKCgN7TdXD4Tte6443PvFFSD8tkRSv8IZ2Tlw+l2QhOcCI
> wOskLMZYsB2x9WoZbaDoL6C/3aUfRW2Q1UOf0v5etnU=
> MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=
> MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=
> wHpNgxrkRfmIpCsp+cgAvtCrN9qndDc7uqRuliV6FzyXyhE1Ux3iYNBpz7ZdcEsQ
> tkW12J7OpS+PddvM9bTydvLD2lZdxrzUBHnANQwy0QDKhs35zXyCcHKW20Ao+DNu
> qlWIVkA6UL8vbg4RvepQnt0ZKiNTHQUYXrNSsxR3zgk=
> AQAB
>
> Windows libraries and executables from: ftp://ftp.zlatkovic.com/libxml/
>
> Regards

From aleksey at aleksey.com Thu Mar 18 16:41:21 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 18 Mar 2010 16:41:21 -0700
Subject: [xmlsec] Duplicate X509 certificates in signed template
In-Reply-To: <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FDBD@DUL1WNEXMB06.vcorp.ad.vrsn.com>
References: <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FDBD@DUL1WNEXMB06.vcorp.ad.vrsn.com>
Message-ID: <4BA2BA21.80303@aleksey.com>

OK, I see it too. I believe the problem is in the PKCS12_parse() function in the newer versions of openssl. The documentation states (http://www.openssl.org/docs/crypto/PKCS12_parse.html, highlighting is mine):

    If successful the private key will be written to *pkey, the corresponding certificate to *cert and *any additional* certificates to *ca.

In reality, the function returns in the "ca" *all* the certificates including the one it is already returned in "cert". I believe the older version of openssl didn't return the "cert" in "ca" and xmlsec manually adds it to the chain. Let me see if I can workaround this and provide fall back for the older openssl versions.

Aleksey

On 3/18/2010 12:00 PM, Beard, Simon wrote:
From igor at das.ufsc.br Thu Mar 18 18:15:08 2010
From: igor at das.ufsc.br (igor at das.ufsc.br)
Date: Thu, 18 Mar 2010 22:15:08 -0300 (BRT)
Subject: [xmlsec] Fail to verify symmetric sign
Message-ID:

Hello guys,

I'm using xmlsec1 for encryption and signing, but I'm having trouble verifying the signature.
I am signing only the Header of the SOAP message using HMAC with the same AES key to encrypt the message.

Using the console, I can verify the signature with the following command:

    xmlsec1 verify --hmackey aeskey.bin Server-Recv-XMLCifrado.data

My function in C that would verify the signature shows the following error:

    func=xmlSecKeyDataHmacGetKlass:file=app.c:line=211:obj=unknown:subj=keyDataHmacId:error=9:feature is not implemented:
    func=xmlSecKeyReadBinaryFile:file=keys.c:line=1219:obj=unknown:subj=dataId != xmlSecKeyDataIdUnknown:error=100:assertion:
    Error: failed to load des key from binary file "aeskey.bin"
    func=xmlSecTransformCtxBinaryExecute:file=transforms.c:line=1091:obj=unknown:subj=dataSize > 0:error=100:assertion:
    func=xmlSecEncCtxBinaryEncrypt:file=xmlenc.c:line=333:obj=unknown:subj=xmlSecTransformCtxBinaryExecute:error=1:xmlsec library function failed:dataSize=0
    Error: encryption failed

I am using a function of the examples with a slight modification:

    #include <stdio.h>
    #include <assert.h>
    #include <libxml/tree.h>
    #include <libxml/parser.h>
    #include <xmlsec/xmlsec.h>
    #include <xmlsec/strings.h>
    #include <xmlsec/xmltree.h>
    #include <xmlsec/keys.h>
    #include <xmlsec/xmldsig.h>
    #include <xmlsec/crypto.h>

    int
    verify_file(const char* xml_file, const char* key_file) {
        xmlDocPtr doc = NULL;
        xmlNodePtr node = NULL;
        xmlSecDSigCtxPtr dsigCtx = NULL;
        int res = -1;

        assert(xml_file);
        assert(key_file);

        /* load file */
        doc = xmlParseFile(xml_file);
        if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)) {
            fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
            goto done;
        }

        /* find start node */
        node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
        if(node == NULL) {
            fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
            goto done;
        }

        /* create signature context, we don't need keys manager in this example */
        dsigCtx = xmlSecDSigCtxCreate(NULL);
        if(dsigCtx == NULL) {
            fprintf(stderr, "Error: failed to create signature context\n");
            goto done;
        }

        /* load the raw AES key bytes as an HMAC key, assuming that there is no password.
         * This is the call behind the "feature is not implemented" error above:
         * xmlSecKeyDataHmacId is looked up in the crypto backend's function table,
         * so it is only available once a crypto backend with HMAC support has been
         * initialised in this process. */
        dsigCtx->signKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataHmacId, key_file);
        if(dsigCtx->signKey == NULL) {
            fprintf(stderr, "Error: failed to load des key from binary file \"%s\"\n", key_file);
            goto done;
        }

        /* set key name to the file name, this is just an example! */
        if(xmlSecKeySetName(dsigCtx->signKey, BAD_CAST key_file) < 0) {
            fprintf(stderr, "Error: failed to set key name for key from \"%s\"\n", key_file);
            goto done;
        }

        /* Verify signature */
        if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
            fprintf(stderr, "Error: signature verify\n");
            goto done;
        }

        /* print verification result to stdout */
        if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
            fprintf(stdout, "Signature is OK\n");
        } else {
            fprintf(stdout, "Signature is INVALID\n");
        }

        /* success */
        res = 0;

    done:
        /* cleanup */
        if(dsigCtx != NULL) {
            xmlSecDSigCtxDestroy(dsigCtx);
        }
        if(doc != NULL) {
            xmlFreeDoc(doc);
        }
        return(res);
    }

Any help?

BR,
Igor

From aleksey at aleksey.com Thu Mar 18 19:44:58 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 18 Mar 2010 19:44:58 -0700
Subject: [xmlsec] Fail to verify symmetric sign
In-Reply-To:
References:
Message-ID: <4BA2E52A.1060905@aleksey.com>

Please read the error carefully.

Aleksey

On 3/18/2010 6:15 PM, igor at das.ufsc.br wrote:
> > Using the console, I can verify the signature with the following command: > xmlsec1 verify --hmackey aeskey.bin Server-Recv-XMLCifrado.data > > My function in C that would verify the signature shows the following error: > > func=xmlSecKeyDataHmacGetKlass:file=app.c:line=211:obj=unknown:subj=keyDataHmacId:error=9:feature > is not implemented: > func=xmlSecKeyReadBinaryFile:file=keys.c:line=1219:obj=unknown:subj=dataId > != xmlSecKeyDataIdUnknown:error=100:assertion: > Error: failed to load des key from binary file "aeskey.bin" > func=xmlSecTransformCtxBinaryExecute:file=transforms.c:line=1091:obj=unknown:subj=dataSize >> 0:error=100:assertion: > func=xmlSecEncCtxBinaryEncrypt:file=xmlenc.c:line=333:obj=unknown:subj=xmlSecTransformCtxBinaryExecute:error=1:xmlsec > library function failed:dataSize=0 > Error: encryption failed > > > I am using a function of the examples with a slight modification: > > int > verify_file(const char* xml_file, const char* key_file) { > xmlDocPtr doc = NULL; > xmlNodePtr node = NULL; > xmlSecDSigCtxPtr dsigCtx = NULL; > int res = -1; > > assert(xml_file); > assert(key_file); > > /* load file */ > doc = xmlParseFile(xml_file); > if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ > fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); > goto done; > } > > /* find start node */ > node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, > xmlSecDSigNs); > if(node == NULL) { > fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file); > goto done; > } > > /* create signature context, we don't need keys manager in this > example */ > dsigCtx = xmlSecDSigCtxCreate(NULL); > if(dsigCtx == NULL) { > fprintf(stderr,"Error: failed to create signature context\n"); > goto done; > } > > /* load AES key, assuming that there is not password */ > dsigCtx->signKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataHmacId, > key_file); > if(dsigCtx->signKey == NULL) { > fprintf(stderr,"Error: failed to load des key from 
binary file > \"%s\"\n", key_file); > goto done; > } > > /* set key name to the file name, this is just an example! */ > if(xmlSecKeySetName(dsigCtx->signKey, key_file)< 0) { > fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", > key_file); > goto done; > } > > /* Verify signature */ > if(xmlSecDSigCtxVerify(dsigCtx, node)< 0) { > fprintf(stderr,"Error: signature verify\n"); > goto done; > } > > /* print verification result to stdout */ > if(dsigCtx->status == xmlSecDSigStatusSucceeded) { > fprintf(stdout, "Signature is OK\n"); > } else { > fprintf(stdout, "Signature is INVALID\n"); > } > > /* success */ > res = 0; > > done: > /* cleanup */ > if(dsigCtx != NULL) { > xmlSecDSigCtxDestroy(dsigCtx); > } > > if(doc != NULL) { > xmlFreeDoc(doc); > } > return(res); > } > > Any help? > > BR, > Igor > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Thu Mar 18 20:47:20 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 18 Mar 2010 20:47:20 -0700 Subject: [xmlsec] Duplicate X509 certificates in signed template In-Reply-To: <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FE18@DUL1WNEXMB06.vcorp.ad.vrsn.com> References: <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FDBD@DUL1WNEXMB06.vcorp.ad.vrsn.com> <4BA2BA21.80303@aleksey.com> <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FE18@DUL1WNEXMB06.vcorp.ad.vrsn.com> Message-ID: <4BA2F3C8.5000107@aleksey.com> Fix in git. Could you please try it? BTW, which version of openssl do you use? Aleksey On 3/18/2010 4:43 PM, Beard, Simon wrote: > Thank you very much. > I appreciate your efforts. > > Simon > > -----Original Message----- > From: Aleksey Sanin [mailto:aleksey at aleksey.com] > Sent: Thursday, March 18, 2010 7:41 PM > To: Beard, Simon > Cc: xmlsec at aleksey.com > Subject: Re: [xmlsec] Duplicate X509 certificates in signed template > > OK, I see it too. 
> I believe the problem is in the PKCS12_parse()
> function in the newer versions of openssl. The documentation
> states (http://www.openssl.org/docs/crypto/PKCS12_parse.html,
> highlighting is mine):
>
>     If successful the private key will be written to *pkey, the
>     corresponding certificate to *cert and *any additional* certificates
>     to *ca.
>
> In reality, the function returns in the "ca" *all* the certificates
> including the one that is already returned in "cert". I believe the older
> version of openssl didn't return the "cert" in "ca" and xmlsec
> manually adds it to the chain.
>
> Let me see if I can work around this and provide a fallback for the
> older openssl versions.
>
> Aleksey
>
>
> On 3/18/2010 12:00 PM, Beard, Simon wrote:
>> Hello.
>>
>> I'm using the simple template below and signing with a .p12 cert. The
>> resulting signed template contains 2 copies of the certificate. The
>> signed template verifies OK. Can someone please tell me why 2 copies of
>> the cert?
>>
>> Signing with: xmlsec --sign --output doc-signed-x509.xml --pkcs12
>> webeca.p12 --pwd webeca --trusted-pem webeca-cert.pem doc-x509.xml
>>
>> The unsigned template:
>>
>> U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=
>> "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>
>> The signed template (signatures shortened):
>>
>> U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>> 3f5hn9NUkmRENNQb8SyrI5BsRsc=
>> mWBNeWDF/d6ViD+9c57TtCurzgZpo6JALP6FzAaA9tfhmvll2OiIMa/sv54OgEUq
>> m45kJyinZ2mZB3PnPMWKCgN7TdXD4Tte6443PvFFSD8tkRSv8IZ2Tlw+l2QhOcCI
>> wOskLMZYsB2x9WoZbaDoL6C/3aUfRW2Q1UOf0v5etnU=
>> MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=
>> MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=
>> wHpNgxrkRfmIpCsp+cgAvtCrN9qndDc7uqRuliV6FzyXyhE1Ux3iYNBpz7ZdcEsQ
>> tkW12J7OpS+PddvM9bTydvLD2lZdxrzUBHnANQwy0QDKhs35zXyCcHKW20Ao+DNu
>> qlWIVkA6UL8vbg4RvepQnt0ZKiNTHQUYXrNSsxR3zgk=
>> AQAB
>>
>> Windows libraries and executables from: ftp://ftp.zlatkovic.com/libxml/
>>
>> Regards
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec

From aleksey at aleksey.com Fri Mar 19 08:34:06 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Fri, 19 Mar 2010 08:34:06 -0700
Subject: [xmlsec] Duplicate X509 certificates in signed template
In-Reply-To: <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FE64@DUL1WNEXMB06.vcorp.ad.vrsn.com>
References: <1496A7FEE071CD46BB9BFA8D709FFF9E03A0FDBD@DUL1WNEXMB06.vcorp.ad.vrsn.com>
	<4BA2BA21.80303@aleksey.com>
	<1496A7FEE071CD46BB9BFA8D709FFF9E03A0FE18@DUL1WNEXMB06.vcorp.ad.vrsn.com>
	<4BA2F3C8.5000107@aleksey.com>
	<1496A7FEE071CD46BB9BFA8D709FFF9E03A0FE64@DUL1WNEXMB06.vcorp.ad.vrsn.com>
Message-ID: <4BA3996E.2050007@aleksey.com>

http://live.gnome.org/Git
http://git.gnome.org/browse/xmlsec

Aleksey

On 3/19/2010 5:41 AM, Beard, Simon wrote:
> Aleksey,
>
> Using OpenSSL 0.9.7c 30 Sep 2003.
> Should I be using another?
>
> What do you mean by git?
>
> Regards
> Simon
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Thursday, March 18, 2010 11:47 PM
> To: Beard, Simon; xmlsec at aleksey.com
> Subject: Re: [xmlsec] Duplicate X509 certificates in signed template
>
> Fix in git. Could you please try it? BTW, which version of openssl
> do you use?
>
> Aleksey
>
> On 3/18/2010 4:43 PM, Beard, Simon wrote:
>> [...]

From aleksey at aleksey.com Mon Mar 22 08:47:52 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 22 Mar 2010 08:47:52 -0700
Subject: [xmlsec] Fail to verify symmetric sign
In-Reply-To: <05e0734dd60f3b70299a353c0bfc4b1f@das.ufsc.br>
References: <4BA2E52A.1060905@aleksey.com>
	<05e0734dd60f3b70299a353c0bfc4b1f@das.ufsc.br>
Message-ID: <4BA79128.6060304@aleksey.com>

I suggest taking a look at a good book on cryptography
(e.g. Schneier's "Applied Cryptography"):

https://www.aleksey.com/xmlsec/related.html

Aleksey

On 3/22/2010 7:09 AM, igor wrote:
>
> Aleksey,
>
> By your answer, it seems obvious how to solve the problem. I'm feeling
> helpless and I ask your help in identifying this problem.
>
> The error that appears is: failed to load des key from binary file
> "aeskey.bin"
>
> But the key is not des, it is aes.
>
> Thank you in advance!
>
> BR,
> Igor
>
> On Thu, 18 Mar 2010 19:44:58 -0700, Aleksey Sanin wrote:
>> Please read the error carefully.
>>
>> Aleksey
>>
>> On 3/18/2010 6:15 PM, igor at das.ufsc.br wrote:
>>> Hello guys,
>>>
>>> I'm using xmlsec1 for encryption and signing, but I'm having trouble
>>> verifying the signature. I am signing only the Header of the SOAP
>>> message using HMAC with the same AES key to encrypt the message.
>>> [...]
From igor at das.ufsc.br Tue Mar 23 06:27:52 2010
From: igor at das.ufsc.br (igor at das.ufsc.br)
Date: Tue, 23 Mar 2010 10:27:52 -0300 (BRT)
Subject: [xmlsec] Fail to verify symmetric sign
In-Reply-To: <4BA79128.6060304@aleksey.com>
References: <4BA2E52A.1060905@aleksey.com>
	<05e0734dd60f3b70299a353c0bfc4b1f@das.ufsc.br>
	<4BA79128.6060304@aleksey.com>
Message-ID:

Aleksey,

Does not make sense. Why does it work on the script console and not in the
C function? Why did you indicate a book? I think I have a specific problem
and not a conceptual problem.

Thank you!

BR.

> I suggest taking a look at a good book on cryptography
> (e.g. Schneier's "Applied Cryptography"):
>
> https://www.aleksey.com/xmlsec/related.html
>
> Aleksey
>
> On 3/22/2010 7:09 AM, igor wrote:
>> [...]

From igor at das.ufsc.br Tue Mar 23 07:05:16 2010
From: igor at das.ufsc.br (igor at das.ufsc.br)
Date: Tue, 23 Mar 2010 11:05:16 -0300 (BRT)
Subject: [xmlsec] [Fwd: Re: Fail to verify symmetric sign]
Message-ID: <4c2a9ea6277e9542be7b76b7f75dc025.squirrel@webmail1.das.ufsc.br>

Aleksey,

I found my mistake! I was calling the function that checks the signature
before loading xmlsec itself.

Thank you for all!

BR,

---------------------------- Original Message ----------------------------
Subject: Re: [xmlsec] Fail to verify symmetric sign
From:    igor at das.ufsc.br
Date:    Tue, March 23, 2010 10:27 am
To:      "Aleksey Sanin"
Cc:      "xmlsec at aleksey.com"
--------------------------------------------------------------------------

[...]

From bpiccolo at pixelbridge.com Thu Mar 25 07:15:00 2010
From: bpiccolo at pixelbridge.com (Brian Piccolo)
Date: Thu, 25 Mar 2010 10:15:00 -0400
Subject: [xmlsec] Problem with Id attributes and DTD
Message-ID:

Hello,

I've been reading all of the archival messages about FAQ section 3.2 and
creating a DTD to support an XML document with an "Id" attribute. I've
tried adding the ATTLIST to an external DTD file using the --dtd-file
option from the command line and also tried embedding the DTD into the
XML document. In both cases I've tried using both the declaration as
well as just the

-------------- next part --------------
A non-text attachment was scrubbed...
Name: XMLSEC_TEST.xml
Type: application/octet-stream
Size: 5042 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.dtd
Type: application/octet-stream
Size: 256 bytes
Desc: not available
URL:

From aleksey at aleksey.com Thu Mar 25 07:35:37 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 25 Mar 2010 07:35:37 -0700
Subject: [xmlsec] Problem with Id attributes and DTD
In-Reply-To:
References:
Message-ID: <4BAB74B9.50708@aleksey.com>

You forgot about namespaces. Look at the errors:

XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for element Timestamp
XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for attribute Id of element Timestamp

The DTD can't be matched to the xml file.

Aleksey

On 3/25/2010 7:15 AM, Brian Piccolo wrote:
> Hello,
> I've been reading all of the archival messages about FAQ section 3.2 and
> creating a DTD to support an XML document with an "Id" attribute. I've
> tried adding the ATTLIST to an external DTD file using the --dtd-file
> option from the command line and also tried embedding the DTD into the
> XML document. In both cases I've tried using both the
> declaration as well as just the luck.
> Attached is a sample of my XML template and the DTD file I'm using and
> below is the error message that I'm receiving.
> Any information you can provide would be greatly appreciated.
> Thanks for your help!
> Brian
>
> xmlsec1 sign --dtd-file test.dtd --output output.xml --hmackey key.php
> XMLSEC_TEST.xml
>
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for element Envelope
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:soap of element Envelope
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:wsa of element Envelope
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:wsse of element Envelope
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:wsu of element Envelope
> XMLSEC_TEST.xml:3: element Header: validity error : No declaration for element Header
> XMLSEC_TEST.xml:4: element Action: validity error : No declaration for element Action
> XMLSEC_TEST.xml:4: element Action: validity error : No declaration for attribute Id of element Action
> XMLSEC_TEST.xml:5: element MessageID: validity error : No declaration for element MessageID
> XMLSEC_TEST.xml:5: element MessageID: validity error : No declaration for attribute Id of element MessageID
> XMLSEC_TEST.xml:6: element ReplyTo: validity error : No declaration for element ReplyTo
> XMLSEC_TEST.xml:6: element ReplyTo: validity error : No declaration for attribute Id of element ReplyTo
> XMLSEC_TEST.xml:7: element Address: validity error : No declaration for element Address
> XMLSEC_TEST.xml:9: element To: validity error : No declaration for element To
> XMLSEC_TEST.xml:9: element To: validity error : No declaration for attribute Id of element To
> XMLSEC_TEST.xml:10: element Security: validity error : No declaration for element Security
> XMLSEC_TEST.xml:10: element Security: validity error : No declaration for attribute mustUnderstand of element Security
> XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for element Timestamp
> XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for attribute Id of element Timestamp
> XMLSEC_TEST.xml:12: element Created: validity error : No declaration for element Created
> XMLSEC_TEST.xml:13: element Expires: validity error : No declaration for element Expires
> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No declaration for element UsernameToken
> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No declaration for attribute Id of element UsernameToken
> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No declaration for attribute xmlns:wsse of element UsernameToken
> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No declaration for attribute xmlns:wsu of element UsernameToken
> XMLSEC_TEST.xml:16: element Username: validity error : No declaration for element Username
> XMLSEC_TEST.xml:17: element Password: validity error : No declaration for element Password
> XMLSEC_TEST.xml:17: element Password: validity error : No declaration for attribute Type of element Password
> XMLSEC_TEST.xml:18: element Nonce: validity error : No declaration for element Nonce
> XMLSEC_TEST.xml:19: element Created: validity error : No declaration for element Created
> XMLSEC_TEST.xml:20: element ApplicationName: validity error : No declaration for element ApplicationName
> XMLSEC_TEST.xml:22: element Signature: validity error : No declaration for element Signature
> XMLSEC_TEST.xml:22: element Signature: validity error : No declaration for attribute xmlns of element Signature
> XMLSEC_TEST.xml:23: element SignedInfo: validity error : No declaration for element SignedInfo
> XMLSEC_TEST.xml:24: element CanonicalizationMethod: validity error : No declaration for element CanonicalizationMethod
> XMLSEC_TEST.xml:24: element CanonicalizationMethod: validity error : No declaration for attribute Algorithm of element CanonicalizationMethod
> XMLSEC_TEST.xml:25: element SignatureMethod: validity error : No declaration for element SignatureMethod
> XMLSEC_TEST.xml:25: element SignatureMethod: validity error : No declaration for attribute Algorithm of element SignatureMethod
> XMLSEC_TEST.xml:26: element Reference: validity error : No declaration for element Reference
> XMLSEC_TEST.xml:26: element Reference: validity error : No declaration for attribute URI of element Reference
> XMLSEC_TEST.xml:27: element Transforms: validity error : No declaration for element Transforms
> XMLSEC_TEST.xml:28: element Transform: validity error : No declaration for element Transform
> XMLSEC_TEST.xml:28: element Transform: validity error : No declaration for attribute Algorithm of element Transform
> XMLSEC_TEST.xml:30: element DigestMethod: validity error : No declaration for element DigestMethod
> XMLSEC_TEST.xml:30: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
> XMLSEC_TEST.xml:31: element DigestValue: validity error : No declaration for element DigestValue
> XMLSEC_TEST.xml:33: element Reference: validity error : No declaration for element Reference
> XMLSEC_TEST.xml:33: element Reference: validity error : No declaration for attribute URI of element Reference
> XMLSEC_TEST.xml:34: element Transforms: validity error : No declaration for element Transforms
> XMLSEC_TEST.xml:35: element Transform: validity error : No declaration for element Transform
> XMLSEC_TEST.xml:35: element Transform: validity error : No declaration for attribute Algorithm of element Transform
> XMLSEC_TEST.xml:37: element DigestMethod: validity error : No declaration for element DigestMethod
> XMLSEC_TEST.xml:37: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
> XMLSEC_TEST.xml:38: element DigestValue: validity error : No declaration for element DigestValue
> XMLSEC_TEST.xml:40: element Reference: validity error : No declaration for element Reference
> XMLSEC_TEST.xml:40: element Reference:
validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:41: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:42: element Transform: validity error : No declaration > for element Transform > XMLSEC_TEST.xml:42: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > XMLSEC_TEST.xml:44: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:44: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:45: element DigestValue: validity error : No declaration > for element DigestValue > XMLSEC_TEST.xml:47: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:47: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:48: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:49: element Transform: validity error : No declaration > for element Transform > XMLSEC_TEST.xml:49: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > XMLSEC_TEST.xml:51: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:51: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:52: element DigestValue: validity error : No declaration > for element DigestValue > XMLSEC_TEST.xml:54: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:54: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:55: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:56: element Transform: validity error : No declaration > for element Transform > 
XMLSEC_TEST.xml:56: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > XMLSEC_TEST.xml:58: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:58: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:59: element DigestValue: validity error : No declaration > for element DigestValue > XMLSEC_TEST.xml:61: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:61: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:62: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:63: element Transform: validity error : No declaration > for element Transform > XMLSEC_TEST.xml:63: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > XMLSEC_TEST.xml:65: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:65: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:66: element DigestValue: validity error : No declaration > for element DigestValue > XMLSEC_TEST.xml:69: element SignatureValue: validity error : No > declaration for element SignatureValue > XMLSEC_TEST.xml:70: element KeyInfo: validity error : No declaration for > element KeyInfo > XMLSEC_TEST.xml:71: element SecurityTokenReference: validity error : No > declaration for element SecurityTokenReference > XMLSEC_TEST.xml:72: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:72: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:72: element Reference: validity error : No declaration > for attribute ValueType of element Reference > XMLSEC_TEST.xml:78: element Body: 
validity error : No declaration for > element Body > XMLSEC_TEST.xml:78: element Body: validity error : No declaration for > attribute Id of element Body > XMLSEC_TEST.xml:79: element RequestSecurityToken: validity error : No > declaration for element RequestSecurityToken > XMLSEC_TEST.xml:79: element RequestSecurityToken: validity error : No > declaration for attribute xmlns:wst of element RequestSecurityToken > XMLSEC_TEST.xml:80: element TokenType: validity error : No declaration > for element TokenType > XMLSEC_TEST.xml:81: element RequestType: validity error : No declaration > for element RequestType > func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 > library function > failed:expr=xpointer(id('pfxfeb1d38a-a5f3-aa5a-e735-eba9501d6554')) > func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec > library function failed: > func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec > library function failed: > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec > library function failed: > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec > library function failed:transform=xpointer > func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec > library function failed: > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec > library function failed: > func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec > library function failed:node=Reference > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec > 
library function failed:
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature failed
> Error: failed to sign file "XMLSEC_TEST.xml"
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

From bpiccolo at pixelbridge.com Thu Mar 25 07:51:00 2010
From: bpiccolo at pixelbridge.com (Brian Piccolo)
Date: Thu, 25 Mar 2010 10:51:00 -0400
Subject: [xmlsec] Problem with Id attributes and DTD
In-Reply-To: <4BAB74B9.50708@aleksey.com>
Message-ID:

Thanks for the prompt response Aleksey!

So adding the Namespace clears the issue with the validity error on the Id attribute, but I'm still receiving the error on all of the element attributes. Do I need to build out the DTD to include all of the elements in the XML document?

Based on the FAQ and some of the previous archive posts, it seemed like I only need to add the Id ATTLISTS, but I'm somewhat of a noob with this stuff so I don't know if it was implied that I need to include the other Elements as well.

Thanks again for your help.

Brian

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: Thursday, March 25, 2010 10:36 AM
To: Brian Piccolo
Cc: 'xmlsec at aleksey.com'
Subject: Re: [xmlsec] Problem with Id attributes and DTD

You forgot about namespaces. Look at the errors:

XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for element Timestamp
XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for attribute Id of element Timestamp

The DTD can't be matched to the xml file.

Aleksey

On 3/25/2010 7:15 AM, Brian Piccolo wrote:
> Hello,
> I've been reading all of the archival messages about FAQ section 3.2 and creating a DTD to support an XML document with an "Id" attribute. I've tried adding the ATTLIST to an external DTD file using the --dtd-file option from the command line and also tried embedding the DTD into the XML document. In both cases I've tried using both the declaration as well as just the luck.
> Attached is a sample of my XML template and the DTD file I'm using and below is the error message that I'm receiving.
> Any information you can provide would be greatly appreciated.
> Thanks for your help!
> Brian
> xmlsec1 sign --dtd-file test.dtd --output output.xml --hmackey key.php XMLSEC_TEST.xml
>
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for element Envelope
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:soap of element Envelope
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:wsa of element Envelope
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:wsse of element Envelope
> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:wsu of element Envelope
> XMLSEC_TEST.xml:3: element Header: validity error : No declaration for element Header
> XMLSEC_TEST.xml:4: element Action: validity error : No declaration for element Action
> XMLSEC_TEST.xml:4: element Action: validity error : No declaration for attribute Id of element Action
> XMLSEC_TEST.xml:5: element MessageID: validity error : No declaration for element MessageID
> XMLSEC_TEST.xml:5: element MessageID: validity error : No declaration for attribute Id of element MessageID
> XMLSEC_TEST.xml:6: element ReplyTo: validity error : No declaration for element ReplyTo
> XMLSEC_TEST.xml:6: element ReplyTo: validity error : No declaration for attribute Id of element ReplyTo
> XMLSEC_TEST.xml:7: element Address: validity error : No declaration for element Address
> XMLSEC_TEST.xml:9: element To: validity error : No declaration for element To
>
XMLSEC_TEST.xml:9: element To: validity error : No declaration for > attribute Id of element To > XMLSEC_TEST.xml:10: element Security: validity error : No declaration > for element Security > XMLSEC_TEST.xml:10: element Security: validity error : No declaration > for attribute mustUnderstand of element Security > XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration > for element Timestamp > XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration > for attribute Id of element Timestamp > XMLSEC_TEST.xml:12: element Created: validity error : No declaration for > element Created > XMLSEC_TEST.xml:13: element Expires: validity error : No declaration for > element Expires > XMLSEC_TEST.xml:15: element UsernameToken: validity error : No > declaration for element UsernameToken > XMLSEC_TEST.xml:15: element UsernameToken: validity error : No > declaration for attribute Id of element UsernameToken > XMLSEC_TEST.xml:15: element UsernameToken: validity error : No > declaration for attribute xmlns:wsse of element UsernameToken > XMLSEC_TEST.xml:15: element UsernameToken: validity error : No > declaration for attribute xmlns:wsu of element UsernameToken > XMLSEC_TEST.xml:16: element Username: validity error : No declaration > for element Username > XMLSEC_TEST.xml:17: element Password: validity error : No declaration > for element Password > XMLSEC_TEST.xml:17: element Password: validity error : No declaration > for attribute Type of element Password > XMLSEC_TEST.xml:18: element Nonce: validity error : No declaration for > element Nonce > XMLSEC_TEST.xml:19: element Created: validity error : No declaration for > element Created > XMLSEC_TEST.xml:20: element ApplicationName: validity error : No > declaration for element ApplicationName > XMLSEC_TEST.xml:22: element Signature: validity error : No declaration > for element Signature > XMLSEC_TEST.xml:22: element Signature: validity error : No declaration > for attribute xmlns of element Signature 
> XMLSEC_TEST.xml:23: element SignedInfo: validity error : No declaration > for element SignedInfo > XMLSEC_TEST.xml:24: element CanonicalizationMethod: validity error : No > declaration for element CanonicalizationMethod > XMLSEC_TEST.xml:24: element CanonicalizationMethod: validity error : No > declaration for attribute Algorithm of element CanonicalizationMethod > XMLSEC_TEST.xml:25: element SignatureMethod: validity error : No > declaration for element SignatureMethod > XMLSEC_TEST.xml:25: element SignatureMethod: validity error : No > declaration for attribute Algorithm of element SignatureMethod > XMLSEC_TEST.xml:26: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:26: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:27: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:28: element Transform: validity error : No declaration > for element Transform > XMLSEC_TEST.xml:28: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > XMLSEC_TEST.xml:30: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:30: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:31: element DigestValue: validity error : No declaration > for element DigestValue > XMLSEC_TEST.xml:33: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:33: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:34: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:35: element Transform: validity error : No declaration > for element Transform > XMLSEC_TEST.xml:35: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > 
XMLSEC_TEST.xml:37: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:37: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:38: element DigestValue: validity error : No declaration > for element DigestValue > XMLSEC_TEST.xml:40: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:40: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:41: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:42: element Transform: validity error : No declaration > for element Transform > XMLSEC_TEST.xml:42: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > XMLSEC_TEST.xml:44: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:44: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:45: element DigestValue: validity error : No declaration > for element DigestValue > XMLSEC_TEST.xml:47: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:47: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:48: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:49: element Transform: validity error : No declaration > for element Transform > XMLSEC_TEST.xml:49: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > XMLSEC_TEST.xml:51: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:51: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:52: element DigestValue: validity error 
: No declaration > for element DigestValue > XMLSEC_TEST.xml:54: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:54: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:55: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:56: element Transform: validity error : No declaration > for element Transform > XMLSEC_TEST.xml:56: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > XMLSEC_TEST.xml:58: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:58: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:59: element DigestValue: validity error : No declaration > for element DigestValue > XMLSEC_TEST.xml:61: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:61: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:62: element Transforms: validity error : No declaration > for element Transforms > XMLSEC_TEST.xml:63: element Transform: validity error : No declaration > for element Transform > XMLSEC_TEST.xml:63: element Transform: validity error : No declaration > for attribute Algorithm of element Transform > XMLSEC_TEST.xml:65: element DigestMethod: validity error : No > declaration for element DigestMethod > XMLSEC_TEST.xml:65: element DigestMethod: validity error : No > declaration for attribute Algorithm of element DigestMethod > XMLSEC_TEST.xml:66: element DigestValue: validity error : No declaration > for element DigestValue > XMLSEC_TEST.xml:69: element SignatureValue: validity error : No > declaration for element SignatureValue > XMLSEC_TEST.xml:70: element KeyInfo: validity error : No declaration for > element KeyInfo > XMLSEC_TEST.xml:71: element 
SecurityTokenReference: validity error : No > declaration for element SecurityTokenReference > XMLSEC_TEST.xml:72: element Reference: validity error : No declaration > for element Reference > XMLSEC_TEST.xml:72: element Reference: validity error : No declaration > for attribute URI of element Reference > XMLSEC_TEST.xml:72: element Reference: validity error : No declaration > for attribute ValueType of element Reference > XMLSEC_TEST.xml:78: element Body: validity error : No declaration for > element Body > XMLSEC_TEST.xml:78: element Body: validity error : No declaration for > attribute Id of element Body > XMLSEC_TEST.xml:79: element RequestSecurityToken: validity error : No > declaration for element RequestSecurityToken > XMLSEC_TEST.xml:79: element RequestSecurityToken: validity error : No > declaration for attribute xmlns:wst of element RequestSecurityToken > XMLSEC_TEST.xml:80: element TokenType: validity error : No declaration > for element TokenType > XMLSEC_TEST.xml:81: element RequestType: validity error : No declaration > for element RequestType > func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 > library function > failed:expr=xpointer(id('pfxfeb1d38a-a5f3-aa5a-e735-eba9501d6554')) > func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec > library function failed: > func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec > library function failed: > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec > library function failed: > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec > library function failed:transform=xpointer > func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec > library function failed: > 
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
> library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature failed
> Error: failed to sign file "XMLSEC_TEST.xml"
>
>
>

From aleksey at aleksey.com Thu Mar 25 09:06:19 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 25 Mar 2010 09:06:19 -0700
Subject: [xmlsec] Problem with Id attributes and DTD
In-Reply-To:
References:
Message-ID: <4BAB89FB.8050409@aleksey.com>

Well, validity errors come from DTD validation itself and have nothing to do with XMLDsig. You can clear or silence these errors if you don't care. Or you can use --id-attr option (again, don't forget about namespaces).

Aleksey

On 3/25/2010 7:51 AM, Brian Piccolo wrote:
> Thanks for the prompt response Aleksey!
>
> So adding the Namespace clears the issue with the validity error on the Id attribute, but I'm still receiving the error on all of the element attributes. Do I need to build out the DTD to include all of the elements in the XML document?
>
> Based on the FAQ and some of the previous archive posts, it seemed like I only need to add the Id ATTLISTS, but I'm somewhat of a noob with this stuff so I don't know if it was implied that I need to include the other Elements as well.
>
> Thanks again for your help.
>
> Brian
>
>
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Thursday, March 25, 2010 10:36 AM
> To: Brian Piccolo
> Cc: 'xmlsec at aleksey.com'
> Subject: Re: [xmlsec] Problem with Id attributes and DTD
>
> You forgot about namespaces. Look at the errors:
>
> XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for element Timestamp
> XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for attribute Id of element Timestamp
>
> The DTD can't be matched to the xml file.
>
> Aleksey
>
> On 3/25/2010 7:15 AM, Brian Piccolo wrote:
>> Hello,
>> I've been reading all of the archival messages about FAQ section 3.2 and creating a DTD to support an XML document with an "Id" attribute. I've tried adding the ATTLIST to an external DTD file using the --dtd-file option from the command line and also tried embedding the DTD into the XML document. In both cases I've tried using both the declaration as well as just the luck.
>> Attached is a sample of my XML template and the DTD file I'm using and below is the error message that I'm receiving.
>> Any information you can provide would be greatly appreciated.
>> Thanks for your help!
>> Brian >> xmlsec1 sign --dtd-file test.dtd --output output.xml --hmackey key.php >> XMLSEC_TEST.xml >> >> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for >> element Envelope >> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for >> attribute xmlns:soap of element Envelope >> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for >> attribute xmlns:wsa of element Envelope >> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for >> attribute xmlns:wsse of element Envelope >> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for >> attribute xmlns:wsu of element Envelope >> XMLSEC_TEST.xml:3: element Header: validity error : No declaration for >> element Header >> XMLSEC_TEST.xml:4: element Action: validity error : No declaration for >> element Action >> XMLSEC_TEST.xml:4: element Action: validity error : No declaration for >> attribute Id of element Action >> XMLSEC_TEST.xml:5: element MessageID: validity error : No declaration >> for element MessageID >> XMLSEC_TEST.xml:5: element MessageID: validity error : No declaration >> for attribute Id of element MessageID >> XMLSEC_TEST.xml:6: element ReplyTo: validity error : No declaration for >> element ReplyTo >> XMLSEC_TEST.xml:6: element ReplyTo: validity error : No declaration for >> attribute Id of element ReplyTo >> XMLSEC_TEST.xml:7: element Address: validity error : No declaration for >> element Address >> XMLSEC_TEST.xml:9: element To: validity error : No declaration for >> element To >> XMLSEC_TEST.xml:9: element To: validity error : No declaration for >> attribute Id of element To >> XMLSEC_TEST.xml:10: element Security: validity error : No declaration >> for element Security >> XMLSEC_TEST.xml:10: element Security: validity error : No declaration >> for attribute mustUnderstand of element Security >> XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration >> for element Timestamp >> 
XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration >> for attribute Id of element Timestamp >> XMLSEC_TEST.xml:12: element Created: validity error : No declaration for >> element Created >> XMLSEC_TEST.xml:13: element Expires: validity error : No declaration for >> element Expires >> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No >> declaration for element UsernameToken >> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No >> declaration for attribute Id of element UsernameToken >> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No >> declaration for attribute xmlns:wsse of element UsernameToken >> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No >> declaration for attribute xmlns:wsu of element UsernameToken >> XMLSEC_TEST.xml:16: element Username: validity error : No declaration >> for element Username >> XMLSEC_TEST.xml:17: element Password: validity error : No declaration >> for element Password >> XMLSEC_TEST.xml:17: element Password: validity error : No declaration >> for attribute Type of element Password >> XMLSEC_TEST.xml:18: element Nonce: validity error : No declaration for >> element Nonce >> XMLSEC_TEST.xml:19: element Created: validity error : No declaration for >> element Created >> XMLSEC_TEST.xml:20: element ApplicationName: validity error : No >> declaration for element ApplicationName >> XMLSEC_TEST.xml:22: element Signature: validity error : No declaration >> for element Signature >> XMLSEC_TEST.xml:22: element Signature: validity error : No declaration >> for attribute xmlns of element Signature >> XMLSEC_TEST.xml:23: element SignedInfo: validity error : No declaration >> for element SignedInfo >> XMLSEC_TEST.xml:24: element CanonicalizationMethod: validity error : No >> declaration for element CanonicalizationMethod >> XMLSEC_TEST.xml:24: element CanonicalizationMethod: validity error : No >> declaration for attribute Algorithm of element CanonicalizationMethod >> 
>> XMLSEC_TEST.xml:25: element SignatureMethod: validity error : No declaration for element SignatureMethod
>> XMLSEC_TEST.xml:25: element SignatureMethod: validity error : No declaration for attribute Algorithm of element SignatureMethod
>> XMLSEC_TEST.xml:26: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:26: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:27: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:28: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:28: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:30: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:30: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:31: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:33: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:33: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:34: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:35: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:35: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:37: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:37: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:38: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:40: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:40: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:41: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:42: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:42: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:44: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:44: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:45: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:47: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:47: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:48: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:49: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:49: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:51: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:51: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:52: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:54: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:54: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:55: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:56: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:56: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:58: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:58: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:59: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:61: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:61: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:62: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:63: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:63: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:65: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:65: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:66: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:69: element SignatureValue: validity error : No declaration for element SignatureValue
>> XMLSEC_TEST.xml:70: element KeyInfo: validity error : No declaration for element KeyInfo
>> XMLSEC_TEST.xml:71: element SecurityTokenReference: validity error : No declaration for element SecurityTokenReference
>> XMLSEC_TEST.xml:72: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:72: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:72: element Reference: validity error : No declaration for attribute ValueType of element Reference
>> XMLSEC_TEST.xml:78: element Body: validity error : No declaration for element Body
>> XMLSEC_TEST.xml:78: element Body: validity error : No declaration for attribute Id of element Body
>> XMLSEC_TEST.xml:79: element RequestSecurityToken: validity error : No declaration for element RequestSecurityToken
>> XMLSEC_TEST.xml:79: element RequestSecurityToken: validity error : No declaration for attribute xmlns:wst of element RequestSecurityToken
>> XMLSEC_TEST.xml:80: element TokenType: validity error : No declaration for element TokenType
>> XMLSEC_TEST.xml:81: element RequestType: validity error : No declaration for element RequestType
>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('pfxfeb1d38a-a5f3-aa5a-e735-eba9501d6554'))
>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>> Error: signature failed
>> Error: failed to sign file "XMLSEC_TEST.xml"
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>

From bpiccolo at pixelbridge.com  Thu Mar 25 11:19:00 2010
From: bpiccolo at pixelbridge.com (Brian Piccolo)
Date: Thu, 25 Mar 2010 14:19:00 -0400
Subject: [xmlsec] Problem with Id attributes and DTD
In-Reply-To: <4BAB89FB.8050409@aleksey.com>
Message-ID:

Hi Aleksey,

Thanks for your help! I was able to get this to work by building out a complete DTD using an XML to DTD generator. Works like a charm.

Thanks again!

Brian

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: Thursday, March 25, 2010 12:06 PM
To: Brian Piccolo
Cc: 'xmlsec at aleksey.com'
Subject: Re: [xmlsec] Problem with Id attributes and DTD

Well, validity errors come from DTD validation itself and have nothing to do with XMLDsig. You can clear or silence these errors if you don't care. Or you can use the --id-attr option (again, don't forget about namespaces).

Aleksey

On 3/25/2010 7:51 AM, Brian Piccolo wrote:
> Thanks for the prompt response Aleksey!
>
> So adding the Namespace clears the issue with the validity error on the Id attribute, but I'm still receiving the error on all of the element attributes. Do I need to build out the DTD to include all of the elements in the XML document?
>
> Based on the FAQ and some of the previous archive posts, it seemed like I only needed to add the Id ATTLISTs, but I'm somewhat of a noob with this stuff, so I don't know if it was implied that I need to include the other Elements as well.
>
> Thanks again for your help.
>
> Brian
>
>
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Thursday, March 25, 2010 10:36 AM
> To: Brian Piccolo
> Cc: 'xmlsec at aleksey.com'
> Subject: Re: [xmlsec] Problem with Id attributes and DTD
>
> You forgot about namespaces. Look at the errors:
>
> XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for element Timestamp
> XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for attribute Id of element Timestamp
>
> The DTD can't be matched to the xml file.
>
> Aleksey
>
> On 3/25/2010 7:15 AM, Brian Piccolo wrote:
>> Hello,
>> I've been reading all of the archival messages about FAQ section 3.2 and creating a DTD to support an XML document with an "Id" attribute. I've tried adding the ATTLIST to an external DTD file using the --dtd-file option from the command line and also tried embedding the DTD into the XML document. In both cases I've tried using both the declaration as well as just the> luck.
>> Attached is a sample of my XML template and the DTD file I'm using and below is the error message that I'm receiving.
>> Any information you can provide would be greatly appreciated.
>> Thanks for your help!
>> Brian
>>
>> xmlsec1 sign --dtd-file test.dtd --output output.xml --hmackey key.php XMLSEC_TEST.xml
>>
>> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for element Envelope
>> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:soap of element Envelope
>> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:wsa of element Envelope
>> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:wsse of element Envelope
>> XMLSEC_TEST.xml:2: element Envelope: validity error : No declaration for attribute xmlns:wsu of element Envelope
>> XMLSEC_TEST.xml:3: element Header: validity error : No declaration for element Header
>> XMLSEC_TEST.xml:4: element Action: validity error : No declaration for element Action
>> XMLSEC_TEST.xml:4: element Action: validity error : No declaration for attribute Id of element Action
>> XMLSEC_TEST.xml:5: element MessageID: validity error : No declaration for element MessageID
>> XMLSEC_TEST.xml:5: element MessageID: validity error : No declaration for attribute Id of element MessageID
>> XMLSEC_TEST.xml:6: element ReplyTo: validity error : No declaration for element ReplyTo
>> XMLSEC_TEST.xml:6: element ReplyTo: validity error : No declaration for attribute Id of element ReplyTo
>> XMLSEC_TEST.xml:7: element Address: validity error : No declaration for element Address
>> XMLSEC_TEST.xml:9: element To: validity error : No declaration for element To
>> XMLSEC_TEST.xml:9: element To: validity error : No declaration for attribute Id of element To
>> XMLSEC_TEST.xml:10: element Security: validity error : No declaration for element Security
>> XMLSEC_TEST.xml:10: element Security: validity error : No declaration for attribute mustUnderstand of element Security
>> XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for element Timestamp
>> XMLSEC_TEST.xml:11: element Timestamp: validity error : No declaration for attribute Id of element Timestamp
>> XMLSEC_TEST.xml:12: element Created: validity error : No declaration for element Created
>> XMLSEC_TEST.xml:13: element Expires: validity error : No declaration for element Expires
>> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No declaration for element UsernameToken
>> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No declaration for attribute Id of element UsernameToken
>> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No declaration for attribute xmlns:wsse of element UsernameToken
>> XMLSEC_TEST.xml:15: element UsernameToken: validity error : No declaration for attribute xmlns:wsu of element UsernameToken
>> XMLSEC_TEST.xml:16: element Username: validity error : No declaration for element Username
>> XMLSEC_TEST.xml:17: element Password: validity error : No declaration for element Password
>> XMLSEC_TEST.xml:17: element Password: validity error : No declaration for attribute Type of element Password
>> XMLSEC_TEST.xml:18: element Nonce: validity error : No declaration for element Nonce
>> XMLSEC_TEST.xml:19: element Created: validity error : No declaration for element Created
>> XMLSEC_TEST.xml:20: element ApplicationName: validity error : No declaration for element ApplicationName
>> XMLSEC_TEST.xml:22: element Signature: validity error : No declaration for element Signature
>> XMLSEC_TEST.xml:22: element Signature: validity error : No declaration for attribute xmlns of element Signature
>> XMLSEC_TEST.xml:23: element SignedInfo: validity error : No declaration for element SignedInfo
>> XMLSEC_TEST.xml:24: element CanonicalizationMethod: validity error : No declaration for element CanonicalizationMethod
>> XMLSEC_TEST.xml:24: element CanonicalizationMethod: validity error : No declaration for attribute Algorithm of element CanonicalizationMethod
>> XMLSEC_TEST.xml:25: element SignatureMethod: validity error : No declaration for element SignatureMethod
>> XMLSEC_TEST.xml:25: element SignatureMethod: validity error : No declaration for attribute Algorithm of element SignatureMethod
>> XMLSEC_TEST.xml:26: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:26: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:27: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:28: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:28: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:30: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:30: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:31: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:33: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:33: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:34: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:35: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:35: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:37: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:37: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:38: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:40: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:40: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:41: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:42: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:42: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:44: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:44: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:45: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:47: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:47: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:48: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:49: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:49: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:51: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:51: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:52: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:54: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:54: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:55: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:56: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:56: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:58: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:58: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:59: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:61: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:61: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:62: element Transforms: validity error : No declaration for element Transforms
>> XMLSEC_TEST.xml:63: element Transform: validity error : No declaration for element Transform
>> XMLSEC_TEST.xml:63: element Transform: validity error : No declaration for attribute Algorithm of element Transform
>> XMLSEC_TEST.xml:65: element DigestMethod: validity error : No declaration for element DigestMethod
>> XMLSEC_TEST.xml:65: element DigestMethod: validity error : No declaration for attribute Algorithm of element DigestMethod
>> XMLSEC_TEST.xml:66: element DigestValue: validity error : No declaration for element DigestValue
>> XMLSEC_TEST.xml:69: element SignatureValue: validity error : No declaration for element SignatureValue
>> XMLSEC_TEST.xml:70: element KeyInfo: validity error : No declaration for element KeyInfo
>> XMLSEC_TEST.xml:71: element SecurityTokenReference: validity error : No declaration for element SecurityTokenReference
>> XMLSEC_TEST.xml:72: element Reference: validity error : No declaration for element Reference
>> XMLSEC_TEST.xml:72: element Reference: validity error : No declaration for attribute URI of element Reference
>> XMLSEC_TEST.xml:72: element Reference: validity error : No declaration for attribute ValueType of element Reference
>> XMLSEC_TEST.xml:78: element Body: validity error : No declaration for element Body
>> XMLSEC_TEST.xml:78: element Body: validity error : No declaration for attribute Id of element Body
>> XMLSEC_TEST.xml:79: element RequestSecurityToken: validity error : No declaration for element RequestSecurityToken
>> XMLSEC_TEST.xml:79: element RequestSecurityToken: validity error : No declaration for attribute xmlns:wst of element RequestSecurityToken
>> XMLSEC_TEST.xml:80: element TokenType: validity error : No declaration for element TokenType
>> XMLSEC_TEST.xml:81: element RequestType: validity error : No declaration for element RequestType
>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('pfxfeb1d38a-a5f3-aa5a-e735-eba9501d6554'))
>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>> Error: signature failed
>> Error: failed to sign file "XMLSEC_TEST.xml"
>>
>>
>>
>
>

From mahendra0203 at gmail.com  Tue Mar 30 23:08:45 2010
From: mahendra0203 at gmail.com (mahendra N)
Date: Wed, 31 Mar 2010 11:38:45 +0530
Subject: [xmlsec] xmlsec for 64 bit windows
Message-ID:

Hi,

Are xmlsec binaries available for 64bit windows OS? Or can we compile the xmlsec code for 64 bit windows machines? Any info on the subject would be of great help.

Thanks in advance,
Mahendra Naik.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From aleksey at aleksey.com  Wed Mar 31 07:32:42 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 31 Mar 2010 07:32:42 -0700
Subject: [xmlsec] xmlsec for 64 bit windows
In-Reply-To:
References:
Message-ID: <4BB35D0A.6080203@aleksey.com>

I don't see reasons why it will not compile.

Aleksey

On 3/30/2010 11:08 PM, mahendra N wrote:
> Hi,
> Are xmlsec binaries available for 64bit windows OS? Or can we compile the xmlsec code for 64 bit windows machines? Any info on the subject would be of great help.
>
> Thanks in advance,
> Mahendra Naik.
>
>

From danushka at wso2.com  Wed Mar 31 08:02:19 2010
From: danushka at wso2.com (Danushka Menikkumbura)
Date: Wed, 31 Mar 2010 20:32:19 +0530
Subject: [xmlsec] xmlsec for 64 bit windows
In-Reply-To: <4BB35D0A.6080203@aleksey.com>
References: <4BB35D0A.6080203@aleksey.com>
Message-ID:

It may compile, but is it certain that there are no explicit casts to long, pointer etc.?

Danushka

On Wed, Mar 31, 2010 at 8:02 PM, Aleksey Sanin wrote:
> I don't see reasons why it will not compile.
>
> Aleksey
>
>
> On 3/30/2010 11:08 PM, mahendra N wrote:
>
>> Hi,
>> Are xmlsec binaries available for 64bit windows OS? Or can we compile the xmlsec code for 64 bit windows machines? Any info on the subject would be of great help.
>>
>> Thanks in advance,
>> Mahendra Naik.
>>
>

--
Danushka Menikkumbura
Technical Lead & Product Manager, WSO2 SOA Enablement Server

WSO2, Inc.; http://wso2.com
Lean . Enterprise . Middleware

phone : +94 77 364 1754
blog : http://danushka-menikkumbura.blogspot.com/

Disclaimer: This communication may contain privileged or other confidential information and is intended exclusively for the addressee/s. If you are not the intended recipient/s, or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received and in addition, you should not print, copy, retransmit, disseminate, or otherwise use the information contained in this communication. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From aleksey at aleksey.com  Wed Mar 31 08:55:52 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 31 Mar 2010 08:55:52 -0700
Subject: [xmlsec] xmlsec for 64 bit windows
In-Reply-To:
References: <4BB35D0A.6080203@aleksey.com>
Message-ID: <4BB37088.40809@aleksey.com>

It works on other 64 bit OSes.

Aleksey

On 3/31/2010 8:02 AM, Danushka Menikkumbura wrote:
> It may compile, but is it certain that there are no explicit casts to long, pointer etc.?
>
> Danushka
>
> On Wed, Mar 31, 2010 at 8:02 PM, Aleksey Sanin wrote:
>
>     I don't see reasons why it will not compile.
>
>     Aleksey
>
>
>     On 3/30/2010 11:08 PM, mahendra N wrote:
>
>         Hi,
>         Are xmlsec binaries available for 64bit windows OS? Or can we compile the xmlsec code for 64 bit windows machines? Any info on the subject would be of great help.
>
>         Thanks in advance,
>         Mahendra Naik.
>
>

From danushka at wso2.com  Wed Mar 31 09:08:51 2010
From: danushka at wso2.com (Danushka Menikkumbura)
Date: Wed, 31 Mar 2010 21:38:51 +0530
Subject: [xmlsec] xmlsec for 64 bit windows
In-Reply-To: <4BB37088.40809@aleksey.com>
References: <4BB35D0A.6080203@aleksey.com> <4BB37088.40809@aleksey.com>
Message-ID:

But Windows 64 bit is different. On 64 bit Linux long is 64 bit, whereas on 64 bit Windows it's 32 bit. Therefore when you do an explicit cast from a pointer to a long, it works on 32 bit Windows and on Linux (both 32 bit and 64 bit) but not on 64 bit Windows, as the pointer is 64 bit but long is still 32 bit.

Danushka

On Wed, Mar 31, 2010 at 9:25 PM, Aleksey Sanin wrote:
> It works on other 64 bit OSes.
>
> Aleksey
>
>
> On 3/31/2010 8:02 AM, Danushka Menikkumbura wrote:
>
>> It may compile, but is it certain that there are no explicit casts to long, pointer etc.?
>>
>> Danushka
>>
>> On Wed, Mar 31, 2010 at 8:02 PM, Aleksey Sanin wrote:
>>
>>     I don't see reasons why it will not compile.
>>
>>     Aleksey
>>
>>
>>     On 3/30/2010 11:08 PM, mahendra N wrote:
>>
>>         Hi,
>>         Are xmlsec binaries available for 64bit windows OS? Or can we compile the xmlsec code for 64 bit windows machines? Any info on the subject would be of great help.
>>
>>         Thanks in advance,
>>         Mahendra Naik.
>> >> >> >> _______________________________________________ >> xmlsec mailing list >> xmlsec at aleksey.com >> >> http://www.aleksey.com/mailman/listinfo/xmlsec >> >> _______________________________________________ >> xmlsec mailing list >> xmlsec at aleksey.com >> >> http://www.aleksey.com/mailman/listinfo/xmlsec >> >> >> >> >> -- >> Danushka Menikkumbura >> Technical Lead & Product Manager, WSO2 SOA Enablement Server >> >> WSO2, Inc.; http://wso2.com >> Lean . Enterprise . Middleware >> >> phone : +94 77 364 1754 >> blog : http://danushka-menikkumbura.blogspot.com/ >> >> Disclaimer: This communication may contain privileged or other >> confidential information and is intended exclusively for the >> addressee/s. If you are not the intended recipient/s, or believe that >> you may have received this communication in error, please reply to the >> sender indicating that fact and delete the copy you received and in >> addition, you should not print, copy, retransmit, disseminate, or >> otherwise use the information contained in this communication. Internet >> communications cannot be guaranteed to be timely, secure, error or >> virus-free. The sender does not accept liability for any errors or >> omissions. >> > -- Danushka Menikkumbura Technical Lead & Product Manager, WSO2 SOA Enablement Server WSO2, Inc.; http://wso2.com Lean . Enterprise . Middleware phone : +94 77 364 1754 blog : http://danushka-menikkumbura.blogspot.com/ Disclaimer: This communication may contain privileged or other confidential information and is intended exclusively for the addressee/s. If you are not the intended recipient/s, or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received and in addition, you should not print, copy, retransmit, disseminate, or otherwise use the information contained in this communication. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. 
The sender does not accept liability for any errors or omissions. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mahendra0203 at gmail.com Wed Mar 31 09:14:37 2010 From: mahendra0203 at gmail.com (mahendra N) Date: Wed, 31 Mar 2010 21:44:37 +0530 Subject: [xmlsec] xmlsec for 64 bit windows In-Reply-To: References: <4BB35D0A.6080203@aleksey.com> <4BB37088.40809@aleksey.com> Message-ID: Hi, Can i get reference to any document or a article where such differences are mentioned?.. What would be the optimum way to resolve these differences.? Thanks and Regards, Mahendra Naik 2010/3/31 Danushka Menikkumbura > But Windows 64 bit is different. On 64 bit Linux long is 64 bit whereas on > 64 bit Windows its 32 bit. Therefore when you do an explicit cast from > pointer to a long, it works on 32 bit Windows and on Linux (both 32 bit and > 64 bit) but not on 64 bit Windows as pointer is 64 bit but long is still 32 > bit. > > Danushka > > > On Wed, Mar 31, 2010 at 9:25 PM, Aleksey Sanin wrote: > >> It works on other 64 bit OS's >> >> Aleksey >> >> >> On 3/31/2010 8:02 AM, Danushka Menikkumbura wrote: >> >>> It may compile but is it certain that there are no explicit casts to >>> long, pointer etc?. >>> >>> Danushka >>> >>> On Wed, Mar 31, 2010 at 8:02 PM, Aleksey Sanin >> > wrote: >>> >>> I don't see reasons why it will not compile. >>> >>> Aleksey >>> >>> >>> On 3/30/2010 11:08 PM, mahendra N wrote: >>> >>> Hi , >>> Are xmlsec binaries available for 64bit windows OS?. Or >>> can we >>> compile the xmlsec code for 64 bit windows machines.?.Any info >>> on the >>> subject would be of great help. >>> >>> Thanks in advance, >>> Mahendra Naik. 
>>> >>> >>> >>> _______________________________________________ >>> xmlsec mailing list >>> xmlsec at aleksey.com >>> >>> http://www.aleksey.com/mailman/listinfo/xmlsec >>> >>> _______________________________________________ >>> xmlsec mailing list >>> xmlsec at aleksey.com >>> >>> http://www.aleksey.com/mailman/listinfo/xmlsec >>> >>> >>> >>> >>> -- >>> Danushka Menikkumbura >>> Technical Lead & Product Manager, WSO2 SOA Enablement Server >>> >>> WSO2, Inc.; http://wso2.com >>> Lean . Enterprise . Middleware >>> >>> phone : +94 77 364 1754 >>> blog : http://danushka-menikkumbura.blogspot.com/ >>> >>> Disclaimer: This communication may contain privileged or other >>> confidential information and is intended exclusively for the >>> addressee/s. If you are not the intended recipient/s, or believe that >>> you may have received this communication in error, please reply to the >>> sender indicating that fact and delete the copy you received and in >>> addition, you should not print, copy, retransmit, disseminate, or >>> otherwise use the information contained in this communication. Internet >>> communications cannot be guaranteed to be timely, secure, error or >>> virus-free. The sender does not accept liability for any errors or >>> omissions. >>> >> > > > -- > Danushka Menikkumbura > Technical Lead & Product Manager, WSO2 SOA Enablement Server > > WSO2, Inc.; http://wso2.com > Lean . Enterprise . Middleware > > phone : +94 77 364 1754 > blog : http://danushka-menikkumbura.blogspot.com/ > > Disclaimer: This communication may contain privileged or other confidential > information and is intended exclusively for the addressee/s. If you are not > the intended recipient/s, or believe that you may have received this > communication in error, please reply to the sender indicating that fact and > delete the copy you received and in addition, you should not print, copy, > retransmit, disseminate, or otherwise use the information contained in this > communication. 
From danushka at wso2.com Wed Mar 31 09:22:05 2010
From: danushka at wso2.com (Danushka Menikkumbura)
Date: Wed, 31 Mar 2010 21:52:05 +0530
Subject: [xmlsec] xmlsec for 64 bit windows
In-Reply-To:
References: <4BB35D0A.6080203@aleksey.com> <4BB37088.40809@aleksey.com>
Message-ID:

Well, I can not recall any such resource at the moment. If you Google you will be able to find a number of docs and articles. But the only difference when you move from 32 bit to 64 bit is the sizes of pointer and size_t types. They are 32 bit on 32 bit platforms and 64 bit on 64 bit platforms. The only exception is long, which is still 32 bit on 64 bit Windows.

Danushka

On Wed, Mar 31, 2010 at 9:44 PM, mahendra N wrote:

> Hi,
> Can I get a reference to any document or article where such
> differences are mentioned? What would be the optimum way to resolve these
> differences?
> Thanks and Regards,
> Mahendra Naik
>
> 2010/3/31 Danushka Menikkumbura
>
>> But Windows 64 bit is different. On 64 bit Linux long is 64 bit whereas on
>> 64 bit Windows it's 32 bit. Therefore when you do an explicit cast from
>> pointer to a long, it works on 32 bit Windows and on Linux (both 32 bit and
>> 64 bit) but not on 64 bit Windows as pointer is 64 bit but long is still 32
>> bit.
>>
>> Danushka
From waterfall at inbox.ru Mon Apr 5 23:52:44 2010
From: waterfall at inbox.ru (waterfall at inbox.ru)
Date: Tue, 6 Apr 2010 10:52:44 +0400
Subject: [xmlsec] xmlsec, openssl , gost
In-Reply-To:
References:
Message-ID:

--- Original message ---
From: "waterfall at evol.ru"
Sent: 06.04.2010 01:23:14
Subject: xmlsec, openssl , gost

1.
I install openssl 1.0 (use ./config shared), xmlsec 1.2.4 (use ./configure --enable-gost --with-openssl="/usr/local/ssl") in slax

2. generate key: openssl genpkey -algorithm gost2001 -pkeyopt paramset:A -out seckey.pem

sign1-tmpl-rus.xml (from test)
[signature template; the XML tags were lost in the archive, only the text "Hello, World!" and the XPath "not(ancestor-or-self::dsig:Signature)" survive]

sign1 - one of the examples (by default it uses the openssl engine)

command: ./sign1 sign1-tmpl-rus.xml seckey.pem

get this:

func=xmlSecOpenSSLEvpKeyAdopt:file=evp.c:line=241:obj=unknown:subj=unknown:error=14:invalid type:evp key type 811 not supported
func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=333:obj=unknown:subj=xmlSecOpenSSLEvpKeyAdopt:error=1:xmlsec library function failed:
func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=143:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=seckey.pem;errno=0
Error: failed to load private pem key from "seckey.pem"

what should I do? :)

From aleksey at aleksey.com Tue Apr 6 08:41:32 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 06 Apr 2010 08:41:32 -0700
Subject: [xmlsec] xmlsec, openssl , gost
In-Reply-To:
References:
Message-ID: <4BBB562C.4030900@aleksey.com>

I believe that today GOST is only supported on Windows through mscrypto. To add GOST support for openssl, you will need to implement GOST keys and encryption/decryption support. It should be a straightforward copy/paste/replace from, for example, the RSA keys/encryption implementation.

Hint: I love patches :)

Aleksey

On 4/5/2010 11:52 PM, waterfall at inbox.ru wrote:
> --- Original message ---
>
> From: "waterfall at evol.ru"
>
> Sent: 06.04.2010 01:23:14
>
> Subject: xmlsec, openssl , gost
>
> 1. i install openssl 1.0 (use ./config shared ), xmlsec 1.2.4 (use
> ./configure --enable-gost --with-openssl="/usr/local/ssl") in slax
>
> 2.
> generate key : openssl genpkey -algorithm gost2001 -pkeyopt
> paramset:A -out seckey.pem

From roland.hedberg at adm.umu.se Wed Apr 7 01:52:27 2010
From: roland.hedberg at adm.umu.se (Roland Hedberg)
Date: Wed, 7 Apr 2010 10:52:27 +0200
Subject: [xmlsec] multiple signatures
Message-ID: <6FE0F688-3FFA-499F-B665-A725E2E6D1B6@adm.umu.se>

Hi!

I work on a SAML implementation in Python and have stumbled over the following:

What if an XML file contains several signatures, can I verify them in one go or do I have to do N verifications, one per signature?
If the latter, how do I specify which part I want checked?

So, I may get a signed response which contains one or more signed assertions. All of them might or might not be signed with the same key. What to do?

--Roland

From roland.hedberg at adm.umu.se Wed Apr 7 02:34:56 2010
From: roland.hedberg at adm.umu.se (Roland Hedberg)
Date: Wed, 7 Apr 2010 11:34:56 +0200
Subject: [xmlsec] Why can't I use node-id ?
Message-ID: <31952BCD-2D32-4491-940F-67060FD1659F@adm.umu.se>

Hi again!

I'm trying to use --node-id 'Signature1' but it fails on me due to:

Error: parameter "--node-id "Signature1"" is not supported or the requested feature might have been disabled during compilation.

I just did the normal configure, make, make install and have not knowingly disabled anything.

$ xmlsec1 --version
xmlsec1 1.2.14 (openssl)

Should I have enabled something?

--Roland

From bdauvergne at entrouvert.com Wed Apr 7 02:43:55 2010
From: bdauvergne at entrouvert.com (Benjamin Dauvergne)
Date: Wed, 07 Apr 2010 11:43:55 +0200
Subject: [xmlsec] multiple signatures
In-Reply-To: <6FE0F688-3FFA-499F-B665-A725E2E6D1B6@adm.umu.se>
References: <6FE0F688-3FFA-499F-B665-A725E2E6D1B6@adm.umu.se>
Message-ID: <4BBC53DB.9080401@entrouvert.com>

Roland Hedberg wrote:
> Hi!
>
> I work on a SAML implementation in Python and have stumbled over the following:

Not completely out of context, I would like to advertise the GPL Lasso library (http://lasso.entrouvert.org) which already supports SAML 1.1, ID-FF 1.2 and SAML 2.0 using libxmlsec. Every participation is welcome.

> What if an XML file contains several signatures, can I verify them in one go or do I have to do N verifications, one per signature?
> If the latter, how do I specify which part I want checked?

You normally give the Signature node as the second argument to xmlSecDSigCtxVerify.

> So, I may get a signed response which contains one or more signed assertions.
> All of them might or might not be signed with the same key.
> What to do?
Look up the Issuer attribute of each assertion, find the public key for it and check the assertion signature with it. This use case is not currently supported by Lasso (IdPs usually send only one assertion in authentication responses), but all building blocks for it are present.

From roland.hedberg at adm.umu.se Wed Apr 7 05:57:59 2010
From: roland.hedberg at adm.umu.se (Roland Hedberg)
Date: Wed, 7 Apr 2010 14:57:59 +0200
Subject: [xmlsec] Why can't I use node-id ?
In-Reply-To: <31952BCD-2D32-4491-940F-67060FD1659F@adm.umu.se>
References: <31952BCD-2D32-4491-940F-67060FD1659F@adm.umu.se>
Message-ID:

On Apr 7, 2010, at 11:34, Roland Hedberg wrote:
> Hi again!
>
> I'm trying to use --node-id 'Signature1' but it fails on me due to:
>
> Error: parameter "--node-id "Signature1"" is not supported or the requested
> feature might have been disabled during compilation.

Fixed, PBKAC !!!

--Roland

From mahendra0203 at gmail.com Thu Apr 8 01:01:34 2010
From: mahendra0203 at gmail.com (mahendra N)
Date: Thu, 8 Apr 2010 13:31:34 +0530
Subject: [xmlsec] Compiling xmlsec on windows
In-Reply-To:
References:
Message-ID:

Hi,

I am trying to compile xmlsec on windows. I am getting the following error.

NMAKE : fatal error U1073: don't know how to make 'apps_a.int\crypto.obj'

Any pointers to this issue would be of great help.

Thanks in advance,
Mahendra Naik

From aleksey at aleksey.com Thu Apr 8 07:28:02 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 08 Apr 2010 07:28:02 -0700
Subject: [xmlsec] Compiling xmlsec on windows
In-Reply-To:
References:
Message-ID: <4BBDE7F2.70702@aleksey.com>

Are you using the Makefile from the win32/ subfolder?

Aleksey

On 4/8/2010 1:01 AM, mahendra N wrote:
> Hi,
> I am trying to compile xmlsec on windows. I am getting the following
> error.
> NMAKE : fatal error U1073: don't know how to make 'apps_a.int\crypto.obj'
>
> Any pointers to this issue would be of great help.

From xmlsec at roumenpetrov.info Fri Apr 16 14:25:53 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Sat, 17 Apr 2010 00:25:53 +0300
Subject: [xmlsec] trunk build with libraries from non-standard location
Message-ID: <4BC8D5E1.4080504@roumenpetrov.info>

Hi,

Now I'm testing xmlsec with openssl 1.0.0 in the following linux build environment:
- libxml (trunk) built outside the source tree;
- libxslt (trunk) built outside the source tree;
- openssl (1.0.0, non-patched source) installed in a non-default path, i.e. not in the linker search paths and not listed in /etc/ld.so.conf;
- xmlsec (trunk) built outside the source tree

The xmlsec build system is regenerated with:
- libtool 2.2.6
- automake 1.11
- autoconf 2.65
FSF versions of the GNU autotools, i.e. without patches.
Note that in the above build system the libxml, libxslt and xmlsec directories contain libtool la-files. The OS has an installed la-file for libltdl.la. Openssl and libz don't use libtool.

..../configure \
    --with-libxml-src=path_to_libxml_build_dir \
    --with-libxslt-src=path_to_libxml_build_dir \
    --with-openssl=/usr/local/openssl/1.0.0 \
    CPPFLAGS=paths_to_libxml&libxslt_sources \
    LDFLAGS=-Rpaths_to_openssl

LDFLAGS is my test to avoid the issue without updating makefiles - it doesn't help.

After the build, libxmlsec1-openssl.so is expected to list in its Dynamic Section:
    NEEDED libcrypto.so.1.0.0
Instead the xmlsec openssl crypto module is linked with the library found in the system default search path.

It seems this is an issue with the order of dependent libraries for the crypto modules.
To resolve the issue (see attached file xmlsec-test-liborder.patch):
The original xxx_LIBADD list:
- ../libxmlsec1.la (first)
- crypto library (second)
- libxml and libxslt
The file libxmlsec1.la lists ltdl as a dependent library, and libtool adds /usr/lib (!) to the search path. Next is the path for the crypto library, but as the path /usr/lib comes before it, the xmlsec module is linked to the system library. If ../libxmlsec1.la is moved to the end of the xxx_LIBADD list, the module is linked to the correct openssl library.

The exact link commands are visible in the attached file xmlsec-origin-library-order-issue.diff
a) long lines are split for easy reading
b) XXX-before.txt is with the non-patched Makefile.am
c) XXX-after.txt is with the patched Makefile.am
d) the path /usr/local/lib: this path is not expected. Maybe it comes from libxslt.la, as it is listed in dependency_libs before -lxml2
e) the path /usr/lib: this breaks the correct link and I cannot find why it is in the list. Maybe from libltdl?

d) and e) look like an issue with libtool, as /usr/local/lib is listed in /etc/ld.so.conf, and /usr/local/lib and /usr/lib are in the compiler (linker) default search path.

It is very difficult for me to understand where the problem is, as all libtool 2.2.6 regression tests pass.

Roumen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: xmlsec-test-liborder.patch
Type: text/x-diff
Size: 1628 bytes
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xmlsec-origin-library-order-issue.diff

From jirka at kosek.cz Tue Apr 20 05:43:48 2010
From: jirka at kosek.cz (Jirka Kosek)
Date: Tue, 20 Apr 2010 14:43:48 +0200
Subject: [xmlsec] Signing with X509 certificate using mscrypto provider
Message-ID: <4BCDA184.3040402@kosek.cz>

Hi,

I would like to sign XML files using the xmlsec command line utility using certificates stored inside the Windows certificate store.

What is the proper way to reference a certificate from a signature template?
I thought that something like this (note the reference to the certificate in the X509SubjectName element):

[signature template; the XML tags were lost in the archive, only the X509SubjectName value survives]
    ...
    ...
    CN=Jan Tester

would be sufficient. But when I run xmlsec with:

xmlsec --sign --crypto mscrypto --output signed.xml template.xml

I got:

func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=-2146885628 (0x80092004);last error msg=Cannot find object or property.

It seems that xmlsec is unable to find the certificate for signing. What's the proper way of referencing the certificate? (Note that I'm able to sign the document if I dump the complete certificate inside the X509Certificate element, but this element is then duplicated in the output. Not speaking about the inconvenience of such a method.)

Thanks in advance,

Jirka

--
------------------------------------------------------------------
Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz
------------------------------------------------------------------
Professional XML consulting and training services
DocBook customization, custom XSLT/XSL-FO document processing
------------------------------------------------------------------
OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member
------------------------------------------------------------------

From aleksey at aleksey.com Tue Apr 20 11:49:20 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 20 Apr 2010 11:49:20 -0700
Subject: [xmlsec] Signing with X509 certificate using mscrypto provider
In-Reply-To: <4BCDA184.3040402@kosek.cz>
References: <4BCDA184.3040402@kosek.cz>
Message-ID: <4BCDF730.2000805@aleksey.com>

Sorry, I am not very familiar with mscrypto... Could you please try to put the certificate subject into the "KeyName" element?
I recall xmlsec-mscrypto is using it to search for the certificate/private key pair. Also I believe there is a notion of "friendly name" that can also be used as "KeyName" to refer to the key.

Aleksey

On 4/20/2010 5:43 AM, Jirka Kosek wrote:
> Hi,
>
> I would like to sign XML files using xmlsec command line utility using
> certificates stored inside Windows certificate store.
>
> What is the proper way to reference certificate from signature template.

From aleksey at aleksey.com Tue Apr 20 12:37:20 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 20 Apr 2010 12:37:20 -0700
Subject: [xmlsec] trunk build with libraries from non-standard location
In-Reply-To: <4BC8D5E1.4080504@roumenpetrov.info>
References: <4BC8D5E1.4080504@roumenpetrov.info>
Message-ID: <4BCE0270.10504@aleksey.com>

Roumen,

Sorry for the delay with the response. I was out of town and just got back. Let me take a look at it tonight.
Aleksey

On 4/16/2010 2:25 PM, Roumen Petrov wrote:
> Hi ,
>
> Now I'm testing xmlsec with openssl 1.0.0 in following linux build
> environment:
From jirka at kosek.cz Tue Apr 20 15:23:55 2010
From: jirka at kosek.cz (Jirka Kosek)
Date: Wed, 21 Apr 2010 00:23:55 +0200
Subject: [xmlsec] Signing with X509 certificate using mscrypto provider
In-Reply-To: <4BCDF730.2000805@aleksey.com>
References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com>
Message-ID: <4BCE297B.1040102@kosek.cz>

Aleksey Sanin wrote:
> Sorry, I am not very familiar with mscrypto...

I think that it is better not to be familiar with any MS crypto stuff ;-) But anyway, is there any list specific for xmlsec and mscrypto? I haven't found much information specific to the usage of xmlsec with MS crypto providers.

> Could you please try to put the certificate subject into
> "KeyName" element? I recall xmlsec-mscrypto is using it
> to search for certificate/private key pair. Also I believe
> there is a notion of "friendly name" that is also can be
> used as "KeyName" to refer to the key.

Thanks for the tip. I investigated it a little bit and in general both ways you suggested work.
The only glitch is that this doesn't work if I use non-ASCII characters in the name. This is a problem because certificates here in Czech usually contain the first and last name inside the certificate subject and there are almost always some characters with accents.

So it seems that there is a bug related to processing non-ASCII characters. Also if I ask for the certificate subject and issuer in a signature template and these fields contain non-ASCII characters, I get the following error from xmlsec:

output error : invalid character value
output error : string is not in UTF-8

Should I record this in the Bugzilla or is it sufficient to report it here?

As a workaround I have tried to escape accented characters, i.e. use:

serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,O=Ing. Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ

instead of

SERIALNUMBER=P111870,CN=Ing. Jiří Kosek,OU=1,O=Ing. Jiří Kosek [IČ 71612998],C=CZ

I don't know whether this escaping is syntactically correct from the X.509 point of view, but I have seen it in the output of a message signed with the openssl provider. Anyway, this has not been working.

But a working solution is to set the "friendly name" to use non-ASCII characters. This is a small burden to the user, but it works for now. Many thanks for this tip.

Jirka
From aleksey at aleksey.com Tue Apr 20 15:32:31 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 20 Apr 2010 15:32:31 -0700
Subject: [xmlsec] Signing with X509 certificate using mscrypto provider
In-Reply-To: <4BCE297B.1040102@kosek.cz>
References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz>
Message-ID: <4BCE2B7F.3010509@aleksey.com>

> Thanks for the tip. I investigated it little bit and in general both
> ways you suggested work. The only glitch is that this doesn't work if I
> use non-ASCII characters in name. This is problem because certificates
> here in Czech usually contain first and last name inside certificate
> subject and there are almost always some characters with accents.

Yeah, xmlsec utility is smart enough to convert command line parameters from code page to utf8 as expected on windows. I'll take a look, should be a trivial fix.

> So it seems that there is a bug related to processing non-ASCII
> characters. Also if I ask for certificate subject and issuer in a
> signature template and these fields contain non-ASCII characters, I get
> the following error from xmlsec:
>
> output error : invalid character value
> output error : string is not in UTF-8

This is not a bug. By default, all data in an XML file are expected to be in UTF8 encoding. If you use a different encoding, then you need to specify the encoding you use in the XML prolog.

> Should I record this in the Bugzilla or is it sufficient to report it here?
>
> As a workaround I have tried to escape accented characters, i.e. use:
>
> serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,O=Ing.
> Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ
>
> instead of
>
> SERIALNUMBER=P111870,CN=Ing. Jiří Kosek,OU=1,O=Ing. Jiří Kosek [IČ
> 71612998],C=CZ

Good workaround!
> I don't know whether this escaping is syntactically correct from X.509
> point of view, but I have seen it in output of message signed with
> openssl provider. Anyway this has not been working.
>
> But working solution is to set "friendly name" to use non-ASCII
> characters. This is a small burden to user, but it works for now. Many
> thanks for this tip.

I believe you should be able to make it work through the template by either converting names to utf8 or specifying the encoding for the xml file. I'll also take a look at the command line parameters conversion :)

Aleksey

From jirka at kosek.cz Tue Apr 20 15:41:58 2010
From: jirka at kosek.cz (Jirka Kosek)
Date: Wed, 21 Apr 2010 00:41:58 +0200
Subject: [xmlsec] Signing with X509 certificate using mscrypto provider
In-Reply-To: <4BCE2B7F.3010509@aleksey.com>
References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com>
Message-ID: <4BCE2DB6.2030801@kosek.cz>

Aleksey Sanin wrote:
>> Thanks for the tip. I investigated it little bit and in general both
>> ways you suggested work. The only glitch is that this doesn't work if I
>> use non-ASCII characters in name. This is problem because certificates
>> here in Czech usually contain first and last name inside certificate
>> subject and there are almost always some characters with accents.
>
> Yeah, xmlsec utility is smart enough to convert command line parameters
> from code page to utf8 as expected on windows. I'll take a look, should
> be trivial fix.

I haven't used command line parameters, but a signature template file in XML.

>> So it seems that there is a bug related to processing non-ASCII
>> characters. Also if I ask for certificate subject and issuer in a
>> signature template and these fields contain non-ASCII characters, I get
>> the following error from xmlsec:
>>
>> output error : invalid character value
>> output error : string is not in UTF-8
>
> This is not a bug.
> By default, all data in XML file are expected to be
> in UTF8 encoding. If you use different encoding, then you need to
> specify the encoding you use in XML prolog.

Then there is probably another problem. My files were in UTF-8 with a proper declaration. But xmlsec was unable to find the matching key (last error msg=Cannot find object or property). I even tried to escape Czech characters using the &#...; notation, but without success.

I'm not familiar with xmlsec internals, but I suppose that it uses libxml2 for parsing, so the input encoding should be converted to UTF-8 for in-memory storage. So the encoding of the XML file shouldn't matter?

>> As a workaround I have tried to escape accented characters, i.e. use:
>>
>> serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,O=Ing.
>> Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ
>
> Good workaround!

Unfortunately, it was *not working*.

> I believe you should be able to make it work through template by either
> converting names to utf8 or specifying encoding for the xml file.

Still no success, but many thanks for the help.

Jirka
Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From aleksey at aleksey.com Tue Apr 20 16:06:18 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 20 Apr 2010 16:06:18 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCE2DB6.2030801@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> Message-ID: <4BCE336A.6030208@aleksey.com> >> Yeah, xmlsec utility is smart enough to convert command line parameters >> from code page to utf8 as expected on windows. I'll take a look, should >> be trivial fix. > > I haven't used command line parameters, but signature template file in XML. Ah, sorry I missed that. > >>> So it seems that there is a bug related to processing non-ASCII >>> characters. Also if I ask for certificate subject and issuer in a >>> signature template and these fields contain non-ASCII characters, I get >>> the following error from xmlsec: >>> >>> output error : invalid character value >>> output error : string is not in UTF-8 >> >> This is not a bug. By default, all data in XML file are expected to be >> in UTF8 encoding. If you use different encoding, then you need to >> specify the encoding you use in XML prolog. > > Then there is probably another problem. My files were in UTF-8 with > proper declaration. But xmlsec > was unable to find matching key (last error msg=Cannot find object or > property). I even tried to escape Czech characters using&#...; > notation, but without success. > > I'm not familiar with xmlsec internals, but I suppose that it uses > libxml2 for parsing, so input encoding should be converted to UTF-8 for > in-memory storage. So encoding of XML file shouldn't matter? > You need to tell xml parser (libxml2) what is the file encoding. It can't convert correctly to UTF8 unless it knows the source encoding. 
BTW, libxml2 simply skips unknown characters in the input and this explains the error you got ("key not found" from xmlsec) - the key name was mangled. Set the correct in the xml prolog and it will work. Aleksey From xmlsec at roumenpetrov.info Tue Apr 20 16:22:22 2010 From: xmlsec at roumenpetrov.info (Roumen Petrov) Date: Wed, 21 Apr 2010 02:22:22 +0300 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCE2DB6.2030801@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> Message-ID: <4BCE372E.6000800@roumenpetrov.info> Jirka Kosek wrote: > Aleksey Sanin wrote: >>> Thanks for the tip. I investigated it little bit and in general both >>> ways you suggested work. The only glitch is that this doesn't work if I >>> use non-ASCII characters in name. This is problem because certificates >>> here in Czech usually contain first and last name inside certificate >>> subject and there are almost always some characters with accents. >> >> Yeah, xmlsec utility is smart enough to convert command line parameters >> from code page to utf8 as expected on windows. I'll take a look, should >> be trivial fix. > > I haven't used command line parameters, but signature template file in XML. > >>> So it seems that there is a bug related to processing non-ASCII >>> characters. Also if I ask for certificate subject and issuer in a >>> signature template and these fields contain non-ASCII characters, I get >>> the following error from xmlsec: >>> >>> output error : invalid character value >>> output error : string is not in UTF-8 >> >> This is not a bug. By default, all data in XML file are expected to be >> in UTF8 encoding. If you use different encoding, then you need to >> specify the encoding you use in XML prolog. > > Then there is probably another problem. My files were in UTF-8 with > proper declaration. 
But xmlsec > was unable to find matching key (last error msg=Cannot find object or > property). I even tried to escape Czech characters using&#...; > notation, but without success. > > I'm not familiar with xmlsec internals, but I suppose that it uses > libxml2 for parsing, so input encoding should be converted to UTF-8 for > in-memory storage. So encoding of XML file shouldn't matter? > >>> As a workaround I have tried to escape accented characters, i.e. use: >>> >>> serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,O=Ing. >>> Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ >> >> Good workaround! > > Unfortunatelly, it was *not working*. I'm not sure that crypto libraries understand "escaping". >> I believe you should be able to make it work through template by either >> converting names to utf8 or specifying encoding for the xml file. > > Still no success, but many thanks for help. > > Jirka May be issue is with conversion in MultiByteToWideChar. No Idea why is CP_ACP and I don't know enough how portable is CP_UTF8 for windows OS-es. Roumen From aleksey at aleksey.com Tue Apr 20 16:50:51 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 20 Apr 2010 16:50:51 -0700 Subject: [xmlsec] trunk build with libraries from non-standard location In-Reply-To: <4BC8D5E1.4080504@roumenpetrov.info> References: <4BC8D5E1.4080504@roumenpetrov.info> Message-ID: <4BCE3DDB.4030005@aleksey.com> Thanks a lot for the bug report, investigation and the patch. I confirmed the problem on my machine and also confirmed that the patch fixes it. I've added also similar changes for xmlsec command line tool as well :) The patch is in gnome git. Thanks again! Aleksey On 4/16/2010 2:25 PM, Roumen Petrov wrote: > Hi , > > Now I'm testing xmlsec with openssl 1.0.0 in following linux build > environment: > - libxml (trunk) build outside source tree; > - libxslt (trunk) build outside source tree; > - openssl (1.0.0, non patched source) installed in non-default path, > i.e. 
linker search paths and not listed in /etc/ld.so.conf; > - xmlsec (trunk) build outside source tree > > The xmlsec build system is regenerated with : > - libtool 2.2.6 > - automake 1.11 > - autoconf 2.65 > FSF version of GNU autotools, i.e. without patches. > Note that is above build system libxml, libxslt and xmlsec directories > contains libtool la-files. The OS is with installed la-file for > libltdl.la. Openssl and libz don't use libtool. > > ..../configure \ > --with-libxml-src=path_to_libxml_build_dir \ > --with-libxslt-src=path_to_libxml_build_dir \ > --with-openssl=/usr/local/openssl/1.0.0 \ > CPPFLAGS=paths_to_libxml&libxslt_sources \ > LDFLAGS=-Rpaths_to_openssl > > LDFLAGS is my test to avoid issue without to update makefiles - don't help > > > After build expected is libxmlsec1-openssl.so to list in Dynamic Section: > NEEDED libcrypto.so.1.0.0 > Instead this xmlsec openssl crypto is linked with library found in > system default search path. > > It seems to this is issue with order of dependent libraries for crypto > modules. > To resolve issue (see attached file xmlsec-test-liborder.patch) > The original xxx_LIBADD list: > - ../libxmlsec1.la (first) > - crypto library (second) > - libxml and libxslt > The file libxmlsec1.la list as dependent library ltdl and libtool add to > search path /usr/lib (!). Next is path for crypto library but as path > /usr/lib is before xmlsec module is linked to system library. If > ../libxmlsec1.la is moved to the end of xxx_LIBADD list module is linked > to correct openssl library. > > The exact link commands are visible in attached file > xmlsec-origin-library-order-issue.diff > a) long lines are split for easy reading > b) XXX-before.txt is with non-patched Makefile.am > c) XXX-after.txt is with patched Makefile.am > d) the path /usr/local/lib : this path is not expected . 
May be is from > libxslt.la as is listed in dependency_libs before -lxml2 > e) the path /usr/lib : this break correct link and I cannot found why is > in the list. May be from libltdl ? > > d) and e) look like issue with libtool as /usr/local/lib is listed in > /etc/ld.so.conf /usr/local/lib and /usr/lib is in compiler(linker) > default search path. > > It is very difficult to me to understand where is problem as all libtool > 2.2.6 regression tests pass. > > > Roumen > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From mahendra0203 at gmail.com Tue Apr 20 21:42:11 2010 From: mahendra0203 at gmail.com (mahendra N) Date: Wed, 21 Apr 2010 10:12:11 +0530 Subject: [xmlsec] xmlsec on windows Message-ID: Hi , compilation of xmlsec on windows was successful. Now i get the following linker errors.. Creating library binaries\libxmlsec-openssl.lib and object binaries\libxmlsec -openssl.exp ciphers.obj : error LNK2019: unresolved external symbol _EVP_CIPHER_iv_length re ferenced in function _xmlSecOpenSSLEvpBlockCipherCtxInit kw_des.obj : error LNK2001: unresolved external symbol _EVP_CIPHER_iv_length ciphers.obj : error LNK2019: unresolved external symbol _EVP_CIPHER_block_size r eferenced in function _xmlSecOpenSSLEvpBlockCipherCtxUpdate ciphers.obj : error LNK2019: unresolved external symbol _EVP_CIPHER_key_length r eferenced in function _xmlSecOpenSSLEvpBlockCipherSetKeyReq kw_des.obj : error LNK2001: unresolved external symbol _EVP_CIPHER_key_length digests.obj : error LNK2019: unresolved external symbol _EVP_MD_size referenced in function _xmlSecOpenSSLEvpDigestExecute binaries\libxmlsec-openssl.dll : fatal error LNK1120: 4 unresolved externals NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio 9.0\VC\bin \link.exe"' : return code '0x460' Stop. which library am i missing? Any pointers would be of great help.. 
Thanks and Regards, Mahendra Naik -------------- next part -------------- An HTML attachment was scrubbed... URL: From aleksey at aleksey.com Tue Apr 20 21:48:56 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 20 Apr 2010 21:48:56 -0700 Subject: [xmlsec] xmlsec on windows In-Reply-To: References: Message-ID: <4BCE83B8.5030909@aleksey.com> It looks like you have a problem with openssl library. Either a different version or a different compilation mode (more likely). Aleksey On 4/20/2010 9:42 PM, mahendra N wrote: > Hi , > compilation of xmlsec on windows was successful. Now i get the > following linker errors.. > > Creating library binaries\libxmlsec-openssl.lib and object > binaries\libxmlsec > -openssl.exp > ciphers.obj : error LNK2019: unresolved external symbol > _EVP_CIPHER_iv_length re > ferenced in function _xmlSecOpenSSLEvpBlockCipherCtxInit > kw_des.obj : error LNK2001: unresolved external symbol _EVP_CIPHER_iv_length > ciphers.obj : error LNK2019: unresolved external symbol > _EVP_CIPHER_block_size r > eferenced in function _xmlSecOpenSSLEvpBlockCipherCtxUpdate > ciphers.obj : error LNK2019: unresolved external symbol > _EVP_CIPHER_key_length r > eferenced in function _xmlSecOpenSSLEvpBlockCipherSetKeyReq > kw_des.obj : error LNK2001: unresolved external symbol > _EVP_CIPHER_key_length > digests.obj : error LNK2019: unresolved external symbol _EVP_MD_size > referenced > in function _xmlSecOpenSSLEvpDigestExecute > binaries\libxmlsec-openssl.dll : fatal error LNK1120: 4 unresolved externals > NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio > 9.0\VC\bin > \link.exe"' : return code '0x460' > Stop. > > which library am i missing? > > Any pointers would be of great help.. 
> Thanks and Regards, > Mahendra Naik > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From jirka at kosek.cz Wed Apr 21 01:00:27 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Wed, 21 Apr 2010 10:00:27 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCE336A.6030208@aleksey.com> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> Message-ID: <4BCEB09B.1080109@kosek.cz> Aleksey Sanin wrote: > You need to tell xml parser (libxml2) what is the file encoding. > It can't convert correctly to UTF8 unless it knows the source encoding. > BTW, libxml2 simply skips unknown characters in the input and this > explains the error you got ("key not found" from xmlsec) - the key name > was mangled. Set the correct in the xml prolog and it will work. Prolog and encoding was correct (I think that I have pretty deep knowledge of Unicode and its encodings). I even tried UTF-8 with and without BOM character and still have no success. If you have access to Windows box, you can very easily reproduce bug. Create self-signed certificate by using makecert tool (part of .NET SDK) and use some accented characters (or cyrillic, I expect same problems) in subject, eg.: makecert -r -pe -n "CN=Ji?? Nov?k" -e 12/31/2020 -ss My and then try to sign with template containing: ... CN=Ji?? Nov?k ... 
Thanks, Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From aleksey at aleksey.com Wed Apr 21 07:37:16 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Wed, 21 Apr 2010 07:37:16 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCEB09B.1080109@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> Message-ID: <4BCF0D9C.2010904@aleksey.com> What encoding did you use for this file? > > CN=Ji?? Nov?k > > > > Aleksey On 4/21/2010 1:00 AM, Jirka Kosek wrote: > Aleksey Sanin wrote: > >> You need to tell xml parser (libxml2) what is the file encoding. >> It can't convert correctly to UTF8 unless it knows the source encoding. >> BTW, libxml2 simply skips unknown characters in the input and this >> explains the error you got ("key not found" from xmlsec) - the key name >> was mangled. Set the correct in the xml prolog and it will work. > > Prolog and encoding was correct (I think that I have pretty deep > knowledge of Unicode and its encodings). I even tried UTF-8 with and > without BOM character and still have no success. > > If you have access to Windows box, you can very easily reproduce bug. 
> Create self-signed certificate by using makecert tool (part of .NET SDK) > and use some accented characters (or cyrillic, I expect same problems) > in subject, eg.: > > makecert -r -pe -n "CN=Ji?? Nov?k" -e 12/31/2020 -ss My > > and then try to sign with template containing: > > ... > > CN=Ji?? Nov?k > > > > > ... > > Thanks, > > Jirka > From aleksey at aleksey.com Wed Apr 21 07:39:51 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Wed, 21 Apr 2010 07:39:51 -0700 Subject: [xmlsec] xmlsec install on Snow Leopard In-Reply-To: References: Message-ID: <4BCF0E37.2000004@aleksey.com> Roy, Unfortunately, you need to have some basic knowledge of how shared libraries work. I suggest you take a look here: http://www.network-theory.co.uk/docs/gccintro/gccintro_25.html I think this article has everything you need. Aleksey On 4/21/2010 4:14 AM, Roy Shay wrote: > Hi Aleksey, > > I've been trying for the better part of this week to get xmlsec working > on my machine. I'm no sys-admin (God knows, I'm far, far from it), but > I've managed to narrow it down to this: > > Error: unable to load xmlsec-openssl library. Make sure that you have > this it installed, check shared libraries path (LD_LIBRARY_PATH) > envornment variable or use "--crypto" option to specify different > crypto engine. > Error: initialization failed > > I've seen you address this issue on several different boards but I > simply could not make sense of the solutions you gave to people as you > had assumed a certain knowledge level in your responses that I simply do > not have. > > Can you help me out? 
> > Thanks, > Roy From aleksey at aleksey.com Wed Apr 21 07:42:39 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Wed, 21 Apr 2010 07:42:39 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCF0DCA.6000203@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> Message-ID: <4BCF0EDF.5020808@aleksey.com> Bingo! "CN=Ji?? Nov?k" is *not* UTF8 encoding. This is why you got these errors from LibXML2 parser. You need to either manually convert the string to UTF8 (e.g. using iconv) or simply specify the native code page (wild guess, it is 1250 or 1252). Aleksey On 4/21/2010 7:38 AM, Jirka Kosek wrote: > Aleksey Sanin wrote: >> What encoding did you use for this file? > > UTF-8 > > From jirka at kosek.cz Wed Apr 21 07:56:15 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Wed, 21 Apr 2010 16:56:15 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCF0EDF.5020808@aleksey.com> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> Message-ID: <4BCF120F.3040609@kosek.cz> Aleksey Sanin wrote: > Bingo! "CN=Ji?? Nov?k" is *not* UTF8 encoding. This is > why you got these errors from LibXML2 parser. You need > to either manually convert the string to UTF8 (e.g. using > iconv) or simply specify the native code page (wild guess, > it is 1250 or 1252). I'm confused. Are you talking about XML file with signature template? 
What else should I do than just save the file in UTF-8 and provide correct encoding declaration at the top of the file? I have attached real document I have used for testing, so you can see that it is properly encoded in UTF-8. I'm also attaching exported key, password is "test". Thanks, Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------ -------------- next part -------------- A non-text attachment was scrubbed... Name: jannovak.pfx Type: application/x-pkcs12 Size: 1736 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: dsig-template2.xml Type: text/xml Size: 942 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From aleksey at aleksey.com Wed Apr 21 08:31:33 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Wed, 21 Apr 2010 08:31:33 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCF120F.3040609@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> Message-ID: <4BCF1A55.4000302@aleksey.com> Yes, I see it now - I should have asked for a repro material long time ago :) Let me take a look tonight. Aleksey On 4/21/2010 7:56 AM, Jirka Kosek wrote: > Aleksey Sanin wrote: >> Bingo! "CN=Ji?? Nov?k" is *not* UTF8 encoding. This is >> why you got these errors from LibXML2 parser. You need >> to either manually convert the string to UTF8 (e.g. using >> iconv) or simply specify the native code page (wild guess, >> it is 1250 or 1252). > > I'm confused. Are you talking about XML file with signature template? > What else should I do then just safe file in UTF-8 and provide correct > encoding declaration at the top of the file? > > I have attached real document I have used for testing, so you can see > that it is properly encoded in UTF-8. I'm also attaching exported key, > password is "test". 
> > Thanks, > > Jirka > > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Wed Apr 21 23:00:33 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Wed, 21 Apr 2010 23:00:33 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCF120F.3040609@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> Message-ID: <4BCFE601.4050606@aleksey.com> Fixed. There was a mistake in the code - instead of conversion from UTF8 the code was trying to convert from current locale. Please try the version from Gnome GIT and let me know if you still have a problem. Thanks again for bug report and sorry that I didn't ask for a repro material (xml template) right away. Aleksey On 4/21/2010 7:56 AM, Jirka Kosek wrote: > Aleksey Sanin wrote: >> Bingo! "CN=Ji?? Nov?k" is *not* UTF8 encoding. This is >> why you got these errors from LibXML2 parser. You need >> to either manually convert the string to UTF8 (e.g. using >> iconv) or simply specify the native code page (wild guess, >> it is 1250 or 1252). > > I'm confused. Are you talking about XML file with signature template? > What else should I do then just safe file in UTF-8 and provide correct > encoding declaration at the top of the file? > > I have attached real document I have used for testing, so you can see > that it is properly encoded in UTF-8. I'm also attaching exported key, > password is "test". 
> > Thanks, > > Jirka > From jirka at kosek.cz Thu Apr 22 01:17:23 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Thu, 22 Apr 2010 10:17:23 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCFE601.4050606@aleksey.com> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BCFE601.4050606@aleksey.com> Message-ID: <4BD00613.5070601@kosek.cz> Aleksey Sanin wrote: > Fixed. There was a mistake in the code - instead of conversion > from UTF8 the code was trying to convert from current locale. > Please try the version from Gnome GIT and let me know if you > still have a problem. Great, many thanks! I suppose that there are no "nightly builds" for Windows, so I have to build it myself. OK, lets have fun with git and build on windows. Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From jirka at kosek.cz Thu Apr 22 02:36:44 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Thu, 22 Apr 2010 11:36:44 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD00613.5070601@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BCFE601.4050606@aleksey.com> <4BD00613.5070601@kosek.cz> Message-ID: <4BD018AC.5080905@kosek.cz> Jirka Kosek wrote: > I suppose that there are no "nightly builds" for Windows, so I have to > build it myself. OK, lets have fun with git and build on windows. I'm giving up with build on Windows. Even when I have compiled everything myself (libxml2, libxslt, xmlsec) resulting .exe fails and complains about wrong C runtime library. Let's hope that Igor will release new binaries shortly. Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From aleksey at aleksey.com Thu Apr 22 07:33:06 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 22 Apr 2010 07:33:06 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BCF120F.3040609@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> Message-ID: <4BD05E22.5000308@aleksey.com> Could you please try the "unofficial" build? http://www.aleksey.com/public/xmlsec-20100422.tar.gz It's not test and it is better not to use it in production :) Aleksey On 4/21/2010 7:56 AM, Jirka Kosek wrote: > Aleksey Sanin wrote: >> Bingo! "CN=Ji?? Nov?k" is *not* UTF8 encoding. This is >> why you got these errors from LibXML2 parser. You need >> to either manually convert the string to UTF8 (e.g. using >> iconv) or simply specify the native code page (wild guess, >> it is 1250 or 1252). > > I'm confused. Are you talking about XML file with signature template? > What else should I do then just safe file in UTF-8 and provide correct > encoding declaration at the top of the file? > > I have attached real document I have used for testing, so you can see > that it is properly encoded in UTF-8. I'm also attaching exported key, > password is "test". 
> > Thanks, > > Jirka > From jirka at kosek.cz Thu Apr 22 08:09:15 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Thu, 22 Apr 2010 17:09:15 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD05E22.5000308@aleksey.com> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> Message-ID: <4BD0669B.60907@kosek.cz> Aleksey Sanin wrote: > Could you please try the "unofficial" build? > > http://www.aleksey.com/public/xmlsec-20100422.tar.gz Thanks. Unfortunately, I was unable to run code on Win7 machine, it was complaining about missing MSVCR90.DLL and adding this library to path caused another strange error message. I have tried also on WinXP. I had similar problems, but I managed to run code after putting xmlsec.exe.manifest linking to MSVCR90 library into the same directory as xmlsec.exe. But, after that change xmlsec.exe you have provided crashed on KeyName without accented letters. When I have tried to use key I have sent you (one with accented letters) it was unable to find key. So it seems that bug is either not resolved, or that Windows build of xmlsec.exe went wrong and utility shows completely crazy results. My knowledge of Windows C based development is very limited. Are you able to build code against msvcrt.dll instead of msvcr90.dll? This should resolve this nasty library mismatch stuff and I could test it properly. 
Many thanks, Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From aleksey at aleksey.com Thu Apr 22 08:59:45 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 22 Apr 2010 08:59:45 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD0669B.60907@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> Message-ID: <4BD07271.5080702@aleksey.com> Probably the build went wrong. Let me take a look tonight, I hate Windows libraries problems. Aleksey On 4/22/2010 8:09 AM, Jirka Kosek wrote: > Aleksey Sanin wrote: >> Could you please try the "unofficial" build? >> >> http://www.aleksey.com/public/xmlsec-20100422.tar.gz > > Thanks. > > Unfortunatelly, I was unable to run code on Win7 machine, it was > complaining about missing MSVCR90.DLL and adding this library to path > caused another strange error message. > > I have tried also on WinXP. 
I had similar problems, but I managed to run > code after putting xmlsec.exe.manifest linking to MSVCR90 library into > the same directory as xmlsec.exe. > > But, after that change xmlsec.exe you have provided crashed on KeyName > without accented letters. When I have tried to use key I have sent you > (one with accented letters) it was unable to find key. So it seems that > bug is either not resolved, or that Windows build of xmlsec.exe went > wrong and utility shows completely crazy results. > > My knowledge of Windows C based development is very limited. Are you > able to built code against msvcrt.dll instead of msvcr90.dll? This > should resolve this nasty library mismatch stuff and I could test it > properly. > > Many thanks, > > Jirka > > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Thu Apr 22 10:39:05 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 22 Apr 2010 10:39:05 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD0669B.60907@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> Message-ID: <4BD089B9.50904@aleksey.com> Could you please try this one? I packaged everything I have - all the binaries and libraries. This way we can avoid version incompatibilities in libxml2 and everything else :) http://www.aleksey.com/public/xmlsec-20100422.2.tar.gz Thank you! Aleksey On 4/22/2010 8:09 AM, Jirka Kosek wrote: > Aleksey Sanin wrote: >> Could you please try the "unofficial" build? 
>> >> http://www.aleksey.com/public/xmlsec-20100422.tar.gz > > Thanks. > > Unfortunately, I was unable to run code on Win7 machine, it was > complaining about missing MSVCR90.DLL and adding this library to path > caused another strange error message. > > I have tried also on WinXP. I had similar problems, but I managed to run > code after putting xmlsec.exe.manifest linking to MSVCR90 library into > the same directory as xmlsec.exe. > > But, after that change xmlsec.exe you have provided crashed on KeyName > without accented letters. When I have tried to use key I have sent you > (one with accented letters) it was unable to find key. So it seems that > bug is either not resolved, or that Windows build of xmlsec.exe went > wrong and utility shows completely crazy results. > > My knowledge of Windows C based development is very limited. Are you > able to build code against msvcrt.dll instead of msvcr90.dll? This > should resolve this nasty library mismatch stuff and I could test it > properly. > > Many thanks, > > Jirka >

From jirka at kosek.cz Thu Apr 22 15:20:23 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Fri, 23 Apr 2010 00:20:23 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD089B9.50904@aleksey.com> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> Message-ID: <4BD0CBA7.6030501@kosek.cz>
Aleksey Sanin wrote: > Could you please try this one? I packaged everything I have - > all the binaries and libraries.
This way we can avoid version > incompatibilities in libxml2 and everything else :) > > http://www.aleksey.com/public/xmlsec-20100422.2.tar.gz Thanks. I was able to run code after I have added also xmlsec.exe.manifest file -- not sure why it is required. But anyway back to the issue. I can confirm that it is now possible to correctly sign files with certificate which is referenced by "friendly name" within KeyName, eg. Jiří Novák But even this patched version is not able to find key when it is referenced using its subject (given subject contains accented letters, with unaccented it works), eg. CN=Jiří Novák still doesn't work. So it seems that there is still some encoding issue in dealing with certificate subjects. Thanks for your invaluable help, Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------

From aleksey at aleksey.com Thu Apr 22 22:34:18 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 22 Apr 2010 22:34:18 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD0CBA7.6030501@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> Message-ID: <4BD1315A.7090705@aleksey.com>
> Thanks. I was able to run code after I have added also > xmlsec.exe.manifest file -- not sure why it is required. Ops. Forgot it. Fixed now. > > But anyway back to the issue. I can confirm that it is now possible to > correctly sign files with certificate which is referenced by "friendly > name" within KeyName, eg. > > Jiří Novák > > But even this patched version is not able to find key when it is > referenced using its subject (given subject contains accented letters, > with unaccented it works), eg. > > CN=Jiří Novák > > still doesn't work. So it seems that there is still some encoding issue > in dealing with certificate subjects. Don't ask me "why", I know but can't explain :) And one more try...
hopefully the last one http://www.aleksey.com/public/xmlsec-20100422.3.tar.gz Aleksey

From jirka at kosek.cz Fri Apr 23 01:33:22 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Fri, 23 Apr 2010 10:33:22 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD1315A.7090705@aleksey.com> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> Message-ID: <4BD15B52.6080800@kosek.cz>
Aleksey Sanin wrote: >> CN=Jiří Novák >> >> still doesn't work. So it seems that there is still some encoding issue >> in dealing with certificate subjects. > > Don't ask me "why", I know but can't explain :) > > And one more try... hopefully the last one Many thanks, it works now for self-signed certificates. I don't know whether it is related to this bug or whether this is a separate issue, but xmlsec is still unable to find real issued certificates with subject like: SERIALNUMBER=P111870, CN=Ing. Jiří Kosek, OU=1, O=Ing. Jiří Kosek [IČ 71612998], C=CZ Is this supposed to work?
Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------

From aleksey at aleksey.com Fri Apr 23 07:19:11 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Fri, 23 Apr 2010 07:19:11 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD15B52.6080800@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> <4BD15B52.6080800@kosek.cz> Message-ID: <4BD1AC5F.3080200@aleksey.com>
Yes, it should. Any chance you can generate an example cert for me to test it? Aleksey On 4/23/2010 1:33 AM, Jirka Kosek wrote: > Aleksey Sanin wrote: > >>> CN=Jiří Novák >>> >>> still doesn't work. So it seems that there is still some encoding issue >>> in dealing with certificate subjects. >> >> Don't ask me "why", I know but can't explain :) >> >> And one more try... hopefully the last one > > Many thanks, it works now for self-signed certificates.
> > I don't know whether it is related to this bug or whether this is a > separate issue, but xmlsec is still unable to find real issued > certificates with subject like: > > SERIALNUMBER=P111870, CN=Ing. Jiří Kosek, OU=1, O=Ing. Jiří Kosek [IČ > 71612998], C=CZ > > Is this supposed to work? > > Jirka >

From aleksey at aleksey.com Fri Apr 23 21:54:52 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Fri, 23 Apr 2010 21:54:52 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD1AC5F.3080200@aleksey.com> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> <4BD15B52.6080800@kosek.cz> <4BD1AC5F.3080200@aleksey.com> Message-ID: <4BD2799C.2080001@aleksey.com>
Jirka, Thanks a lot for sending me the example certs to me! Could you please try one more version? http://www.aleksey.com/public/xmlsec-20100423.tar.gz The problem was caused by the difference in the certificates: one that worked has subject encoded in Unicode CN=\x00J\x00i\x01Y\x00\xED\x00 \x00N\x00o\x00v\x00\xE1\x00k and one that did not work has subject encoded in UTF8: C=CZ, O=12345678 [I\xC4\x8C ], OU=1, CN=Ji\xC5\x99\xC3\xAD Nov\xC3\xA1k/serialNumber=P123456/title=Title Unfortunately, MSCrypto is not smart enough to always normalize the certificates subjects in its internal store and I had to add one more option in the certificate search chain: try with UTF8 encoded subject. Hope it covers all the cases now :) Aleksey On 4/23/2010 7:19 AM, Aleksey Sanin wrote: > Yes, it should. Any chance you can generate an example cert for me > to test it?
> > Aleksey > > > On 4/23/2010 1:33 AM, Jirka Kosek wrote: >> Aleksey Sanin wrote: >> >>>> CN=Jiří Novák >>>> >>>> still doesn't work. So it seems that there is still some encoding issue >>>> in dealing with certificate subjects. >>> >>> Don't ask me "why", I know but can't explain :) >>> >>> And one more try... hopefully the last one >> >> Many thanks, it works now for self-signed certificates. >> >> I don't know whether it is related to this bug or whether this is a >> separate issue, but xmlsec is still unable to find real issued >> certificates with subject like: >> >> SERIALNUMBER=P111870, CN=Ing. Jiří Kosek, OU=1, O=Ing. Jiří Kosek [IČ >> 71612998], C=CZ >> >> Is this supposed to work? >> >> Jirka >> > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec

From jirka at kosek.cz Fri Apr 23 23:44:03 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Sat, 24 Apr 2010 08:44:03 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD2799C.2080001@aleksey.com> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> <4BD15B52.6080800@kosek.cz> <4BD1AC5F.3080200@aleksey.com> <4BD2799C.2080001@aleksey.com> Message-ID: <4BD29333.1010300@kosek.cz>
Aleksey Sanin wrote: > Thanks a lot for sending me the example certs to me! Could you > please try one more version? > > http://www.aleksey.com/public/xmlsec-20100423.tar.gz Many thanks, excellent support! I can confirm that it now works even with the real certificate.
Do you have a rough idea when the next "official" version of xmlsec could be released with this patch applied? > Unfortunately, MSCrypto is not smart enough to always normalize > the certificates subjects in its internal store and I had to add > one more option in the certificate search chain: try with UTF8 > encoded subject. Thanks for the explanation. Have a nice day, Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------

From jirka at kosek.cz Fri Apr 23 23:48:24 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Sat, 24 Apr 2010 08:48:24 +0200 Subject: [xmlsec] Status of SHA-2 ms crypto patch Message-ID: <4BD29438.3070902@kosek.cz>
Hi folks, what's the status of the following patch: http://www.aleksey.com/pipermail/xmlsec/2010/008807.html Were issues resolved and patch accepted? I'm asking because in Europe, legislation in many countries requires the use of SHA-2 based digest and digital signature algorithms starting from 2010/2011. xmlsec is now extensively used on the Windows platform in cases when .NET/Java crypto libraries can't be used for some reason.
Thanks for the info, Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------

From xmlsec at roumenpetrov.info Sat Apr 24 02:10:30 2010 From: xmlsec at roumenpetrov.info (Roumen Petrov) Date: Sat, 24 Apr 2010 12:10:30 +0300 Subject: [xmlsec] trunk build with libraries from non-standard location In-Reply-To: <4BCE3DDB.4030005@aleksey.com> References: <4BC8D5E1.4080504@roumenpetrov.info> <4BCE3DDB.4030005@aleksey.com> Message-ID: <4BD2B586.3050800@roumenpetrov.info>
Aleksey Sanin wrote: > Thanks a lot for the bug report, investigation and the patch. > I confirmed the problem on my machine and also confirmed > that the patch fixes it. I've added also similar changes > for xmlsec command line tool as well :) Thanks. Maybe src/mscrypto/Makefile.am should be changed in the same way. I still think that this is a libtool issue and I will try to create a simple test case suitable for a report to the libtool project. > The patch is in gnome git. > > Thanks again! > > Aleksey Roumen

From xmlsec at roumenpetrov.info Sat Apr 24 02:33:38 2010 From: xmlsec at roumenpetrov.info (Roumen Petrov) Date: Sat, 24 Apr 2010 12:33:38 +0300 Subject: [xmlsec] --with-libxml-src break pkg-config tests Message-ID: <4BD2BAF2.4060908@roumenpetrov.info>
Hi all, First let's see the configure script:
===============
...
AC_ARG_ENABLE(pkgconfig, [ --enable-pkgconfig ...
if test "z$enable_pkgconfig" = "zno" ; then
...PKG_CONFIG_ENABLED=no
fi
...
AC_ARG_WITH(libxml-src, ...
if test "z$with_libxml" = "zno" -o "z$with_libxml_src" = "zno"; then
...
elif test "z$with_libxml_src" != "z" ; then
...
elif test "z$with_libxml" = "z" -a "z$PKG_CONFIG_ENABLED" = "zyes" ; then
PKG_CHECK_MODULES(LIBXML,.....
fi
...
===============
My version of pkg-config is 0.23 and in this version the macro PKG_CHECK_MODULES requires PKG_PROG_PKG_CONFIG. The macro PKG_PROG_PKG_CONFIG checks for the pkg-config tool and sets the variable PKG_CONFIG. The issue is that the macros are expanded in the last elif block, and if one of the tests (conditions) before it succeeds, the code from PKG_PROG_PKG_CONFIG is never executed, so the variable PKG_CONFIG is left empty. A work-around is to set PKG_CONFIG on the configure command line or as an environment variable. One possible fix is to rewrite the if test "z$enable_pkgconfig" block to set the PKG_CONFIG variable. The other is to rewrite the block and add the macro PKG_PROG_PKG_CONFIG. I don't know which version of the pkg-config package added this macro. Also I'm not sure that the line "if ! pkg-config --atleast-pkgconfig-version 0.9 ; then" works well on unix shells. The character "!" could be an issue for some old unix shells, for example Solaris 8.
Roumen From aleksey at aleksey.com Sat Apr 24 11:24:27 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Sat, 24 Apr 2010 11:24:27 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD29333.1010300@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> <4BD15B52.6080800@kosek.cz> <4BD1AC5F.3080200@aleksey.com> <4BD2799C.2080001@aleksey.com> <4BD29333.1010300@kosek.cz> Message-ID: <4BD3375B.2060302@aleksey.com> Great news! I was thinking about doing a release next week. Aleksey On 4/23/2010 11:44 PM, Jirka Kosek wrote: > Aleksey Sanin wrote: > >> Thanks a lot for sending me the example certs to me! Could you >> please try one more version? >> >> http://www.aleksey.com/public/xmlsec-20100423.tar.gz > > Many thanks, excellent support! I can confirm that it now works even > with the real certificate. > > Do you have rough idea when the next "official" version of xmlsec could > be released with this patch applied? > >> Unfortunately, MSCrypto is not smart enough to always normalize >> the certificates subjects in its internal store and I had to add >> one more option in the certificate search chain: try with UTF8 >> encoded subject. > > Thanks for explanation. 
> > Have a nice day, > > Jirka > > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Sat Apr 24 11:37:08 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Sat, 24 Apr 2010 11:37:08 -0700 Subject: [xmlsec] trunk build with libraries from non-standard location In-Reply-To: <4BD2B586.3050800@roumenpetrov.info> References: <4BC8D5E1.4080504@roumenpetrov.info> <4BCE3DDB.4030005@aleksey.com> <4BD2B586.3050800@roumenpetrov.info> Message-ID: <4BD33A54.1060904@aleksey.com> Unfortunately, I don't have mingw environment to test it but I will be happy to apply a patch if you create one :) Thanks, Aleksey On 4/24/2010 2:10 AM, Roumen Petrov wrote: > Aleksey Sanin wrote: >> Thanks a lot for the bug report, investigation and the patch. >> I confirmed the problem on my machine and also confirmed >> that the patch fixes it. I've added also similar changes >> for xmlsec command line tool as well :) > > Thanks . > Maybe src/mscrypto/Makefile.am is good to be changed in same way. > I'm still thinking that this is libtool issue and I will try to create > simple test case to libtool suitable for report to libtool project. > > >> The patch is in gnome git. >> >> Thanks again! >> >> Aleksey > > Roumen From aleksey at aleksey.com Sat Apr 24 15:04:27 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Sat, 24 Apr 2010 15:04:27 -0700 Subject: [xmlsec] Status of SHA-2 ms crypto patch In-Reply-To: <4BD29438.3070902@kosek.cz> References: <4BD29438.3070902@kosek.cz> Message-ID: <4BD36AEB.7030700@aleksey.com> Thanks for the reminder! I've actually had it sitting on a branch for a while. Unfortunately, I was able to get the verification part supported but I can't figure out how to force CryptAcquireCertificatePrivateKey() to use the new "Microsoft Enhanced RSA and AES Cryptographic Provider" instead of the default one. 
Because of that signatures from pkcs12 files are broken. I was planning to take a look but never got back to it. Anyway, I decided to check it in - I cleaned up a lot of stuff with this patch and added ability to search for any number of providers. Roumen, I know you've looked at the original patch and I would appreciate if you can take a look: http://git.gnome.org/browse/xmlsec/commit/?id=6ca808b68ab4a0acc1e2c3ec9ad707720cc8c56d I would appreciate your comments. Aleksey On 4/23/2010 11:48 PM, Jirka Kosek wrote: > Hi folks, > > what's the status of the following patch: > > http://www.aleksey.com/pipermail/xmlsec/2010/008807.html > > Were issues resolved and patch accepted? I'm asking because in Europe > legislation in many requires to use SHA-2 based digesting and digital > signature algorithms starting from 2010/2011. xmlsec is now extensively > used on Windows platform in cases when .NET/Java crypto libraries can't > be used for some reason. > > Thanks for info, > > Jirka > > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Sat Apr 24 18:27:22 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Sat, 24 Apr 2010 18:27:22 -0700 Subject: [xmlsec] Status of SHA-2 ms crypto patch In-Reply-To: <4BD36AEB.7030700@aleksey.com> References: <4BD29438.3070902@kosek.cz> <4BD36AEB.7030700@aleksey.com> Message-ID: <4BD39A7A.40709@aleksey.com> Actually, I did a little more research and figured out how to specify CSP from pkcs12 file. I've updated tests and everything looks good now. Aleksey On 4/24/2010 3:04 PM, Aleksey Sanin wrote: > Thanks for the reminder! I've actually had it sitting on > a branch for a while. 
Unfortunately, I was able to get > the verification part supported but I can't figure out > how to force CryptAcquireCertificatePrivateKey() to use > the new "Microsoft Enhanced RSA and AES Cryptographic > Provider" instead of the default one. Because of that > signatures from pkcs12 files are broken. I was planning > to take a look but never got back to it. > > Anyway, I decided to check it in - I cleaned up a lot of > stuff with this patch and added ability to search for any > number of providers. Roumen, I know you've looked at the > original patch and I would appreciate if you can take a look: > > http://git.gnome.org/browse/xmlsec/commit/?id=6ca808b68ab4a0acc1e2c3ec9ad707720cc8c56d > > > I would appreciate your comments. > > Aleksey > > > On 4/23/2010 11:48 PM, Jirka Kosek wrote: >> Hi folks, >> >> what's the status of the following patch: >> >> http://www.aleksey.com/pipermail/xmlsec/2010/008807.html >> >> Were issues resolved and patch accepted? I'm asking because in Europe >> legislation in many requires to use SHA-2 based digesting and digital >> signature algorithms starting from 2010/2011. xmlsec is now extensively >> used on Windows platform in cases when .NET/Java crypto libraries can't >> be used for some reason. >> >> Thanks for info, >> >> Jirka >> >> >> >> >> _______________________________________________ >> xmlsec mailing list >> xmlsec at aleksey.com >> http://www.aleksey.com/mailman/listinfo/xmlsec > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Sat Apr 24 18:59:20 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Sat, 24 Apr 2010 18:59:20 -0700 Subject: [xmlsec] --with-libxml-src break pkg-config tests In-Reply-To: <4BD2BAF2.4060908@roumenpetrov.info> References: <4BD2BAF2.4060908@roumenpetrov.info> Message-ID: <4BD3A1F8.7090700@aleksey.com> Thanks for bug report! 
I think this should fix it http://git.gnome.org/browse/xmlsec/diff/configure.in?id=361f8ef176f9f6920f8846f1d9b5361f7b0849c4 Could you please try it and let me know if you still have problems? Thanks Aleksey On 4/24/2010 2:33 AM, Roumen Petrov wrote: > Hi all, > > First let's see the configure script: > =============== > ... > AC_ARG_ENABLE(pkgconfig, [ --enable-pkgconfig ... > if test "z$enable_pkgconfig" = "zno" ; then > ...PKG_CONFIG_ENABLED=no > fi > ... > AC_ARG_WITH(libxml-src, ... > if test "z$with_libxml" = "zno" -o "z$with_libxml_src" = "zno"; then > ... > elif test "z$with_libxml_src" != "z" ; then > ... > elif test "z$with_libxml" = "z" -a "z$PKG_CONFIG_ENABLED" = "zyes" ; then > PKG_CHECK_MODULES(LIBXML,..... > fi > ... > =============== > My version of pkg-config is 0.23 and in this version the macro > PKG_CHECK_MODULES requires PKG_PROG_PKG_CONFIG. > The macro PKG_PROG_PKG_CONFIG checks for the pkg-config tool and sets the variable > PKG_CONFIG. > > The issue is that the macros are expanded in the last elif block, and if one of > the tests (conditions) before it succeeds, the code from PKG_PROG_PKG_CONFIG is never > executed, so the variable PKG_CONFIG is left empty. > > > > A work-around is to set PKG_CONFIG on the configure command line or as an environment > variable. > > One possible fix is to rewrite the if test "z$enable_pkgconfig" block > to set the PKG_CONFIG variable. > > The other is to rewrite the block and add the macro PKG_PROG_PKG_CONFIG. I don't > know which version of the pkg-config package added this macro. > > > Also I'm not sure that the line "if ! pkg-config --atleast-pkgconfig-version > 0.9 ; then" > works well on unix shells. The character "!" could be an issue for some old > unix shells, for example Solaris 8.
> > > Roumen > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec

From xmlsec at roumenpetrov.info Mon Apr 26 14:19:25 2010 From: xmlsec at roumenpetrov.info (Roumen Petrov) Date: Tue, 27 Apr 2010 00:19:25 +0300 Subject: [xmlsec] trunk build with libraries from non-standard location In-Reply-To: <4BD33A54.1060904@aleksey.com> References: <4BC8D5E1.4080504@roumenpetrov.info> <4BCE3DDB.4030005@aleksey.com> <4BD2B586.3050800@roumenpetrov.info> <4BD33A54.1060904@aleksey.com> Message-ID: <4BD6035D.7010500@roumenpetrov.info>
About the reported issue: the idea is based on an issue for openssl and native build. About mingw: after the recent changes (fixes) for conversions between the locale code page and UTF-8, I guess that the patch for mingw should define xxxW for functions in the def-file. Right now I'm not able to test the build, but in the second week of May I will be in a position to look into the recent changes for the mscrypto module. Aleksey Sanin wrote: > Unfortunately, I don't have mingw environment to test it but > I will be happy to apply a patch if you create one :) > > Thanks, > Aleksey > > On 4/24/2010 2:10 AM, Roumen Petrov wrote: >> Aleksey Sanin wrote: >>> Thanks a lot for the bug report, investigation and the patch. >>> I confirmed the problem on my machine and also confirmed >>> that the patch fixes it. I've added also similar changes >>> for xmlsec command line tool as well :) >> >> Thanks. >> Maybe src/mscrypto/Makefile.am should be changed in the same way. >> I still think that this is a libtool issue and I will try to create a >> simple test case suitable for a report to the libtool project. >> >> >>> The patch is in gnome git. >>> >>> Thanks again!
>>> >>> Aleksey >> >> Roumen >

From xmlsec at roumenpetrov.info Mon Apr 26 15:29:46 2010 From: xmlsec at roumenpetrov.info (Roumen Petrov) Date: Tue, 27 Apr 2010 01:29:46 +0300 Subject: [xmlsec] --with-libxml-src break pkg-config tests In-Reply-To: <4BD3A1F8.7090700@aleksey.com> References: <4BD2BAF2.4060908@roumenpetrov.info> <4BD3A1F8.7090700@aleksey.com> Message-ID: <4BD613DA.2060902@roumenpetrov.info>
Aleksey Sanin wrote: > Thanks for bug report! I think this should fix it > > http://git.gnome.org/browse/xmlsec/diff/configure.in?id=361f8ef176f9f6920f8846f1d9b5361f7b0849c4 > > > Could you please try it and let me know if you still > have problems? > > Thanks > Aleksey Go ahead if you plan to release a new version in the next two weeks. The issue is not for regular builds. Roumen

From aleksey at aleksey.com Mon Apr 26 18:05:00 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Mon, 26 Apr 2010 18:05:00 -0700 Subject: [xmlsec] trunk build with libraries from non-standard location In-Reply-To: <4BD6035D.7010500@roumenpetrov.info> References: <4BC8D5E1.4080504@roumenpetrov.info> <4BCE3DDB.4030005@aleksey.com> <4BD2B586.3050800@roumenpetrov.info> <4BD33A54.1060904@aleksey.com> <4BD6035D.7010500@roumenpetrov.info> Message-ID: <4BD6383C.9030403@aleksey.com>
It's a good point. Thanks for looking into it. Aleksey On 4/26/2010 2:19 PM, Roumen Petrov wrote: > About the reported issue: the idea is based on an issue for openssl and native build. > > About mingw: after the recent changes (fixes) for conversions between the locale > code page and UTF-8, I guess that the patch for mingw should define xxxW > for functions in the def-file. Right now I'm not able to test the build, but in > the second week of May I will be in a position to look into the recent changes for > the mscrypto module.
> > > Aleksey Sanin wrote: >> Unfortunately, I don't have mingw environment to test it but >> I will be happy to apply a patch if you create one :) >> >> Thanks, >> Aleksey >> >> On 4/24/2010 2:10 AM, Roumen Petrov wrote: >>> Aleksey Sanin wrote: >>>> Thanks a lot for the bug report, investigation and the patch. >>>> I confirmed the problem on my machine and also confirmed >>>> that the patch fixes it. I've added also similar changes >>>> for xmlsec command line tool as well :) >>> >>> Thanks . >>> Maybe src/mscrypto/Makefile.am is good to be changed in same way. >>> I'm still thinking that this is libtool issue and I will try to create >>> simple test case to libtool suitable for report to libtool project. >>> >>> >>>> The patch is in gnome git. >>>> >>>> Thanks again! >>>> >>>> Aleksey >>> >>> Roumen >> > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From jirka at kosek.cz Tue Apr 27 05:29:34 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Tue, 27 Apr 2010 14:29:34 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD29333.1010300@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> <4BD15B52.6080800@kosek.cz> <4BD1AC5F.3080200@aleksey.com> <4BD2799C.2080001@aleksey.com> <4BD29333.1010300@kosek.cz> Message-ID: <4BD6D8AE.5000202@kosek.cz> Jirka Kosek wrote: > Aleksey Sanin wrote: > >> Thanks a lot for sending me the example certs to me! Could you >> please try one more version? 
>> >> http://www.aleksey.com/public/xmlsec-20100423.tar.gz > > Many thanks, excellent support! I can confirm that it now works even > with the real certificate. Just now I have found another issue. If you ask for SubjectName in the signature template, like: then the encoding of the subject name is mangled -- the corresponding bytes in the file are encoded using the local Windows code page (windows-1250 in my case) instead of UTF-8. This results in non-well-formed XML. Thanks, Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------
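Both problems in this thread, Aleksey's finding that the working certificate carried its subject as a BMPString (the 00 4A 00 69 01 59 ... bytes) while the failing one used UTF8String, and Jirka's report that the subject written into X509SubjectName came out in windows-1250, come down to one rule: a distinguished name has to be decoded to characters before it is compared or serialised, because the DER bytes of the same name differ by string type. The following is an added example, not xmlsec or CryptoAPI code. It hand-rolls the small amount of DER needed for an X.501 Name, encodes a constructed subject both ways, shows that only the decoded forms compare equal, and shows why the same name serialised in cp1250 is rejected by an XML parser that assumes UTF-8. The subject values and the organisation name are made up; "Jiří Novák" is the placeholder name the thread itself uses.

```python
"""Subject names across DER string encodings (added example, not xmlsec code).

The same X.501 Name is encoded twice, once with BMPString values (UCS-2
big-endian, the form Aleksey printed for the working certificate) and once
with UTF8String values.  The DER bytes differ, so a byte-for-byte subject
lookup misses one of them; after decoding both read the same.  The last
function shows why serialising that name in a Windows code page instead of
UTF-8 yields XML that a parser rejects.  No RFC 4514 escaping is done.
"""
import xml.etree.ElementTree as ET

# ASN.1 universal tags used inside an X.501 Name
TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8STRING, TAG_PRINTABLE, TAG_BMPSTRING = 0x0C, 0x13, 0x1E

# DER contents of the attribute-type OIDs (2.5.4.x), keyed by RFC 4519 name
ATTR_OIDS = {
    "C": b"\x55\x04\x06", "SERIALNUMBER": b"\x55\x04\x05",
    "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03",
}
OID_NAMES = {oid: name for name, oid in ATTR_OIDS.items()}


def der_tlv(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n_bytes)]) + n_bytes
    return bytes([tag]) + length + content


def der_read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + n], pos + n


def encode_name(rdns, string_tag):
    """Encode [(attr, value), ...] as a Name with one attribute per RDN,
    using string_tag (BMPString or UTF8String) for every value."""
    body = b""
    for attr, value in rdns:
        raw = value.encode("utf-16-be" if string_tag == TAG_BMPSTRING else "utf-8")
        atv = der_tlv(TAG_OID, ATTR_OIDS[attr]) + der_tlv(string_tag, raw)
        body += der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE, atv))
    return der_tlv(TAG_SEQUENCE, body)


def decode_directory_string(tag, raw):
    """Turn a DirectoryString value into str, whatever encoding it used."""
    if tag == TAG_BMPSTRING:
        return raw.decode("utf-16-be")
    if tag in (TAG_UTF8STRING, TAG_PRINTABLE):  # PrintableString is ASCII
        return raw.decode("utf-8")
    raise ValueError("unsupported DirectoryString tag 0x%02x" % tag)


def decode_name(der):
    """Decode a DER Name to [(attr, value), ...] in DER order, values as str."""
    tag, body, _ = der_read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = der_read_tlv(body, pos)
        _, atv, _ = der_read_tlv(rdn, 0)
        _, oid, after_oid = der_read_tlv(atv, 0)
        vtag, raw, _ = der_read_tlv(atv, after_oid)
        rdns.append((OID_NAMES.get(oid, "?"), decode_directory_string(vtag, raw)))
    return rdns


def rfc4514(rdns):
    """RFC 4514 string form: RDNs listed in reverse of their DER order."""
    return ",".join("%s=%s" % (attr, value) for attr, value in reversed(rdns))


def subject_name_is_well_formed_xml(subject, codec):
    """Serialise <X509SubjectName> with the given byte encoding and report
    whether a parser that assumes UTF-8 (no XML declaration) accepts it."""
    data = ("<X509SubjectName>%s</X509SubjectName>" % subject).encode(codec)
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed subject; "Jiří Novák" is the placeholder name from the thread.
    subject = [("C", "CZ"), ("O", "Example s.r.o."), ("CN", "Jiří Novák")]
    bmp, utf = encode_name(subject, TAG_BMPSTRING), encode_name(subject, TAG_UTF8STRING)
    print("DER differs:", bmp != utf, "decoded equal:", decode_name(bmp) == decode_name(utf))
    print(rfc4514(decode_name(utf)))
    for codec in ("utf-8", "cp1250"):
        print(codec, "well-formed:", subject_name_is_well_formed_xml(rfc4514(subject), codec))
```

The lookup lesson is that a certificate store search keyed on a subject string has to try, or normalise across, every DirectoryString choice the issuer may have used; the serialisation lesson is that whatever the process code page, bytes placed into an XML document must be UTF-8 (or match the document's declared encoding), otherwise the output is not well-formed and the signature it carries is worthless to any verifier.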
Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From aleksey at aleksey.com Tue Apr 27 07:07:57 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 27 Apr 2010 07:07:57 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD6D8AE.5000202@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> <4BD15B52.6080800@kosek.cz> <4BD1AC5F.3080200@aleksey.com> <4BD2799C.2080001@aleksey.com> <4BD29333.1010300@kosek.cz> <4BD6D8AE.5000202@kosek.cz> Message-ID: <4BD6EFBD.4090606@aleksey.com> Good catch! Let me take a look. I assume I can use the certs you've already sent me :) Aleksey On 4/27/2010 5:29 AM, Jirka Kosek wrote: > Jirka Kosek wrote: >> Aleksey Sanin wrote: >> >>> Thanks a lot for sending me the example certs to me! Could you >>> please try one more version? >>> >>> http://www.aleksey.com/public/xmlsec-20100423.tar.gz >> >> Many thanks, excellent support! I can confirm that it now works even >> with the real certificate. > > Just now I have found another issue. If you will ask for SubjectName in > signature template, like: > > > > > > > > Then encoding of subject name is mangled -- corresponding bytes in file > are encoded using local windows code page (windows-1250 in my case) > instead of UTF-8. This results in non-wellformed XML. 
> > Thanks, > > Jirka > From path at bshellz.net Tue Apr 27 15:15:43 2010 From: path at bshellz.net (path at bshellz.net) Date: Wed, 28 Apr 2010 00:15:43 +0200 Subject: [xmlsec] error on signature verification Message-ID: <20100427221543.GA2906@bshellz.net> Aleksey, I'm trying to validate the attached document, so I'm using two command lines to verify both signatures: xmlsec1 --verify --print-debug \ --print-crypto-error-msgs \ --id-attr:ID 'http://www.sii.cl/SiiDte:Documento' \ --node-name 'http://www.sii.cl/SiiDte:Documento' \ --node-id 'F185T33' \ documento-20100427.1.xml 2>&1 xmlsec1 --verify --print-debug \ --print-crypto-error-msgs \ --id-attr:ID 'http://www.sii.cl/SiiDte:SetDTE' \ --node-name 'http://www.sii.cl/SiiDte:SetDTE' \ --node-id 'DTE1272374641984' \ documento-20100427.1.xml 2>&1 With first one, the signature is validated and it's ok, but the second one seems to try to verify the first '#F185T33' instead of the second one '#DTE1272374641984', and I get this error message: Error: signature failed ERROR SignedInfo References (ok/all): 0/1 Manifests References (ok/all): 0/0 Error: failed to verify file "documento-20100427.1.xml" = VERIFICATION CONTEXT == Status: unknown And the trace seems to be looking at the first URI: func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('F185T33')) func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: Thanks in advance, -------------- next part -------------- A non-text attachment was scrubbed... 
Name: documento-20100427.1.xml Type: application/xml Size: 8442 bytes Desc: not available URL: From aleksey at aleksey.com Tue Apr 27 16:02:45 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 27 Apr 2010 16:02:45 -0700 Subject: [xmlsec] error on signature verification In-Reply-To: <20100427221543.GA2906@bshellz.net> References: <20100427221543.GA2906@bshellz.net> Message-ID: <4BD76D15.80006@aleksey.com> The xmlsec1 utility tries to find the ds:Signature element in the sub-tree specified by the --node-id or --node-name parameter. The document you have looks as follows (irrelevant pieces are removed): I am not exactly sure why the first command verified something (I would expect it to do nothing since there are no signature nodes in the subtree). But the second command correctly finds the first signature element in the subtree specified by the --node-id or --node-name parameter (BTW, you just need one parameter :) ). For documents with multiple signatures, I strongly recommend putting an ID attribute directly into the node. This way you can easily specify the right signature node to sign or verify.
Regarding the error about xpointer(), please read section 3.4 from FAQ http://www.aleksey.com/xmlsec/faq.html Aleksey On 4/27/2010 3:15 PM, path at bshellz.net wrote: > Aleksey, > > I'm trying to validate the attached document, so I'm using > two command lines to verify both signatures: > > xmlsec1 --verify --print-debug \ > --print-crypto-error-msgs \ > --id-attr:ID 'http://www.sii.cl/SiiDte:Documento' \ > --node-name 'http://www.sii.cl/SiiDte:Documento' \ > --node-id 'F185T33' \ > documento-20100427.1.xml 2>&1 > > xmlsec1 --verify --print-debug \ > --print-crypto-error-msgs \ > --id-attr:ID 'http://www.sii.cl/SiiDte:SetDTE' \ > --node-name 'http://www.sii.cl/SiiDte:SetDTE' \ > --node-id 'DTE1272374641984' \ > documento-20100427.1.xml 2>&1 > > With first one, the signature is validated and it's ok, but the second one seems to try to verify the > first '#F185T33' instead of the second one '#DTE1272374641984', and I get this error message: > > Error: signature failed > ERROR > SignedInfo References (ok/all): 0/1 > Manifests References (ok/all): 0/0 > Error: failed to verify file "documento-20100427.1.xml" > = VERIFICATION CONTEXT > == Status: unknown > > And the trace seems to be looking at the first URI: > > func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 > library function failed:expr=xpointer(id('F185T33')) > func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec > library function failed: > > Thanks in advance, > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Tue Apr 27 19:39:13 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 27 Apr 2010 19:39:13 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD6D8AE.5000202@kosek.cz> References: <4BCDA184.3040402@kosek.cz> 
<4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> <4BD15B52.6080800@kosek.cz> <4BD1AC5F.3080200@aleksey.com> <4BD2799C.2080001@aleksey.com> <4BD29333.1010300@kosek.cz> <4BD6D8AE.5000202@kosek.cz> Message-ID: <4BD79FD1.7080908@aleksey.com> OK, I decided to bite the bullet and convert xmlsec to Unicode completely. For backward compatibility, there will be an option to compile it in non-unicode mode but the default mode will be unicode. I hope this took care of all the issues with I18N. Jirka, could you please try this build: http://www.aleksey.com/public/xmlsec-20100427.tar.gz I tested it and it seems to work but you are finding all the possible issues that I never can find myself :) Thanks a lot! Aleksey On 4/27/2010 5:29 AM, Jirka Kosek wrote: > Jirka Kosek wrote: >> Aleksey Sanin wrote: >> >>> Thanks a lot for sending me the example certs to me! Could you >>> please try one more version? >>> >>> http://www.aleksey.com/public/xmlsec-20100423.tar.gz >> >> Many thanks, excellent support! I can confirm that it now works even >> with the real certificate. > > Just now I have found another issue. If you will ask for SubjectName in > signature template, like: > > > > > > > > Then encoding of subject name is mangled -- corresponding bytes in file > are encoded using local windows code page (windows-1250 in my case) > instead of UTF-8. This results in non-wellformed XML. 
> > Thanks, > > Jirka > From aleksey at aleksey.com Thu Apr 29 06:48:59 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 29 Apr 2010 06:48:59 -0700 Subject: [xmlsec] MD5 signature values are different for same file... In-Reply-To: References: Message-ID: <4BD98E4B.2090807@aleksey.com> No, "..." doesn't have any special meaning except the usual one - indicating that something is skipped from the text. Please use the xmlsec mailing list for your questions. Best, Aleksey On 4/29/2010 4:32 AM, Naval Patel wrote: > Hi Aleksey... > > I am sorry for the previous email... I wonder why I didn't think that the > digest value stored is base64 encoded and not hex. Sorry about that. > > But I have another question for you... I am currently enabling digital > signature on my product. I would be making a template document and then > sign it. I have come across a few samples on the internet where they keep 3 > dots for eg. ... and the sample document > provided with XMLSEC has these 3 dots missing. Though adding the 3 dots > throws an error to me. Is there any peculiar significance to adding those 3 > dots? > > Thanks, > Naval. > > On Thu, Apr 29, 2010 at 1:51 PM, Naval Patel @gmail.com > wrote: > > Hi Aleksey, > > First of all, thanks a ton for this library which is coming in very > helpful to me. > > I am using XMLSEC along with OpenSSL for digital signature document > signing as well as verification. I have come across a point where I > see the digest value for the same file as two separate values under > the two conditions mentioned below: > > Case 1: I am using the MD5 algorithm for the digest value of the file > that is pointed by the URI of . The generated digest value is > let's say something. On verification this goes in very well, it does > not bother me at all.
> Case 2: I use the openssl.exe on the command line and I fear that the MD5 > value for the same file differs from what I am getting in case 1. I > also cross verified the results by entering the text on an online > tool for generating MD5 value at > http://www.adamek.biz/md5-generator.php > > Also I am observing that each of the digest or signature values ends > with an equals sign '='. Is this a normal behavior? > > Please do reply to me, else I would be stuck. > > Regards, > Naval Patel > ~ have fun ~ > > > > > -- > Naval Patel > ~ have fun ~ From aleksey at aleksey.com Thu Apr 29 09:41:07 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 29 Apr 2010 09:41:07 -0700 Subject: [xmlsec] New xmlsec 1.2.15 release Message-ID: <4BD9B6A3.5000208@aleksey.com> The new XML Security Library 1.2.15 release is available at the usual place: http://www.aleksey.com/xmlsec/download.html This release includes the following changes: * xmlsec-mscrypto: Added HMAC with MD5, SHA1, SHA256/384/512; RSA with MD5, SHA256/384/512 support. * xmlsec-mscrypto: Converted to Unicode (the non-Unicode builds are still available as a compile time option). * xmlsec-nss: Added MD5 and SHA256/384/512 support for digest, HMAC and RSA (the new minimum required version for the NSS library is 3.9). * xmlsec-gnutls: Added SHA256/384/512 for digest and HMAC; MD5 and RIPEMD160 digests support (the new minimum required version for the GnuTLS library is 2.8.0). * Several critical bug fixes and code cleanups. Thanks to everyone for the contribution, patches and bug reports!
Aleksey Sanin From cagutier at gmail.com Wed May 5 00:39:36 2010 From: cagutier at gmail.com (=?ISO-8859-1?Q?Carlos_Guti=E9rrez?=) Date: Wed, 5 May 2010 09:39:36 +0200 Subject: [xmlsec] XML Enveloped signature: problem declaring Reference URI to root node Message-ID: Hello, I'm trying to validate the belowd XML enveloping/envoped signature at http://www.aleksey.com/xmlsec/xmldsig-verifier.html but I'm getting an xpointer-related error The error received is : func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('RemesaMensajeLigeroFirmaGlobal')) func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed: func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed: func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: Error: signature verification 
failed the XML: ?xml version="1.0" encoding="UTF-8" ?> Q2826000H 05113189J 05113189J AEATPI20040504GECOEX MODIF.IMPORTE CREDITOS N?020923300221Y 9335d792cef1a2de3a61e6728188c3bc43a431fa kOK2dhpXe/Qywad8hvAiFQiondo= /Q5DR3ceJgc+1NK2LI3MP3YTrtM= EgQYPNGKuwTnzsjVS/AVgUYSEd4= AGsgkJ+UC73pekxf/13B6UI4otHKQV5PNXMEkxVb0grhdm9ozffnFok0988AB/I/6AbE0MNhrTbU H5FIt12mGo8uwt2KGo0YJnJfDlNH9+I3MB1flskQMcYOnJg2T/haWTB5u3FjdM22Q7UZsrJ2ri5C y2NNao6c5RJlJU3WVUk= MIIFHjCCBIegAwIBAgIEPLueRTANBgkqhkiG9w0BAQUFADA2MQswCQYDVQQGEwJFUzENMAsGA1UE ChMERk5NVDEYMBYGA1UECxMPRk5NVCBDbGFzZSAyIENBMB4XDTEwMDQxMjE4MDcyOFoXDTEzMDQx MjE4MDcyOFowgYAxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENs YXNlIDIgQ0ExEjAQBgNVBAsTCTUwMDA1MzA3NTE0MDIGA1UEAxQrTk9NQlJFIEVTUEHxT0wgRVNQ QfFPTCBKVUFOIC0gTklGIDk5OTk5OTk5UjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtodl IWnO/HEJig91PQBPy7F9WI/X6q4EeCipS+ZnMzlhiOzY8V5bUOCxr+JlULtOVlwhAMw/CLImyMfx vCV1ECkXOCFkgUFssTBl9MqU9zSvZnIrZ1pkApsVpTWcQAhBt8m6mEiLKkwojPKosv64f7PWVtFz 8EdRQLhLwUvXoisCAwEAAaOCAuwwggLoMGwGA1UdEQRlMGOkYTBfMRgwFgYJKwYBBAGsZgEEEwk5 OTk5OTk5OVIxFjAUBgkrBgEEAaxmAQMUB0VTUEHRT0wxFjAUBgkrBgEEAaxmAQIUB0VTUEHRT0wx EzARBgkrBgEEAaxmAQETBEpVQU4wCQYDVR0TBAIwADArBgNVHRAEJDAigA8yMDEwMDQxMjE4MDcy OFqBDzIwMTMwNDEyMTgwNzI4WjALBgNVHQ8EBAMCBaAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1Ud DgQWBBSZi9FNqfHZcEL9Nx8gfEis9Lp1IDAfBgNVHSMEGDAWgBRAmnZEl3QHxKwUyx6NTzpFfDDX YTCCATEGA1UdIASCASgwggEkMIIBIAYJKwYBBAGsZgMFMIIBETA0BggrBgEFBQcCARYoaHR0cDov L3d3dy5jZXJ0LmZubXQuZXMvY29udmVuaW8vZHBjLnBkZjCB2AYIKwYBBQUHAgIwgcsagchDZXJ0 aWZpY2FkbyBSZWNvbm9jaWRvIGV4cGVkaWRvIHNlZ/puIGxlZ2lzbGFjafNuIHZpZ2VudGUuVXNv IGxpbWl0YWRvIGEgbGEgQ29tdW5pZGFkIEVsZWN0cvNuaWNhIHBvciB2YWxvciBt4XhpbW8gZGUg MTAwIGUgc2Fsdm8gZXhjZXBjaW9uZXMgZW4gRFBDLkNvbnRhY3RvIEZOTVQ6Qy9Kb3JnZSBKdWFu IDEwNi0yODAwOS1NYWRyaWQtRXNwYfFhLjAdBgkrBgEEAaxmASEEEBYOUEVSU09OQSBGSVNJQ0Ew LwYIKwYBBQUHAQMEIzAhMAgGBgQAjkYBATAVBgYEAI5GAQIwCxMDRVVSAgFkAgEAMFsGA1UdHwRU MFIwUKBOoEykSjBIMQswCQYDVQQGEwJFUzENMAsGA1UEChMERk5NVDEYMBYGA1UECxMPRk5NVCBD 
bGFzZSAyIENBMRAwDgYDVQQDEwdDUkw3MDE0MA0GCSqGSIb3DQEBBQUAA4GBABq/mfoMQaczp2jX IeBygiLSpcRzwRa5K0PGMt0MtEyKacwdqy6bKMP28hz2qCwRTGeBhG9+rnwjkiZlXSMBnIb3x8Gb VKX9Mehr4xPpHI4wIp0cNiG01ZILqAGk1GKCTbE/4FnZZzTMKSnFtBp3ZzpXkzTiwrrf615G7JwG O6vu 2010-04-29T13:27:58+01:00 http://www.aeat.es/firma/SignaturePolicyV1.pdf Dmi29y1d6Np/ARK0xKGu/CyA4ZU= descripcion mime ulyimo What we understand from the error message is that there's a problem when resolving the first URI Reference. Is it mandatory that the Reference element that contains the enveloped transformation declares its URI attribute as "" ? As far as I know there shouldn't be any problem in including a URI value within the Reference element that contains the enveloped transform, isn't it? -------------- next part -------------- An HTML attachment was scrubbed... URL: From aleksey at aleksey.com Wed May 5 00:41:25 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Wed, 05 May 2010 00:41:25 -0700 Subject: [xmlsec] XML Enveloped signature: problem declaring Reference URI to root node In-Reply-To: References: Message-ID: <4BE12125.2020408@aleksey.com> http://www.aleksey.com/xmlsec/faq.html Aleksey On 5/5/2010 12:39 AM, Carlos Gutiérrez wrote: > Hello, > I'm trying to validate the below XML enveloping/enveloped signature at > http://www.aleksey.com/xmlsec/xmldsig-verifier.html but I'm getting an > xpointer-related error > The error received is : > > func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('RemesaMensajeLigeroFirmaGlobal')) > func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: > func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function
failed: > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer > func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed: > func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: > func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: > Error: signature verification failed > > the XML: > ?xml version="1.0" encoding="UTF-8" ?> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > Id="RemesaMensajeLigeroFirmaGlobal" ape:idRef="20100429132756490000"> > > Q2826000H > 05113189J > 05113189J > > AEATPI20040504GECOEX > MODIF.IMPORTE CREDITOS N?020923300221Y > > algoritmo="SHA-1">9335d792cef1a2de3a61e6728188c3bc43a431fa > > > > > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" /> > > > > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> > > > kOK2dhpXe/Qywad8hvAiFQiondo= > > > > /Q5DR3ceJgc+1NK2LI3MP3YTrtM= > > > > EgQYPNGKuwTnzsjVS/AVgUYSEd4= > > > AGsgkJ+UC73pekxf/13B6UI4otHKQV5PNXMEkxVb0grhdm9ozffnFok0988AB/I/6AbE0MNhrTbU > H5FIt12mGo8uwt2KGo0YJnJfDlNH9+I3MB1flskQMcYOnJg2T/haWTB5u3FjdM22Q7UZsrJ2ri5C > y2NNao6c5RJlJU3WVUk= > > > MIIFHjCCBIegAwIBAgIEPLueRTANBgkqhkiG9w0BAQUFADA2MQswCQYDVQQGEwJFUzENMAsGA1UE > ChMERk5NVDEYMBYGA1UECxMPRk5NVCBDbGFzZSAyIENBMB4XDTEwMDQxMjE4MDcyOFoXDTEzMDQx > 
MjE4MDcyOFowgYAxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENs > YXNlIDIgQ0ExEjAQBgNVBAsTCTUwMDA1MzA3NTE0MDIGA1UEAxQrTk9NQlJFIEVTUEHxT0wgRVNQ > QfFPTCBKVUFOIC0gTklGIDk5OTk5OTk5UjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtodl > IWnO/HEJig91PQBPy7F9WI/X6q4EeCipS+ZnMzlhiOzY8V5bUOCxr+JlULtOVlwhAMw/CLImyMfx > vCV1ECkXOCFkgUFssTBl9MqU9zSvZnIrZ1pkApsVpTWcQAhBt8m6mEiLKkwojPKosv64f7PWVtFz > 8EdRQLhLwUvXoisCAwEAAaOCAuwwggLoMGwGA1UdEQRlMGOkYTBfMRgwFgYJKwYBBAGsZgEEEwk5 > OTk5OTk5OVIxFjAUBgkrBgEEAaxmAQMUB0VTUEHRT0wxFjAUBgkrBgEEAaxmAQIUB0VTUEHRT0wx > EzARBgkrBgEEAaxmAQETBEpVQU4wCQYDVR0TBAIwADArBgNVHRAEJDAigA8yMDEwMDQxMjE4MDcy > OFqBDzIwMTMwNDEyMTgwNzI4WjALBgNVHQ8EBAMCBaAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1Ud > DgQWBBSZi9FNqfHZcEL9Nx8gfEis9Lp1IDAfBgNVHSMEGDAWgBRAmnZEl3QHxKwUyx6NTzpFfDDX > YTCCATEGA1UdIASCASgwggEkMIIBIAYJKwYBBAGsZgMFMIIBETA0BggrBgEFBQcCARYoaHR0cDov > L3d3dy5jZXJ0LmZubXQuZXMvY29udmVuaW8vZHBjLnBkZjCB2AYIKwYBBQUHAgIwgcsagchDZXJ0 > aWZpY2FkbyBSZWNvbm9jaWRvIGV4cGVkaWRvIHNlZ/puIGxlZ2lzbGFjafNuIHZpZ2VudGUuVXNv > IGxpbWl0YWRvIGEgbGEgQ29tdW5pZGFkIEVsZWN0cvNuaWNhIHBvciB2YWxvciBt4XhpbW8gZGUg > MTAwIGUgc2Fsdm8gZXhjZXBjaW9uZXMgZW4gRFBDLkNvbnRhY3RvIEZOTVQ6Qy9Kb3JnZSBKdWFu > IDEwNi0yODAwOS1NYWRyaWQtRXNwYfFhLjAdBgkrBgEEAaxmASEEEBYOUEVSU09OQSBGSVNJQ0Ew > LwYIKwYBBQUHAQMEIzAhMAgGBgQAjkYBATAVBgYEAI5GAQIwCxMDRVVSAgFkAgEAMFsGA1UdHwRU > MFIwUKBOoEykSjBIMQswCQYDVQQGEwJFUzENMAsGA1UEChMERk5NVDEYMBYGA1UECxMPRk5NVCBD > bGFzZSAyIENBMRAwDgYDVQQDEwdDUkw3MDE0MA0GCSqGSIb3DQEBBQUAA4GBABq/mfoMQaczp2jX > IeBygiLSpcRzwRa5K0PGMt0MtEyKacwdqy6bKMP28hz2qCwRTGeBhG9+rnwjkiZlXSMBnIb3x8Gb > VKX9Mehr4xPpHI4wIp0cNiG01ZILqAGk1GKCTbE/4FnZZzTMKSnFtBp3ZzpXkzTiwrrf615G7JwG > O6vu > > > > xmlns:etsi="http://uri.etsi.org/01903/v1.2.2#" Target="#Firma" > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> > > > 2010-04-29T13:27:58+01:00 > > > > http://www.aeat.es/firma/SignaturePolicyV1.pdf > > > > > Dmi29y1d6Np/ARK0xKGu/CyA4ZU= > > > > > > > descripcion > mime > ulyimo > > > > > > > > > What we understand from the 
error message is that there's a problem when > resolving the first URI Reference. Is it mandatory that the Reference > element that contains the enveloped transformation declares its URI > attribute as "" ? > As far as I know there shouldn't be any problem in including a URI value > within the Reference element that contains the enveloped transform, > isn't it? > From jirka at kosek.cz Thu May 6 03:58:23 2010 From: jirka at kosek.cz (Jirka Kosek) Date: Thu, 06 May 2010 12:58:23 +0200 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BD79FD1.7080908@aleksey.com> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> <4BD15B52.6080800@kosek.cz> <4BD1AC5F.3080200@aleksey.com> <4BD2799C.2080001@aleksey.com> <4BD29333.1010300@kosek.cz> <4BD6D8AE.5000202@kosek.cz> <4BD79FD1.7080908@aleksey.com> Message-ID: <4BE2A0CF.7020808@kosek.cz> Aleksey Sanin wrote: > OK, I decided to bite the bullet and convert xmlsec to Unicode > completely. For backward compatibility, there will be an option > to compile it in non-unicode mode but the default mode will be > unicode. I hope this took care of all the issues with I18N.
Well then it seems that I owe you at least one beer ;-) > Jirka, could you please try this build: > > http://www.aleksey.com/public/xmlsec-20100427.tar.gz > > I tested it and it seems to work but you are finding all the > possible issues that I never can find myself :) I made some test and it seems OK. Thank you very much and sorry for late reply, I have been pretty busy with other things in past days. Jirka -- ------------------------------------------------------------------ Jirka Kosek e-mail: jirka at kosek.cz http://xmlguru.cz ------------------------------------------------------------------ Professional XML consulting and training services DocBook customization, custom XSLT/XSL-FO document processing ------------------------------------------------------------------ OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member ------------------------------------------------------------------ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From aleksey at aleksey.com Thu May 6 19:22:33 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 06 May 2010 19:22:33 -0700 Subject: [xmlsec] Signing with X509 certificate using mscrypto provider In-Reply-To: <4BE2A0CF.7020808@kosek.cz> References: <4BCDA184.3040402@kosek.cz> <4BCDF730.2000805@aleksey.com> <4BCE297B.1040102@kosek.cz> <4BCE2B7F.3010509@aleksey.com> <4BCE2DB6.2030801@kosek.cz> <4BCE336A.6030208@aleksey.com> <4BCEB09B.1080109@kosek.cz> <4BCF0D9C.2010904@aleksey.com> <4BCF0DCA.6000203@kosek.cz> <4BCF0EDF.5020808@aleksey.com> <4BCF120F.3040609@kosek.cz> <4BD05E22.5000308@aleksey.com> <4BD0669B.60907@kosek.cz> <4BD089B9.50904@aleksey.com> <4BD0CBA7.6030501@kosek.cz> <4BD1315A.7090705@aleksey.com> <4BD15B52.6080800@kosek.cz> <4BD1AC5F.3080200@aleksey.com> <4BD2799C.2080001@aleksey.com> <4BD29333.1010300@kosek.cz> <4BD6D8AE.5000202@kosek.cz> 
<4BD79FD1.7080908@aleksey.com> <4BE2A0CF.7020808@kosek.cz> Message-ID: <4BE37969.70603@aleksey.com> Sure thing! No worries about the delay, I did more tests myself and was very comfortable with the change :) And sure about the beer - next time I am in Europe I will make sure to visit Prague :) Aleksey On 5/6/2010 3:58 AM, Jirka Kosek wrote: > Aleksey Sanin wrote: > >> OK, I decided to bite the bullet and convert xmlsec to Unicode >> completely. For backward compatibility, there will be an option >> to compile it in non-unicode mode but the default mode will be >> unicode. I hope this took care of all the issues with I18N. > > Well then it seems that I owe you at least one beer ;-) > >> Jirka, could you please try this build: >> >> http://www.aleksey.com/public/xmlsec-20100427.tar.gz >> >> I tested it and it seems to work but you are finding all the >> possible issues that I never can find myself :) > > I made some tests and it seems OK. Thank you very much and sorry for the late > reply, I have been pretty busy with other things in the past days. > > Jirka > From aleksey at aleksey.com Thu May 6 19:24:02 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 06 May 2010 19:24:02 -0700 Subject: [xmlsec] xmlsec1+ws-security In-Reply-To: References: Message-ID: <4BE379C2.1070402@aleksey.com> 1) Please use the xmlsec mailing list for questions about the library. 2) Did you try to verify the signed data with the xmlsec command line utility? If "not" then could you please try it? Thanks, Aleksey On 5/6/2010 6:27 AM, "Székvölgyi Péter" wrote: > Dear Aleksey, > > I want to use xmlsec and curl to send signed data to a wss4j server with > ws-security.
But it always sends me this error: > org.apache.ws.security.WSSecurityException: The signature or decryption > was invalid > > First I created the sign node: > > xmlNodePtr signNode = xmlSecTmplSignatureCreateNsPref(m_doc, > xmlSecTransformExclC14NId, xmlSecTransformRsaSha1Id, NULL, (const > xmlChar*)"ds"); > > xmlAddChild(Security, signNode); > > And I added BinarySecurityToken with Content to the Security node, then run: > > // I added reference and transform to: > xmlNodePtr refNode = xmlSecTmplSignatureAddReference(signNode, > xmlSecTransformSha1Id, NULL, (const xmlChar*)"#X509Token", NULL); > xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformExclC14NId); > > // second reference: keep its own node so the transform is added to #Body, not to #X509Token again > refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id, NULL, > (const xmlChar*)"#Body", NULL); > xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformExclC14NId); > > keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL); > > Add SecurityTokenReference. > > dsigCtx = xmlSecDSigCtxCreate(NULL); > > loading cert... > > xmlSecDSigCtxSign(dsigCtx, signNode); > > The signed xml is generated without any error. > > I tested it with all of the canonical methods, nothing changed. Unfortunately I don't > have access to the server application to debug the client code. > > Do you have any idea what is wrong? > > Thanks in advance: > Peter > > > > From mauricio at sercon.com.br Tue May 11 12:16:24 2010 From: mauricio at sercon.com.br (Mauricio) Date: Tue, 11 May 2010 16:16:24 -0300 Subject: [xmlsec] Digital Signatures without line breaks Message-ID: <9C1FC0C315A845FB908FD4F0750FADE5@mauricio> I'm using Xmlsec to create digital signatures ( including X509 certificates ) without any problems so far in the Linux/Apache environment. However these same signatures are being rejected by Windows .NET Web Services apparently because of the line breaks in the X509Certificate tag. How to avoid those line breaks and put everything in a single line ?
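Two questions in this archive come down to the same RFC 2045 base64 rules: Naval Patel's (why a ds:DigestValue is base64 rather than the hex that openssl prints, and why it ends in '=') and Mauricio's just above (why ds:X509Certificate comes out with line breaks). The following is an added example written for this page; it is not xmlsec code and not code from any poster. It encodes with the 76-column line wrapping that RFC 2045 section 6.8 describes, and decodes while ignoring line breaks and other non-alphabet characters as that section requires of decoders, so a wrapped and a single-line ds:X509Certificate decode to the same DER bytes. The 16 sample digest bytes are the well-known MD5 of the empty string; the 100 "certificate" bytes are constructed filler, not a real certificate.

```c
/* Added example for this page; not xmlsec code and not code from any poster.
 * RFC 2045 base64 as XMLDSig uses it: an encoder with optional 76-column line
 * wrapping, a decoder that ignores line breaks as section 6.8 requires, and a
 * hex form for comparison with `openssl dgst`. Plain C99, no libraries. */
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode in[0..in_len); insert '\n' after every line_size output characters
 * (0 = one unbroken line). out needs 4*ceil(in_len/3) + breaks + 1 bytes. */
size_t b64_encode(const unsigned char *in, size_t in_len, char *out, size_t line_size)
{
    size_t o = 0, col = 0;
    for (size_t i = 0; i < in_len; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < in_len) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < in_len) v |= (unsigned)in[i + 2];
        char quad[4];
        quad[0] = B64[(v >> 18) & 63];
        quad[1] = B64[(v >> 12) & 63];
        quad[2] = (i + 1 < in_len) ? B64[(v >> 6) & 63] : '=';  /* '=' pads a short last group */
        quad[3] = (i + 2 < in_len) ? B64[v & 63] : '=';
        for (int k = 0; k < 4; k++, col++) {
            if (line_size && col == line_size) { out[o++] = '\n'; col = 0; }
            out[o++] = quad[k];
        }
    }
    out[o] = '\0';
    return o;
}

/* Decode base64 text. Characters outside the alphabet (CR, LF, spaces) are
 * skipped, as RFC 2045 requires of decoders. Returns the decoded length, or
 * (size_t)-1 for data after '=', a dangling single sextet, or a full buffer. */
size_t b64_decode(const char *in, unsigned char *out, size_t out_cap)
{
    unsigned acc = 0, bits = 0, seen_pad = 0;
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        const char *q = strchr(B64, *p);
        if (*p == '=') { seen_pad = 1; continue; }
        if (q == NULL) continue;             /* whitespace or line break: ignore */
        if (seen_pad) return (size_t)-1;     /* alphabet character after padding */
        acc = (acc << 6) | (unsigned)(q - B64);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= out_cap) return (size_t)-1;
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (bits >= 6) ? (size_t)-1 : o;
}

/* Sample digest bytes: the well-known MD5 of the empty string. */
static const unsigned char SAMPLE_DIGEST[16] = {
    0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
    0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e };

/* The digest as `openssl dgst -md5` prints it: 32 lowercase hex digits. */
const char *sample_digest_hex(void)
{
    static char buf[33];
    for (size_t i = 0; i < sizeof SAMPLE_DIGEST; i++)
        sprintf(buf + 2 * i, "%02x", SAMPLE_DIGEST[i]);
    return buf;
}

/* The digest as ds:DigestValue carries it: base64, 24 characters, "==" padded. */
const char *sample_digest_b64(void)
{
    static char buf[32];
    b64_encode(SAMPLE_DIGEST, sizeof SAMPLE_DIGEST, buf, 0);
    return buf;
}

/* 1 if a 76-column wrapped encoding of 100 constructed "certificate" bytes has a
 * line break, the flat one has none, and both decode back to the same bytes. */
int wrapped_and_flat_agree(void)
{
    unsigned char cert[100], back[100];
    char wrapped[160], flat[160];
    for (size_t i = 0; i < sizeof cert; i++) cert[i] = (unsigned char)(i * 37 + 11);
    b64_encode(cert, sizeof cert, wrapped, 76);
    b64_encode(cert, sizeof cert, flat, 0);
    if (strchr(wrapped, '\n') == NULL || strchr(flat, '\n') != NULL) return 0;
    if (b64_decode(wrapped, back, sizeof back) != sizeof cert) return 0;
    if (memcmp(back, cert, sizeof cert) != 0) return 0;
    if (b64_decode(flat, back, sizeof back) != sizeof cert) return 0;
    return memcmp(back, cert, sizeof cert) == 0;
}

int main(void)
{
    printf("hex (openssl):  %s\nds:DigestValue: %s\nwrapped == flat: %s\n",
           sample_digest_hex(), sample_digest_b64(),
           wrapped_and_flat_agree() ? "yes" : "no");
    return 0;
}
```

The decoder is the side to look at when a peer rejects wrapped values: a receiver that fails on the line breaks is the non-conformant party. If you still have to interoperate with it, xmlsec itself can be told not to wrap by calling xmlSecBase64SetDefaultLineSize(0) after xmlSecInit(), which affects every base64 value the library writes, certificates and digest values alike.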
Thank You, Shaidmann -------------- next part -------------- An HTML attachment was scrubbed... URL: From aleksey at aleksey.com Tue May 11 13:28:00 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 11 May 2010 13:28:00 -0700 Subject: [xmlsec] Digital Signatures without line breaks In-Reply-To: <9C1FC0C315A845FB908FD4F0750FADE5@mauricio> References: <9C1FC0C315A845FB908FD4F0750FADE5@mauricio> Message-ID: <4BE9BDD0.8080006@aleksey.com> You have 3 options: 1) File a bug against Microsoft. XMLDsig spec (http://www.w3.org/TR/xmldsig-core) refers to RFC 2045 (http://www.ietf.org/rfc/rfc2045.txt) which describes base64 encoding/decoding in section 6.8: "The encoded output stream must be represented in lines of no more than 76 characters each. All line breaks or other characters not found in Table 1 must be ignored by decoding software. In base64 data, characters other than those in Table 1, line breaks, and other white space probably indicate a transmission error, about which a warning message or even a message rejection might be appropriate under some circumstances." 2) Set base64LineSize to 0 in keyInfoWriteCtx in the xmlSecDSigCtx structure. This would disable line wraps for a particular dsig operation. 3) Call xmlSecBase64SetDefaultLineSize(0) right after initializing xmlsec library. This would disable line wraps globally. Aleksey On 5/11/2010 12:16 PM, Mauricio wrote: > I'm using Xmlsec to create digital signatures ( including X509 > certtificates ) without any problems so far in the Linux/Apache environment. > However these same signatures are being rejected by Windows NET Web > Services apparently because of the line breaks in the X509Certificate tag. > How to avoid those line breaks and put everything in a single line ? 
> Thank You, > Shaidmann > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Tue May 11 14:25:23 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 11 May 2010 14:25:23 -0700 Subject: [xmlsec] Digital Signatures without line breaks In-Reply-To: References: <9C1FC0C315A845FB908FD4F0750FADE5@mauricio> <4BE9BDD0.8080006@aleksey.com> Message-ID: <4BE9CB43.3050803@aleksey.com> Option 1 or 3 from my first reply Aleksey On 5/11/2010 2:22 PM, Mauricio wrote: > Thank You. > > Setting base64LineSize to 0 in dsigCtx->keyInfoWriteCtx did it and > produced the tag without line breaks. > > But I still get the tag with the troublesome line breaks. > > Any suggestion on how to get rid of those as well ? > > Thanks again for the quick answer to the first question. > > Shaidmann > > > > From xmlsec at roumenpetrov.info Wed May 12 12:44:49 2010 From: xmlsec at roumenpetrov.info (Roumen Petrov) Date: Wed, 12 May 2010 22:44:49 +0300 Subject: [xmlsec] PATCH: nss_from_seamonkey Message-ID: <4BEB0531.7050904@roumenpetrov.info> Hi Aleksey, Please find attached file nss_from_seamonkey.patch.gz : pick nss (and nspr) from seamonkey package as xxx-nspr match "nspr" version but "xxx-nss" match browser (seamonkey) version. Roumen -------------- next part -------------- A non-text attachment was scrubbed... Name: nss_from_seamonkey.patch.gz Type: application/x-gzip Size: 620 bytes Desc: not available URL: From xmlsec at roumenpetrov.info Wed May 12 12:51:17 2010 From: xmlsec at roumenpetrov.info (Roumen Petrov) Date: Wed, 12 May 2010 22:51:17 +0300 Subject: [xmlsec] PATCH: reorderlibxmlsec as dep. lib Message-ID: <4BEB06B5.4020506@roumenpetrov.info> Hi Aleksey, Please find attached file "reorder_libxmlsec_as_dep_lib.patch.gz" - lets keep order of mscrypto dependent libraries same as for other crypto modules. 
Roumen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: reorder_libxmlsec_as_dep_lib.patch.gz
Type: application/x-gzip
Size: 276 bytes
Desc: not available

From xmlsec at roumenpetrov.info Wed May 12 13:00:26 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Wed, 12 May 2010 23:00:26 +0300
Subject: [xmlsec] default as crypto ?
Message-ID: <4BEB08DA.10005@roumenpetrov.info>

Hi Aleksey,

Please find attachment "fix_default_crypto.patch.gz".
XMLSEC_CRYPTO is not a makefile macro (variable in GNU terminology).
I think that substitute s/default/$(XMLSEC_CRYPTO)/ is not correct and correct ones are:
- s/default/@XMLSEC_CRYPTO@/ :
- s/default/$(DEFAULT_CRYPTO)/ : as in attached patch

Roumen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_default_crypto.patch.gz
Type: application/x-gzip
Size: 333 bytes
Desc: not available

From xmlsec at roumenpetrov.info Wed May 12 13:04:59 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Wed, 12 May 2010 23:04:59 +0300
Subject: [xmlsec] remove path from #include "src/gcrypt/asn1.h"
Message-ID: <4BEB09EB.4090606@roumenpetrov.info>

Hi Aleksey,

The new gcrypt module (git repo) is with two C files that include asn1.h with a path component.
In my repo I should replace #include "src/gcrypt/asn1.h" with #include "asn1.h" in app.c and ans1.c, otherwise make fails. My build directory tree differs from the source.

Roumen

From xmlsec at roumenpetrov.info Wed May 12 13:19:02 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Wed, 12 May 2010 23:19:02 +0300
Subject: [xmlsec] PATCH: UNICODE and RSA/OAEP port for mingw xmlsec-mscrypto
Message-ID: <4BEB0D36.3030608@roumenpetrov.info>

Hi Aleksey,

Please find attached file "mscrypto-mingw.patch.gz"
- xmlsec-mingw.h :
port is updated with new defines for SHA2..,3..,5..
CertNameToStr removed as it is defined in mingw.org headers since 2002

- *.c :
now xmlsec-mingw.h is required for every mscrypto C-file so it is included in "private.h" and removed from *.c files.

- mingw-crypt32.def :
For the first time I checked the build with unicode (CPPFLAGS='-DUNICODE -D_UNICODE') and the result is two missing W functions. A patch that adds configure script options will be implemented later.

- crypto.c
mingw.org won't provide functions with *_s suffix. I think that it is safe in this file to call functions without *_s suffix, but for now I add fake *_s functions only for mingw instead of modifying the code to not use *_s.

Roumen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mscrypto-mingw.patch.gz
Type: application/x-gzip
Size: 2357 bytes
Desc: not available

From aleksey at aleksey.com Wed May 12 13:20:16 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 12 May 2010 13:20:16 -0700
Subject: [xmlsec] PATCH: nss_from_seamonkey
In-Reply-To: <4BEB0531.7050904@roumenpetrov.info>
References: <4BEB0531.7050904@roumenpetrov.info>
Message-ID: <4BEB0D80.4040002@aleksey.com>

Is this correct?

PKG_CHECK_MODULES(NSS, [seamonkey-nspr >= $NSPR_MIN_VERSION seamonkey-nss >= $SEAMONKEY_MIN_VERSION]

Shouldn't it be " >= $SEAMONKEY_MIN_VERSION" for both comparisons?

Aleksey

On 5/12/2010 12:44 PM, Roumen Petrov wrote:
> Hi Aleksey,
>
> Please find attached file nss_from_seamonkey.patch.gz : pick nss (and
> nspr) from seamonkey package as xxx-nspr match "nspr" version but
> "xxx-nss" match browser (seamonkey) version.
>
> Roumen

From xmlsec at roumenpetrov.info Wed May 12 13:26:15 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Wed, 12 May 2010 23:26:15 +0300
Subject: [xmlsec] What about .gitignore ?
Message-ID: <4BEB0EE7.1090808@roumenpetrov.info>

Hi Aleksey,

After bootstrap, git lists a lot of "Untracked files".
To minimize the list I use the following .gitignore file in the repository top directory.
====================
*~
*.orig
autom4te.cache/
config.guess
config.sub
aclocal.m4
configure
ltmain.sh
/Makefile.in
/apps/Makefile.in
/docs/Makefile.in
/docs/api/Makefile.in
/include/Makefile.in
/include/xmlsec/Makefile.in
/include/xmlsec/gcrypt/Makefile.in
/include/xmlsec/gnutls/Makefile.in
/include/xmlsec/mscrypto/Makefile.in
/include/xmlsec/nss/Makefile.in
/include/xmlsec/openssl/Makefile.in
/include/xmlsec/private/Makefile.in
/man/Makefile.in
/src/Makefile.in
/src/gcrypt/Makefile.in
/src/gnutls/Makefile.in
/src/mscrypto/Makefile.in
/src/nss/Makefile.in
/src/openssl/Makefile.in
====================

I think that it is good to exclude every Makefile.in, but for now I list all of them.
If I understand the .gitignore syntax properly, /Makefile.in ignores Makefile.in only in the top directory, and Makefile.in will ignore all of them, including sub-directories.

Roumen

From aleksey at aleksey.com Wed May 12 13:33:06 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 12 May 2010 13:33:06 -0700
Subject: [xmlsec] PATCH: reorderlibxmlsec as dep. lib
In-Reply-To: <4BEB06B5.4020506@roumenpetrov.info>
References: <4BEB06B5.4020506@roumenpetrov.info>
Message-ID: <4BEB1082.4080000@aleksey.com>

Applied, thank you!

Aleksey

On 5/12/2010 12:51 PM, Roumen Petrov wrote:
> Hi Aleksey,
>
> Please find attached file "reorder_libxmlsec_as_dep_lib.patch.gz" - lets
> keep order of mscrypto dependent libraries same as for other crypto
> modules.
>
> Roumen

From aleksey at aleksey.com Wed May 12 13:33:20 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 12 May 2010 13:33:20 -0700
Subject: [xmlsec] default as crypto ?
In-Reply-To: <4BEB08DA.10005@roumenpetrov.info>
References: <4BEB08DA.10005@roumenpetrov.info>
Message-ID: <4BEB1090.3030200@aleksey.com>

Good catch, applied, thanks!

Aleksey

On 5/12/2010 1:00 PM, Roumen Petrov wrote:
> Hi Aleksey,
>
> Please find attachment "fix_default_crypto.patch.gz".
> XMLSEC_CRYPTO is not a makefile macro (variable in GNU terminology).
> I think that substitute s/default/$(XMLSEC_CRYPTO)/ is not correct and
> correct ones are:
> - s/default/@XMLSEC_CRYPTO@/ :
> - s/default/$(DEFAULT_CRYPTO)/ : as in attached patch
>
> Roumen

From aleksey at aleksey.com Wed May 12 13:33:56 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 12 May 2010 13:33:56 -0700
Subject: [xmlsec] remove path from #include "src/gcrypt/asn1.h"
In-Reply-To: <4BEB09EB.4090606@roumenpetrov.info>
References: <4BEB09EB.4090606@roumenpetrov.info>
Message-ID: <4BEB10B4.5010000@aleksey.com>

Sick, I should have guessed. Fixed.

Aleksey

On 5/12/2010 1:04 PM, Roumen Petrov wrote:
> Hi Aleksey,
>
> The new gcrypt module (git repo) is with two C files that include asn1.h
> with a path component.
> In my repo I should replace #include "src/gcrypt/asn1.h" with #include
> "asn1.h" in app.c and ans1.c, otherwise make fails. My build directory
> tree differs from the source.
>
> Roumen

From aleksey at aleksey.com Wed May 12 13:34:05 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 12 May 2010 13:34:05 -0700
Subject: [xmlsec] PATCH: UNICODE and RSA/OAEP port for mingw xmlsec-mscrypto
In-Reply-To: <4BEB0D36.3030608@roumenpetrov.info>
References: <4BEB0D36.3030608@roumenpetrov.info>
Message-ID: <4BEB10BD.7000202@aleksey.com>

Applied, thanks!
Aleksey

On 5/12/2010 1:19 PM, Roumen Petrov wrote:
> Hi Aleksey,
>
> Please find attached file "mscrypto-mingw.patch.gz"
> - xmlsec-mingw.h :
> port is updated with new defines for SHA2..,3..,5..
> CertNameToStr removed as it is defined in mingw.org headers since 2002
>
> - *.c :
> now xmlsec-mingw.h is required for every mscrypto C-file so it is
> included in "private.h" and removed from *.c files.
>
> - mingw-crypt32.def :
> For the first time I checked the build with unicode (CPPFLAGS='-DUNICODE
> -D_UNICODE') and the result is two missing W functions. A patch that adds
> configure script options will be implemented later.
>
> - crypto.c
> mingw.org won't provide functions with *_s suffix. I think that it is safe
> in this file to call functions without *_s suffix, but for now I add fake
> *_s functions only for mingw instead of modifying the code to not use *_s.
>
> Roumen

From xmlsec at roumenpetrov.info Wed May 12 13:36:34 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Wed, 12 May 2010 23:36:34 +0300
Subject: [xmlsec] PATCH: nss_from_seamonkey
In-Reply-To: <4BEB0D80.4040002@aleksey.com>
References: <4BEB0531.7050904@roumenpetrov.info> <4BEB0D80.4040002@aleksey.com>
Message-ID: <4BEB1152.7020305@roumenpetrov.info>

Yes
- note seamonkey-nspr match "nspr" version (!)
- but "seamonkey-nss" match seamonkey version.

SEAMONKEY_MIN_VERSION is set to 1.0 as this works for versions before 2.0 (tested by me a long time ago).

I could not check xulrunner-nspr and nspr packages as I don't have an OS with those packages. mozilla-nspr - may be dead now

Roumen

P.S.:
$ cat /usr/lib/pkgconfig/seamonkey-nspr.pc
prefix=/usr
exec_prefix=/usr
libdir=/usr/lib/seamonkey-2.0.4
includedir=/usr/include/seamonkey-2.0.4

Name: NSPR
Description: The Netscape Portable Runtime
Version: 4.7.1
Libs: -L/usr/lib/seamonkey-2.0.4 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
Cflags: -I/usr/include/seamonkey-2.0.4/nspr

$ cat /usr/lib/pkgconfig/seamonkey-nss.pc
prefix=/usr
exec_prefix=/usr
libdir=/usr/lib/seamonkey-2.0.4
includedir=/usr/include/seamonkey-2.0.4

Name: NSS
Description: Mozilla Network Security Services
Version: 2.0.4
Requires: seamonkey-nspr >= 4.7.1
Libs: -L${libdir} -lnss3 -lsmime3 -lssl3 -lsoftokn3
Cflags: -I${includedir}/nss

Aleksey Sanin wrote:
> Is this correct?
>
> PKG_CHECK_MODULES(NSS, [seamonkey-nspr >= $NSPR_MIN_VERSION
> seamonkey-nss >= $SEAMONKEY_MIN_VERSION]
>
> Shouldn't it be " >= $SEAMONKEY_MIN_VERSION" for both comparisons?
>
> Aleksey
>
> On 5/12/2010 12:44 PM, Roumen Petrov wrote:
>> Hi Aleksey,
>>
>> Please find attached file nss_from_seamonkey.patch.gz : pick nss (and
>> nspr) from seamonkey package as xxx-nspr match "nspr" version but
>> "xxx-nss" match browser (seamonkey) version.
>>
>> Roumen

From aleksey at aleksey.com Wed May 12 13:38:22 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 12 May 2010 13:38:22 -0700
Subject: [xmlsec] What about .gitignore ?
In-Reply-To: <4BEB0EE7.1090808@roumenpetrov.info>
References: <4BEB0EE7.1090808@roumenpetrov.info>
Message-ID: <4BEB11BE.8010509@aleksey.com>

Thanks! I've added a few more files and checked in.

Aleksey

On 5/12/2010 1:26 PM, Roumen Petrov wrote:
> Hi Aleksey,
> After bootstrap, git lists a lot of "Untracked files".
> To minimize the list I use the following .gitignore file in the repository top
> directory.
> ====================
> *~
> *.orig
> autom4te.cache/
> config.guess
> config.sub
> aclocal.m4
> configure
> ltmain.sh
> /Makefile.in
> /apps/Makefile.in
> /docs/Makefile.in
> /docs/api/Makefile.in
> /include/Makefile.in
> /include/xmlsec/Makefile.in
> /include/xmlsec/gcrypt/Makefile.in
> /include/xmlsec/gnutls/Makefile.in
> /include/xmlsec/mscrypto/Makefile.in
> /include/xmlsec/nss/Makefile.in
> /include/xmlsec/openssl/Makefile.in
> /include/xmlsec/private/Makefile.in
> /man/Makefile.in
> /src/Makefile.in
> /src/gcrypt/Makefile.in
> /src/gnutls/Makefile.in
> /src/mscrypto/Makefile.in
> /src/nss/Makefile.in
> /src/openssl/Makefile.in
> ====================
>
> I think that it is good to exclude every Makefile.in, but for now I list all
> of them.
> If I understand the .gitignore syntax properly, /Makefile.in ignores
> Makefile.in only in the top directory, and Makefile.in will ignore all of them,
> including sub-directories.
>
> Roumen

From aleksey at aleksey.com Wed May 12 13:45:02 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 12 May 2010 13:45:02 -0700
Subject: [xmlsec] PATCH: nss_from_seamonkey
In-Reply-To: <4BEB1152.7020305@roumenpetrov.info>
References: <4BEB0531.7050904@roumenpetrov.info> <4BEB0D80.4040002@aleksey.com> <4BEB1152.7020305@roumenpetrov.info>
Message-ID: <4BEB134E.5000409@aleksey.com>

Thanks! Checked in and I actually have xulrunner packages on my Ubuntu, they use NSPR/NSS version numbers so I fixed it as well.

Aleksey

On 5/12/2010 1:36 PM, Roumen Petrov wrote:
> Yes
> - note seamonkey-nspr match "nspr" version (!)
> - but "seamonkey-nss" match seamonkey version.
>
> SEAMONKEY_MIN_VERSION is set to 1.0 as this works for versions before 2.0
> (tested by me a long time ago).
>
> I could not check xulrunner-nspr and nspr packages as I don't have an OS
> with those packages. mozilla-nspr - may be dead now
>
> Roumen
>
> P.S.:
> $ cat /usr/lib/pkgconfig/seamonkey-nspr.pc
> prefix=/usr
> exec_prefix=/usr
> libdir=/usr/lib/seamonkey-2.0.4
> includedir=/usr/include/seamonkey-2.0.4
>
> Name: NSPR
> Description: The Netscape Portable Runtime
> Version: 4.7.1
> Libs: -L/usr/lib/seamonkey-2.0.4 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
> Cflags: -I/usr/include/seamonkey-2.0.4/nspr
>
> $ cat /usr/lib/pkgconfig/seamonkey-nss.pc
> prefix=/usr
> exec_prefix=/usr
> libdir=/usr/lib/seamonkey-2.0.4
> includedir=/usr/include/seamonkey-2.0.4
>
> Name: NSS
> Description: Mozilla Network Security Services
> Version: 2.0.4
> Requires: seamonkey-nspr >= 4.7.1
> Libs: -L${libdir} -lnss3 -lsmime3 -lssl3 -lsoftokn3
> Cflags: -I${includedir}/nss
>
>
> Aleksey Sanin wrote:
>> Is this correct?
>>
>> PKG_CHECK_MODULES(NSS, [seamonkey-nspr >= $NSPR_MIN_VERSION
>> seamonkey-nss >= $SEAMONKEY_MIN_VERSION]
>>
>> Shouldn't it be " >= $SEAMONKEY_MIN_VERSION" for both comparisons?
>>
>> Aleksey
>>
>> On 5/12/2010 12:44 PM, Roumen Petrov wrote:
>>> Hi Aleksey,
>>>
>>> Please find attached file nss_from_seamonkey.patch.gz : pick nss (and
>>> nspr) from seamonkey package as xxx-nspr match "nspr" version but
>>> "xxx-nss" match browser (seamonkey) version.
>>>
>>> Roumen

From xmlsec at roumenpetrov.info Wed May 12 14:01:00 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Thu, 13 May 2010 00:01:00 +0300
Subject: [xmlsec] What about .gitignore ?
In-Reply-To: <4BEB11BE.8010509@aleksey.com>
References: <4BEB0EE7.1090808@roumenpetrov.info> <4BEB11BE.8010509@aleksey.com>
Message-ID: <4BEB170C.6080307@roumenpetrov.info>

Aleksey Sanin wrote:
> Thanks! I've added a few more files and checked in.

My build is outside the source tree, so that is why my list is so short.
As Makefile.in excludes all files including those in sub-directories, I expect Makefile to do the same, and lines with a path component like apps/Makefile are extra.

> Aleksey
>
> On 5/12/2010 1:26 PM, Roumen Petrov wrote:
>> Hi Aleksey,
>> After bootstrap, git lists a lot of "Untracked files".
>> To minimize the list I use the following .gitignore file in the repository top
>> directory.
>> ====================
[SNIP]
>> ====================
>>
>> I think that it is good to exclude every Makefile.in, but for now I list all
>> of them.
>> If I understand the .gitignore syntax properly, /Makefile.in ignores
>> Makefile.in only in the top directory, and Makefile.in will ignore all of them,
>> including sub-directories.
>>
>> Roumen

Roumen

From aleksey at aleksey.com Wed May 12 14:02:46 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 12 May 2010 14:02:46 -0700
Subject: [xmlsec] What about .gitignore ?
In-Reply-To: <4BEB170C.6080307@roumenpetrov.info>
References: <4BEB0EE7.1090808@roumenpetrov.info> <4BEB11BE.8010509@aleksey.com> <4BEB170C.6080307@roumenpetrov.info>
Message-ID: <4BEB1776.10909@aleksey.com>

Yes, you are correct about Makefile but there is a real one in examples/ folder that I don't want to exclude.

Aleksey

On 5/12/2010 2:01 PM, Roumen Petrov wrote:
> Aleksey Sanin wrote:
>> Thanks! I've added a few more files and checked in.
>
> My build is outside the source tree, so that is why my list is so short.
> As Makefile.in excludes all files including those in sub-directories, I
> expect Makefile to do the same, and lines with a path component like
> apps/Makefile are extra.
>
>
>> Aleksey
>>
>> On 5/12/2010 1:26 PM, Roumen Petrov wrote:
>>> Hi Aleksey,
>>> After bootstrap, git lists a lot of "Untracked files".
>>> To minimize the list I use the following .gitignore file in the repository top
>>> directory.
>>> ====================
> [SNIP]
>>> ====================
>>>
>>> I think that it is good to exclude every Makefile.in, but for now I list all
>>> of them.
>>> If I understand the .gitignore syntax properly, /Makefile.in ignores
>>> Makefile.in only in the top directory, and Makefile.in will ignore all of them,
>>> including sub-directories.
>>>
>>> Roumen
>
> Roumen

From xmlsec at roumenpetrov.info Sun May 16 07:07:19 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Sun, 16 May 2010 17:07:19 +0300
Subject: [xmlsec] PATCH: add support for msys environment in xmlsec tests
Message-ID: <4BEFFC17.3080604@roumenpetrov.info>

(resent with correct sender address )

Hi Aleksey,

Please find attached file "xmlsec-Msys-test-environment.patch.gz" - allow xmlsec tests to run under msys shells.

About page http://www.aleksey.com/xmlsec/xmldsig.html : Maybe HMAC-SHA1 (currently N) and Enveloped Signature (currently empty) should be set to "Y" ?

Roumen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xmlsec-Msys-test-environment.patch.gz
Type: application/x-gzip
Size: 507 bytes
Desc: not available

From aleksey at aleksey.com Mon May 17 11:55:31 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 17 May 2010 11:55:31 -0700
Subject: [xmlsec] PATCH: add support for msys environment in xmlsec tests
In-Reply-To: <4BEFFC17.3080604@roumenpetrov.info>
References: <4BEFFC17.3080604@roumenpetrov.info>
Message-ID: <4BF19123.7060106@aleksey.com>

Thanks: the patch is applied, the doc fixed.

Aleksey

On 5/16/2010 7:07 AM, Roumen Petrov wrote:
> (resent with correct sender address )
>
> Hi Aleksey,
>
> Please find attached file "xmlsec-Msys-test-environment.patch.gz" -
> allow xmlsec tests to run under msys shells.
>
> About page http://www.aleksey.com/xmlsec/xmldsig.html : Maybe HMAC-SHA1
> (currently N) and Enveloped Signature (currently empty) should be set to
> "Y" ?
>
> Roumen

From rahul3894singh at gmail.com Sat May 22 19:44:43 2010
From: rahul3894singh at gmail.com (rahul kumar)
Date: Sun, 23 May 2010 08:14:43 +0530
Subject: [xmlsec] Compilation of XmlSec Application on Windows
Message-ID:

Hi Aleksey,

I am using xmlsec API on windows XP ( 32 bit) and once I try to verify my license file from my written application it crashes

"

I have compiled the xmlsec1-1.2.12 ( also tried by downloading the xmlsec1-1.2.13) on windows and my application crashes when calling the function xmlSecDSigCtxVerify.

I am using the same version of XMLSEC on my Linux environment and it is working fine. I am using openssl 1.0.0 version ( Openssl Lite on Windows).

After my analysis I found that the application crashes in function xmlSecTransformC14NPushXml ( In file c14n.c) where it calls the function xmlOutputBufferClose(buf); if I comment out this function then the operation fails but the application doesn't crash.

"

But when I try to verify my license file using the application provided along with xmlsec library for windows it works fine. The libxml2 and openSSL libraries are the same in both scenarios.

It will be a great help if you can guide me how the application provided with xmlsec ( i.e. xmlsec.exe ) is compiled.

Regards,
Rahul.

From aleksey at aleksey.com Sat May 22 20:10:32 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Sat, 22 May 2010 20:10:32 -0700
Subject: [xmlsec] Compilation of XmlSec Application on Windows
In-Reply-To:
References:
Message-ID: <4BF89CA8.8010308@aleksey.com>

Take a look at section 2.7 from the FAQ

https://www.aleksey.com/xmlsec/faq.html

Aleksey

On 5/22/2010 7:44 PM, rahul kumar wrote:
> Hi Aleksey,
>
> I am using xmlsec API on windows XP ( 32 bit) and once I try to
> verify my license file from my written application it crashes
>
> "
>
> I have compiled the xmlsec1-1.2.12 ( also tried by downloading the
> xmlsec1-1.2.13) on windows and my application crashes when calling the
> function xmlSecDSigCtxVerify.
>
> I am using the same version of XMLSEC on my Linux environment and it is
> working fine. I am using openssl 1.0.0 version ( Openssl Lite on Windows).
>
> After my analysis I found that the application crashes in function
> xmlSecTransformC14NPushXml ( In file c14n.c) where it calls the function
> xmlOutputBufferClose(buf); if I comment out this function then the operation
> fails but the application doesn't crash.
>
> "
>
> But when I try to verify my license file using the application provided
> along with xmlsec library for windows it works fine. The libxml2 and
> openSSL libraries are the same in both scenarios.
>
> It will be a great help if you can guide me how the application provided
> with xmlsec ( i.e. xmlsec.exe ) is compiled.
>
> Regards,
>
> Rahul.

From rahul3894singh at gmail.com Sat May 22 21:54:50 2010
From: rahul3894singh at gmail.com (rahul kumar)
Date: Sun, 23 May 2010 10:24:50 +0530
Subject: [xmlsec] Compilation of XmlSec Application on Windows
In-Reply-To: <4BF89CA8.8010308@aleksey.com>
References: <4BF89CA8.8010308@aleksey.com>
Message-ID:

Hi Aleksey,

T

Just to add further.
There is a difference between the linking of the application xmlsec.exe provided in the site and my application (i) Application xmlsec.exe is not linked to libxmlsec-openssl.dll but my application is not linked And after doing some analysis I found that the libxmlsec-openssl.dll is internally calling c:\windows\system32\LIBEAY32.DLL ( I have installed OpenSSL light) and inside the c:\windows\system32\LIBEAY32.DLL the application crashes at function OSSL_libdes_version. Please provide your views. Regards, Rahul. On Sun, May 23, 2010 at 8:40 AM, Aleksey Sanin wrote: > Take a look at section 2.7 from the FAQ > > https://www.aleksey.com/xmlsec/faq.html > > Aleksey > > > On 5/22/2010 7:44 PM, rahul kumar wrote: > >> Hi Aleksey, >> >> I am using xmlsec API on windows XP ( 32 bit) and once I use try to >> verify the my license file from my written application it crashes >> >> " >> >> I have compiled the xmlsec1-1.2.12 ( also tried by downloading the >> xmlsec1-1.2.13)on windows and my application crashes when call the >> function xmlSecDSigCtxVerify. >> >> I am using the same version of XMLSEC on my Linux environment and it is >> working fine. I am using openssl 1.0.0 version ( Openssl Lite on Windows). >> >> After my analysis I found that the application crashes in function >> xmlSecTransformC14NPushXml ( In file c14n.c) where it calls the function >> xmlOutputBufferClose(buf), if I comment this function then the operation >> fails but the application doesnt crash. >> >> " >> >> But when I try to verify my license file using the application provided >> along with xmlsec library for windows it works fine. The libxml2 and >> openSSL libraries are same in both the scenario. >> >> It will be great help if you can guide me how the application provided >> with xmlsex ( i.e. xmlsec.exe ) is compiled. >> >> Regards, >> >> Rahul. 
>> >> >> >> _______________________________________________ >> xmlsec mailing list >> xmlsec at aleksey.com >> http://www.aleksey.com/mailman/listinfo/xmlsec >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rahul3894singh at gmail.com Sat May 22 21:55:41 2010 From: rahul3894singh at gmail.com (rahul kumar) Date: Sun, 23 May 2010 10:25:41 +0530 Subject: [xmlsec] Compilation of XmlSec Application on Windows In-Reply-To: <4BF89CA8.8010308@aleksey.com> References: <4BF89CA8.8010308@aleksey.com> Message-ID: Hi Aleksey, Thanks for your quick response. I have gone through the link provided by you. Just to add further. There is a difference between the linking of the application xmlsec.exe provided in the site and my application (i) Application xmlsec.exe is not linked to libxmlsec-openssl.dll but my application is not linked And after doing some analysis I found that the libxmlsec-openssl.dll is internally calling c:\windows\system32\LIBEAY32.DLL ( I have installed OpenSSL light) and inside the c:\windows\system32\LIBEAY32.DLL the application crashes at function OSSL_libdes_version. Please provide your views. Regards, Rahul. On Sun, May 23, 2010 at 8:40 AM, Aleksey Sanin wrote: > Take a look at section 2.7 from the FAQ > > https://www.aleksey.com/xmlsec/faq.html > > Aleksey > > > On 5/22/2010 7:44 PM, rahul kumar wrote: > >> Hi Aleksey, >> >> I am using xmlsec API on windows XP ( 32 bit) and once I use try to >> verify the my license file from my written application it crashes >> >> " >> >> I have compiled the xmlsec1-1.2.12 ( also tried by downloading the >> xmlsec1-1.2.13)on windows and my application crashes when call the >> function xmlSecDSigCtxVerify. >> >> I am using the same version of XMLSEC on my Linux environment and it is >> working fine. I am using openssl 1.0.0 version ( Openssl Lite on Windows). 
>> >> After my analysis I found that the application crashes in function >> xmlSecTransformC14NPushXml ( In file c14n.c) where it calls the function >> xmlOutputBufferClose(buf), if I comment this function then the operation >> fails but the application doesnt crash. >> >> " >> >> But when I try to verify my license file using the application provided >> along with xmlsec library for windows it works fine. The libxml2 and >> openSSL libraries are same in both the scenario. >> >> It will be great help if you can guide me how the application provided >> with xmlsex ( i.e. xmlsec.exe ) is compiled. >> >> Regards, >> >> Rahul. >> >> >> >> _______________________________________________ >> xmlsec mailing list >> xmlsec at aleksey.com >> http://www.aleksey.com/mailman/listinfo/xmlsec >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From aleksey at aleksey.com Sat May 22 22:13:56 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Sat, 22 May 2010 22:13:56 -0700 Subject: [xmlsec] Compilation of XmlSec Application on Windows In-Reply-To: References: <4BF89CA8.8010308@aleksey.com> Message-ID: <4BF8B994.5090602@aleksey.com> You obviously have a problem with compiling the library. You need to make sure you use the same compiler/linker and same target for all your libraries. Aleksey On 5/22/2010 9:55 PM, rahul kumar wrote: > Hi Aleksey, > > Thanks for your quick response. I have gone through the link provided by > you. > Just to add further. > > There is a difference between the linking of the application xmlsec.exe > provided in the site and my application > (i) Application xmlsec.exe is not linked to libxmlsec-openssl.dll but my > application is not linked > > And after doing some analysis I found that the libxmlsec-openssl.dll is > internally calling c:\windows\system32\LIBEAY32.DLL ( I have installed > OpenSSL light) and inside the c:\windows\system32\LIBEAY32.DLL the > application crashes at function OSSL_libdes_version. 
> > Please provide your views. > > Regards, > Rahul. > > > On Sun, May 23, 2010 at 8:40 AM, Aleksey Sanin > wrote: > > Take a look at section 2.7 from the FAQ > > https://www.aleksey.com/xmlsec/faq.html > > Aleksey > > > On 5/22/2010 7:44 PM, rahul kumar wrote: > > Hi Aleksey, > > I am using xmlsec API on windows XP ( 32 bit) and once I use try to > verify the my license file from my written application it crashes > > " > > I have compiled the xmlsec1-1.2.12 ( also tried by downloading the > xmlsec1-1.2.13)on windows and my application crashes when call the > function xmlSecDSigCtxVerify. > > I am using the same version of XMLSEC on my Linux environment > and it is > working fine. I am using openssl 1.0.0 version ( Openssl Lite on > Windows). > > After my analysis I found that the application crashes in function > xmlSecTransformC14NPushXml ( In file c14n.c) where it calls the > function > xmlOutputBufferClose(buf), if I comment this function then the > operation > fails but the application doesnt crash. > > " > > But when I try to verify my license file using the application > provided > along with xmlsec library for windows it works fine. The libxml2 and > openSSL libraries are same in both the scenario. > > It will be great help if you can guide me how the application > provided > with xmlsex ( i.e. xmlsec.exe ) is compiled. > > Regards, > > Rahul. > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec > > From xmlsec at roumenpetrov.info Mon May 24 13:38:06 2010 From: xmlsec at roumenpetrov.info (Roumen Petrov) Date: Mon, 24 May 2010 23:38:06 +0300 Subject: [xmlsec] Compilation of XmlSec Application on Windows In-Reply-To: <4BF8B994.5090602@aleksey.com> References: <4BF89CA8.8010308@aleksey.com> <4BF8B994.5090602@aleksey.com> Message-ID: <4BFAE3AE.2000502@roumenpetrov.info> Aleksey Sanin wrote: > You obviously have a problem with compiling the library. 
You need > to make sure you use the same compiler/linker and same target for > all your libraries. > > Aleksey Yes and no. Probably issue it related to different msvc runtimes as is reported crash in xmlOutputBufferClose. This is well documented in MSDN - file and memory operations must use API from same shared library(DLL). As example lets DLL is linked to msvc runtime version A and application is linked to version B. In this case application cannot perform IO operation on file stream(FILE*) returned by DLL and vice versa - DLL cannot perform IO operation on file stream opened by application. > On 5/22/2010 9:55 PM, rahul kumar wrote: >> Hi Aleksey, [SNIP] >> After my analysis I found that the application crashes in function >> xmlSecTransformC14NPushXml ( In file c14n.c) where it calls the >> function >> xmlOutputBufferClose(buf), if I comment this function then the >> operation >> fails but the application doesnt crash. [SNIP] May if you application use libxml IO callbacks you issue will be resolved on windows where OS lack standard C runtime. Roumen From rahul3894singh at gmail.com Tue May 25 02:45:25 2010 From: rahul3894singh at gmail.com (rahul kumar) Date: Tue, 25 May 2010 15:15:25 +0530 Subject: [xmlsec] Compilation of XmlSec Application on Windows In-Reply-To: <4BF8B994.5090602@aleksey.com> References: <4BF89CA8.8010308@aleksey.com> <4BF8B994.5090602@aleksey.com> Message-ID: Hi Aleksey, After figuring out the compilation problem related to xmlsec on windows. And the application is not crashing anymore. 
I am using the same version of xmlsec on Windows and Linux, and after some analysis from my side I am finding the following thing on Windows:

Inside the function xmlSecDSigCtxProcessKeyInfoNode (in file xmldsig.c) the statement

dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node, &(dsigCtx->keyInfoReadCtx));

is not setting the value as expected. On Linux the same line sets the value of dsigCtx->signKey properly, but on Windows, after execution of this statement, the value of dsigCtx->signKey still remains NULL.

Please provide some views from your side; it will help me a lot.

Regards,
Rahul.

On Sun, May 23, 2010 at 10:43 AM, Aleksey Sanin wrote:
> You obviously have a problem with compiling the library. You need
> to make sure you use the same compiler/linker and same target for
> all your libraries.
>
> Aleksey
>
> On 5/22/2010 9:55 PM, rahul kumar wrote:
>> Hi Aleksey,
>>
>> Thanks for your quick response. I have gone through the link provided by
>> you.
>> Just to add further.
>>
>> There is a difference between the linking of the application xmlsec.exe
>> provided on the site and my application:
>> (i) Application xmlsec.exe is not linked to libxmlsec-openssl.dll but my
>> application is not linked
>>
>> And after doing some analysis I found that the libxmlsec-openssl.dll is
>> internally calling c:\windows\system32\LIBEAY32.DLL (I have installed
>> OpenSSL light) and inside the c:\windows\system32\LIBEAY32.DLL the
>> application crashes at function OSSL_libdes_version.
>>
>> Please provide your views.
>>
>> Regards,
>> Rahul.
>>
>> On Sun, May 23, 2010 at 8:40 AM, Aleksey Sanin wrote:
>>> Take a look at section 2.7 from the FAQ
>>>
>>> https://www.aleksey.com/xmlsec/faq.html
>>>
>>> Aleksey
>>>
>>> On 5/22/2010 7:44 PM, rahul kumar wrote:
>>>> Hi Aleksey,
>>>>
>>>> I am using the xmlsec API on Windows XP (32 bit) and once I try to
>>>> verify my license file from my written application it crashes:
>>>>
>>>> "
>>>> I have compiled xmlsec1-1.2.12 (also tried by downloading
>>>> xmlsec1-1.2.13) on Windows and my application crashes when calling the
>>>> function xmlSecDSigCtxVerify.
>>>>
>>>> I am using the same version of XMLSEC on my Linux environment
>>>> and it is working fine. I am using the openssl 1.0.0 version (OpenSSL Lite on
>>>> Windows).
>>>>
>>>> After my analysis I found that the application crashes in function
>>>> xmlSecTransformC14NPushXml (in file c14n.c) where it calls the
>>>> function xmlOutputBufferClose(buf); if I comment out this function then the
>>>> operation fails but the application doesn't crash.
>>>> "
>>>>
>>>> But when I try to verify my license file using the application
>>>> provided along with the xmlsec library for Windows it works fine. The libxml2
>>>> and openSSL libraries are the same in both scenarios.
>>>>
>>>> It would be a great help if you could guide me how the application
>>>> provided with xmlsec (i.e. xmlsec.exe) is compiled.
>>>>
>>>> Regards,
>>>>
>>>> Rahul.

_______________________________________________
xmlsec mailing list
xmlsec at aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec

From aleksey at aleksey.com Tue May 25 07:44:50 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 25 May 2010 07:44:50 -0700
Subject: [xmlsec] Compilation of XmlSec Application on Windows
References: <4BF89CA8.8010308@aleksey.com> <4BF8B994.5090602@aleksey.com>
Message-ID: <4BFBE262.7070802@aleksey.com>

I am sorry, I don't know.
You have the debugger :)

Aleksey

On 5/25/2010 2:45 AM, rahul kumar wrote:
> Hi Aleksey,
>
> After figuring out the compilation problem related to xmlsec on windows.
> And the application is not crashing anymore.
> I am using the same version of xmlsec on Windows and Linux and after
> some analysis from my side I am finding the following thing on Windows:-
>
> Inside the function
> xmlSecDSigCtxProcessKeyInfoNode ( in file xmldsig.c )
>
> The statement is not setting the values as expected
> dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node,
> &(dsigCtx->keyInfoReadCtx));
>
> But in Linux the same line the value of dsigCtx->signKey is setting
> properly and in windows after execution of this statement the value
> of dsigCtx->signKey still remains NULL.
>
> Please provide some views from your side and will help me a lot.
>
> Regards,
> Rahul.
>
> On Sun, May 23, 2010 at 10:43 AM, Aleksey Sanin wrote:
>> You obviously have a problem with compiling the library. You need
>> to make sure you use the same compiler/linker and same target for
>> all your libraries.
>>
>> Aleksey
>>
>> [SNIP]

From aleksey at aleksey.com Tue May 25 15:45:18 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 25 May 2010 15:45:18 -0700
Subject: [xmlsec] New xmlsec 1.2.16 release
Message-ID: <4BFC52FE.8000602@aleksey.com>

The new XML Security Library 1.2.16 release is available at the usual place:

http://www.aleksey.com/xmlsec/download.html

This release includes the following changes:

* New xmlsec-gcrypt library with support for most crypto operations.
* xmlsec-gnutls: Added X509 support and converted the library to use the xmlsec-gcrypt library for all crypto operations.
* xmlsec-mscrypto: RSA/OAEP and AES/DES KW support.
* Several minor bug fixes and code cleanups.

Thanks to everyone for the contributions, patches and bug reports!

Aleksey Sanin

From mahendra0203 at gmail.com Wed Jun 16 00:06:11 2010
From: mahendra0203 at gmail.com (mahendra N)
Date: Wed, 16 Jun 2010 12:36:11 +0530
Subject: [xmlsec] Spaces in xml Id attribute

Hi,

I have an xml file where the Id attribute has a space. xmlsec is unable to verify the file.

The Id attribute is defined as mentioned below:

When I execute the command

xmlsec1 --verify --id-attr:Id LicenceData --trusted-pem root.pem act_space.XML

I get the errors mentioned below.

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('licnew 1'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:

Thanks and Regards,
Mahendra Naik

From aleksey at aleksey.com Wed Jun 16 14:52:02 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 16 Jun 2010 14:52:02 -0700
Subject: [xmlsec] Spaces in xml Id attribute
Message-ID: <4C194782.40602@aleksey.com>

Sorry, no idea. It is deep in the xpath evaluator in libxml2.

Aleksey

On 6/16/2010 12:06 AM, mahendra N wrote:
> Hi,
> I have an xml file where the Id attribute has a space. xmlsec is
> unable to verify the file.
>
> The Id attribute is defined as metioned below:
>
> When I execute the command
> /xmlsec1 --verify --id-attr:Id LicenceData --trusted-pem root.pem
> act_space.XML , /I get the below mentioned below.
> [SNIP]

From veillard at redhat.com Thu Jun 17 19:51:48 2010
From: veillard at redhat.com (Daniel Veillard)
Date: Fri, 18 Jun 2010 04:51:48 +0200
Subject: [xmlsec] Spaces in xml Id attribute
Message-ID: <20100618025148.GA3922@redhat.com>

On Wed, Jun 16, 2010 at 12:36:11PM +0530, mahendra N wrote:
> Hi,
> I have an xml file where the Id attribute has a space. xmlsec is unable
> to verify the file.
>
> The Id attribute is defined as metioned below:
>
> When I execute the command
> *xmlsec1 --verify --id-attr:Id LicenceData --trusted-pem root.pem
> act_space.XML , *I get the below mentioned below.

http://www.w3.org/TR/REC-xml/#sec-attribute-types

Validity constraint: ID
Values of type ID MUST match the Name production.

The XML Name production is defined at http://www.w3.org/TR/REC-xml/#NT-Name and obviously can't take a space. Whatever generated that xml:id is broken. Libxml2 might still register this as an ID, but subsequent tries at using this id are also likely to fail for XPath.

In a nutshell, spaces are forbidden in ID identifiers.

Daniel

--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/

From xmlsec at roumenpetrov.info Sat Jun 26 13:58:08 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Sat, 26 Jun 2010 23:58:08 +0300
Subject: [xmlsec] xmlsec and gcrypt < 1.4.3
Message-ID: <4C2669E0.4080103@roumenpetrov.info>

Hi All,

On my system gcrypt is too old (1.4.0) and the test with the last xmlsec version didn't pass.
The attached patch "xmlsec_gcrypt_1.4_0-2.patch" resolves the issue for me.

Maybe instead of patching the xmlsec source it is better to increase the required minimum gcrypt version. I'm not familiar with this library and I'm not sure whether versions 1.4.3, 1.4.4 or 1.4.5 resolve security bugs.

Roumen
[attachment: xmlsec_gcrypt_1.4_0-2.patch (text/x-diff, 3569 bytes)]

From aleksey at aleksey.com Sun Jun 27 10:27:18 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Sun, 27 Jun 2010 10:27:18 -0700
Subject: [xmlsec] xmlsec and gcrypt < 1.4.3
In-Reply-To: <4C2669E0.4080103@roumenpetrov.info>
References: <4C2669E0.4080103@roumenpetrov.info>
Message-ID: <4C2789F6.9060609@aleksey.com>

Thanks! Applied.

Aleksey

On 6/26/2010 1:58 PM, Roumen Petrov wrote:
> Hi All,
>
> On my system gcrypt is to old (1.4.0) and test with last xmlsec version
> didn't pass.
> The attached patch "xmlsec_gcrypt_1.4_0-2.patch" resolve issue to me.
>
> May be instead to patch xmlsec source is better to increase required
> minimum gcrypt version. I'm not familiar with this library and I'm not
> sure whether versions 1.4.3, 1.4.4 or 1.4.5 resolve security bugs.
>
> Roumen

From luiz at xharbour.com.br Sun Jul 18 09:34:38 2010
From: luiz at xharbour.com.br (Luiz Rafael Culik Guimaraes)
Date: Sun, 18 Jul 2010 13:34:38 -0300
Subject: [xmlsec] sign an xml on a specific element
Message-ID: <434E7B2E3F204F4AA2CF2E7B3F9389CE@luizr>

Hi,

I'm using xmlsec to sign xml files successfully, but now I need to sign an xml starting at a specific tag.

Taking the xml below, I need only to sign the infNFe tag:

... // many other tags inside with info

and the resulting xml should be:

... // many other tags inside with info

Any suggestion? I've done my signature code based on the sign3.c sample.

Regards and thanks in advance,
Luiz

From aleksey at aleksey.com Sun Jul 18 09:50:34 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Sun, 18 Jul 2010 09:50:34 -0700
Subject: [xmlsec] sign an xml on a specific element
In-Reply-To: <434E7B2E3F204F4AA2CF2E7B3F9389CE@luizr>
References: <434E7B2E3F204F4AA2CF2E7B3F9389CE@luizr>
Message-ID: <4C4330DA.2090309@aleksey.com>

I believe you need this:

http://www.w3.org/TR/xmldsig-filter2/

For examples, look at this test:

tests/merlin-xpath-filter2-three/sign-spec.tmpl

Aleksey

On 7/18/2010 9:34 AM, Luiz Rafael Culik Guimaraes wrote:
> Hi
>
> im using xmlsec to sing successfully xml files,
> but now i need to sing an xml stating on an specific tag
>
> taking the xml bellow, i need only to sign infNFe tag
>
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>
> ... // many other tags inside with info
>
> and the resulting xml should be
>
> versao="1.01">
> ...// many other tags inside with info
> .
>
> any suggestion, ive done my signature code based on sign3.c sample
>
> Regards and thanks in advance
> Luiz

From help at roumenpetrov.info Sun May 16 07:07:35 2010
From: help at roumenpetrov.info (Roumen Petrov)
Date: Sun, 16 May 2010 14:07:35 -0000
Subject: [xmlsec] PATCH:-Msys-test-environment.patch.gz
Message-ID: <4BEFFBA9.8090508@roumenpetrov.info>

Hi Aleksey,

Please find attached the file "xmlsec-Msys-test-environment.patch.gz"; it allows the xmlsec tests to run under msys shells.

About the page http://www.aleksey.com/xmlsec/xmldsig.html: maybe HMAC-SHA1 (currently N) and Enveloped Signature (currently empty) should be set to "Y"?

Roumen
[attachment: xmlsec-Msys-test-environment.patch.gz (application/x-gzip, 507 bytes)]

From Michael.X.Stahl at Oracle.com Wed Jul 14 03:19:39 2010
From: Michael.X.Stahl at Oracle.com (Michael Stahl)
Date: Wed, 14 Jul 2010 12:19:39 +0200
Subject: [xmlsec] [patch] configure check for libxml2/libxslt prepends /bin

hi libxmlsec maintainers,

the check for the xml2-config/xslt-config programs in configure (as of libxmlsec 1.2.14) is a bit suboptimal:

AC_PATH_PROG([LIBXML_CONFIG], [$LIBXML_CONFIG], [], [$with_libxml/bin:$PATH])

if no --with-libxml parameter is given explicitly, it will prepend /bin to $PATH (because $with_libxml is empty). this is not usually a problem, except that on my Solaris box for some reason there's a /bin/xml2-config and /bin/xslt-config :(

attached patch fixed that for me.
[ note that i'm not a shell expert, but i've tested that the ${var:+foo} construct works with Solaris old moldy /bin/sh and with Ubuntu /bin/dash ]

regards,
michael

--
"To argue with a person who has renounced the use of reason is like administering medicine to the dead." -- Thomas Paine

[attachment: xmlsec1-configure-libxml-libxslt.patch (text/x-patch, 903 bytes)]

From aleksey at aleksey.com Mon Jul 19 08:27:25 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 19 Jul 2010 08:27:25 -0700
Subject: [xmlsec] Query Regarding encrypt2.
In-Reply-To: <880B6BE6B7BFD811A5EA0020AF5A497F079BE4@LONDEXCH1>
References: <880B6BE6B7BFD811A5EA0020AF5A497F079BE4@LONDEXCH1>
Message-ID: <4C446EDD.8000701@aleksey.com>

Try to use the xmlsec command line tool. Unfortunately, compilation on Windows is not as simple as it should be.

Aleksey

On 6/22/2004 8:59 AM, Grahame Dawes wrote:
> I was looking for a tool to encrypt the data in an xml file. Thought
> such a tool must exist on the web so started searching.
>
> At first I thought I could use xmlsec, then after much reading and
> searching it seems I need
>
> Encrypt2.
>
> The xml file I have is a simple sequential file with records containing 3
> fields of which I need to encrypt at least 1 in every record.
>
> I was hoping to avoid having to create templates etc myself and was
> hoping some utility could pass my file, add in the tags for
> encoded, encrypted data assuming I specified a key.
>
> I was looking for the ready built example .exe's to run as shown on
> http://cvs.gnome.org/viewcvs/*checkout*/xmlsec/docs/api/xmlsec-examples.html
>
> After much searching and not finding an encrypt2.exe to download I
> copied the source and win32 downloads and started building.
>
> I am sure I have my includes and library files correct. I could not find
> a win32 makefile (still searching)
>
> However I am using Visual Studio 2003 VC++ and the linker is reporting
>
> error LNK2020: unresolved token (0A00000F) __imp_xmlSecTypeEncElement
>
> which dll should this be in?
>
> I am trying to build it using openssl as my chosen encryption method.
>
> Any ideas on how to compile encrypt2 would be useful.
>
> Grahame
>
> PS Hope I got the correct mailing list.

From aleksey at aleksey.com Mon Jul 19 08:43:12 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 19 Jul 2010 08:43:12 -0700
Subject: [xmlsec] [patch] configure check for libxml2/libxslt prepends /bin
Message-ID: <4C447290.9010509@aleksey.com>

Thanks Michael! I fixed it in a slightly different way by adding an explicit if() check for an empty $with_libxml/libxslt.
Aleksey

On 7/14/2010 3:19 AM, Michael Stahl wrote:
> hi libxmlsec maintainers,
>
> the check for the xml2-config/xslt-config programs in configure (as of
> libxmlsec 1.2.14) is a bit suboptimal:
>
> AC_PATH_PROG([LIBXML_CONFIG], [$LIBXML_CONFIG], [],
> [$with_libxml/bin:$PATH])
>
> if no --with-libxml parameter is given explicitly, it will prepend /bin to
> $PATH (because $with_libxml is empty).
> this is not usually a problem, except that on my Solaris box for some
> reason there's a /bin/xml2-config and /bin/xslt-config :(
>
> attached patch fixed that for me.
> [ note that i'm not a shell expert, but i've tested that the ${var:+foo}
> construct works with Solaris old moldy /bin/sh and with Ubuntu /bin/dash ]
>
> regards,
> michael

From BrianW at Snowflake.k12.az.us Mon Jul 26 08:33:15 2010
From: BrianW at Snowflake.k12.az.us (Brian Weir)
Date: Mon, 26 Jul 2010 08:33:15 -0700
Subject: [xmlsec] dependencies
Message-ID: <9C7C7DA89FD71844BD2D4504B5B809CF02D2493D@MailServer.SUSD5.SNOWFLAKE.K12.AZ.US>

On the website it shows a map with blue and gray arrows and says to follow the arrows. I have downloaded all of the dependent binaries but am not sure I am placing them in right. Do I copy all the "bin" folder contents and put them in the "bin" folder of the xmlsec or what? I guess what I am saying is that I don't know how to make the dependencies work together.

"To satisfy the dependencies, look up the desired package and get that and everything else below, following the arrows. The blue arrows show the mandatory dependencies, you'll never get through without these. The gray arrows represent the dependencies which can be removed through recompiling. For the binary packages to work, you must follow all arrows."

Brian Weir
Education Technologist/Spanish Teacher
Snowflake Unified School District
928-536-4156 ext. 7555
brianw at snowflake.k12.az.us

From aleksey at aleksey.com Mon Jul 26 08:52:53 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 26 Jul 2010 08:52:53 -0700
Subject: [xmlsec] dependencies
In-Reply-To: <9C7C7DA89FD71844BD2D4504B5B809CF02D2493D@MailServer.SUSD5.SNOWFLAKE.K12.AZ.US>
References: <9C7C7DA89FD71844BD2D4504B5B809CF02D2493D@MailServer.SUSD5.SNOWFLAKE.K12.AZ.US>
Message-ID: <4C4DAF55.605@aleksey.com>

Hm... Where do you see a map with arrows?

Aleksey

On 7/26/2010 8:33 AM, Brian Weir wrote:
> On the website it show a map with blue and gray arrows and says to
> follow the arrows. I have downloaded all of the dependent binaries but
> am not sure I am placing them in right. Do I copy all the "bin" folder
> contents and put them in the "bin" folder of the xmlsec or what? I guess
> what I am saying is that I don't know how to make the dependencies work
> together.
> "To satisfy the dependencies, look up the desired package and get that
> and everything else below, following the arrows. The blue arrows show
> the mandatory dependencies, you'll never get through without these. The
> gray arrows represent the dependencies which can be removed through
> recompiling. For the binary packages to work, you must follow all arrows. "
>
> Brian Weir
> Education Technologist/Spanish Teacher
> Snowflake Unified School District
> 928-536-4156 ext.
> 7555
> brianw at snowflake.k12.az.us

From aleksey at aleksey.com Mon Jul 26 14:21:34 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 26 Jul 2010 14:21:34 -0700
Subject: [xmlsec] dependencies
In-Reply-To: <9C7C7DA89FD71844BD2D4504B5B809CF02D24940@MailServer.SUSD5.SNOWFLAKE.K12.AZ.US>
References: <9C7C7DA89FD71844BD2D4504B5B809CF02D24940@MailServer.SUSD5.SNOWFLAKE.K12.AZ.US>
Message-ID: <4C4DFC5E.7040606@aleksey.com>

Ah, you are talking Windows :) Yes, you want to put all dlls and all exe files into one folder.

Aleksey

On 7/26/2010 2:17 PM, Brian Weir wrote:
> The diagram on the following website under "Get the binaries" section.
>
> http://www.zlatkovic.com/libxml.en.html
>
> Brian Weir
> Education Technologist
> Snowflake Unified School District
> 928-536-4156 ext. 7790
> brianw at snowflake.k12.az.us
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Monday, July 26, 2010 8:53 AM
> To: Brian Weir
> Cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] dependencies
>
> Hm... Where do you see a map with arrows?
>
> Aleksey
>
> On 7/26/2010 8:33 AM, Brian Weir wrote:
>> On the website it show a map with blue and gray arrows and says to
>> follow the arrows. [SNIP]

From jonatas_fischer at developer.inf.br Tue Jul 27 07:26:30 2010
From: jonatas_fischer at developer.inf.br (Jonatas Fischer)
Date: Tue, 27 Jul 2010 11:26:30 -0300
Subject: [xmlsec] Validating XML with Key
Message-ID: <000f01cb2d97$c20dd870$46298950$@inf.br>

I'm trying to validate a digital signature with the certificate located at the KeyInfo node. I have tried a lot of different ways to do it, but I have had no success.
I used the code of lasso project (http:// lasso.entrouvert.org) And of a mail (http://www.mail-archive.com/xmlsec at aleksey.com/msg03925.html) This is my code (pascal code): function verify_file(const xml_file : string) : integer; var doc : xmlDocPtr; Signature, NFe, KeyInfo : xmlNodePtr; dsigCtx : xmlSecDSigCtxPtr; sl : TStringList; sText : Ansistring; rc : integer; cert_data, cert_key : xmlSecKeyDataPtr; cert : Pointer; key : xmlSecKeyPtr; ffile : TextFile; begin //inicializa??o das vari?veis doc := nil; Signature := nil; dsigCtx := nil; sl := TStringList.Create; //inicializa leitura do arquivo sl.LoadFromFile(xml_file); sText :=sl.Text; doc := xmlParseDoc(PAnsiChar(UTF8Encode(sText))); if (doc = nil) or (xmlDocGetRootElement(doc) = nil) then raise Exception.Create('erro ao ler xml'); NFe := xmlSecFindNode(xmlDocGetRootElement(doc),'NFe','http://www.portalfiscal.inf. br/nfe'); Signature := xmlSecFindNode(NFe,xmlSecNodeSignature, xmlSecDSigNs); KeyInfo := xmlSecFindNode(Signature, xmlSecNodeKeyInfo, xmlSecDSigNs); if NFe = nil then raise Exception.Create('Error: start node not found in ' + xml_file); dsigCtx := xmlSecDSigCtxCreate(nil); try if (dsigCtx = nil) then raise Exception.Create('Failed to create Signature Context'); Key := xmlSecKeyCreate(); //if I don?t use this, will not work dsigCtx.keyInfoReadCtx.flags := XMLSEC_KEYINFO_FLAGS_DONT_STOP_ON_KEY_FOUND or XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS; dsigCtx.keyInfoReadCtx.mode := xmlSecKeyInfoModeRead; dsigCtx.keyInfoReadCtx.keyReq.keyId := xmlSecOpenSSLKeyDataX509GetKlass; dsigCtx.keyInfoReadCtx.keyReq.keyType := xmlSecKeyDataTypePublic; dsigCtx.keyInfoReadCtx.keyReq.keyUsage := xmlSecKeyDataUsageAny; //if (xmlSecKeyInfoNodeRead(KeyInfo, dsigCtx.signKey, @dsigCtx.keyInfoReadCtx) < 0) then if (xmlSecKeyInfoNodeRead(KeyInfo, key, @dsigCtx.keyInfoReadCtx) < 0) then begin xmlSecKeyDestroy(dsigCtx.signKey); xmlSecDSigCtxDestroy(dsigCtx); raise Exception.Create('Could not read KeyInfo'); end; cert_data := 
xmlSecKeyGetData(Key, xmlSecOpenSSLKeyDataX509GetKlass);
    if (cert_data <> nil) then
    begin
      // take the public key out of the first certificate found in <X509Data>
      cert := xmlSecOpenSSLKeyDataX509GetCert(cert_data, 0);
      if (cert <> nil) then
      begin
        cert_key := xmlSecOpenSSLX509CertGetKey(cert);
        rc := xmlSecKeySetValue(Key, cert_key);   // Key takes ownership of cert_key
        if (rc < 0) then
          ShowMessage('xmlSecKeySetValue failed');
      end;
    end;
    dsigCtx.signKey := Key;                        // dsigCtx now owns Key
    //dsigCtx.keyInfoReadCtx.enabledKeyData.
    if (xmlSecDSigCtxVerify(dsigCtx, Signature) < 0) then
    begin
      // a nil output trips the 'output != NULL' assertion seen in the trace below;
      // pass a real FILE* (or drop the dump) when reproducing
      xmlSecDSigCtxDebugDump(dsigCtx, nil);
      dsigCtx.signKey := nil;
      xmlSecKeyDestroy(Key);
      xmlSecDSigCtxDestroy(dsigCtx);
      raise Exception.Create('Failed to verify signature');
    end;
    // xmlSecDSigCtxVerify returns 0 for an invalid signature too; the verdict is in status
    if (dsigCtx.status <> xmlSecDSigStatusSucceeded) then
    begin
      xmlSecDSigCtxDestroy(dsigCtx);               // also destroys dsigCtx.signKey
      raise Exception.Create('Signature is invalid');
    end;
    xmlSecDSigCtxDestroy(dsigCtx);                 // also destroys dsigCtx.signKey
    Result := 0;
  finally
    if (doc <> nil) then
      xmlFreeDoc(doc);
  end;
end;

This is the debug info:

func=xmlSecXPathDataExecute:file=..\src\xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('NFe42100709500360000127550020000000560000000593'))
func=xmlSecXPathDataListExecute:file=..\src\xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=..\src\xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=..\src\transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxDebugDump:file=..\src\xmldsig.c:line=1068:obj=unknown:subj=output != NULL:error=100:assertion:

And this is the XML:

<infNFe Id="NFe42100710295305000121550010000000040000000144">42000000014RETORNO DE INDUSTRIZALIZACAO055142010-07-122010-07-12142091022141101.010295305000121TECHCONTROL COM. DE DISP. DE CONTROLE LTDATECHCONTROL INDUSTRIALRUA ANITA GARIBALDI1190ANITA GARIBALDI4209102JOINVILLESC892033001058BRASIL473433770925567923894475466999950935576000119PLASCAR IND. COMPONENTES PLASTICOS LTDAAVENIDA WILHELM WINTER300DISTRITO INDUSTRIAL3525904JUNDIAISP132130001058BRASIL0800729800407081560119 nItem="1">99DISP. CONT. CUBING FAROL FOX GP (1)846630006902PC1.000025000.000025000.00PC</uTrib>1.000025000.000009030.000.000.0000.000.000.009999925000.000.000.0007070.000.000.000.0025000.000.000.000.000.000.000.000.000.00<vNF>25000.00001824869000113JOINVILENSE CARGAS EXPRESS LTDA254494684ROD BR 101 - KM 43 43 GALP 4/5 NOVA BRASILIA 89213125JOINVILLESC1</qVol>DOCUMENTO EMITIDO POR ME OU EPP OPTANTE PELO SIMPLES NACIONAL LC 123/2006.|RETORNO TOTAL DE SUA NF 127519|
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#NFe42100709500360000127550020000000560000000593">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>N+66WC/Fl+crTqXw0kSD846MIH4=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>
HHim9Z0p881/LPRrGgKmqjREdG8WTSlyY7lVZs9SyEIJcMo8OZ5/MMwd9TkQPNe8ZUEh+i22
/Du2wfjH0fgaB5/sM8Wi2YTT1BqKbQ1YJIQw+r5YQFpsTzzIvH5sKEkhQpwYdCt6gkJPdJPH
7nP+NVcKfHcdHH6eqSmJu2p1JMM=
  </SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>
MIIGMjCCBRqgAwIBAgIIaVC6ceRbadswDQYJKoZIhvcNAQEFBQAwTDELMAkGA1UEBhMCQlIx
EzARBgNVBAoTCklDUC1CcmFzaWwxKDAmBgNVBAMTH1NFUkFTQSBDZXJ0aWZpY2Fkb3JhIERp
Z2l0YWwgdjEwHhcNMTAwNTI0MTcyMjAwWhcNMTMwNTIzMTcyMjAwWjCB7TELMAkGA1UEBhMC
QlIxEzARBgNVBAoTCklDUC1CcmFzaWwxFDASBgNVBAsTCyhFTSBCUkFOQ08pMRgwFgYDVQQL
Ew8wMDAwMDEwMDEwNzQxNjgxFDASBgNVBAsTCyhFTSBCUkFOQ08pMRQwEgYDVQQLEwsoRU0g
QlJBTkNPKTEUMBIGA1UECxMLKEVNIEJSQU5DTykxFDASBgNVBAsTCyhFTSBCUkFOQ08pMRQw
EgYDVQQLEwsoRU0gQlJBTkNPKTErMCkGA1UEAxMiSUNQIElORFVTVFJJQSBERSBQTEFTVElD
T1MgTFREQSBNRTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz43Y4jSPQK3wiobHFSjn
1cMkh2PLsSk9VRjCjJPG7oELq+Oyu44eW4Ee+lTKq3E0KoAMBrNodPChAXATIAOhRLMqFUcA
GNJvzYa5AY3IqZNvsyoxL5olZe5OknL5Pw0Y+qUJ7bN3V7EWi8SX6V8kKqESDOf1VgQpgteE
+IlAF50CAwEAAaOCAvgwggL0MA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
AgYIKwYBBQUHAwQwHwYDVR0jBBgwFoAUt2CoW/mypq4A7XTr1UrJlmhm9VwwgbsGA1UdEQSB
szCBsIEaU1RBTlBMQVNUQFNUQU5QTEFTVC5DT00uQlKgPQYFYEwBAwSgNBMyMTIwNTE5ODkw
Njk2ODQyMDkyOTAwMDAwMDAwMDAwMDAwMDAwMDA0MjI5NDQ5U1NQU0OgHwYFYEwBAwKgFhMU
VElBR08gRklSTU8gRlJBQ0NBUk+gGQYFYEwBAwOgEBMOMDk1MDAzNjAwMDAxMjegFwYFYEwB
AwegDhMMMDAwMDAwMDAwMDAwMFcGA1UdIARQME4wTAYGYEwBAgMDMEIwQAYIKwYBBQUHAgEW
NGh0dHA6Ly93d3cuY2VydGlmaWNhZG9kaWdpdGFsLmNvbS5ici9yZXBvc2l0b3Jpby9kcGMw
gfAGA1UdHwSB6DCB5TBJoEegRYZDaHR0cDovL3d3dy5jZXJ0aWZpY2Fkb2RpZ2l0YWwuY29t
LmJyL3JlcG9zaXRvcmlvL2xjci9zZXJhc2FjZHYxLmNybDBDoEGgP4Y9aHR0cDovL2xjci5j
ZXJ0aWZpY2Fkb3MuY29tLmJyL3JlcG9zaXRvcmlvL2xjci9zZXJhc2FjZHYxLmNybDBToFGg
T4ZNaHR0cDovL3JlcG9zaXRvcmlvLmljcGJyYXNpbC5nb3YuYnIvbGNyL1NlcmFzYS9yZXBv
c2l0b3Jpby9sY3Ivc2VyYXNhY2R2MS5jcmwwgZcGCCsGAQUFBwEBBIGKMIGHMDwGCCsGAQUF
BzABhjBodHRwOi8vb2NzcC5jZXJ0aWZpY2Fkb2RpZ2l0YWwuY29tLmJyL3NlcmFzYWNkdjEw
RwYIKwYBBQUHMAKGO2h0dHA6Ly93d3cuY2VydGlmaWNhZG9kaWdpdGFsLmNvbS5ici9jYWRl
aWFzL3NlcmFzYWNkdjEucDdiMA0GCSqGSIb3DQEBBQUAA4IBAQAdZZc3HomaTE5zOc+4+G2V
OP7YZJ9PmavlCR+D9WppuQ0DEWAM/FPgAOIDH+koDHdQrMaXa+9M96zS2fFcxBv/wiOUkyBv
daRINCWjjveziNy5C1BSLeQg1QoBsHmrq6MJj6g67Yhm7sWwXIQADPDOEvF7ErnIfC1xZn/7
Ngku6sBNp5zssrzz/q39OdsskucUce0+xrVGt+R1X1UZFCcNQLh7aUCkcni2SZT+nrNjagu2
S6pPRznescQPuZVJHjGmqIaQIi04nin4yOFzKHujJxWwIlrKmFG7l2NXwkz4u/aYnKsCXm4o
c9/8EJyXFmPmUr4QvEjQ409RuO33oQkW
      </X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>
<protNFe Id="ID342100031729699">1SVRS20100615093536421007095003600001275500200000005600000005932010-07-09T15:40:54342100031729699N+66WC/Fl+crTqXw0kSD846MIH4=100Autorizado o uso da NF-e

When I try to validate the same XML at http://www.aleksey.com/xmlsec/xmldsig-verifier.html I get the error:

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('NFe42100709500360000127550020000000560000000593'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature verification failed

Can somebody help me?

Jonatas Fischer
Sys Developer Software
(55) 47 3423-2710

-------------- next part --------------
An HTML attachment was scrubbed...
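The trace above fails at xmlXPtrEval on xpointer(id('...')): libxml2 only resolves id() against attributes it knows to be of type ID, which the NFe document (no DTD, no schema) never declares, so xmlsec has to be told that Id is an ID attribute (xmlsec's xmlSecAddIDs() helper from xmlsec/xmltree.h, or the --id-attr option of the xmlsec1 tool) before the Reference can be dereferenced at all. The example below is added here and is not code from the thread or from xmlsec; it does not call xmlsec, it shows the binding check the application still has to make once the reference does resolve: the Id must belong to exactly one element, and that element must be the one the application acts on, otherwise a document that keeps the originally signed element somewhere else and puts a forged one in its place (signature wrapping) passes the cryptographic check. Assumed: the attribute name Id, the NFe namespace, and the constructed sample document. Separately, the posted verifier sets XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS and takes the signing key out of the embedded certificate, so any certificate the sender chose produces a signature that verifies; the binding check below does not replace validating that certificate against a trusted CA.

```python
# Added example for this thread, not xmlsec's or the poster's code. Assumptions:
# the Id attribute name, the NFe namespace and the constructed sample document.
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NFE_NS = "http://www.portalfiscal.inf.br/nfe"
ID_ATTR = "Id"  # assumption: NFe marks its signed element with Id="NFe<44 digits>"

# Constructed sample in the NFe layout seen in the thread. Digest and signature
# values are placeholders: only the reference binding is exercised here.
SAMPLE = f"""<NFe xmlns="{NFE_NS}">
  <infNFe Id="NFe42100710295305000121550010000000040000000144" versao="2.00">
    <ide><cUF>42</cUF><natOp>RETORNO DE INDUSTRIALIZACAO</natOp></ide>
  </infNFe>
  <Signature xmlns="{DSIG_NS}">
    <SignedInfo>
      <Reference URI="#NFe42100710295305000121550010000000040000000144">
        <DigestValue>placeholder</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>placeholder</SignatureValue>
  </Signature>
</NFe>"""


class DSigReferenceError(ValueError):
    """A Reference URI that does not bind to exactly one element."""


def load(xml_text):
    return ET.fromstring(xml_text)


def business_element(root):
    """The element the application would act on: the first direct infNFe child."""
    return root.find(f"{{{NFE_NS}}}infNFe")


def index_ids(root, id_attr=ID_ATTR):
    """Map each Id value to every element carrying it. libxml2 only treats an
    attribute as an ID when a DTD/schema or xmlSecAddIDs() says so; without
    that, xpointer(id(...)) finds nothing, which is the error in the thread."""
    table = {}
    for el in root.iter():
        value = el.get(id_attr)
        if value is not None:
            table.setdefault(value, []).append(el)
    return table


def id_from_uri(uri):
    """Accept '#x' and '#xpointer(id('x'))'; reject anything else."""
    if not uri or not uri.startswith("#"):
        raise DSigReferenceError(f"only same-document references are handled: {uri!r}")
    target = uri[1:]
    prefix, suffix = "xpointer(id('", "'))"
    if target.startswith(prefix) and target.endswith(suffix):
        target = target[len(prefix):-len(suffix)]
    if not target:
        raise DSigReferenceError("empty fragment identifier")
    return target


def resolve_reference(root, uri, id_attr=ID_ATTR):
    """Return the single element the URI designates; fail closed otherwise."""
    target = id_from_uri(uri)
    matches = index_ids(root, id_attr).get(target, [])
    if not matches:
        raise DSigReferenceError(f"no element carries {id_attr}={target!r}")
    if len(matches) > 1:
        raise DSigReferenceError(f"{len(matches)} elements carry {id_attr}={target!r}")
    return matches[0]


def reference_uris(root):
    return [ref.get("URI") for ref in root.iter(f"{{{DSIG_NS}}}Reference")]


def signature_covers(root, element, id_attr=ID_ATTR):
    """True only if a Reference binds, by object identity, to `element`: then
    the bytes the signer hashed are the bytes the application is about to use."""
    return any(resolve_reference(root, uri, id_attr) is element
               for uri in reference_uris(root))


def wrapped_copy(xml_text):
    """Constructed signature-wrapping input: the signed infNFe is moved under a
    Wrapper and a forged infNFe with a fresh Id takes its place. The digest and
    signature still verify over the moved original; only the binding check fails."""
    root = load(xml_text)
    original = business_element(root)
    root.remove(original)
    forged = ET.Element(f"{{{NFE_NS}}}infNFe", {ID_ATTR: "NFe" + "0" * 44})
    ET.SubElement(forged, f"{{{NFE_NS}}}ide").text = "attacker-chosen content"
    root.insert(0, forged)
    ET.SubElement(root, "Wrapper").append(original)
    return root


def duplicated_id_copy(xml_text):
    """Constructed input in which two elements share the signed Id."""
    root = load(xml_text)
    ET.SubElement(root, f"{{{NFE_NS}}}infNFe",
                  {ID_ATTR: business_element(root).get(ID_ATTR)})
    return root
```

The identity comparison in signature_covers is the point: after xmlsec (or any verifier) reports a valid signature, the application must look up the element it is about to process and confirm that it is the very node the Reference resolved to, not just a node with the same name. Resolving by Id a second time inside the application, as done here, also catches the duplicated-Id case, which xmlsec cannot flag when Id is never registered as an ID in the first place.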
URL:

From aleksey at aleksey.com Tue Jul 27 07:55:02 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 27 Jul 2010 07:55:02 -0700
Subject: [xmlsec] Validating XML with Key
In-Reply-To: <000f01cb2d97$c20dd870$46298950$@inf.br>
References: <000f01cb2d97$c20dd870$46298950$@inf.br>
Message-ID: <4C4EF346.7020908@aleksey.com>

Please read section 3.2 from the FAQ http://www.aleksey.com/xmlsec/faq.html

Aleksey

On 7/27/2010 7:26 AM, Jonatas Fischer wrote:
> I'm trying to validate a digital signature with the certificate located at
> the KeyInfo node.
>
> I had tried a lot of different ways to do it, but I have no success.

_______________________________________________
xmlsec mailing list
xmlsec at aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec

From jonatas_fischer at developer.inf.br Tue Jul 27 13:59:48 2010
From: jonatas_fischer at developer.inf.br (Jonatas Fischer)
Date: Tue, 27 Jul 2010 17:59:48 -0300
Subject: [xmlsec] RES: Validating XML with Key
In-Reply-To: <4C4EF346.7020908@aleksey.com>
References: <000f01cb2d97$c20dd870$46298950$@inf.br> <4C4EF346.7020908@aleksey.com>
Message-ID: <000c01cb2dce$b3fa0150$1bee03f0$@inf.br>

Thanks, it works.

Jonatas Fischer

-----Original message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: Tuesday, 27 July 2010 11:55
To: Jonatas Fischer
Cc: xmlsec at aleksey.com
Subject: Re: [xmlsec] Validating XML with Key

Please read section 3.2 from the FAQ http://www.aleksey.com/xmlsec/faq.html

Aleksey

On 7/27/2010 7:26 AM, Jonatas Fischer wrote:
> I'm trying to validate a digital signature with the certificate located at
> the KeyInfo node.
>
> I had tried a lot of different ways to do it, but I have no success.
_______________________________________________
xmlsec mailing list
xmlsec at aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec

From Douglas_Roberts at Dell.com Fri Aug 6 11:01:57 2010
From: Douglas_Roberts at Dell.com (Douglas_Roberts at Dell.com)
Date: Fri, 6 Aug 2010 13:01:57 -0500
Subject: [xmlsec] libltdl is required for dynamic loading...
Message-ID: <938BEB3BE9E7B845918799DB0F3BFC589B1071D9AB@AUSX7MCPC101.AMER.DELL.COM>

Hi all,

I am porting xmlsec to a new embedded device using a new toolchain. I ran into a problem while configuring xmlsec which I can't resolve.

I am using
libtool-2.2.8
xml2-2.7.7
xslt-1.1.26
xmlsec1-1.2.16

./configure --host=${TARGET} --build=i686 --with-libxml-src=../../xml2/libxml2-2.7.7 --with-libxslt-src=../../xslt/libxslt-1.1.26 --with-default-crypto=openssl --without-gcrypt --without-gnutls --without-nss --prefix=${TARGET_PREFIX}
...
...
...
[partial output]
checking for default crypto library... yes ('openssl')
checking for MD5 support... yes
checking for RIPEMD-160 support... yes
checking for SHA1 support... yes
checking for SHA224 support... yes
checking for SHA256 support... yes
checking for SHA384 support... yes
checking for SHA512 support... yes
checking for HMAC support... yes
checking for DSA support... yes
checking for RSA support... yes
checking for x509 support... yes
checking for DES support... yes
checking for AES support... yes
checking for GOST support... no
checking for XMLDSig support... yes
checking for XMLEnc support... yes
checking for XMKMS support - under development... no
checking for xmlsec-crypto dynamic loading support... checking ltdl.h usability... yes
checking ltdl.h presence... yes
checking for ltdl.h... yes
checking for lt_dlopenext in -lltdl... no
configure: error: libltdl is required for xmlsec-crypto dynamic loading
make[1]: *** [build] Error 1
make[1]: Leaving directory `/home/droberts/src/apps/xmlsec'

I can't tell if the function lt_dlopenext is missing from the 'ltdl' library or if the library is not being found. The libtool library was installed and appears to be in the proper location. I did a search in hex mode on the library and there are references to dlopenext, so it appears to have been compiled into the library. Am I missing some environment variables?

Any help or suggestions would be greatly appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From aleksey at aleksey.com Fri Aug 6 14:09:07 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Fri, 06 Aug 2010 14:09:07 -0700
Subject: [xmlsec] libltdl is required for dynamic loading...
In-Reply-To: <938BEB3BE9E7B845918799DB0F3BFC589B1071D9AB@AUSX7MCPC101.AMER.DELL.COM>
References: <938BEB3BE9E7B845918799DB0F3BFC589B1071D9AB@AUSX7MCPC101.AMER.DELL.COM>
Message-ID: <4C5C79F3.8050306@aleksey.com>

1) Take a look at the detailed log. It should have the exact error details.

2) It might happen that your embedded device doesn't support shared libraries at all. You can always compile xmlsec w/o dynamic loading.

Aleksey

On 8/6/2010 11:01 AM, Douglas_Roberts at Dell.com wrote:
> Hi all,
>
> I am porting xmlsec to a new embedded device using a new toolchain. I
> ran into a problem while configuring xmlsec which I can't resolve.

_______________________________________________
xmlsec mailing list
xmlsec at aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec

From duhcrab at yahoo.com Fri Aug 13 11:05:14 2010
From: duhcrab at yahoo.com (Duh Crab)
Date: Fri, 13 Aug 2010 11:05:14 -0700 (PDT)
Subject: [xmlsec] Sign XML using EVP_PKEY and X509 cert in memory
Message-ID: <56618.92489.qm@web50805.mail.re2.yahoo.com>

I am trying to sign XML using the pkey and X509 cert in a pkcs12 file.

I extracted the pkey and cert from the pkcs12 file using the following:

    EVP_PKEY *pkey = NULL;
    X509 *cert = NULL;
    STACK_OF(X509) *ca = NULL;          /* CA chain bundled in the PKCS#12, if any */
    PKCS12 *p12 = d2i_PKCS12_fp(fp, NULL);

    if (p12 == NULL || PKCS12_parse(p12, passphrase, &pkey, &cert, &ca) != 1) {
        /* malformed container or wrong passphrase */
    }
    PKCS12_free(p12);

I now want to use the pkey and cert from above to sign XML using xmlsec. How do I use these with the following APIs?

xmlSecCryptoAppKeyLoadMemory()
xmlSecOpenSSLAppKeyCertLoadMemory()

If I save the pkey and cert above to the filesystem and then call xmlSecCryptoAppKeyLoad() and xmlSecCryptoAppKeyCertLoad() (along with other xmlsec APIs), everything works well and I am able to sign the XML.
However, there are cases where I do not have access to the filesystem and need to use pkey and cert from memory. Thanks, Sri From aleksey at aleksey.com Fri Aug 13 11:13:22 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Fri, 13 Aug 2010 11:13:22 -0700 Subject: [xmlsec] Sign XML using EVP_PKEY and X509 cert in memory In-Reply-To: <56618.92489.qm@web50805.mail.re2.yahoo.com> References: <56618.92489.qm@web50805.mail.re2.yahoo.com> Message-ID: <4C658B42.9020600@aleksey.com> You can load PKCS12 key+cert directly from xmlsec, take a look at xmlSecCryptoAppPkcs12Load() and xmlSecCryptoAppPkcs12LoadMemory() functions. Or xmlsec-openssl specific call xmlSecOpenSSLAppPkcs12LoadBIO(). Otherwise, if you want to parse PKCS12 container yourself, take a look at xmlsec-openssl specific functions in xmlsec/openssl/evp.h and xmlsec/openssl/x509.h. Something like xmlSecOpenSSLEvpKeyAdopt(), xmlSecOpenSSLKeyDataX509AdoptKeyCert(), and xmlSecOpenSSLKeyDataX509AdoptCert(). For details on how to use these functions, best of all study the source code for the xmlSecOpenSSLAppPkcs12LoadBIO() function. It makes all the right calls in the right order :) Aleksey On 8/13/2010 11:05 AM, Duh Crab wrote: > > > > > I am trying to sign XML using the pkey and X509 cert in a pkcs12 file. > > > I extracted the pkey and cert from the pkcs12 file using the following - > > EVP_PKEY *pkey; > > X509 *cert; > > PKCS12 *p12; > > > > p12 = d2i_PKCS12_fp(fp, NULL); > > PKCS12_parse(p12, passphrase,&pkey,&cert,&ca); > > > > I now want to use the pkey and cert from above to sign xml using xmlsec. > > How do I use these with the following api's? > > xmlSecCryptoAppKeyLoadMemory() > > xmlSecOpenSSLAppKeyCertLoadMemory() > > > > If I save the pkey and cert above to the filesystem and then call - > > xmlSecCryptoAppKeyLoad() and xmlSecCryptoAppKeyCertLoad() (along with other xmlsec api's), everything works well and I > > am able to sign the XML. 
> However, there are cases where I do not have access to the filesystem and need to use pkey and cert from memory.
>
> Thanks,
> Sri
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

From luiz at xharbour.com.br  Tue Aug 17 07:30:18 2010
From: luiz at xharbour.com.br (luiz at xharbour.com.br)
Date: Tue, 17 Aug 2010 11:30:18 -0300
Subject: [xmlsec] singning an template
Message-ID:

Hi

I have the following xml

6291 55299440002399 REDE RECAPEX PNEUS LTDA 2010-08-11 2010-08-11 1 203.75 0.00 1 WS 85dc70f0c28fd2d6ed45167f3f07fd27d96bf46 00001166506 REDE RECAPEX PNEUS LTDA RPS NF 000008 2010-08-11T00:00:00 N 0 0 1900-01-01 99 00000000000 68233436000245 ARIVALDO APARECIDO MORAES E CIA LTDA R JOSE ZEFERINO FERREIRA 536 PQ BANDEIRANTES 6291 CAMPINAS (SP) 13181713 331399900 5.0000 A 6291 CAMPINAS (SP) A T 0.00 0.00 0.00 0.00 0.00 0.0000 0.0000 0.0000 0.0000 0.0000 19 32315200 19 38640414 ALINHAMENTO (CONV) EIXO TRAS AUTO/CAMION 1.0000 48.7500 48.75 CAMBAGEM(COMPLETA)DIANT.DIREITA AUTO/CAM 1.0000 80.0000 80.00 CAMBAGEM(COMPLETA)DIANT.ESQUER.AUTO/CAM 1.0000 75.0000 75.00 //Lote //RPS /

I need to sign only the LOTE tag (with all its content), so I set the
following C function (based on the sign1.c sample, adapted to the
xHarbour compiler)

    #include <stdlib.h>
    #include <string.h>
    #include <assert.h>

    #include <libxml/tree.h>
    #include <libxml/xmlmemory.h>
    #include <libxml/parser.h>

    #ifndef XMLSEC_NO_XSLT
    #include <libxslt/xslt.h>
    #include <libxslt/extensions.h>
    #endif /* XMLSEC_NO_XSLT */

    #include <xmlsec/xmlsec.h>
    #include <xmlsec/xmltree.h>
    #include <xmlsec/xmldsig.h>
    #include <xmlsec/crypto.h>

    #include "hbapi.h"   /* xHarbour API: hb_parc(), hb_retnl(), TraceLog() */

    /* Signs the <dsig:Signature> template found in tmpl_file with the
     * PKCS#12 key in key_file and writes the signed document to outfile.
     * Returns 0 on success, -1 on error (details go to err.log). */
    int sign_fileex(const char* tmpl_file, const char* key_file,
                    const char* outfile, const char* pass)
    {
        xmlDocPtr doc = NULL;
        xmlNodePtr node = NULL;
        xmlSecDSigCtxPtr dsigCtx = NULL;
        int res = -1;

        assert(tmpl_file);
        assert(key_file);

        /* load template */
        doc = xmlParseFile(tmpl_file);
        if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)) {
            TraceLog("err.log", "Error: unable to parse file \"%s\"\n", tmpl_file);
            goto done;
        }

        /* find start node */
        node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
        if(node == NULL) {
            TraceLog("err.log", "Error: start node not found in \"%s\"\n", tmpl_file);
            goto done;
        }

        /* create signature context, we don't need keys manager in this example */
        dsigCtx = xmlSecDSigCtxCreate(NULL);
        if(dsigCtx == NULL) {
            TraceLog("err.log", "Error: failed to create signature context\n");
            goto done;
        }

        /* load private key from the PKCS#12 file with the password passed in by the caller */
        dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPkcs12, pass, NULL, NULL);
        if(dsigCtx->signKey == NULL) {
            TraceLog("err.log", "Error: failed to load private key from \"%s\"\n", key_file);
            goto done;
        }

        /* set key name to the file name, this is just an example!
         * (xmlSecKeySetName() takes an xmlChar*, hence the BAD_CAST) */
        if(xmlSecKeySetName(dsigCtx->signKey, BAD_CAST key_file) < 0) {
            TraceLog("err.log", "Error: failed to set key name for key from \"%s\"\n", key_file);
            goto done;
        }

        /* sign the template */
        if(xmlSecDSigCtxSign(dsigCtx, node) < 0) {
            TraceLog("err.log", "Error: signature failed\n");
            goto done;
        }

        /* write the signed document to outfile instead of dumping it to stdout */
        /* xmlDocDump(stdout, doc); */
        xmlSaveFile(outfile, doc);

        /* success */
        res = 0;

    done:
        /* cleanup */
        if(dsigCtx != NULL) {
            xmlSecDSigCtxDestroy(dsigCtx);
        }
        if(doc != NULL) {
            xmlFreeDoc(doc);
        }
        return(res);
    }

    /* xHarbour entry point: SIGNXMLEX( cXmlFile, cKeyFile, cOutFile, cPassword ) -> 0 or -1 */
    HB_FUNC( SIGNXMLEX )
    {
        const char* xml_file = hb_parc(1);
        const char* key_file = hb_parc(2);
        const char* outfile  = hb_parc(3);
        const char* pass     = hb_parc(4);
        /* const char* datafile = hb_parc(5); */

        /* Init libxml and libxslt libraries */
        xmlInitParser();
        LIBXML_TEST_VERSION
        xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
        xmlSubstituteEntitiesDefault(1);
    #ifndef XMLSEC_NO_XSLT
        xmlIndentTreeOutput = 1;
    #endif /* XMLSEC_NO_XSLT */

        /* Init xmlsec library */
        if(xmlSecInit() < 0) {
            TraceLog("err.log", "Error: xmlsec initialization failed.\n");
            hb_retnl( -1 );
            return;
        }

        /* Check loaded library version */
        if(xmlSecCheckVersion() != 1) {
            TraceLog("err.log", "Error: loaded xmlsec library version is not compatible.\n");
            hb_retnl( -1 );
            return;
        }

        /* Load default crypto engine if we are supporting dynamic
         * loading for xmlsec-crypto libraries. Use the crypto library
         * name ("openssl", "nss", etc.) to load corresponding
         * xmlsec-crypto library.
         */
    #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
        if(xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0) {
            hb_retnl( -1 );
            return;
        }
    #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */

        /* Init crypto library */
        if(xmlSecCryptoAppInit(NULL) < 0) {
            TraceLog("err.log", "Error: crypto initialization failed.\n");
            hb_retnl( -1 );
            return;
        }

        /* Init xmlsec-crypto library */
        if(xmlSecCryptoInit() < 0) {
            TraceLog("err.log", "Error: xmlsec-crypto initialization failed.\n");
            hb_retnl( -1 );
            return;
        }

        if(sign_fileex( xml_file, key_file, outfile, pass ) < 0) {
            hb_retnl( -1 );
            return;
        }

        /* Shutdown xmlsec-crypto library */
        xmlSecCryptoShutdown();

        /* Shutdown crypto library */
        xmlSecCryptoAppShutdown();

        /* Shutdown xmlsec library */
        xmlSecShutdown();

        /* Shutdown libxslt/libxml */
    #ifndef XMLSEC_NO_XSLT
        xsltCleanupGlobals();
    #endif /* XMLSEC_NO_XSLT */
        xmlCleanupParser();

        hb_retnl( 0 );
        return;
    }

but when I run this code, I get the following errors

func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=
func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:name=CanonicalizationMethod
func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=689:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed:node=CanonicalizationMethod
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:

What is the error with the template?

Regards
Luiz

From aleksey at aleksey.com  Tue Aug 17 07:43:27 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 17 Aug 2010 07:43:27 -0700
Subject: [xmlsec] singning an template
In-Reply-To:
References:
Message-ID: <4C6AA00F.7060700@aleksey.com>

This is the problem, I believe the error is pretty clear about this

func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=
func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:name=CanonicalizationMethod

Aleksey

From luiz at xharbour.com.br  Tue Aug 17 07:53:57 2010
From: luiz at xharbour.com.br (luiz at xharbour.com.br)
Date: Tue, 17 Aug 2010 11:53:57 -0300
Subject: [xmlsec] singning an template
In-Reply-To: <4C6AA00F.7060700@aleksey.com>
References: <4C6AA00F.7060700@aleksey.com>
Message-ID:

Hi Alex

Thanks for the fast response

I filled these two tags with values, as well as the dsig:DigestMethod
Algorithm tag, and the error now is

func=xmlSecTransformXPath2NodeRead:file=..\src\xpath.c:line=758:obj=xpath2:subj=Transform:error=27:unexpected node:
func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1571:obj=unknown:subj=id->readNode:error=1:xmlsec library function failed:transform=xpath2
func=xmlSecTransformCtxNodesListRead:file=..\src\transforms.c:line=733:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:node=Transform
func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1454:obj=unknown:subj=xmlSecTransformCtxNodesListRead:error=1:xmlsec library function failed:node=Transforms
func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:

how
should be the transform section

//Lote
//RPS

or do I need to add all tags inside as a union?

Regards
Luiz

> This is the problem, I believe the error is pretty clear about this
>
> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec
> library function failed:href=
> func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec
> library function failed:name=CanonicalizationMethod
>
> Aleksey

From aleksey at aleksey.com  Tue Aug 17 08:01:12 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 17 Aug 2010 08:01:12 -0700
Subject: [xmlsec] singning an template
In-Reply-To:
References: <4C6AA00F.7060700@aleksey.com>
Message-ID: <4C6AA438.8010800@aleksey.com>

/

Aleksey

On 8/17/2010 7:53 AM, luiz at xharbour.com.br wrote:
> Hi Alex
>
> Thanks for fast response
>
> I filled this two tags with values as also dsig:DigestMethod Algorithm tag
> and the error now is
>
> func=xmlSecTransformXPath2NodeRead:file=..\src\xpath.c:line=758:obj=xpath2:subj=Transform:error=27:unexpected
> node:
> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1571:obj=unknown:subj=id->readNode:error=1:xmlsec
> library function failed:transform=xpath2
> func=xmlSecTransformCtxNodesListRead:file=..\src\transforms.c:line=733:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec
> library function failed:node=Transform
> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1454:obj=unknown:subj=xmlSecTransformCtxNodesListRead:error=1:xmlsec
> library function failed:node=Transforms
> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
> library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
>
> how should be the transform section
>
> //Lote
> //RPS
>
> or i need to add all tags inside as union?
>
> Regards
> Luiz
>
>> This is the problem, I believe the error is pretty clear about this
>>
>> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec
>> library function failed:href=
>> func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec
>> library function failed:name=CanonicalizationMethod
>>
>> Aleksey

From luiz at xharbour.com.br  Tue Aug 17 08:04:18 2010
From: luiz at xharbour.com.br (luiz at xharbour.com.br)
Date: Tue, 17 Aug 2010 12:04:18 -0300
Subject: [xmlsec] singning an template
In-Reply-To: <4C6AA438.8010800@aleksey.com>
References: <4C6AA00F.7060700@aleksey.com> <4C6AA438.8010800@aleksey.com>
Message-ID: <42e7ea9718a7565903033cd579a0a2d6.squirrel@webmail.xharbour.com.br>

Alex,

can you point where to insert on my xml file below?
6291 55299440002399 REDE RECAPEX PNEUS LTDA 2010-08-11 2010-08-11 1 203.75 0.00 1 WS 85dc70f0c28fd2d6ed45167f3f07fd27d96bf46 00001166506 REDE RECAPEX PNEUS LTDA RPS NF 000008 2010-08-11T00:00:00 N 0 0 1900-01-01 99 00000000000 68233436000245 ARIVALDO APARECIDO MORAES E CIA LTDA R JOSE ZEFERINO FERREIRA 536 PQ BANDEIRANTES 6291 CAMPINAS (SP) 13181713 331399900 5.0000 A 6291 CAMPINAS (SP) A T 0.00 0.00 0.00 0.00 0.00 0.0000 0.0000 0.0000 0.0000 0.0000 19 32315200 19 38640414 ALINHAMENTO (CONV) EIXO TRAS AUTO/CAMION 1.0000 48.7500 48.75 CAMBAGEM(COMPLETA)DIANT.DIREITA AUTO/CAM 1.0000 80.0000 80.00 CAMBAGEM(COMPLETA)DIANT.ESQUER.AUTO/CAM 1.0000 75.0000 75.00 //Lote //RPS / Regards Luiz > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" > /> > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> > / > > > > > Aleksey > > On 8/17/2010 7:53 AM, luiz at xharbour.com.br wrote: >> Hi Alex >> >> Thanks for fast response >> >> I filled this two tags with values as also dsig:DigestMethod Algorithm >> tag >> and the error now is >> >> func=xmlSecTransformXPath2NodeRead:file=..\src\xpath.c:line=758:obj=xpath2:subj=Transform:error=27:unexpected >> node: >> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1571:obj=unknown:subj=id->readNode:error=1:xmlsec >> library function failed:transform=xpath2 >> func=xmlSecTransformCtxNodesListRead:file=..\src\transforms.c:line=733:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec >> library function failed:node=Transform >> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1454:obj=unknown:subj=xmlSecTransformCtxNodesListRead:error=1:xmlsec >> library function failed:node=Transforms >> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec >> library function failed:node=Reference >> 
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec >> library function failed: >> func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec >> library function failed: >> >> >> how should be the transform section >> >> >> >> //Lote >> //RPS >> >> >> or i need to add all tags inside as union? >> >> Regards >> Luiz >> >>> This is the problem, I believe the error is pretty clear about this >>> >>> >>> >>> >>> >>> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec >>> library function failed:href= >>> func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec >>> library function failed:name=CanonicalizationMethod >>> >>> >>> Aleksey >>> >> >> > From aleksey at aleksey.com Tue Aug 17 08:06:39 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 17 Aug 2010 08:06:39 -0700 Subject: [xmlsec] singning an template In-Reply-To: <42e7ea9718a7565903033cd579a0a2d6.squirrel@webmail.xharbour.com.br> References: <4C6AA00F.7060700@aleksey.com> <4C6AA438.8010800@aleksey.com> <42e7ea9718a7565903033cd579a0a2d6.squirrel@webmail.xharbour.com.br> Message-ID: <4C6AA57F.4030608@aleksey.com> I don't suggest to insert. There is a problem in your file, I copy/pasted the part that is broken. Aleksey On 8/17/2010 8:04 AM, luiz at xharbour.com.br wrote: > Alex > > an you point where to insert on my xml file bellow? 
> > > xmlns:tipos="http://localhost:8080/WsNFe2/tp" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:schemaLocation="http://localhost:8080/WsNFe2/lote > http://localhost:8080/WsNFe2/xsd/ReqEnvioLoteRPS.xsd"> > > 6291 > 55299440002399 > REDE RECAPEX PNEUS LTDA > > 2010-08-11 > 2010-08-11 > 1 > 203.75 > 0.00 > 1 > WS > > > > 85dc70f0c28fd2d6ed45167f3f07fd27d96bf46 > 00001166506 > REDE RECAPEX PNEUS LTDA > RPS > NF > 000008 > 2010-08-11T00:00:00 > N > > 0 > 0 > 1900-01-01 > 99 > 00000000000 > 68233436000245 > ARIVALDO APARECIDO MORAES E CIA LTDA > R > JOSE ZEFERINO FERREIRA > 536 > > PQ BANDEIRANTES > 6291 > CAMPINAS (SP) > 13181713 > > 331399900 > 5.0000 > A > 6291 > CAMPINAS (SP) > A > T > 0.00 > 0.00 > 0.00 > 0.00 > 0.00 > 0.0000 > 0.0000 > 0.0000 > 0.0000 > 0.0000 > > 19 > 32315200 > 19 > 38640414 > > > > > ALINHAMENTO (CONV) EIXO TRAS > AUTO/CAMION > 1.0000 > 48.7500 > 48.75 > > > CAMBAGEM(COMPLETA)DIANT.DIREITA > AUTO/CAM > 1.0000 > 80.0000 > 80.00 > > > CAMBAGEM(COMPLETA)DIANT.ESQUER.AUTO/CAM > 1.0000 > 75.0000 > 75.00 > > > > > xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"> > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> > > > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> > //Lote > //RPS > > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> > > > > > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" > /> > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> > / > > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> > > > > > > > > > > > > > > Regards > Luiz > >> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" >> /> >> > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> >> > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> >> / >> >> >> >> >> Aleksey >> >> On 8/17/2010 7:53 AM, luiz at xharbour.com.br wrote: >>> Hi 
Alex >>> >>> Thanks for fast response >>> >>> I filled this two tags with values as also dsig:DigestMethod Algorithm >>> tag >>> and the error now is >>> >>> func=xmlSecTransformXPath2NodeRead:file=..\src\xpath.c:line=758:obj=xpath2:subj=Transform:error=27:unexpected >>> node: >>> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1571:obj=unknown:subj=id->readNode:error=1:xmlsec >>> library function failed:transform=xpath2 >>> func=xmlSecTransformCtxNodesListRead:file=..\src\transforms.c:line=733:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec >>> library function failed:node=Transform >>> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1454:obj=unknown:subj=xmlSecTransformCtxNodesListRead:error=1:xmlsec >>> library function failed:node=Transforms >>> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec >>> library function failed:node=Reference >>> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec >>> library function failed: >>> func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec >>> library function failed: >>> >>> >>> how should be the transform section >>> >>> >>> >>> //Lote >>> //RPS >>> >>> >>> or i need to add all tags inside as union? 
>>> >>> Regards >>> Luiz >>> >>>> This is the problem, I believe the error is pretty clear about this >>>> >>>> >>>> >>>> >>>> >>>> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec >>>> library function failed:href= >>>> func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec >>>> library function failed:name=CanonicalizationMethod >>>> >>>> >>>> Aleksey >>>> >>> >>> >> > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From luiz at xharbour.com.br Tue Aug 17 08:09:25 2010 From: luiz at xharbour.com.br (luiz at xharbour.com.br) Date: Tue, 17 Aug 2010 12:09:25 -0300 Subject: [xmlsec] singning an template In-Reply-To: <4C6AA57F.4030608@aleksey.com> References: <4C6AA00F.7060700@aleksey.com> <4C6AA438.8010800@aleksey.com> <42e7ea9718a7565903033cd579a0a2d6.squirrel@webmail.xharbour.com.br> <4C6AA57F.4030608@aleksey.com> Message-ID: Alex how to correct this broken Part? Regards Luiz > I don't suggest to insert. There is a problem in your file, > I copy/pasted the part that is broken. > > Aleksey > > On 8/17/2010 8:04 AM, luiz at xharbour.com.br wrote: >> Alex >> >> an you point where to insert on my xml file bellow? 
>> >> >> > xmlns:tipos="http://localhost:8080/WsNFe2/tp" >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >> xsi:schemaLocation="http://localhost:8080/WsNFe2/lote >> http://localhost:8080/WsNFe2/xsd/ReqEnvioLoteRPS.xsd"> >> >> 6291 >> 55299440002399 >> REDE RECAPEX PNEUS LTDA >> >> 2010-08-11 >> 2010-08-11 >> 1 >> 203.75 >> 0.00 >> 1 >> WS >> >> >> >> 85dc70f0c28fd2d6ed45167f3f07fd27d96bf46 >> 00001166506 >> REDE RECAPEX PNEUS LTDA >> RPS >> NF >> 000008 >> 2010-08-11T00:00:00 >> N >> >> 0 >> 0 >> 1900-01-01 >> 99 >> 00000000000 >> 68233436000245 >> ARIVALDO APARECIDO MORAES E CIA >> LTDA >> R >> JOSE ZEFERINO FERREIRA >> 536 >> >> PQ BANDEIRANTES >> 6291 >> CAMPINAS (SP) >> 13181713 >> >> 331399900 >> 5.0000 >> A >> 6291 >> CAMPINAS (SP) >> A >> T >> 0.00 >> 0.00 >> 0.00 >> 0.00 >> 0.00 >> 0.0000 >> 0.0000 >> 0.0000 >> 0.0000 >> 0.0000 >> >> 19 >> 32315200 >> 19 >> 38640414 >> >> >> >> >> ALINHAMENTO (CONV) EIXO TRAS >> AUTO/CAMION >> 1.0000 >> 48.7500 >> 48.75 >> >> >> CAMBAGEM(COMPLETA)DIANT.DIREITA >> AUTO/CAM >> 1.0000 >> 80.0000 >> 80.00 >> >> >> CAMBAGEM(COMPLETA)DIANT.ESQUER.AUTO/CAM >> 1.0000 >> 75.0000 >> 75.00 >> >> >> >> >> > xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"> >> >> > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> >> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> >> >> >> > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> >> >> //Lote >> //RPS >> >> >> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> >> >> >> >> >> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" >> /> >> > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> >> > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> >> / >> >> >> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> >> >> >> >> >> >> >> >> >> >> >> >> >> >> Regards >> Luiz >> >>> >> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" >>> /> >>> >> 
Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> >>> >> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> >>> / >>> >>> >>> >>> >>> Aleksey >>> >>> On 8/17/2010 7:53 AM, luiz at xharbour.com.br wrote: >>>> Hi Alex >>>> >>>> Thanks for fast response >>>> >>>> I filled this two tags with values as also dsig:DigestMethod Algorithm >>>> tag >>>> and the error now is >>>> >>>> func=xmlSecTransformXPath2NodeRead:file=..\src\xpath.c:line=758:obj=xpath2:subj=Transform:error=27:unexpected >>>> node: >>>> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1571:obj=unknown:subj=id->readNode:error=1:xmlsec >>>> library function failed:transform=xpath2 >>>> func=xmlSecTransformCtxNodesListRead:file=..\src\transforms.c:line=733:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec >>>> library function failed:node=Transform >>>> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1454:obj=unknown:subj=xmlSecTransformCtxNodesListRead:error=1:xmlsec >>>> library function failed:node=Transforms >>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec >>>> library function failed:node=Reference >>>> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec >>>> library function failed: >>>> func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec >>>> library function failed: >>>> >>>> >>>> how should be the transform section >>>> >>>> >>> Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> >>>> >>>> //Lote >>>> >>>> //RPS >>>> >>>> >>>> or i need to add all tags inside as union? 
>>>>
>>>> Regards
>>>> Luiz
>>>>
>>>>> This is the problem, I believe the error is pretty clear about this
>>>>>
>>>>> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec
>>>>> library function failed:href=
>>>>> func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec
>>>>> library function failed:name=CanonicalizationMethod
>>>>>
>>>>> Aleksey
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec

From duhcrab at yahoo.com  Tue Aug 17 09:50:27 2010
From: duhcrab at yahoo.com (Duh Crab)
Date: Tue, 17 Aug 2010 09:50:27 -0700 (PDT)
Subject: [xmlsec] Sign XML using EVP_PKEY and X509 cert in memory
Message-ID: <920799.51850.qm@web50806.mail.re2.yahoo.com>

I used xmlSecOpenSSLAppPkcs12LoadBIO() as a template and loaded EVP_PKEY
pkey and X509 cert using the code below.

    /* The posted fragment had no declarations and no cleanup label; the
     * wrapper function, declarations and the `done:` block are added so it
     * compiles. pKey, cert and chain come from PKCS12_parse(); dsigCtx and
     * signNode come from the surrounding signing function (not shown).
     * Once the adopt calls succeed, pKey and cert are owned by the xmlsec
     * key and must not be freed by the caller. */
    #include <stdio.h>
    #include <assert.h>
    #include <openssl/evp.h>
    #include <openssl/x509.h>
    #include <xmlsec/xmlsec.h>
    #include <xmlsec/keys.h>
    #include <xmlsec/xmldsig.h>
    #include <xmlsec/openssl/evp.h>
    #include <xmlsec/openssl/x509.h>

    #ifndef DEBUGPRINT
    #define DEBUGPRINT(msg) fprintf(stderr, "%s", (msg))
    #endif

    static int sign_with_key_in_memory(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr signNode,
                                       EVP_PKEY *pKey, X509 *cert, STACK_OF(X509) *chain)
    {
        xmlSecKeyDataPtr data = NULL;
        xmlSecKeyDataPtr x509Data = NULL;
        xmlSecKeyPtr key = NULL;
        X509 *tmpcert = NULL;
        int has_cert, ret, i;
        int own_chain = 0;   /* set when the chain is created here rather than passed in */
        int res = -1;

        data = xmlSecOpenSSLEvpKeyAdopt(pKey);
        if(data == NULL) {
            EVP_PKEY_free(pKey);
            goto done;
        }

        x509Data = xmlSecKeyDataCreate(xmlSecOpenSSLKeyDataX509Id);
        if(x509Data == NULL) {
            goto done;
        }

        /* starting from openssl 1.0.0 the PKCS12_parse() call will not create
         * certs chain object if there is no certificates in the pkcs12 file
         * and it will be null */
        if(chain == NULL) {
            chain = sk_X509_new_null();
            if(chain == NULL) {
                DEBUGPRINT("chain processing error\n");
                goto done;
            }
            own_chain = 1;
        }

        /* is the key cert already in the chain? The posted code had both
         * comparisons inverted (!= 0 / has_cert != 0), which pushed a
         * duplicate whenever any chain cert differed from cert; == 0 and
         * has_cert == 0 match xmlSecOpenSSLAppPkcs12LoadBIO(). */
        has_cert = 0;
        for(i = 0; i < sk_X509_num(chain); ++i) {
            assert(sk_X509_value(chain, i));
            if(X509_cmp(sk_X509_value(chain, i), cert) == 0) {
                has_cert = 1;
                break;
            }
        }
        if(has_cert == 0) {
            tmpcert = X509_dup(cert);
            if(tmpcert == NULL) {
                DEBUGPRINT("tmpcert == NULL\n");
                goto done;
            }
            ret = sk_X509_push(chain, tmpcert);
            if(ret < 1) {
                DEBUGPRINT("sk_X509_push() returned <1\n");
                X509_free(tmpcert);
                goto done;
            }
        }

        /* x509Data takes ownership of cert here */
        ret = xmlSecOpenSSLKeyDataX509AdoptKeyCert(x509Data, cert);
        if(ret < 0) {
            DEBUGPRINT("xmlSecOpenSSLKeyDataX509AdoptKeyCert() returned <0 \n");
            goto done;
        }

        /* copy every chain cert into x509Data */
        for(i = 0; i < sk_X509_num(chain); ++i) {
            assert(sk_X509_value(chain, i));
            tmpcert = X509_dup(sk_X509_value(chain, i));
            if(tmpcert == NULL) {
                DEBUGPRINT("tmpcert == NULL \n");
                goto done;
            }
            ret = xmlSecOpenSSLKeyDataX509AdoptCert(x509Data, tmpcert);
            if(ret < 0) {
                DEBUGPRINT("xmlSecOpenSSLKeyDataX509AdoptCert ret < 0 \n");
                goto done;
            }
        }

        key = xmlSecKeyCreate();
        if(key == NULL) {
            goto done;
        }

        /* the key takes ownership of data, then of x509Data */
        ret = xmlSecKeySetValue(key, data);
        if(ret < 0) {
            xmlSecKeyDestroy(key);
            key = NULL;
            goto done;
        }
        data = NULL;

        ret = xmlSecKeyAdoptData(key, x509Data);
        if(ret < 0) {
            xmlSecKeyDestroy(key);
            key = NULL;
            goto done;
        }
        x509Data = NULL;

        dsigCtx->signKey = key;

        /* The posted code adopted cert a second time at this point via
         * xmlSecKeyEnsureData(dsigCtx->signKey, xmlSecOpenSSLKeyDataX509Id)
         * and xmlSecOpenSSLKeyDataX509AdoptCert(data, cert). cert is already
         * owned by the X509 key data since the AdoptKeyCert() call above, so
         * the second adoption would free it twice; it is removed here. */

        /* set key name to the file name, this is just an example! */
        if(xmlSecKeySetName(dsigCtx->signKey, BAD_CAST "BDCKey.pem") < 0) {
            DEBUGPRINT("Error: failed to set key name for key from BDCKey.pem\n");
            goto done;
        }

        /* sign the template */
        if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
            DEBUGPRINT("Error: signature failed\n");
            goto done;
        }
        res = 0;

    done:
        /* added cleanup: release whatever the key did not take over */
        if(own_chain && chain != NULL) {
            sk_X509_pop_free(chain, X509_free);
        }
        if(x509Data != NULL) {
            xmlSecKeyDataDestroy(x509Data);
        }
        if(data != NULL) {
            xmlSecKeyDataDestroy(data);
        }
        return(res);
    }

The final step of signing the xml using xmlSecDSigCtxSign() failed with
the following error:

func=xmlSecTransformIdListFindByHref:file=..\src\transforms.c:line=2538:obj=unknown:subj=xmlSecPtrListCheckId(list, xmlSecTransformIdListId):error=100:assertion:
func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=http://www.w3.org/2001/10/xml-exc-c14n#
func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:name=CanonicalizationMethod
func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=689:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed:node=CanonicalizationMethod
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:

Any suggestions?

Thanks,
Sri

From: Aleksey Sanin
Date: August 13, 2010 1:13:22 PM CDT
To: Duh Crab
Cc: "xmlsec at aleksey.com"
Subject: Re: [xmlsec] Sign XML using EVP_PKEY and X509 cert in memory

You can load PKCS12 key+cert directly from xmlsec, take a look at
xmlSecCryptoAppPkcs12Load() and xmlSecCryptoAppPkcs12LoadMemory()
functions. Or xmlsec-openssl specific call xmlSecOpenSSLAppPkcs12LoadBIO().

Otherwise, if you want to parse PKCS12 container yourself, take a look at
xmlsec-openssl specific functions in xmlsec/openssl/evp.h and
xmlsec/openssl/x509.h.
Something like xmlSecOpenSSLEvpKeyAdopt(), xmlSecOpenSSLKeyDataX509AdoptKeyCert(), and xmlSecOpenSSLKeyDataX509AdoptCert(). For details on how to use these functions, best of all study the source code for the xmlSecOpenSSLAppPkcs12LoadBIO() function. It makes all the right calls in the right order :) Aleksey On 8/13/2010 11:05 AM, Duh Crab wrote: I am trying to sign XML using the pkey and X509 cert in a pkcs12 file. I extracted the pkey and cert from the pkcs12 file using the following - EVP_PKEY *pkey; X509 *cert; PKCS12 *p12; p12 = d2i_PKCS12_fp(fp, NULL); PKCS12_parse(p12, passphrase,&pkey,&cert,&ca); I now want to use the pkey and cert from above to sign xml using xmlsec. How do I use these with the following api's? xmlSecCryptoAppKeyLoadMemory() xmlSecOpenSSLAppKeyCertLoadMemory() If I save the pkey and cert above to the filesystem and then call - xmlSecCryptoAppKeyLoad() and xmlSecCryptoAppKeyCertLoad() (along with other xmlsec api's), everything works well and I am able to sign the XML. However, there are cases where I do not have access to the filesystem and need to use pkey and cert from memory. Thanks, Sri _______________________________________________ xmlsec mailing list xmlsec at aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec -------------- next part -------------- An HTML attachment was scrubbed... URL: From aleksey at aleksey.com Tue Aug 17 09:51:03 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 17 Aug 2010 09:51:03 -0700 Subject: [xmlsec] singning an template In-Reply-To: References: <4C6AA00F.7060700@aleksey.com> <4C6AA438.8010800@aleksey.com> <42e7ea9718a7565903033cd579a0a2d6.squirrel@webmail.xharbour.com.br> <4C6AA57F.4030608@aleksey.com> Message-ID: <4C6ABDF7.3070301@aleksey.com> Take a look at the xml piece I copy/pasted. Aleksey On 8/17/2010 8:09 AM, luiz at xharbour.com.br wrote: > Alex > > how to correct this broken Part? > > Regards > Luiz > >> I don't suggest to insert. 
There is a problem in your file, >> I copy/pasted the part that is broken. >> >> Aleksey >> >> On 8/17/2010 8:04 AM, luiz at xharbour.com.br wrote: >>> Alex >>> >>> Can you point out where to insert it in my XML file below? >>> >>> >>> >> xmlns:tipos="http://localhost:8080/WsNFe2/tp" >>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >>> xsi:schemaLocation="http://localhost:8080/WsNFe2/lote >>> http://localhost:8080/WsNFe2/xsd/ReqEnvioLoteRPS.xsd"> >>> >>> 6291 >>> 55299440002399 >>> REDE RECAPEX PNEUS LTDA >>> >>> 2010-08-11 >>> 2010-08-11 >>> 1 >>> 203.75 >>> 0.00 >>> 1 >>> WS >>> >>> >>> >>> 85dc70f0c28fd2d6ed45167f3f07fd27d96bf46 >>> 00001166506 >>> REDE RECAPEX PNEUS LTDA >>> RPS >>> NF >>> 000008 >>> 2010-08-11T00:00:00 >>> N >>> >>> 0 >>> 0 >>> 1900-01-01 >>> 99 >>> 00000000000 >>> 68233436000245 >>> ARIVALDO APARECIDO MORAES E CIA >>> LTDA >>> R >>> JOSE ZEFERINO FERREIRA >>> 536 >>> >>> PQ BANDEIRANTES >>> 6291 >>> CAMPINAS (SP) >>> 13181713 >>> >>> 331399900 >>> 5.0000 >>> A >>> 6291 >>> CAMPINAS (SP) >>> A >>> T >>> 0.00 >>> 0.00 >>> 0.00 >>> 0.00 >>> 0.00 >>> 0.0000 >>> 0.0000 >>> 0.0000 >>> 0.0000 >>> 0.0000 >>> >>> 19 >>> 32315200 >>> 19 >>> 38640414 >>> >>> >>> >>> >>> ALINHAMENTO (CONV) EIXO TRAS >>> AUTO/CAMION >>> 1.0000 >>> 48.7500 >>> 48.75 >>> >>> >>> CAMBAGEM(COMPLETA)DIANT.DIREITA >>> AUTO/CAM >>> 1.0000 >>> 80.0000 >>> 80.00 >>> >>> >>> CAMBAGEM(COMPLETA)DIANT.ESQUER.AUTO/CAM >>> 1.0000 >>> 75.0000 >>> 75.00 >>> >>> >>> >>> >>> >> xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"> >>> >>> >> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> >>> >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> >>> >>> >>> >> Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> >>> >>> //Lote >>> //RPS >>> >>> >>> >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> >>> >>> >>> >>> >>> >> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" >>> /> >>> >> 
Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> >>> >> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> >>> / >>> >>> >>> >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> Regards >>> Luiz >>> >>>> >>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" >>>> /> >>>> >>> Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> >>>> >>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> >>>> / >>>> >>>> >>>> >>>> Aleksey >>>> >>>> On 8/17/2010 7:53 AM, luiz at xharbour.com.br wrote: >>>>> Hi Alex >>>>> >>>>> Thanks for the fast response >>>>> >>>>> I filled these two tags with values, as well as the dsig:DigestMethod Algorithm >>>>> tag, >>>>> and the error now is >>>>> >>>>> func=xmlSecTransformXPath2NodeRead:file=..\src\xpath.c:line=758:obj=xpath2:subj=Transform:error=27:unexpected >>>>> node: >>>>> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1571:obj=unknown:subj=id->readNode:error=1:xmlsec >>>>> library function failed:transform=xpath2 >>>>> func=xmlSecTransformCtxNodesListRead:file=..\src\transforms.c:line=733:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec >>>>> library function failed:node=Transform >>>>> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1454:obj=unknown:subj=xmlSecTransformCtxNodesListRead:error=1:xmlsec >>>>> library function failed:node=Transforms >>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec >>>>> library function failed:node=Reference >>>>> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec >>>>> library function failed: >>>>> func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec >>>>> library function failed: >>>>> >>>>> >>>>> How should the Transform section be?
>>>>> >>>>> >>>> Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> >>>>> >>>>> //Lote >>>>> >>>>> //RPS >>>>> >>>>> >>>>> Or do I need to add all tags inside as union? >>>>> >>>>> Regards >>>>> Luiz >>>>> >>>>>> This is the problem, I believe the error is pretty clear about this >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec >>>>>> library function failed:href= >>>>>> func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec >>>>>> library function failed:name=CanonicalizationMethod >>>>>> >>>>>> >>>>>> Aleksey >>>>>> >>>>> >>>>> >>>> >>> >>> >>> _______________________________________________ >>> xmlsec mailing list >>> xmlsec at aleksey.com >>> http://www.aleksey.com/mailman/listinfo/xmlsec >> > > From aleksey at aleksey.com Tue Aug 17 09:52:37 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 17 Aug 2010 09:52:37 -0700 Subject: [xmlsec] Sign XML using EVP_PKEY and X509 cert in memory In-Reply-To: <920799.51850.qm@web50806.mail.re2.yahoo.com> References: <920799.51850.qm@web50806.mail.re2.yahoo.com> Message-ID: <4C6ABE55.5050008@aleksey.com> You have a problem linking your code. Is it on Windows? Aleksey On 8/17/2010 9:50 AM, Duh Crab wrote: > I used xmlSecOpenSSLAppPkcs12LoadBIO() as a template and loaded EVP_PKEY > pkey and X509 cert using the code below.
>> >> data = xmlSecOpenSSLEvpKeyAdopt(pKey); >> >> if(data == NULL) { >> >> EVP_PKEY_free(pKey); >> >> goto done; >> >> } >> >> x509Data = xmlSecKeyDataCreate(xmlSecOpenSSLKeyDataX509Id); >> >> if(x509Data == NULL) { >> >> goto done; >> >> } >> >> /* starting from openssl 1.0.0 the PKCS12_parse() call will not create >> certs >> >> chain object if there is no certificates in the pkcs12 file and it >> will be null >> >> */ >> >> if(chain == NULL) >> >> { >> >> chain = sk_X509_new_null(); >> >> if(chain == NULL) >> >> { >> >> DEBUGPRINT("chain processing error\n"); >> >> goto done; >> >> } >> >> } >> >> has_cert = 0; >> >> for(i = 0; i < sk_X509_num(chain); ++i) { >> >> assert(sk_X509_value(chain, i)); >> >> if(X509_cmp(sk_X509_value(chain, i), cert) != 0) >> >> { >> >> has_cert = 1; >> >> break; >> >> } >> >> } >> >> if(has_cert != 0) >> >> { >> >> tmpcert = X509_dup(cert); >> >> if(tmpcert == NULL) { >> >> DEBUGPRINT("tmpcert == NULL\n"); >> >> goto done; >> >> } >> >> ret = sk_X509_push(chain, tmpcert); >> >> if(ret < 1) >> >> { >> >> DEBUGPRINT("sk_X509_push() returned <1\n"); >> >> X509_free(tmpcert); >> >> goto done; >> >> } >> >> } >> >> ret = xmlSecOpenSSLKeyDataX509AdoptKeyCert(x509Data, cert); >> >> if(ret < 0) >> >> { >> >> DEBUGPRINT("xmlSecOpenSSLKeyDataX509AdoptKeyCert() returned <0 \n"); >> >> goto done; >> >> } >> >> for(i = 0; i < sk_X509_num(chain); ++i) >> >> { >> >> assert(sk_X509_value(chain, i)); >> >> tmpcert = X509_dup(sk_X509_value(chain, i)); >> >> if(tmpcert == NULL) >> >> { >> >> DEBUGPRINT("tmpcert == NULL \n"); >> >> X509_free(tmpcert); >> >> goto done; >> >> } >> >> ret = xmlSecOpenSSLKeyDataX509AdoptCert(x509Data, tmpcert); >> >> if(ret < 0) >> >> { >> >> DEBUGPRINT("xmlSecOpenSSLKeyDataX509AdoptCert ret < 0 \n"); >> >> goto done; >> >> } >> >> } >> >> key = xmlSecKeyCreate(); >> >> if(key == NULL) >> >> { >> >> goto done; >> >> } >> >> ret = xmlSecKeySetValue(key, data); >> >> if(ret < 0) { >> >> xmlSecKeyDestroy(key); >> >> key = 
NULL; >> >> goto done; >> >> } >> >> data = NULL; >> >> ret = xmlSecKeyAdoptData(key, x509Data); >> >> if(ret < 0) >> >> { >> >> xmlSecKeyDestroy(key); >> >> key = NULL; >> >> goto done; >> >> } >> >> x509Data = NULL; >> >> dsigCtx->signKey = key; >> >> data = xmlSecKeyEnsureData(dsigCtx->signKey, xmlSecOpenSSLKeyDataX509Id); >> >> ret = xmlSecOpenSSLKeyDataX509AdoptCert(data, cert); >> >> if(ret < 0) >> >> { >> >> DEBUGPRINT("Processing error\n"); >> >> goto done; >> >> } >> >> /* set key name to the file name, this is just an example! */ >> >> if(xmlSecKeySetName(dsigCtx->signKey, BAD_CAST "BDCKey.pem") < 0) >> >> { >> >> DEBUGPRINT("Error: failed to set key name for key from BDCKey.pem\n"); >> >> goto done; >> >> } >> >> /* sign the template */ >> >> if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) >> >> { >> >> DEBUGPRINT("Error: signature failed\n"); >> >> goto done; >> >> } >> >> The final step of signing the xml using xmlSecDSigCtxSign() failed >> with the following error ? >> >> func=xmlSecTransformIdListFindByHref:file=..\src\transforms.c:line=2538:obj=unkn >> >> own:subj=xmlSecPtrListCheckId(list, >> xmlSecTransformIdListId):error=100:assertion >> >> : >> >> func=xmlSecTransformNodeRead:file=..\src\transforms.c:line=1533:obj=unknown:subj >> >> =xmlSecTransformIdListFindByHref:error=1:xmlsec library function >> failed:href=htt >> >> p://www.w3.org/2001/10/xml-exc-c14n# >> >> func=xmlSecTransformCtxNodeRead:file=..\src\transforms.c:line=684:obj=unknown:su >> >> bj=xmlSecTransformNodeRead:error=1:xmlsec library function >> failed:name=Canonical >> >> izationMethod >> >> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=689:obj=unkno >> >> wn:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function >> failed:node=C >> >> anonicalizationMethod >> >> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknow >> >> n:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library >> function failed >> >> : >> >> 
func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSi >> >> gCtxSigantureProcessNode:error=1:xmlsec library function failed: >> >> Any suggestions? >> >> Thanks, >> >> Sri >> >> *From:* Aleksey Sanin < >> aleksey at aleksey.com >> > >> *Date:* August 13, 2010 1:13:22 PM CDT >> *To:* Duh Crab < duhcrab at yahoo.com >> > >> *Cc:* " xmlsec at aleksey.com >> " < >> xmlsec at aleksey.com >> > >> *Subject:* *Re: [xmlsec] Sign XML using EVP_PKEY and X509 cert in >> memory* >> >> You can load PKCS12 key+cert directly from xmlsec, take a look >> at xmlSecCryptoAppPkcs12Load() and xmlSecCryptoAppPkcs12LoadMemory() >> functions. Or xmlsec-openssl specific call >> xmlSecOpenSSLAppPkcs12LoadBIO(). >> >> Otherwise, if you want to parse PKCS12 container yourself, take >> a look at xmlsec-openssl specific functions in >> xmlsec/openssl/evp.h and xmlsec/openssl/x509.h. Something like >> xmlSecOpenSSLEvpKeyAdopt(), xmlSecOpenSSLKeyDataX509AdoptKeyCert(), >> and xmlSecOpenSSLKeyDataX509AdoptCert(). For details on how to use >> these functions, best of all study the source code for the >> xmlSecOpenSSLAppPkcs12LoadBIO() function. It makes all the right >> calls in the right order :) >> >> Aleksey >> >> On 8/13/2010 11:05 AM, Duh Crab wrote: >> >> I am trying to sign XML using the pkey and X509 cert in a >> pkcs12 file. >> >> I extracted the pkey and cert from the pkcs12 file using the >> following - >> >> EVP_PKEY *pkey; >> >> X509 *cert; >> >> PKCS12 *p12; >> >> p12 = d2i_PKCS12_fp(fp, NULL); >> >> PKCS12_parse(p12, passphrase,&pkey,&cert,&ca); >> >> I now want to use the pkey and cert from above to sign xml >> using xmlsec. >> >> How do I use these with the following api's? 
>> >> xmlSecCryptoAppKeyLoadMemory() >> >> xmlSecOpenSSLAppKeyCertLoadMemory() >> >> If I save the pkey and cert above to the filesystem and then >> call - >> >> xmlSecCryptoAppKeyLoad() and xmlSecCryptoAppKeyCertLoad() >> (along with other xmlsec APIs), everything works well and I >> >> am able to sign the XML. >> >> However, there are cases where I do not have access to the >> filesystem and need to use pkey and cert from memory. >> >> Thanks, >> >> Sri >> >> _______________________________________________ >> >> xmlsec mailing list >> >> xmlsec at aleksey.com >> >> >> http://www.aleksey.com/mailman/listinfo/xmlsec >> > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From denis.gousseau at santeos.com Tue Sep 21 03:22:55 2010 From: denis.gousseau at santeos.com (GOUSSEAU Denis) Date: Tue, 21 Sep 2010 12:22:55 +0200 Subject: [xmlsec] Sign1.c Message-ID: <00e801cb5976$f49a5880$ddcf0980$@gousseau@santeos.com> Hello I try to use the sign1.c sample with Visual Studio 2008. When I execute the program, I have the error: >signfic TestEnvoi.txt certs.pem Enter PEM pass phrase: func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=465:obj=unknown:subj=dsigCtx->c14nMethod == NULL:error=100:assertion: func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:Error: signature failed What is missing? I use OpenSSL 1 with xmlsec. Thanks ----------------------------------------------- Denis GOUSSEAU Société SANTEOS -----------------------------------------------
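An added example, not code from the xmlsec project or from anyone in these threads: a stdlib-only Python linter that checks a Signature template for the defects the threads above run into, before xmlsec has to report them one assertion at a time. It flags an empty Algorithm attribute (the failed lookup with an empty href in Luiz's thread), an XPath Filter 2.0 transform whose children are not dsig-xpath:XPath elements (the "unexpected node" error there), a Reference with URI="" and no enveloped-signature transform, missing DigestValue/SignatureValue placeholders, and a KeyInfo without a KeyName, which matters when the key has to be found in a keys manager (Aleksey's question in the pkcs11 thread below). It cannot catch the linking problem Aleksey points at in Sri's thread, which fails the xmlSecPtrListCheckId assertion while the template's CanonicalizationMethod is being read, whatever the template contains. The algorithm URI tables are an assumption, a common subset of what xmlsec 1.2 accepts, and both sample templates are constructed for this example.

```python
"""Lint an XML-DSig Signature template before handing it to xmlsec. Added example, not
xmlsec code; stdlib only. The algorithm URI tables are an assumed common subset of xmlsec 1.2's."""
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
XPATH2 = "http://www.w3.org/2002/06/xmldsig-filter2"
ENVELOPED = DSIG + "enveloped-signature"
DS = "{%s}%%s" % DSIG  # Clark-notation template: DS % "SignedInfo" is the tag ElementTree reports
KNOWN_C14N = {"http://www.w3.org/TR/2001/REC-xml-c14n-20010315", "http://www.w3.org/2006/12/xml-c14n11",
              "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
              "http://www.w3.org/2001/10/xml-exc-c14n#", "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"}
KNOWN_TRANSFORMS = KNOWN_C14N | {ENVELOPED, XPATH2, DSIG + "base64", "http://www.w3.org/TR/1999/REC-xpath-19991116",
                                 "http://www.w3.org/TR/1999/REC-xslt-19991116"}
KNOWN_SIGNATURE = {DSIG + "rsa-sha1", DSIG + "dsa-sha1", DSIG + "hmac-sha1",
                   "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
KNOWN_DIGEST = {DSIG + "sha1", "http://www.w3.org/2001/04/xmlenc#sha256"}
XPATH2_FILTERS = {"intersect", "subtract", "union"}


class Report:
    """errors: xmlsec will reject the template; warnings: it signs, but probably not what you meant."""
    def __init__(self):
        self.errors, self.warnings = [], []

    def algorithm(self, elem, known, what):
        # Every *Method and Transform element needs a non-empty Algorithm xmlsec can look up by href.
        alg = elem.get("Algorithm", "")
        if not alg:
            self.errors.append(what + " has an empty Algorithm attribute")
        elif alg not in known:
            self.errors.append("%s uses an algorithm not in this lint's table: %s" % (what, alg))
        return alg

    def method(self, parent, name, known, where):
        # CanonicalizationMethod, SignatureMethod and DigestMethod are required children.
        elem = parent.find(DS % name)
        if elem is None:
            self.errors.append("%s has no %s" % (where, name))
        else:
            self.algorithm(elem, known, where + " " + name)

    def xpath2(self, transform, where):
        # Filter 2.0: every child must be a filter2-namespace XPath element with a valid Filter;
        # anything else is the "unexpected node" xmlsec reports for the transform.
        for child in transform:
            if child.tag != "{%s}XPath" % XPATH2:
                self.errors.append("%s filter2 transform has unexpected child %s" % (where, child.tag))
            elif child.get("Filter") not in XPATH2_FILTERS:
                self.errors.append("%s filter2 XPath has Filter=%r" % (where, child.get("Filter")))

    def reference(self, ref, where):
        seen = []
        for t in ref.iterfind(DS % "Transforms" + "/" + DS % "Transform"):
            seen.append(self.algorithm(t, KNOWN_TRANSFORMS, where + " Transform"))
            if seen[-1] == XPATH2:
                self.xpath2(t, where)
        if ref.get("URI") == "" and ENVELOPED not in seen:
            self.warnings.append(where + ' has URI="" but no enveloped-signature transform, '
                                 "so the digest would cover the Signature element itself")
        self.method(ref, "DigestMethod", KNOWN_DIGEST, where)
        if ref.find(DS % "DigestValue") is None:
            self.errors.append(where + " has no DigestValue placeholder for xmlsec to fill in")


def lint_signature_template(xml_text):
    """Return (errors, warnings) for the first ds:Signature found in xml_text."""
    rep = Report()
    root = ET.fromstring(xml_text)
    sig = root if root.tag == DS % "Signature" else root.find(".//" + DS % "Signature")
    signed_info = None if sig is None else sig.find(DS % "SignedInfo")
    if signed_info is None:
        return ["no ds:Signature with a SignedInfo found"], []
    rep.method(signed_info, "CanonicalizationMethod", KNOWN_C14N, "SignedInfo")
    rep.method(signed_info, "SignatureMethod", KNOWN_SIGNATURE, "SignedInfo")
    for i, ref in enumerate(signed_info.findall(DS % "Reference")):
        rep.reference(ref, "Reference[%d]" % i)
    if sig.find(DS % "SignatureValue") is None:
        rep.errors.append("Signature has no SignatureValue placeholder for xmlsec to fill in")
    key_name = sig.find(DS % "KeyInfo" + "/" + DS % "KeyName")
    if key_name is None or not (key_name.text or "").strip():
        rep.warnings.append("no KeyInfo/KeyName: a key from a keys manager is matched by type, not by name")
    return rep.errors, rep.warnings


# Constructed sample with the mistakes seen on this list: empty Algorithm on CanonicalizationMethod,
# filter2 children in the ds: namespace instead of dsig-xpath:, URI="" with no enveloped transform.
BROKEN_TEMPLATE = """<Lote xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><RPS>...</RPS>
<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=""/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
      <ds:XPath Filter="intersect">//Lote</ds:XPath></ds:Transform></ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue/>
  </ds:Reference></ds:SignedInfo><ds:SignatureValue/></ds:Signature></Lote>"""

# The same sample with those points corrected (also constructed).
FIXED_TEMPLATE = BROKEN_TEMPLATE.replace(
    'Algorithm=""', 'Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"').replace(
    "<ds:Transforms>", '<ds:Transforms><ds:Transform Algorithm="%s"/>' % ENVELOPED).replace(
    "<ds:XPath ", '<x:XPath xmlns:x="%s" ' % XPATH2).replace("</ds:XPath>", "</x:XPath>").replace(
    "<ds:SignatureValue/>", "<ds:SignatureValue/><ds:KeyInfo><ds:KeyName>signkey</ds:KeyName></ds:KeyInfo>")
```

Run lint_signature_template() over the template file before calling xmlsec1 or xmlSecDSigCtxSign(): on BROKEN_TEMPLATE it returns two errors (the empty CanonicalizationMethod Algorithm and the ds:XPath child of the filter2 transform) and two warnings, on FIXED_TEMPLATE nothing. The errors list maps onto what xmlsec would have printed as a func=... chain; the warnings are things xmlsec signs happily but that usually mean the wrong content got signed or the wrong key got picked.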
From aleksey at aleksey.com Tue Sep 21 07:13:44 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 21 Sep 2010 07:13:44 -0700 Subject: [xmlsec] Sign1.c In-Reply-To: <00e801cb5976$f49a5880$ddcf0980$@gousseau@santeos.com> References: <00e801cb5976$f49a5880$ddcf0980$@gousseau@santeos.com> Message-ID: <4C98BD98.2020408@aleksey.com> What is in the template? Aleksey On 9/21/2010 3:22 AM, GOUSSEAU Denis wrote: > Hello > > I try to use the sign1.c sample with Visual Studio 2008. > > When I execute the program, I have the error: > > >signfic TestEnvoi.txt certs.pem > > Enter PEM pass phrase: > > func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=465:obj=unknown:subj=dsigCtx->c14nMethod > == NULL:error=100:assertion: > > func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec > library function failed:Error: signature failed > > What is missing? > > I use OpenSSL 1 with xmlsec. > > Thanks > > ----------------------------------------------- > Denis GOUSSEAU > Société
SANTEOS > ----------------------------------------------- > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From denis.gousseau at santeos.com Wed Sep 22 02:10:23 2010 From: denis.gousseau at santeos.com (GOUSSEAU Denis) Date: Wed, 22 Sep 2010 11:10:23 +0200 Subject: [xmlsec] Using xmlsec with openssl config file and engine pkcs11 Message-ID: <018801cb5a35$fd37a500$f7a6ef00$@gousseau@santeos.com> I'm trying to use XmlSec binaries with a pkcs11 engine which works fine with openssl: OpenSsl config file: openssl_conf = openssl_def [openssl_def] engines = engine_section [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 dynamic_path = ./engine_pkcs11.dll MODULE_PATH = c:/windows/cps_pkcs11_w32.dll init = 0 PIN=1234 [req] distinguished_name = req_distinguished_name [req_distinguished_name] DOS command line: xmlsec --sign--pwd 1234 --crypto openssl --crypto-config .\openssl.cfg TestEnvoi.txt And I have this error: func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: Error: signature failed Error: failed to sign file "TestEnvoi.txt" With a pem certificate, the file can be signed. So, the problem is with openssl and the config file or the engine I'm using. Does xmlSec work with a pkcs11 engine without change? Because I saw some patches but can't find them, with a problem on the private key. Thanks for your help.
----------------------------------------------- Denis GOUSSEAU Société SANTEOS ----------------------------------------------- From beall at usc.edu Wed Sep 22 14:45:02 2010 From: beall at usc.edu (Russell Beall) Date: Wed, 22 Sep 2010 14:45:02 -0700 Subject: [xmlsec] install-sh and multiple files Message-ID: <78E88FFC-254F-435A-A486-BBA22626C637@usc.edu> Hi, I am trying to install the latest version of xmlsec, but I am having trouble with the installer. The installer from 1.2.13 works because it feeds files one at a time to install-sh. The installers from 1.2.14, 1.2.15 and 1.2.16 do not work because the makefile instruction feeds multiple files to install-sh all at once. Only the first file in the list gets actually installed. The comments at the top of install-sh indicate that it can only process files one at a time. Is this a bug or am I missing something? Thanks, Russ. ============================== Russell Beall Programmer Analyst IV Enterprise Identity Management University of Southern California beall at usc.edu ============================== From aleksey at aleksey.com Wed Sep 22 19:47:15 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Wed, 22 Sep 2010 19:47:15 -0700 Subject: [xmlsec] Using xmlsec with openssl config file and engine pkcs11 In-Reply-To: <018801cb5a35$fd37a500$f7a6ef00$@gousseau@santeos.com> References: <018801cb5a35$fd37a500$f7a6ef00$@gousseau@santeos.com> Message-ID: <4C9ABFB3.3010502@aleksey.com> How do you specify the key? Do you have a key name in the template?
Aleksey On 9/22/10 2:10 AM, GOUSSEAU Denis wrote: > I'm trying to use XmlSec binaries with a pkcs11 engine which works fine > with openssl: > > OpenSsl config file: > > openssl_conf = openssl_def > > [openssl_def] > > engines = engine_section > > [engine_section] > > pkcs11 = pkcs11_section > > [pkcs11_section] > > engine_id = pkcs11 > > dynamic_path = ./engine_pkcs11.dll > > MODULE_PATH = c:/windows/cps_pkcs11_w32.dll > > init = 0 > > PIN=1234 > > [req] > > distinguished_name = req_distinguished_name > > [req_distinguished_name] > > DOS command line: > > xmlsec --sign--pwd 1234 --crypto openssl --crypto-config .\openssl.cfg > TestEnvoi.txt > > And I have this error: > > func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec > library function failed: > > func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key > is not found: > > func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec > library function failed: > > func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec > library function failed: > > Error: signature failed > > Error: failed to sign file "TestEnvoi.txt" > > With a pem certificate, the file can be signed. > > So, the problem is with openssl and the config file or the engine I'm using. > > Does xmlSec work with a pkcs11 engine without change? Because I saw some > patches but can't find them, with a problem on the private key. > > Thanks for your help. > > ----------------------------------------------- > Denis GOUSSEAU > Société
SANTEOS > ----------------------------------------------- > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Wed Sep 22 19:49:01 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Wed, 22 Sep 2010 19:49:01 -0700 Subject: [xmlsec] install-sh and multiple files In-Reply-To: <78E88FFC-254F-435A-A486-BBA22626C637@usc.edu> References: <78E88FFC-254F-435A-A486-BBA22626C637@usc.edu> Message-ID: <4C9AC01D.7020708@aleksey.com> Which OS do you use? Aleksey On 9/22/10 2:45 PM, Russell Beall wrote: > Hi, > > I am trying to install the latest version of xmlsec, but I am having > trouble with the installer. > > The installer from 1.2.13 works because it feeds files one at a time to > install-sh. > > The installers from 1.2.14, 1.2.15 and 1.2.16 do not work because the > makefile instruction feeds multiple files to install-sh all at once. > Only the first file in the list gets actually installed. > > The comments at the top of install-sh indicate that it can only process > files one at a time. > > Is this a bug or am I missing something? > > Thanks, > Russ. > > ============================== > Russell Beall > Programmer Analyst IV > Enterprise Identity Management > University of Southern California > beall at usc.edu > ============================== > > > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From xmlsec at roumenpetrov.info Fri Sep 24 13:31:30 2010 From: xmlsec at roumenpetrov.info (Roumen Petrov) Date: Fri, 24 Sep 2010 23:31:30 +0300 Subject: [xmlsec] install-sh and multiple files In-Reply-To: <4C9AC01D.7020708@aleksey.com> References: <78E88FFC-254F-435A-A486-BBA22626C637@usc.edu> <4C9AC01D.7020708@aleksey.com> Message-ID: <4C9D0AA2.2030900@roumenpetrov.info> Aleksey Sanin wrote: > Which OS do you use? 
> > Aleksey > > On 9/22/10 2:45 PM, Russell Beall wrote: >> Hi, >> >> I am trying to install the latest version of xmlsec, but I am having >> trouble with the installer. >> >> The installer from 1.2.13 works because it feeds files one at a time to >> install-sh. >> >> The installers from 1.2.14, 1.2.15 and 1.2.16 do not work because the >> makefile instruction feeds multiple files to install-sh all at once. >> Only the first file in the list gets actually installed. >> [SNIP] I guess that the repository has old autotools files: My source tree differs from origin in the following files: +++ b/depcomp +++ b/install-sh +++ b/m4/libtool.m4 +++ b/m4/ltoptions.m4 +++ b/m4/ltversion.m4 +++ b/m4/lt~obsolete.m4 +++ b/missing +++ b/mkinstalldirs The difference comes from the following commands: $ libtoolize --force --copy $ aclocal --force -I m4 $ autoheader --force $ autoconf --force $ automake --add-missing --copy --force-missing --foreign as libtool is a trunk (after 2.2.10) version, automake 1.11.1 and autoconf 2.65. The diff file shows that the install.sh in the repository carries the comment "# This comes from X11R5 (mit/util/scripts/install.sh)". Definitely this old script doesn't support multiple files on the command line. Solution: either remove depcomp, install-sh, missing and mkinstalldirs from the repository so that the autogen.sh script creates them when the release tarball is built, or update the autogen.sh script to use the --force argument to replace old automake files. Roumen From beall at usc.edu Fri Sep 24 14:48:41 2010 From: beall at usc.edu (Russell Beall) Date: Fri, 24 Sep 2010 14:48:41 -0700 Subject: [xmlsec] install-sh and multiple files In-Reply-To: <4C9D0AA2.2030900@roumenpetrov.info> References: <78E88FFC-254F-435A-A486-BBA22626C637@usc.edu> <4C9AC01D.7020708@aleksey.com> <4C9D0AA2.2030900@roumenpetrov.info> Message-ID: <5D640B91-7055-4E1D-B7A1-7F74A7D76173@usc.edu> Yes, it probably is just an old version of install-sh.
One thing I found which "solves" the problem is that I copied over the install-sh from libxml2-2.7.7. Multi-file copies work properly with that edition and I was able to install 1.2.16 with that. Russ. On Sep 24, 2010, at 1:31 PM, Roumen Petrov wrote: > Aleksey Sanin wrote: >> Which OS do you use? >> >> Aleksey >> >> On 9/22/10 2:45 PM, Russell Beall wrote: >>> Hi, >>> >>> I am trying to install the latest version of xmlsec, but I am having >>> trouble with the installer. >>> >>> The installer from 1.2.13 works because it feeds files one at a time to >>> install-sh. >>> >>> The installers from 1.2.14, 1.2.15 and 1.2.16 do not work because the >>> makefile instruction feeds multiple files to install-sh all at once. >>> Only the first file in the list gets actually installed. >>> > [SNIP] > > I guess that the repository has old autotools files: > My source tree differs from origin in the following files: > +++ b/depcomp > +++ b/install-sh > +++ b/m4/libtool.m4 > +++ b/m4/ltoptions.m4 > +++ b/m4/ltversion.m4 > +++ b/m4/lt~obsolete.m4 > +++ b/missing > +++ b/mkinstalldirs > > The difference comes from the following commands: > $ libtoolize --force --copy > $ aclocal --force -I m4 > $ autoheader --force > $ autoconf --force > $ automake --add-missing --copy --force-missing --foreign > > as libtool is a trunk (after 2.2.10) version, automake 1.11.1 and autoconf 2.65. > > The diff file shows that the install.sh in the repository carries the comment "# This comes from X11R5 (mit/util/scripts/install.sh)". Definitely this old script doesn't support multiple files on the command line. > > Solution: either remove depcomp, install-sh, missing and mkinstalldirs from the repository so that the autogen.sh script creates them when the release tarball is built, or update the autogen.sh script to use the --force argument to replace old automake files.
> > Roumen From aleksey at aleksey.com Fri Sep 24 21:44:49 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Fri, 24 Sep 2010 21:44:49 -0700 Subject: [xmlsec] install-sh and multiple files In-Reply-To: <4C9D0AA2.2030900@roumenpetrov.info> References: <78E88FFC-254F-435A-A486-BBA22626C637@usc.edu> <4C9AC01D.7020708@aleksey.com> <4C9D0AA2.2030900@roumenpetrov.info> Message-ID: <4C9D7E41.8080904@aleksey.com> Thanks! Good suggestions. I removed these files from Git and updated autogen.sh to call all the tools you've mentioned. Aleksey On 9/24/10 1:31 PM, Roumen Petrov wrote: > Aleksey Sanin wrote: >> Which OS do you use? >> >> Aleksey >> >> On 9/22/10 2:45 PM, Russell Beall wrote: >>> Hi, >>> >>> I am trying to install the latest version of xmlsec, but I am having >>> trouble with the installer. >>> >>> The installer from 1.2.13 works because it feeds files one at a time to >>> install-sh. >>> >>> The installers from 1.2.14, 1.2.15 and 1.2.16 do not work because the >>> makefile instruction feeds multiple files to install-sh all at once. >>> Only the first file in the list gets actually installed. >>> > [SNIP] > > I guess that the repository has old autotools files: > My source tree differs from origin in the following files: > +++ b/depcomp > +++ b/install-sh > +++ b/m4/libtool.m4 > +++ b/m4/ltoptions.m4 > +++ b/m4/ltversion.m4 > +++ b/m4/lt~obsolete.m4 > +++ b/missing > +++ b/mkinstalldirs > > The difference comes from the following commands: > $ libtoolize --force --copy > $ aclocal --force -I m4 > $ autoheader --force > $ autoconf --force > $ automake --add-missing --copy --force-missing --foreign > > as libtool is a trunk (after 2.2.10) version, automake 1.11.1 and > autoconf 2.65. > > The diff file shows that the install.sh in the repository carries the comment "# > This comes from X11R5 (mit/util/scripts/install.sh)". Definitely this > old script doesn't support multiple files on the command line.
> > Solution: either remove depcomp, install-sh, missing > and mkinstalldirs from the repository so that the autogen.sh script creates them when the > release tarball is built, or update the autogen.sh script to use the --force > argument to replace old automake files. > > Roumen > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From Frank.Buettner at webinstore.de Tue Oct 5 01:22:42 2010 From: Frank.Buettner at webinstore.de (Frank Büttner) Date: Tue, 5 Oct 2010 10:22:42 +0200 Subject: [xmlsec] Build error with 1.2.16 Message-ID: <1A64D6DE439EB545A573C57EA859626F7A901016AD@WEBINSTORSERVER.webinstore.local> Hello, when I try to build xmlsec, I get the following error: c14n.c: In function 'xmlSecTransformC14NExecute': c14n.c:423: error: 'XML_C14N_1_0' undeclared (first use in this function) c14n.c:423: error: (Each undeclared identifier is reported only once c14n.c:423: error: for each function it appears in.) c14n.c:431: error: 'XML_C14N_1_1' undeclared (first use in this function) c14n.c:439: error: 'XML_C14N_EXCLUSIVE_1_0' undeclared (first use in this function) I have tried libxml2-2.7.4 and 2.7.7, always with the same result. What am I doing wrong? From aleksey at aleksey.com Tue Oct 5 08:14:23 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 05 Oct 2010 08:14:23 -0700 Subject: [xmlsec] Build error with 1.2.16 In-Reply-To: <1A64D6DE439EB545A573C57EA859626F7A901016AD@WEBINSTORSERVER.webinstore.local> References: <1A64D6DE439EB545A573C57EA859626F7A901016AD@WEBINSTORSERVER.webinstore.local> Message-ID: <4CAB40CF.3050708@aleksey.com> Hm... This is weird. The XML_C14N_1_1 and other constants are defined in LibXML2's include/libxml/c14n.h file. Can you attach the complete config.log and the complete output of the make command?
Thanks Aleksey On 10/5/10 1:22 AM, Frank Büttner wrote: > Hello, when I try to build xmlsec, > I get the following error: > c14n.c: In function 'xmlSecTransformC14NExecute': > c14n.c:423: error: 'XML_C14N_1_0' undeclared (first use in this function) > c14n.c:423: error: (Each undeclared identifier is reported only once > c14n.c:423: error: for each function it appears in.) > c14n.c:431: error: 'XML_C14N_1_1' undeclared (first use in this function) > c14n.c:439: error: 'XML_C14N_EXCLUSIVE_1_0' undeclared (first use in this function) > > I have tried libxml2-2.7.4 and 2.7.7, always with the same result. > What am I doing wrong? > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From Frank.Buettner at webinstore.de Tue Oct 5 23:41:16 2010 From: Frank.Buettner at webinstore.de (Frank Büttner) Date: Wed, 6 Oct 2010 08:41:16 +0200 Subject: [xmlsec] Build error with 1.2.16 In-Reply-To: <4CAB40CF.3050708@aleksey.com> References: <1A64D6DE439EB545A573C57EA859626F7A901016AD@WEBINSTORSERVER.webinstore.local>, <4CAB40CF.3050708@aleksey.com> Message-ID: <1A64D6DE439EB545A573C57EA859626F7A9334E7B7@WEBINSTORSERVER.webinstore.local> I have found it. The problem was that I had used my own version of libxml2 and the system version of libxslt from CentOS5. And when I looked at the include paths on the compile line, I saw that the headers of libxml2 were first included from CentOS and then my own. And this was it. After building my own version of libxslt, which uses my libxslt, all was OK. So the xmlsec lib was totally guiltless. Thanks for the help. Frank Subject: Re: [xmlsec] Build error with 1.2.16 Hm... This is weird. The XML_C14N_1_1 and other constants are defined in LibXML2's include/libxml/c14n.h file. Can you attach the complete config.log and the complete output of the make command?
Thanks Aleksey On 10/5/10 1:22 AM, Frank Büttner wrote: > Hello, when I try to build xmlsec, > I get the following error: > c14n.c: In function 'xmlSecTransformC14NExecute': > c14n.c:423: error: 'XML_C14N_1_0' undeclared (first use in this function) > c14n.c:423: error: (Each undeclared identifier is reported only once > c14n.c:423: error: for each function it appears in.) > c14n.c:431: error: 'XML_C14N_1_1' undeclared (first use in this function) > c14n.c:439: error: 'XML_C14N_EXCLUSIVE_1_0' undeclared (first use in this function) > > I have tried libxml2-2.7.4 and 2.7.7, always with the same result. > What am I doing wrong? > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From aleksey at aleksey.com Tue Oct 5 23:56:48 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 05 Oct 2010 23:56:48 -0700 Subject: [xmlsec] Build error with 1.2.16 In-Reply-To: <1A64D6DE439EB545A573C57EA859626F7A9334E7B7@WEBINSTORSERVER.webinstore.local> References: <1A64D6DE439EB545A573C57EA859626F7A901016AD@WEBINSTORSERVER.webinstore.local>, <4CAB40CF.3050708@aleksey.com> <1A64D6DE439EB545A573C57EA859626F7A9334E7B7@WEBINSTORSERVER.webinstore.local> Message-ID: <4CAC1DB0.7060301@aleksey.com> Glad to know :) On 10/5/10 11:41 PM, Frank Büttner wrote: > I have found it. > The problem was that I had used my own version of libxml2 and the > system version of libxslt from CentOS5. And when I looked at the > include paths on the compile line, I saw that the headers of > libxml2 were first included from CentOS and then my own. > And this was it. After building my own version of libxslt, which > uses my libxslt, all was OK. So the xmlsec lib was totally guiltless. > > Thanks for the help. > Frank > > Subject: Re: [xmlsec] Build error with 1.2.16 > > Hm... This is weird. The XML_C14N_1_1 and other constants are defined > in LibXML2's include/libxml/c14n.h file.
Can you attach the complete > config.log and the complete output of make command? > > Thanks > Aleksey > > On 10/5/10 1:22 AM, Frank B?ttner wrote: >> Hello, when I try to build xmlsec, >> I get the follow error: >> c14n.c: In function 'xmlSecTransformC14NExecute': >> c14n.c:423: error: 'XML_C14N_1_0' undeclared (first use in this function) >> c14n.c:423: error: (Each undeclared identifier is reported only once >> c14n.c:423: error: for each function it appears in.) >> c14n.c:431: error: 'XML_C14N_1_1' undeclared (first use in this function) >> c14n.c:439: error: 'XML_C14N_EXCLUSIVE_1_0' undeclared (first use in this function) >> >> I have try libxml2-2.7.4 and 2.7.7 always the same result. >> What do I wrong? >> _______________________________________________ >> xmlsec mailing list >> xmlsec at aleksey.com >> http://www.aleksey.com/mailman/listinfo/xmlsec > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From cruisercoder at gmail.com Tue Oct 12 23:36:39 2010 From: cruisercoder at gmail.com (Erik Smith) Date: Tue, 12 Oct 2010 23:36:39 -0700 Subject: [xmlsec] corrupt context after verify call Message-ID: After I call xmlSecDSigCtxVerify, the status in the contex is corrupted with a large number. However xmlsec1 reports validation as OK. xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml Also xmlSecDSigCtxDebugDump output is exactly the same for xmlsec1 and my program. I've reduced the code down to what is below and I'm having trouble seeing what could be wrong. libxml version: 2.6.27 xmlsec version: 1.2.11 Thanks for any help. 
#include <cstdio>
#include <cstdlib>
#include <iostream>

#include <libxml/parser.h>
#include <libxml/tree.h>
#include <libxml/valid.h>

#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
#endif

#include <xmlsec/xmlsec.h>
#include <xmlsec/xmltree.h>
#include <xmlsec/keysmngr.h>
#include <xmlsec/xmldsig.h>
#include <xmlsec/crypto.h>

// Build with the same compiler flags as the xmlsec library itself, e.g.
//   g++ verify.cpp $(pkg-config --cflags --libs xmlsec1-openssl)
// Different XMLSEC_* defines, alignment or debug settings change the layout
// of xmlSecDSigCtx, and fields such as dsigCtx->status then read as garbage.

void error(const char *);
void set_id(xmlDocPtr doc);   // forward declaration: set_id is called before it is defined

int main(int argc, char **argv) {
    using namespace std;
    int status(0);

    xmlSecKeysMngrPtr mngr_;
    xmlSecDSigCtxPtr dsigCtx;
    xmlDocPtr doc_;

    cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
    cout << "xmlsec version: " << XMLSEC_VERSION << endl;

    xmlInitParser();
    LIBXML_TEST_VERSION;
    // Taken from the xmlsec examples. External DTD loading and entity
    // substitution are enabled here; on a SAML response received from an
    // untrusted party that exposes the parser to external entities, so do
    // not keep these defaults in production code.
    xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
    xmlSubstituteEntitiesDefault(1);

#ifndef XMLSEC_NO_XSLT
    xmlIndentTreeOutput = 1;
#endif
    // Init xmlsec library
    if (xmlSecInit() < 0) error("xmlSecInit");
    if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");

#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
    if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
        error("xmlSecCryptoDLLoadLibrary");
#endif

    if (xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto initialization failed.");
    if (xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto initialization failed.");

    mngr_ = xmlSecKeysMngrCreate();
    if (!mngr_) error("xmlSecKeysMngrCreate failed");

    if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("xmlSecCryptoAppDefaultKeysMngrInit failed");

    // Load the signer's certificate and register its public key as a trusted key
    xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
    xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, NULL, NULL);
    if (!key) error("key load error");

    if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0) error("could not add key");

    doc_ = xmlParseFile("saml.xml");
    if (!doc_ || !xmlDocGetRootElement(doc_)) error("could not parse saml.xml");

    // Register ResponseID as an ID attribute so the "#Response-..." reference resolves
    set_id(doc_);

    xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_), xmlSecNodeSignature, xmlSecDSigNs);
    if (!node) error("start node not found");

    dsigCtx = xmlSecDSigCtxCreate(mngr_);
    if (!dsigCtx) error("failed to create signature context");

    std::cout << "status before: " << dsigCtx->status << std::endl;
    if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) error("signature verify error");
    std::cout << "status: " << dsigCtx->status << std::endl;

    // A non-negative return from xmlSecDSigCtxVerify only means verification
    // ran to completion; whether the signature is valid is in dsigCtx->status.
    if (dsigCtx->status == xmlSecDSigStatusSucceeded) {
        std::cout << "signature is OK" << std::endl;
    } else {
        std::cout << "signature is INVALID" << std::endl;
        status = 1;
    }
    //xmlSecDSigCtxDebugDump(dsigCtx, stdout);

    xmlSecDSigCtxDestroy(dsigCtx);
    xmlSecKeysMngrDestroy(mngr_);
    xmlFreeDoc(doc_);

    xmlSecCryptoShutdown();
    xmlSecCryptoAppShutdown();
    xmlSecShutdown();
    xmlCleanupParser();

    return status;
}

void set_id(xmlDocPtr doc) {
    using namespace std;

    xmlNodePtr node = xmlSecFindNode(
        xmlDocGetRootElement(doc),
        BAD_CAST "Response",
        BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
    if (!node) error("Response element not found");

    cout << "element name: " << node->name << endl;
    xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
    if (!attr) error("attribute not found");
    cout << "attribute name: " << attr->name << endl;

    xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
    if (!value) error("xmlNodeListGetString");
    cout << "value: " << value << endl;

    xmlAttrPtr tmp(xmlGetID(node->doc, value));
    if (tmp) {
        cout << "id already registered" << endl;
    } else {
        // xmlAddID copies the value, so the string can be freed afterwards
        xmlIDPtr id = xmlAddID(NULL, doc, value, attr);
        if (!id) {
            xmlFree(value);
            error("xmlAddID error");
        }
        cout << "id added" << endl;
    }

    xmlFree(value);
}

void error(const char *e) {
    std::cout << e << std::endl;
    std::cout << "exiting" << std::endl;
    exit(1);   // non-zero so the failure is visible to the caller
}

From aleksey at aleksey.com Wed Oct 13 07:28:43 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 13 Oct 2010 07:28:43 -0700
Subject: [xmlsec] corrupt context after verify call
In-Reply-To:
References:
Message-ID: <4CB5C21B.5000509@aleksey.com>

What is the output of the xmlsec1 command?

Aleksey

On 10/12/10 11:36 PM, Erik Smith wrote:
> After I call xmlSecDSigCtxVerify, the status in the context is corrupted
> with a large number. However, xmlsec1 reports validation as OK.
>
> xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references
> --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml
>
> Also, xmlSecDSigCtxDebugDump output is exactly the same for xmlsec1 and
> my program.
>
> I've reduced the code down to what is below and I'm having trouble
> seeing what could be wrong.
>
> libxml version: 2.6.27
> xmlsec version: 1.2.11
>
> Thanks for any help.
> [...]

From cruisercoder at gmail.com Wed Oct 13 07:32:06 2010
From: cruisercoder at gmail.com (Erik Smith)
Date: Wed, 13 Oct 2010 07:32:06 -0700
Subject: [xmlsec] corrupt context after verify call
In-Reply-To: <4CB5C21B.5000509@aleksey.com>
References: <4CB5C21B.5000509@aleksey.com>
Message-ID:

xmlsec output:

OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: -1
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Certificate:
==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
==== Issuer Serial: 4CAB2D3B
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1"
MinorVersion="1" Recipient="http://amgr.emdeon.com"
ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404">
Value="samlp:Success">
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
IssueInstant="2010-10-06T16:15:38.906Z"
Issuer="http://access.emdeon.com" MajorVersion="1"
MinorVersion="1">
NotOnOrAfter="2010-10-06T21:25:38.905Z">
AuthenticationInstant="2010-10-06T16:15:38.906Z"
AuthenticationMethod="urn:oasis:names:tc:1.0:am:password">kpentiurn:oasis:names:tc:1.0:cm:bearer
== PreDigest data - end buffer
== Manifest References List:
=== list size: 0

On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin wrote:
> What is the output of the xmlsec1 command?
>
> Aleksey
>
>
> On 10/12/10 11:36 PM, Erik Smith wrote:
>
>> After I call xmlSecDSigCtxVerify, the status in the context is corrupted
>> with a large number. However, xmlsec1 reports validation as OK.
>>
>> xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references
>> --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response
>> /saml.xml
>>
>> Also, xmlSecDSigCtxDebugDump output is exactly the same for xmlsec1 and
>> my program.
>>
>> I've reduced the code down to what is below and I'm having trouble
>> seeing what could be wrong.
>>
>> libxml version: 2.6.27
>> xmlsec version: 1.2.11
>>
>> Thanks for any help.
>> [...]

From aleksey at aleksey.com Wed Oct 13 09:29:24 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 13 Oct 2010 09:29:24 -0700
Subject: [xmlsec] corrupt context after verify call
In-Reply-To:
References: <4CB5C21B.5000509@aleksey.com>
Message-ID: <4CB5DE64.5040908@aleksey.com>

Sounds like you are compiling your application with different flags compared to xmlsec. Something like structure member alignment or debug vs. release.
Aleksey

On 10/13/10 7:32 AM, Erik Smith wrote:
> xmlsec output:
>
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> = VERIFICATION CONTEXT
> == Status: succeeded
> [...]
> == Manifest References List:
> === list size: 0
>
> On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin wrote:
>> What is the output of the xmlsec1 command?
>>
>> Aleksey
>>
>> On 10/12/10 11:36 PM, Erik Smith wrote:
>>> [...]

From cruisercoder at gmail.com Wed Oct 13 10:56:36 2010
From: cruisercoder at gmail.com (Erik Smith)
Date: Wed, 13 Oct 2010 10:56:36 -0700
Subject: [xmlsec] corrupt context after verify call
In-Reply-To: <4CB5DE64.5040908@aleksey.com>
References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com>
Message-ID:

I rebuilt libxml, xmlsec, and libxslt to the latest and I get an x509 error for some reason. Any ideas on this?

libxml version: 2.7.7
xmlsec version: 1.2.16
libxslt version: 1.1.26
func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto library function failed:
func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec library function failed:
func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec library function failed:xmlSecOpenSSLX509StoreId
func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec library function failed:

2010/10/13 Aleksey Sanin
> Sounds like you are compiling your application with different flags
> compared to xmlsec. Something like structure member alignment
> or debug vs. release.
>
> Aleksey
>
> On 10/13/10 7:32 AM, Erik Smith wrote:
>> xmlsec output:
>>
>> OK
>> [...]

From aleksey at aleksey.com Wed Oct 13 12:04:42 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 13 Oct 2010 12:04:42 -0700
Subject: [xmlsec] corrupt context after verify call
In-Reply-To:
References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com>
Message-ID: <4CB602CA.10105@aleksey.com>

The dir might not exist?

Aleksey

On 10/13/10 10:56 AM, Erik Smith wrote:
> I rebuilt libxml, xmlsec, and libxslt to the latest and I get an x509
> error for some reason. Any ideas on this?
>
> libxml version: 2.7.7
> xmlsec version: 1.2.16
> libxslt version: 1.1.26
> func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto
> library function failed:
> func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec
> library function failed:
> func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec
> library function failed:xmlSecOpenSSLX509StoreId
> func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec
> library function failed:
>
> 2010/10/13 Aleksey Sanin
>> Sounds like you are compiling your application with different flags
>> compared to xmlsec. Something like structure member alignment
>> or debug vs. release.
>>
>> Aleksey
>>
>> On 10/13/10 7:32 AM, Erik Smith wrote:
>>> xmlsec output:
>>>
>>> OK
>>> [...]
>>> ==== Issuer Name:
/C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon > ==== Issuer Serial: 4CAB2D3B > == SignedInfo References List: > === list size: 1 > = REFERENCE VERIFICATION CONTEXT > == Status: succeeded > == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404" > == Reference Transform Ctx: > == TRANSFORMS CTX (status=2) > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled transforms: all > === uri: > === uri xpointer expr: > #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404 > === Transform: xpointer > (href=http://www.w3.org/2001/04/xmldsig-more/xptr) > === Transform: enveloped-signature > (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) > === Transform: exc-c14n > (href=http://www.w3.org/2001/10/xml-exc-c14n#) > === Transform: membuf-transform (href=NULL) > === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) > === Transform: membuf-transform (href=NULL) > == Digest Method: > === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) > == PreDigest data - start buffer: > xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" > xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" > xmlns:xsd="http://www.w3.org/2001/XMLSchema" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1" > MinorVersion="1" Recipient="http://amgr.emdeon.com" > ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"> Value="samlp:Success"> xmlns="urn:oasis:names:tc:SAML:1.0:assertion" > AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761" > IssueInstant="2010-10-06T16:15:38.906Z" > Issuer="http://access.emdeon.com" MajorVersion="1" > MinorVersion="1"> NotOnOrAfter="2010-10-06T21:25:38.905Z"> AuthenticationInstant="2010-10-06T16:15:38.906Z" > AuthenticationMethod="urn:oasis:names:tc:1.0:am:password">kpentiurn:oasis:names:tc:1.0:cm:bearer > == PreDigest data - end buffer > == Manifest References List: > === list size: 0 > > > On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin > > >> wrote: > > 
What is the output of the xmlsec1 command? > > Aleksey > > > On 10/12/10 11:36 PM, Erik Smith wrote: > > After I call xmlSecDSigCtxVerify, the status in the > contex is > corrupted > with a large number. However xmlsec1 reports > validation as OK. > > xmlsec1 --verify --pubkey-cert-pem cert.crt > --store-references > --id-attr:ResponseID > urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml > > Also xmlSecDSigCtxDebugDump output is exactly the same for > xmlsec1 and > my program. > > I've reduced the code down to what is below and I'm > having trouble > seeing what could be wrong. > > libxml version: 2.6.27 > xmlsec version: 1.2.11 > > Thanks for any help. > > > > #include > #include > #include > #include > #include > > #ifndef XMLSEC_NO_XSLT > #include > #endif > > void error(const char *); > > int main(int argc, char **argv) { > using namespace std; > int status(0); > > xmlSecKeysMngrPtr mngr_; > xmlSecDSigCtxPtr dsigCtx; > xmlDocPtr doc_; > > cout << "libxml version: " << LIBXML_DOTTED_VERSION > << endl; > cout << "xmlsec version: " << XMLSEC_VERSION << endl; > > xmlInitParser(); > LIBXML_TEST_VERSION; > xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | > XML_COMPLETE_ATTRS; > xmlSubstituteEntitiesDefault(1); > > #ifndef XMLSEC_NO_XSLT > xmlIndentTreeOutput = 1; > #endif > // Init xmlsec library > if (xmlSecInit() < 0) error("xmlSecInit"); > if (xmlSecCheckVersion() != 1) > error("xmlSecCheckVersion"); > > #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING > if(xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0) > error("xmlSecCryptoDLLoadLibrary"); > #endif > > if(xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto > initialization failed."); > if(xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto > initialization failed."); > > mngr_ = xmlSecKeysMngrCreate(); > if (!mngr_) error("bad"); > > if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) > error("bad"); > > xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem); > xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", > 
format, NULL, > NULL, NULL); > if (!key) error("key load error"); > > if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, > key) < 0) > error("could not add key"); > > doc_ = xmlParseFile("saml.xml"); > if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad"); > > set_id(doc_); > > xmlNodePtr node = > xmlSecFindNode(xmlDocGetRootElement(doc_), > xmlSecNodeSignature, xmlSecDSigNs); > if (!node) error("start node not found"); > > dsigCtx = xmlSecDSigCtxCreate(mngr_); > if (!dsigCtx) error("failed to create signature > context"); > > std::cout << "status before: " << dsigCtx->status > << std::endl; > if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) > error("signature verify > error"); > std::cout << "status: " << dsigCtx->status << > std::endl; > //xmlSecDSigCtxDebugDump(dsigCtx, stdout); > > return status; > } > > void set_id(xmlDocPtr doc) { > using namespace std; > > xmlNodePtr node = xmlSecFindNode( > xmlDocGetRootElement(doc), > BAD_CAST "Response", > BAD_CAST > "urn:oasis:names:tc:SAML:1.0:protocol"); > > cout << "element name: " << node->name<< endl; > xmlAttrPtr attr = xmlHasProp(node, BAD_CAST > "ResponseID"); > if (!attr) error("attribute not found"); > cout << "attribute name: " << attr->name<< endl; > > xmlChar *value = xmlNodeListGetString(node->doc, > attr->children, 1); > if (!value) error("xmlNodeListGetString"); > cout << "value: " << value << endl; > > xmlAttrPtr tmp(xmlGetID(node->doc, value)); > if (tmp) { > cout << "id already registered" << endl; > } else { > xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST > value, attr); > if (!id) { > xmlFree(value); // fix > error("xmlAddID error"); > } > cout << "id added" << endl; > } > > //xmlFree(value); // fix > } > > void error(const char *e) { > std::cout << e << std::endl; > std::cout << "exiting" << std::endl; > exit(0); > } > > > > > > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > > > > http://www.aleksey.com/mailman/listinfo/xmlsec > > > From cruisercoder at 
gmail.com Wed Oct 13 12:07:54 2010 From: cruisercoder at gmail.com (Erik Smith) Date: Wed, 13 Oct 2010 12:07:54 -0700 Subject: [xmlsec] corrupt context after verify call In-Reply-To: <4CB602CA.10105@aleksey.com> References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com> <4CB602CA.10105@aleksey.com> Message-ID: I'm not specifying any directories in the code, only two files in the CWD. Did something change in recent version that requires a cert directory for openssl? erik On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin wrote: > The dir might not exists? > > Aleksey > > > On 10/13/10 10:56 AM, Erik Smith wrote: > >> I rebuilt libxml, xmlsec, and libxslt to the latest and I get an x509 >> error for some reason. Any ideas on this? >> >> libxml version: 2.7.7 >> xmlsec version: 1.2.16 >> libxslt version: 1.1.26 >> >> func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto >> library function failed: >> >> func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec >> library function failed: >> >> func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec >> library function failed:xmlSecOpenSSLX509StoreId >> >> func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec >> library function failed: >> >> >> >> 2010/10/13 Aleksey Sanin > >> >> >> >> Sounds like you are compiling your application with different flags >> compared to xmlsec. Something like structure members alignment >> or debug vs. release. 
>> >> Aleksey >> >> >> On 10/13/10 7:32 AM, Erik Smith wrote: >> >> xmlsec output: >> >> OK >> SignedInfo References (ok/all): 1/1 >> Manifests References (ok/all): 0/0 >> = VERIFICATION CONTEXT >> == Status: succeeded >> == flags: 0x00000006 >> == flags2: 0x00000000 >> == Key Info Read Ctx: >> = KEY INFO READ CONTEXT >> == flags: 0x00000000 >> == flags2: 0x00000000 >> == enabled key data: all >> == RetrievalMethod level (cur/max): 0/1 >> == TRANSFORMS CTX (status=0) >> == flags: 0x00000000 >> == flags2: 0x00000000 >> == enabled transforms: all >> === uri: NULL >> === uri xpointer expr: NULL >> == EncryptedKey level (cur/max): 0/1 >> === KeyReq: >> ==== keyId: rsa >> ==== keyType: 0x00000001 >> ==== keyUsage: 0x00000002 >> ==== keyBitsSize: 0 >> === list size: 0 >> == Key Info Write Ctx: >> = KEY INFO WRITE CONTEXT >> == flags: 0x00000000 >> == flags2: 0x00000000 >> == enabled key data: all >> == RetrievalMethod level (cur/max): 0/1 >> == TRANSFORMS CTX (status=0) >> == flags: 0x00000000 >> == flags2: 0x00000000 >> == enabled transforms: all >> === uri: NULL >> === uri xpointer expr: NULL >> == EncryptedKey level (cur/max): 0/1 >> === KeyReq: >> ==== keyId: NULL >> ==== keyType: 0x00000001 >> ==== keyUsage: 0xffffffff >> ==== keyBitsSize: 0 >> === list size: 0 >> == Signature Transform Ctx: >> == TRANSFORMS CTX (status=2) >> == flags: 0x00000000 >> == flags2: 0x00000000 >> == enabled transforms: all >> === uri: NULL >> === uri xpointer expr: NULL >> === Transform: exc-c14n >> (href=http://www.w3.org/2001/10/xml-exc-c14n#) >> === Transform: rsa-sha1 >> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >> === Transform: membuf-transform (href=NULL) >> == Signature Method: >> === Transform: rsa-sha1 >> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >> == Signature Key: >> == KEY >> === method: RSAKeyValue >> === key type: Public >> === key usage: -1 >> === rsa key: size = 1024 >> === list size: 1 >> === X509 Data: >> ==== Certificate: >> ==== Subject Name: >> 
/C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon >> ==== Issuer Name: >> /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon >> ==== Issuer Serial: 4CAB2D3B >> == SignedInfo References List: >> === list size: 1 >> = REFERENCE VERIFICATION CONTEXT >> == Status: succeeded >> == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404" >> == Reference Transform Ctx: >> == TRANSFORMS CTX (status=2) >> == flags: 0x00000000 >> == flags2: 0x00000000 >> == enabled transforms: all >> === uri: >> === uri xpointer expr: >> #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404 >> === Transform: xpointer >> (href=http://www.w3.org/2001/04/xmldsig-more/xptr) >> === Transform: enveloped-signature >> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) >> === Transform: exc-c14n >> (href=http://www.w3.org/2001/10/xml-exc-c14n#) >> === Transform: membuf-transform (href=NULL) >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >> === Transform: membuf-transform (href=NULL) >> == Digest Method: >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >> == PreDigest data - start buffer: >> > xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" >> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" >> xmlns:xsd="http://www.w3.org/2001/XMLSchema" >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >> IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1" >> MinorVersion="1" Recipient="http://amgr.emdeon.com" >> >> ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404">> Value="samlp:Success">> xmlns="urn:oasis:names:tc:SAML:1.0:assertion" >> AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761" >> IssueInstant="2010-10-06T16:15:38.906Z" >> Issuer="http://access.emdeon.com" MajorVersion="1" >> MinorVersion="1">> >> NotOnOrAfter="2010-10-06T21:25:38.905Z">> AuthenticationInstant="2010-10-06T16:15:38.906Z" >> >> AuthenticationMethod="urn:oasis:names:tc:1.0:am:password">kpentiurn:oasis:names:tc:1.0:cm:bearer >> == PreDigest data - 
end buffer >> == Manifest References List: >> === list size: 0 >> >> >> On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin >> >> >> wrote: >> >> What is the output of the xmlsec1 command? >> >> Aleksey >> >> >> On 10/12/10 11:36 PM, Erik Smith wrote: >> >> After I call xmlSecDSigCtxVerify, the status in the >> contex is >> corrupted >> with a large number. However xmlsec1 reports >> validation as OK. >> >> xmlsec1 --verify --pubkey-cert-pem cert.crt >> --store-references >> --id-attr:ResponseID >> urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml >> >> Also xmlSecDSigCtxDebugDump output is exactly the same for >> xmlsec1 and >> my program. >> >> I've reduced the code down to what is below and I'm >> having trouble >> seeing what could be wrong. >> >> libxml version: 2.6.27 >> xmlsec version: 1.2.11 >> >> Thanks for any help. >> >> >> >> #include >> #include >> #include >> #include >> #include >> >> #ifndef XMLSEC_NO_XSLT >> #include >> #endif >> >> void error(const char *); >> >> int main(int argc, char **argv) { >> using namespace std; >> int status(0); >> >> xmlSecKeysMngrPtr mngr_; >> xmlSecDSigCtxPtr dsigCtx; >> xmlDocPtr doc_; >> >> cout << "libxml version: " << LIBXML_DOTTED_VERSION >> << endl; >> cout << "xmlsec version: " << XMLSEC_VERSION << endl; >> >> xmlInitParser(); >> LIBXML_TEST_VERSION; >> xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | >> XML_COMPLETE_ATTRS; >> xmlSubstituteEntitiesDefault(1); >> >> #ifndef XMLSEC_NO_XSLT >> xmlIndentTreeOutput = 1; >> #endif >> // Init xmlsec library >> if (xmlSecInit() < 0) error("xmlSecInit"); >> if (xmlSecCheckVersion() != 1) >> error("xmlSecCheckVersion"); >> >> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING >> if(xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0) >> error("xmlSecCryptoDLLoadLibrary"); >> #endif >> >> if(xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto >> initialization failed."); >> if(xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto >> initialization failed."); >> >> mngr_ = 
xmlSecKeysMngrCreate(); >> if (!mngr_) error("bad"); >> >> if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) >> error("bad"); >> >> xmlSecKeyDataFormat >> format(xmlSecKeyDataFormatCertPem); >> xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", >> format, NULL, >> NULL, NULL); >> if (!key) error("key load error"); >> >> if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, >> key) < 0) >> error("could not add key"); >> >> doc_ = xmlParseFile("saml.xml"); >> if (!doc_ || !xmlDocGetRootElement(doc_)) >> error("bad"); >> >> set_id(doc_); >> >> xmlNodePtr node = >> xmlSecFindNode(xmlDocGetRootElement(doc_), >> xmlSecNodeSignature, xmlSecDSigNs); >> if (!node) error("start node not found"); >> >> dsigCtx = xmlSecDSigCtxCreate(mngr_); >> if (!dsigCtx) error("failed to create signature >> context"); >> >> std::cout << "status before: " << dsigCtx->status >> << std::endl; >> if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) >> error("signature verify >> error"); >> std::cout << "status: " << dsigCtx->status << >> std::endl; >> //xmlSecDSigCtxDebugDump(dsigCtx, stdout); >> >> return status; >> } >> >> void set_id(xmlDocPtr doc) { >> using namespace std; >> >> xmlNodePtr node = xmlSecFindNode( >> xmlDocGetRootElement(doc), >> BAD_CAST "Response", >> BAD_CAST >> "urn:oasis:names:tc:SAML:1.0:protocol"); >> >> cout << "element name: " << node->name<< endl; >> xmlAttrPtr attr = xmlHasProp(node, BAD_CAST >> "ResponseID"); >> if (!attr) error("attribute not found"); >> cout << "attribute name: " << attr->name<< endl; >> >> xmlChar *value = xmlNodeListGetString(node->doc, >> attr->children, 1); >> if (!value) error("xmlNodeListGetString"); >> cout << "value: " << value << endl; >> >> xmlAttrPtr tmp(xmlGetID(node->doc, value)); >> if (tmp) { >> cout << "id already registered" << endl; >> } else { >> xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST >> value, attr); >> if (!id) { >> xmlFree(value); // fix >> error("xmlAddID error"); >> } >> cout << "id added" << endl; >> } >> >> //xmlFree(value); 
// fix >> } >> >> void error(const char *e) { >> std::cout << e << std::endl; >> std::cout << "exiting" << std::endl; >> exit(0); >> } >> >> >> >> >> >> >> >> >> _______________________________________________ >> xmlsec mailing list >> xmlsec at aleksey.com >> > >> >> >> http://www.aleksey.com/mailman/listinfo/xmlsec >> >> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From aleksey at aleksey.com Wed Oct 13 12:09:59 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Wed, 13 Oct 2010 12:09:59 -0700 Subject: [xmlsec] corrupt context after verify call In-Reply-To: References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com> <4CB602CA.10105@aleksey.com> Message-ID: <4CB60407.8@aleksey.com> No changes, it is a part of xmlsec-openssl init process. On 10/13/10 12:07 PM, Erik Smith wrote: > I'm not specifying any directories in the code, only two files in the > CWD. Did something change in recent version that requires a cert > directory for openssl? > > erik > > On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin > wrote: > > The dir might not exists? > > Aleksey > > > On 10/13/10 10:56 AM, Erik Smith wrote: > > I rebuilt libxml, xmlsec, and libxslt to the latest and I get an > x509 > error for some reason. Any ideas on this? 
> > libxml version: 2.7.7 > xmlsec version: 1.2.16 > libxslt version: 1.1.26 > func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto > library function failed: > func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec > library function failed: > func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec > library function failed:xmlSecOpenSSLX509StoreId > func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec > library function failed: > > > > 2010/10/13 Aleksey Sanin >> > > > Sounds like you are compiling your application with > different flags > compared to xmlsec. Something like structure members alignment > or debug vs. release. > > Aleksey > > > On 10/13/10 7:32 AM, Erik Smith wrote: > > xmlsec output: > > OK > SignedInfo References (ok/all): 1/1 > Manifests References (ok/all): 0/0 > = VERIFICATION CONTEXT > == Status: succeeded > == flags: 0x00000006 > == flags2: 0x00000000 > == Key Info Read Ctx: > = KEY INFO READ CONTEXT > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled key data: all > == RetrievalMethod level (cur/max): 0/1 > == TRANSFORMS CTX (status=0) > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled transforms: all > === uri: NULL > === uri xpointer expr: NULL > == EncryptedKey level (cur/max): 0/1 > === KeyReq: > ==== keyId: rsa > ==== keyType: 0x00000001 > ==== keyUsage: 0x00000002 > ==== keyBitsSize: 0 > === list size: 0 > == Key Info Write Ctx: > = KEY INFO WRITE CONTEXT > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled key data: all > == RetrievalMethod level (cur/max): 0/1 > == TRANSFORMS CTX (status=0) > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled transforms: all > === uri: NULL > === uri xpointer expr: NULL > == EncryptedKey level (cur/max): 0/1 > === KeyReq: > ==== keyId: 
NULL > ==== keyType: 0x00000001 > ==== keyUsage: 0xffffffff > ==== keyBitsSize: 0 > === list size: 0 > == Signature Transform Ctx: > == TRANSFORMS CTX (status=2) > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled transforms: all > === uri: NULL > === uri xpointer expr: NULL > === Transform: exc-c14n > (href=http://www.w3.org/2001/10/xml-exc-c14n#) > === Transform: rsa-sha1 > (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) > === Transform: membuf-transform (href=NULL) > == Signature Method: > === Transform: rsa-sha1 > (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) > == Signature Key: > == KEY > === method: RSAKeyValue > === key type: Public > === key usage: -1 > === rsa key: size = 1024 > === list size: 1 > === X509 Data: > ==== Certificate: > ==== Subject Name: > /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon > ==== Issuer Name: > /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon > ==== Issuer Serial: 4CAB2D3B > == SignedInfo References List: > === list size: 1 > = REFERENCE VERIFICATION CONTEXT > == Status: succeeded > == URI: > "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404" > == Reference Transform Ctx: > == TRANSFORMS CTX (status=2) > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled transforms: all > === uri: > === uri xpointer expr: > #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404 > === Transform: xpointer > (href=http://www.w3.org/2001/04/xmldsig-more/xptr) > === Transform: enveloped-signature > (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) > === Transform: exc-c14n > (href=http://www.w3.org/2001/10/xml-exc-c14n#) > === Transform: membuf-transform (href=NULL) > === Transform: sha1 > (href=http://www.w3.org/2000/09/xmldsig#sha1) > === Transform: membuf-transform (href=NULL) > == Digest Method: > === Transform: sha1 > (href=http://www.w3.org/2000/09/xmldsig#sha1) > == PreDigest data - start buffer: > xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" > xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" > 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1" > MinorVersion="1" Recipient="http://amgr.emdeon.com" > > ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"> Value="samlp:Success"> xmlns="urn:oasis:names:tc:SAML:1.0:assertion" > AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761" > IssueInstant="2010-10-06T16:15:38.906Z" > Issuer="http://access.emdeon.com" MajorVersion="1" > MinorVersion="1"> NotBefore="2010-10-06T21:15:38.905Z" > > NotOnOrAfter="2010-10-06T21:25:38.905Z"> AuthenticationInstant="2010-10-06T16:15:38.906Z" > > AuthenticationMethod="urn:oasis:names:tc:1.0:am:password">kpentiurn:oasis:names:tc:1.0:cm:bearer > == PreDigest data - end buffer > == Manifest References List: > === list size: 0 > > > On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin > > > > > >>> wrote: > > What is the output of the xmlsec1 command? > > Aleksey > > > On 10/12/10 11:36 PM, Erik Smith wrote: > > After I call xmlSecDSigCtxVerify, the status in the > contex is > corrupted > with a large number. However xmlsec1 reports > validation as OK. > > xmlsec1 --verify --pubkey-cert-pem cert.crt > --store-references > --id-attr:ResponseID > urn:oasis:names:tc:SAML:1.0:protocol:Response > /saml.xml > > Also xmlSecDSigCtxDebugDump output is exactly > the same for > xmlsec1 and > my program. > > I've reduced the code down to what is below and I'm > having trouble > seeing what could be wrong. > > libxml version: 2.6.27 > xmlsec version: 1.2.11 > > Thanks for any help. 
> > > > #include > #include > #include > #include > #include > > #ifndef XMLSEC_NO_XSLT > #include > #endif > > void error(const char *); > > int main(int argc, char **argv) { > using namespace std; > int status(0); > > xmlSecKeysMngrPtr mngr_; > xmlSecDSigCtxPtr dsigCtx; > xmlDocPtr doc_; > > cout << "libxml version: " << > LIBXML_DOTTED_VERSION > << endl; > cout << "xmlsec version: " << > XMLSEC_VERSION << endl; > > xmlInitParser(); > LIBXML_TEST_VERSION; > xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | > XML_COMPLETE_ATTRS; > xmlSubstituteEntitiesDefault(1); > > #ifndef XMLSEC_NO_XSLT > xmlIndentTreeOutput = 1; > #endif > // Init xmlsec library > if (xmlSecInit() < 0) error("xmlSecInit"); > if (xmlSecCheckVersion() != 1) > error("xmlSecCheckVersion"); > > #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING > if(xmlSecCryptoDLLoadLibrary(BAD_CAST > "openssl") < 0) > error("xmlSecCryptoDLLoadLibrary"); > #endif > > if(xmlSecCryptoAppInit(NULL) < 0) > error("Error: crypto > initialization failed."); > if(xmlSecCryptoInit() < 0) error("Error: > xmlsec-crypto > initialization failed."); > > mngr_ = xmlSecKeysMngrCreate(); > if (!mngr_) error("bad"); > > if > (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) > error("bad"); > > xmlSecKeyDataFormat > format(xmlSecKeyDataFormatCertPem); > xmlSecKeyPtr key = > xmlSecCryptoAppKeyLoad("cert.crt", > format, NULL, > NULL, NULL); > if (!key) error("key load error"); > > > if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, > key) < 0) > error("could not add key"); > > doc_ = xmlParseFile("saml.xml"); > if (!doc_ || !xmlDocGetRootElement(doc_)) > error("bad"); > > set_id(doc_); > > xmlNodePtr node = > xmlSecFindNode(xmlDocGetRootElement(doc_), > xmlSecNodeSignature, xmlSecDSigNs); > if (!node) error("start node not found"); > > dsigCtx = xmlSecDSigCtxCreate(mngr_); > if (!dsigCtx) error("failed to create signature > context"); > > std::cout << "status before: " << > dsigCtx->status > << std::endl; > if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) > 
error("signature verify > error"); > std::cout << "status: " << dsigCtx->status << > std::endl; > //xmlSecDSigCtxDebugDump(dsigCtx, stdout); > > return status; > } > > void set_id(xmlDocPtr doc) { > using namespace std; > > xmlNodePtr node = xmlSecFindNode( > xmlDocGetRootElement(doc), > BAD_CAST "Response", > BAD_CAST > "urn:oasis:names:tc:SAML:1.0:protocol"); > > cout << "element name: " << node->name<< endl; > xmlAttrPtr attr = xmlHasProp(node, BAD_CAST > "ResponseID"); > if (!attr) error("attribute not found"); > cout << "attribute name: " << attr->name<< > endl; > > xmlChar *value = > xmlNodeListGetString(node->doc, > attr->children, 1); > if (!value) error("xmlNodeListGetString"); > cout << "value: " << value << endl; > > xmlAttrPtr tmp(xmlGetID(node->doc, value)); > if (tmp) { > cout << "id already registered" << endl; > } else { > xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST > value, attr); > if (!id) { > xmlFree(value); // fix > error("xmlAddID error"); > } > cout << "id added" << endl; > } > > //xmlFree(value); // fix > } > > void error(const char *e) { > std::cout << e << std::endl; > std::cout << "exiting" << std::endl; > exit(0); > } > > > > > > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > > > > >> > > > http://www.aleksey.com/mailman/listinfo/xmlsec > > > > From cruisercoder at gmail.com Wed Oct 13 12:11:50 2010 From: cruisercoder at gmail.com (Erik Smith) Date: Wed, 13 Oct 2010 12:11:50 -0700 Subject: [xmlsec] corrupt context after verify call In-Reply-To: <4CB60407.8@aleksey.com> References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com> <4CB602CA.10105@aleksey.com> <4CB60407.8@aleksey.com> Message-ID: The same code run on the earlier library versions did not have this issue (see code below). Do I need to specify a directory if I'm just loading a cert in a manger? erik On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin wrote: > No changes, it is a part of xmlsec-openssl init process. 
> [...]

From aleksey at aleksey.com Wed Oct 13 13:47:51 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 13 Oct 2010 13:47:51 -0700
Subject: [xmlsec] corrupt context after verify call
In-Reply-To:
References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com> <4CB602CA.10105@aleksey.com> <4CB60407.8@aleksey.com>
Message-ID: <4CB61AF7.3010909@aleksey.com>

It might be hard coded from OpenSSL during compilation

On 10/13/10 12:11 PM, Erik Smith wrote:
> The same code run on the earlier library versions did not have this
> issue (see code below). Do I need to specify a directory if I'm just
> loading a cert in a manager?
>
> erik
>
> On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin wrote:
>
>     No changes, it is a part of xmlsec-openssl init process.
>
> [...]

From cruisercoder at gmail.com Wed Oct 13 14:31:02 2010
From: cruisercoder at gmail.com (Erik Smith)
Date: Wed, 13 Oct 2010 14:31:02 -0700
Subject: [xmlsec] corrupt context after verify call
In-Reply-To: <4CB61AF7.3010909@aleksey.com>
References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com> <4CB602CA.10105@aleksey.com> <4CB60407.8@aleksey.com> <4CB61AF7.3010909@aleksey.com>
Message-ID:

It looks like the OpenSSL dir issue was a bad library interaction. So
I made sure all relevant libs were up-to-date and dynamically loaded.
libxml version: 2.7.7
xmlsec version: 1.2.16
libxslt version: 1.1.26

When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not
found", which I think has to do with it looking for a cert as a key in
the document. I had tried this to address the OpenSSL dir issue, which
appears to have been resolved as stated above.

Going back to xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey
as it is seen originally in the code below gets me back to the same error
with the corrupted status:

status before xmlSecDSigCtxVerify: 0
status after xmlSecDSigCtxVerify: 5361840

compilation is simple:

export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH

g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare -Wno-unused -m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I. -I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1

g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1 -lxmlsec1-openssl -m64

erik

On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin wrote:
> It might be hard coded from OpenSSL during compilation
>
> On 10/13/10 12:11 PM, Erik Smith wrote:
>> The same code run on the earlier library versions did not have this
>> issue (see code below). Do I need to specify a directory if I'm just
>> loading a cert in a manager?
>>
>> erik
>>
>> [...]
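The status value Erik reports above (0 before the verify call, 5361840 after, while xmlsec1 itself reports the signature as valid) is consistent with the build mismatch Aleksey points at: the application reads the context through a struct layout that differs from the one the library was compiled with. The illustration below is added here and is not code from the thread or from xmlsec; it uses hypothetical lib_ctx_t/app_ctx_t layouts and a constructed pointer value to show how such a field reads back as garbage, and the kind of exact-match ABI check that refuses to run before any verify call is made.

```c
/* Added illustration (not from the thread or from xmlsec): a context field
 * read through a struct layout that differs from the library's own layout
 * comes back as garbage, and an exact-match ABI check catches the mismatch
 * at startup.  All types, names and values below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- "library side": the layout the shared library was compiled with ---- */
typedef struct {
    unsigned int flags;
    unsigned int flags2;
    void        *keysMngr;   /* member present only in the library's build */
    int          status;     /* 0 = unknown, 1 = succeeded, 2 = invalid */
} lib_ctx_t;

#define LIB_ABI_VERSION 2u
#define LIB_CTX_SIZE    sizeof(lib_ctx_t)

lib_ctx_t *lib_ctx_create(void) {
    return calloc(1, sizeof(lib_ctx_t));   /* everything zeroed, keysMngr NULL */
}

/* Stands in for the verify call: the library attaches a key manager and
 * records status = succeeded.  The pointer value is a constructed stand-in
 * for whatever heap address the real library would store there. */
int lib_ctx_verify(lib_ctx_t *ctx) {
    ctx->keysMngr = (void *)(uintptr_t)0x00c0ffeeu;
    ctx->status   = 1;
    return 0;
}

int lib_read_status(const lib_ctx_t *ctx) { return ctx->status; }

/* ---- "application side": layout from a mismatched header ---------------- */
typedef struct {
    unsigned int flags;
    unsigned int flags2;
    int          status;     /* offset 8: where the library keeps keysMngr */
} app_ctx_t;

#define APP_ABI_VERSION 1u
#define APP_CTX_SIZE    sizeof(app_ctx_t)

/* What the application sees when it dereferences ctx->status through its
 * own header: the bytes at the app's offset for status, which in the
 * library's layout belong to keysMngr.  memcpy avoids aliasing UB here. */
int app_read_status(const void *ctx) {
    int s;
    memcpy(&s, (const char *)ctx + offsetof(app_ctx_t, status), sizeof s);
    return s;
}

/* Startup check in the spirit of an exact header/library version match:
 * run only if the ABI version and the context size agree.  Returns 1 on
 * match, 0 on mismatch. */
int abi_check(unsigned app_version, size_t app_ctx_size,
              unsigned lib_version, size_t lib_ctx_size) {
    return app_version == lib_version && app_ctx_size == lib_ctx_size;
}

int main(void) {
    if (!abi_check(APP_ABI_VERSION, APP_CTX_SIZE, LIB_ABI_VERSION, LIB_CTX_SIZE)) {
        fprintf(stderr, "ABI mismatch: app ctx %zu bytes v%u, lib ctx %zu bytes v%u\n",
                APP_CTX_SIZE, APP_ABI_VERSION, LIB_CTX_SIZE, LIB_ABI_VERSION);
        /* a real program stops here; we go on only to show the symptom */
    }
    lib_ctx_t *ctx = lib_ctx_create();
    if (ctx == NULL) return 1;
    printf("status before: %d\n", app_read_status(ctx));           /* 0 */
    lib_ctx_verify(ctx);
    printf("status after (library view): %d\n", lib_read_status(ctx)); /* 1 */
    printf("status after (app header view): %d\n", app_read_status(ctx)); /* garbage */
    free(ctx);
    return 0;
}
```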
From aleksey at aleksey.com Wed Oct 13 18:38:10 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 13 Oct 2010 18:38:10 -0700
Subject: [xmlsec] corrupt context after verify call
In-Reply-To:
References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com> <4CB602CA.10105@aleksey.com> <4CB60407.8@aleksey.com> <4CB61AF7.3010909@aleksey.com>
Message-ID: <4CB65F02.9040603@aleksey.com>

Well, I have no idea how xmlsec was compiled.

Aleksey

On 10/13/10 2:31 PM, Erik Smith wrote:
> It looks like the OpenSSL dir issue was a bad library interaction. So
> I made sure all relevant libs were up-to-date and dynamically loaded.
>
> libxml version: 2.7.7
> xmlsec version: 1.2.16
> libxslt version: 1.1.26
>
> When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not
> found", which I think has to do with it looking for a cert as a key in
> the document. I had tried this to address the OpenSSL dir issue, which
> appears to have been resolved as stated above.
>
> Going back to
> xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey as it is
> seen originally in the code below gets me back to the same error with
> the corrupted status:
>
> status before xmlSecDSigCtxVerify: 0
> status after xmlSecDSigCtxVerify: 5361840
>
> compilation is simple:
>
> export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH
>
> g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare
> -Wno-unused -m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I.
> -I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1
>
> g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1
> -lxmlsec1-openssl -m64
>
> erik
>
> On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin wrote:
>
>     It might be hard coded from OpenSSL during compilation
>
> [...]
/C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon > ==== Issuer Serial: 4CAB2D3B > == SignedInfo References List: > === list size: 1 > = REFERENCE VERIFICATION CONTEXT > == Status: succeeded > == URI: > "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404" > == Reference Transform Ctx: > == TRANSFORMS CTX (status=2) > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled transforms: all > === uri: > === uri xpointer expr: > > #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404 > === Transform: xpointer > > (href=http://www.w3.org/2001/04/xmldsig-more/xptr) > === Transform: enveloped-signature > > > (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) > === Transform: exc-c14n > > (href=http://www.w3.org/2001/10/xml-exc-c14n#) > === Transform: membuf-transform (href=NULL) > === Transform: sha1 > (href=http://www.w3.org/2000/09/xmldsig#sha1) > === Transform: membuf-transform (href=NULL) > == Digest Method: > === Transform: sha1 > (href=http://www.w3.org/2000/09/xmldsig#sha1) > == PreDigest data - start buffer: > > xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" > > xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" > xmlns:xsd="http://www.w3.org/2001/XMLSchema" > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > IssueInstant="2010-10-06T21:15:38.906Z" > MajorVersion="1" > MinorVersion="1" > Recipient="http://amgr.emdeon.com" > > > > ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"> > Value="samlp:Success"> > xmlns="urn:oasis:names:tc:SAML:1.0:assertion" > > AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761" > IssueInstant="2010-10-06T16:15:38.906Z" > Issuer="http://access.emdeon.com" > MajorVersion="1" > MinorVersion="1"> NotBefore="2010-10-06T21:15:38.905Z" > > > > NotOnOrAfter="2010-10-06T21:25:38.905Z"> > AuthenticationInstant="2010-10-06T16:15:38.906Z" > > > > AuthenticationMethod="urn:oasis:names:tc:1.0:am:password">kpentiurn:oasis:names:tc:1.0:cm:bearer > == PreDigest data - end buffer > == Manifest References 
List: > === list size: 0 > > > On Wed, Oct 13, 2010 at 7:28 AM, Aleksey > Sanin > > > > > >> > > > > > >>> > > > > > >> > > > > > >>>>> wrote: > > What is the output of the xmlsec1 > command? > > Aleksey > > > On 10/12/10 11:36 PM, Erik Smith wrote: > > After I call > xmlSecDSigCtxVerify, the > status in the > contex is > corrupted > with a large number. However > xmlsec1 > reports > validation as OK. > > xmlsec1 --verify > --pubkey-cert-pem cert.crt > --store-references > --id-attr:ResponseID > > urn:oasis:names:tc:SAML:1.0:protocol:Response > /saml.xml > > Also xmlSecDSigCtxDebugDump > output is > exactly > the same for > xmlsec1 and > my program. > > I've reduced the code down to > what is > below and I'm > having trouble > seeing what could be wrong. > > libxml version: 2.6.27 > xmlsec version: 1.2.11 > > Thanks for any help. > > > > #include > #include > #include > #include > #include > > #ifndef XMLSEC_NO_XSLT > #include > #endif > > void error(const char *); > > int main(int argc, char **argv) { > using namespace std; > int status(0); > > xmlSecKeysMngrPtr mngr_; > xmlSecDSigCtxPtr dsigCtx; > xmlDocPtr doc_; > > cout << "libxml version: " << > LIBXML_DOTTED_VERSION > << endl; > cout << "xmlsec version: " << > XMLSEC_VERSION << endl; > > xmlInitParser(); > LIBXML_TEST_VERSION; > xmlLoadExtDtdDefaultValue = > XML_DETECT_IDS | > XML_COMPLETE_ATTRS; > > xmlSubstituteEntitiesDefault(1); > > #ifndef XMLSEC_NO_XSLT > xmlIndentTreeOutput = 1; > #endif > // Init xmlsec library > if (xmlSecInit() < 0) > error("xmlSecInit"); > if (xmlSecCheckVersion() != 1) > error("xmlSecCheckVersion"); > > #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING > > if(xmlSecCryptoDLLoadLibrary(BAD_CAST > "openssl") < 0) > error("xmlSecCryptoDLLoadLibrary"); > #endif > > > if(xmlSecCryptoAppInit(NULL) < 0) > error("Error: crypto > initialization failed."); > if(xmlSecCryptoInit() < 0) > error("Error: > xmlsec-crypto > initialization failed."); > > mngr_ = xmlSecKeysMngrCreate(); > if (!mngr_) 
error("bad"); > > if > (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) > error("bad"); > > xmlSecKeyDataFormat > format(xmlSecKeyDataFormatCertPem); > xmlSecKeyPtr key = > xmlSecCryptoAppKeyLoad("cert.crt", > format, NULL, > NULL, NULL); > if (!key) error("key load > error"); > > > if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, > key) < 0) > error("could not add key"); > > doc_ = > xmlParseFile("saml.xml"); > if (!doc_ || > !xmlDocGetRootElement(doc_)) > error("bad"); > > set_id(doc_); > > xmlNodePtr node = > xmlSecFindNode(xmlDocGetRootElement(doc_), > xmlSecNodeSignature, xmlSecDSigNs); > if (!node) error("start > node not > found"); > > dsigCtx = > xmlSecDSigCtxCreate(mngr_); > if (!dsigCtx) error("failed to > create signature > context"); > > std::cout << "status > before: " << > dsigCtx->status > << std::endl; > if > (xmlSecDSigCtxVerify(dsigCtx, > node) < 0) > error("signature verify > error"); > std::cout << "status: " << > dsigCtx->status << > std::endl; > > //xmlSecDSigCtxDebugDump(dsigCtx, > stdout); > > return status; > } > > void set_id(xmlDocPtr doc) { > using namespace std; > > xmlNodePtr node = > xmlSecFindNode( > > xmlDocGetRootElement(doc), > BAD_CAST "Response", > BAD_CAST > "urn:oasis:names:tc:SAML:1.0:protocol"); > > cout << "element name: " << > node->name<< endl; > xmlAttrPtr attr = > xmlHasProp(node, > BAD_CAST > "ResponseID"); > if (!attr) error("attribute not > found"); > cout << "attribute name: " << > attr->name<< > endl; > > xmlChar *value = > xmlNodeListGetString(node->doc, > attr->children, 1); > if (!value) > error("xmlNodeListGetString"); > cout << "value: " << value > << endl; > > xmlAttrPtr > tmp(xmlGetID(node->doc, > value)); > if (tmp) { > cout << "id already > registered" > << endl; > } else { > xmlIDPtr id = > xmlAddID(NULL, > doc, BAD_CAST > value, attr); > if (!id) { > xmlFree(value); // fix > error("xmlAddID > error"); > } > cout << "id added" << endl; > } > > //xmlFree(value); // fix > } > > void error(const char *e) { > 
std::cout << e << std::endl; > std::cout << "exiting" << > std::endl; > exit(0); > } > > > > > > > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > > > > >> > > > > > >>> > > > > > >> > > > > > >>>> > > > http://www.aleksey.com/mailman/listinfo/xmlsec > > > > > > From cruisercoder at gmail.com Wed Oct 13 19:04:19 2010 From: cruisercoder at gmail.com (Erik Smith) Date: Wed, 13 Oct 2010 19:04:19 -0700 Subject: [xmlsec] corrupt context after verify call In-Reply-To: <4CB65F02.9040603@aleksey.com> References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com> <4CB602CA.10105@aleksey.com> <4CB60407.8@aleksey.com> <4CB61AF7.3010909@aleksey.com> <4CB65F02.9040603@aleksey.com> Message-ID: gcc -m64 -DHAVE_CONFIG_H -I. -I.. -DXMLSEC_CRYPTO=\"openssl\" -DPACKAGE=\"xmlsec1\" -I../include -I../include -D__XMLSEC_FUNCTION__=__FUNCTION__ -DXMLSEC_NO_SIZE_T -DXMLSEC_NO_GOST=1 -DXMLSEC_NO_XKMS=1 -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 -I/usr/include/libxml2 -I/usr/include/libxml2 -g -O2 -MT xmlsec.o -MD -MP -MF .deps/xmlsec.Tpo -c -o xmlsec.o xmlsec.c On Wed, Oct 13, 2010 at 6:38 PM, Aleksey Sanin wrote: > Well, I have no idea how xmlsec was compiled. > > Aleksey > > > On 10/13/10 2:31 PM, Erik Smith wrote: > >> It looks like the open SSL Dir issue was a bad library interaction. So >> I made sure all relavant libs were up-to-date and dynamically loaded. >> >> libxml version: 2.7.7 >> xmlsec version: 1.2.16 >> libxslt version: 1.1.26 >> >> When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not >> found", which I think has to do with it looking for a cert as a key in >> the document. I had tried this to address the open SSL Dir issue which >> appears to have been resolve as stated above. 
-------------- next part -------------- An HTML attachment was scrubbed...
URL: From cruisercoder at gmail.com Wed Oct 13 19:16:43 2010 From: cruisercoder at gmail.com (Erik Smith) Date: Wed, 13 Oct 2010 19:16:43 -0700 Subject: [xmlsec] corrupt context after verify call In-Reply-To: References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com> <4CB602CA.10105@aleksey.com> <4CB60407.8@aleksey.com> <4CB61AF7.3010909@aleksey.com> <4CB65F02.9040603@aleksey.com> Message-ID:

The problem went away when I added -DXMLSEC_NO_SIZE_T to my build. I
must have missed some important details in the documentation about this...

erik

On Wed, Oct 13, 2010 at 7:04 PM, Erik Smith wrote:
> gcc -m64 -DHAVE_CONFIG_H -I. -I.. -DXMLSEC_CRYPTO=\"openssl\"
> -DPACKAGE=\"xmlsec1\" -I../include -I../include
> -D__XMLSEC_FUNCTION__=__FUNCTION__ -DXMLSEC_NO_SIZE_T -DXMLSEC_NO_GOST=1
> -DXMLSEC_NO_XKMS=1 -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1
> -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 -I/usr/include/libxml2
> -I/usr/include/libxml2 -g -O2 -MT xmlsec.o -MD -MP -MF
> .deps/xmlsec.Tpo -c -o xmlsec.o xmlsec.c
>
> On Wed, Oct 13, 2010 at 6:38 PM, Aleksey Sanin wrote:
>
>> Well, I have no idea how xmlsec was compiled.
>>
>> Aleksey
>>
>> On 10/13/10 2:31 PM, Erik Smith wrote:
>>
>>> It looks like the OpenSSL dir issue was a bad library interaction. So
>>> I made sure all relevant libs were up-to-date and dynamically loaded.
>>>
>>> libxml version: 2.7.7
>>> xmlsec version: 1.2.16
>>> libxslt version: 1.1.26
>>>
>>> When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not
>>> found", which I think has to do with it looking for a cert as a key in
>>> the document. I had tried this to address the OpenSSL dir issue which
>>> appears to have been resolved as stated above.
>>> >>> Going back to >>> xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey as it is >>> seen originally in the code below gets me back to the same error with >>> the corrupted status: >>> >>> status before xmlSecDSigCtxVerify: 0 >>> status after xmlSecDSigCtxVerify: 5361840 >>> >>> compilation is simple: >>> >>> export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH >>> >>> g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare >>> -Wno-unused -m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I. >>> -I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1 >>> >>> g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1 >>> -lxmlsec1-openssl -m64 >>> >>> erik >>> >>> >>> >>> On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin >> > wrote: >>> >>> It might be hard coded from OpenSSL during compilation >>> >>> >>> On 10/13/10 12:11 PM, Erik Smith wrote: >>> >>> The same code run on the earlier library versions did not have >>> this >>> issue (see code below). Do I need to specify a directory if >>> I'm just >>> loading a cert in a manger? >>> >>> erik >>> >>> On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin >>> >>> >> wrote: >>> >>> No changes, it is a part of xmlsec-openssl init process. >>> >>> >>> On 10/13/10 12:07 PM, Erik Smith wrote: >>> >>> I'm not specifying any directories in the code, only two >>> files >>> in the >>> CWD. Did something change in recent version that >>> requires a cert >>> directory for openssl? >>> >>> erik >>> >>> On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin >>> >>> > >>> >>> >>> >>> wrote: >>> >>> The dir might not exists? >>> >>> Aleksey >>> >>> >>> On 10/13/10 10:56 AM, Erik Smith wrote: >>> >>> I rebuilt libxml, xmlsec, and libxslt to the >>> latest and >>> I get an >>> x509 >>> error for some reason. Any ideas on this? 
>>> >>> libxml version: 2.7.7 >>> xmlsec version: 1.2.16 >>> libxslt version: 1.1.26 >>> >>> >>> >>> func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto >>> library function failed: >>> >>> >>> >>> func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec >>> library function failed: >>> >>> >>> >>> func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec >>> library function failed:xmlSecOpenSSLX509StoreId >>> >>> >>> >>> func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec >>> library function failed: >>> >>> >>> >>> 2010/10/13 Aleksey Sanin >> >>> > >>> >>> >> >>> >>> > >>> >>> >>> >>>> >>> >>> >>> Sounds like you are compiling your >>> application with >>> different flags >>> compared to xmlsec. Something like structure >>> members >>> alignment >>> or debug vs. release. 
>>> >>> Aleksey >>> >>> >>> On 10/13/10 7:32 AM, Erik Smith wrote: >>> >>> xmlsec output: >>> >>> OK >>> SignedInfo References (ok/all): 1/1 >>> Manifests References (ok/all): 0/0 >>> = VERIFICATION CONTEXT >>> == Status: succeeded >>> == flags: 0x00000006 >>> == flags2: 0x00000000 >>> == Key Info Read Ctx: >>> = KEY INFO READ CONTEXT >>> == flags: 0x00000000 >>> == flags2: 0x00000000 >>> == enabled key data: all >>> == RetrievalMethod level (cur/max): 0/1 >>> == TRANSFORMS CTX (status=0) >>> == flags: 0x00000000 >>> == flags2: 0x00000000 >>> == enabled transforms: all >>> === uri: NULL >>> === uri xpointer expr: NULL >>> == EncryptedKey level (cur/max): 0/1 >>> === KeyReq: >>> ==== keyId: rsa >>> ==== keyType: 0x00000001 >>> ==== keyUsage: 0x00000002 >>> ==== keyBitsSize: 0 >>> === list size: 0 >>> == Key Info Write Ctx: >>> = KEY INFO WRITE CONTEXT >>> == flags: 0x00000000 >>> == flags2: 0x00000000 >>> == enabled key data: all >>> == RetrievalMethod level (cur/max): 0/1 >>> == TRANSFORMS CTX (status=0) >>> == flags: 0x00000000 >>> == flags2: 0x00000000 >>> == enabled transforms: all >>> === uri: NULL >>> === uri xpointer expr: NULL >>> == EncryptedKey level (cur/max): 0/1 >>> === KeyReq: >>> ==== keyId: NULL >>> ==== keyType: 0x00000001 >>> ==== keyUsage: 0xffffffff >>> ==== keyBitsSize: 0 >>> === list size: 0 >>> == Signature Transform Ctx: >>> == TRANSFORMS CTX (status=2) >>> == flags: 0x00000000 >>> == flags2: 0x00000000 >>> == enabled transforms: all >>> === uri: NULL >>> === uri xpointer expr: NULL >>> === Transform: exc-c14n >>> >>> (href=http://www.w3.org/2001/10/xml-exc-c14n#) >>> === Transform: rsa-sha1 >>> >>> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >>> === Transform: membuf-transform >>> (href=NULL) >>> == Signature Method: >>> === Transform: rsa-sha1 >>> >>> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >>> == Signature Key: >>> == KEY >>> === method: RSAKeyValue >>> === key type: Public >>> === key usage: -1 >>> === rsa key: size = 1024 
>>> === list size: 1 >>> === X509 Data: >>> ==== Certificate: >>> ==== Subject Name: >>> >>> /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon >>> ==== Issuer Name: >>> >>> /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon >>> ==== Issuer Serial: 4CAB2D3B >>> == SignedInfo References List: >>> === list size: 1 >>> = REFERENCE VERIFICATION CONTEXT >>> == Status: succeeded >>> == URI: >>> "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404" >>> == Reference Transform Ctx: >>> == TRANSFORMS CTX (status=2) >>> == flags: 0x00000000 >>> == flags2: 0x00000000 >>> == enabled transforms: all >>> === uri: >>> === uri xpointer expr: >>> >>> #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404 >>> === Transform: xpointer >>> >>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr) >>> === Transform: enveloped-signature >>> >>> >>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) >>> === Transform: exc-c14n >>> >>> (href=http://www.w3.org/2001/10/xml-exc-c14n#) >>> === Transform: membuf-transform >>> (href=NULL) >>> === Transform: sha1 >>> (href=http://www.w3.org/2000/09/xmldsig#sha1) >>> === Transform: membuf-transform >>> (href=NULL) >>> == Digest Method: >>> === Transform: sha1 >>> (href=http://www.w3.org/2000/09/xmldsig#sha1) >>> == PreDigest data - start buffer: >>> >> >>> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" >>> >>> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" >>> xmlns:xsd=" >>> http://www.w3.org/2001/XMLSchema" >>> >>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >>> IssueInstant="2010-10-06T21:15:38.906Z" >>> MajorVersion="1" >>> MinorVersion="1" >>> Recipient="http://amgr.emdeon.com" >>> >>> >>> >>> >>> ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404">>> >>> Value="samlp:Success">>> >>> xmlns="urn:oasis:names:tc:SAML:1.0:assertion" >>> >>> >>> AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761" >>> IssueInstant="2010-10-06T16:15:38.906Z" >>> Issuer="http://access.emdeon.com" >>> MajorVersion="1" >>> 
MinorVersion="1">>> NotBefore="2010-10-06T21:15:38.905Z" >>> >>> >>> >>> >>> NotOnOrAfter="2010-10-06T21:25:38.905Z">>> >>> AuthenticationInstant="2010-10-06T16:15:38.906Z" >>> >>> >>> >>> >>> AuthenticationMethod="urn:oasis:names:tc:1.0:am:password">kpentiurn:oasis:names:tc:1.0:cm:bearer >>> == PreDigest data - end buffer >>> == Manifest References List: >>> === list size: 0 >>> >>> >>> On Wed, Oct 13, 2010 at 7:28 AM, Aleksey >>> Sanin >>> >>> > >>> >>> >> >>> >>> > >>> >>> >>> >>> >>> > >>> >>> >> >>> >>> > >>> >>> >>>>> >>> wrote: >>> >>> What is the output of the xmlsec1 >>> command? >>> >>> Aleksey >>> >>> >>> On 10/12/10 11:36 PM, Erik Smith >>> wrote: >>> >>> After I call >>> xmlSecDSigCtxVerify, the >>> status in the >>> contex is >>> corrupted >>> with a large number. However >>> xmlsec1 >>> reports >>> validation as OK. >>> >>> xmlsec1 --verify >>> --pubkey-cert-pem cert.crt >>> --store-references >>> --id-attr:ResponseID >>> >>> urn:oasis:names:tc:SAML:1.0:protocol:Response >>> /saml.xml >>> >>> Also xmlSecDSigCtxDebugDump >>> output is >>> exactly >>> the same for >>> xmlsec1 and >>> my program. >>> >>> I've reduced the code down to >>> what is >>> below and I'm >>> having trouble >>> seeing what could be wrong. >>> >>> libxml version: 2.6.27 >>> xmlsec version: 1.2.11 >>> >>> Thanks for any help. 
>>>
>>>         // Build with the flags xmlsec itself was built with (xmlsec1-config
>>>         // --cflags / pkg-config xmlsec1): a mismatched -DXMLSEC_NO_SIZE_T
>>>         // changes the layout of xmlSecDSigCtx, so dsigCtx->status reads garbage.
>>>         #include <iostream>
>>>         #include <cstdlib>
>>>         #include <libxml/tree.h>
>>>         #include <libxml/parser.h>
>>>         #include <libxml/valid.h>
>>>         #include <xmlsec/xmlsec.h>
>>>         #include <xmlsec/xmltree.h>
>>>         #include <xmlsec/xmldsig.h>
>>>         #include <xmlsec/crypto.h>
>>>
>>>         #ifndef XMLSEC_NO_XSLT
>>>         #include <libxslt/xslt.h>
>>>         #endif
>>>
>>>         void error(const char *);
>>>         void set_id(xmlDocPtr doc);   // declared before its use in main()
>>>
>>>         int main(int argc, char **argv) {
>>>             using namespace std;
>>>             int status(0);
>>>
>>>             xmlSecKeysMngrPtr mngr_;
>>>             xmlSecDSigCtxPtr dsigCtx;
>>>             xmlDocPtr doc_;
>>>
>>>             cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
>>>             cout << "xmlsec version: " << XMLSEC_VERSION << endl;
>>>
>>>             xmlInitParser();
>>>             LIBXML_TEST_VERSION
>>>             xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>>             xmlSubstituteEntitiesDefault(1);
>>>
>>>         #ifndef XMLSEC_NO_XSLT
>>>             xmlIndentTreeOutput = 1;
>>>         #endif
>>>             // Init xmlsec library
>>>             if (xmlSecInit() < 0) error("xmlSecInit");
>>>             if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
>>>
>>>         #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>>             if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
>>>                 error("xmlSecCryptoDLLoadLibrary");
>>>         #endif
>>>
>>>             if (xmlSecCryptoAppInit(NULL) < 0)
>>>                 error("Error: crypto initialization failed.");
>>>             if (xmlSecCryptoInit() < 0)
>>>                 error("Error: xmlsec-crypto initialization failed.");
>>>
>>>             mngr_ = xmlSecKeysMngrCreate();
>>>             if (!mngr_) error("bad");
>>>             if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad");
>>>
>>>             // verification certificate, same as xmlsec1 --pubkey-cert-pem
>>>             xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
>>>             xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format,
>>>                                                       NULL, NULL, NULL);
>>>             if (!key) error("key load error");
>>>             if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0)
>>>                 error("could not add key");
>>>
>>>             doc_ = xmlParseFile("saml.xml");
>>>             if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");
>>>
>>>             // register ResponseID as an ID attribute, same as --id-attr
>>>             set_id(doc_);
>>>
>>>             xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_),
>>>                                              xmlSecNodeSignature, xmlSecDSigNs);
>>>             if (!node) error("start node not found");
>>>
>>>             dsigCtx = xmlSecDSigCtxCreate(mngr_);
>>>             if (!dsigCtx) error("failed to create signature context");
>>>
>>>             std::cout << "status before: " << dsigCtx->status << std::endl;
>>>             if (xmlSecDSigCtxVerify(dsigCtx, node) < 0)
>>>                 error("signature verify error");
>>>             std::cout << "status: " << dsigCtx->status << std::endl;
>>>
>>>             //xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>>>
>>>             xmlSecDSigCtxDestroy(dsigCtx);
>>>             xmlFreeDoc(doc_);
>>>             xmlSecKeysMngrDestroy(mngr_);
>>>             return status;
>>>         }
>>>
>>>         void set_id(xmlDocPtr doc) {
>>>             using namespace std;
>>>
>>>             xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc),
>>>                                              BAD_CAST "Response",
>>>                                              BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
>>>             if (!node) error("Response element not found");
>>>             cout << "element name: " << node->name << endl;
>>>
>>>             xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
>>>             if (!attr) error("attribute not found");
>>>             cout << "attribute name: " << attr->name << endl;
>>>
>>>             xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
>>>             if (!value) error("xmlNodeListGetString");
>>>             cout << "value: " << value << endl;
>>>
>>>             xmlAttrPtr tmp(xmlGetID(node->doc, value));
>>>             if (tmp) {
>>>                 cout << "id already registered" << endl;
>>>             } else {
>>>                 xmlIDPtr id = xmlAddID(NULL, doc, value, attr);
>>>                 if (!id) {
>>>                     xmlFree(value); // fix
>>>                     error("xmlAddID error");
>>>                 }
>>>                 cout << "id added" << endl;
>>>             }
>>>
>>>             xmlFree(value); // fix: xmlAddID keeps its own copy of the value
>>>         }
>>>
>>>         void error(const char *e) {
>>>             std::cout << e << std::endl;
>>>             std::cout << "exiting" << std::endl;
>>>             exit(1);   // non-zero so a caller can tell the run failed
>>>         }
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
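The garbage Erik saw in dsigCtx->status, which Aleksey's reply below puts down to the struct size and alignment differing with and without -DXMLSEC_NO_SIZE_T, can be reproduced without xmlsec at all. The C program below is an added illustration, not code from the thread or from xmlsec: it mocks a cut-down context struct in both layouts (xmlsec defines xmlSecSize as size_t, or as unsigned int when XMLSEC_NO_SIZE_T is set) and reads memory filled through one layout via the other; the field names and the key value are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mock of a context struct, NOT xmlsec's real xmlSecDSigCtx: one xmlSecSize
 * field and one pointer-sized field sit in front of status. xmlsec defines
 * xmlSecSize as size_t, or as unsigned int when XMLSEC_NO_SIZE_T is set. */
typedef struct {
    unsigned int flags;
    size_t       referencesCount;   /* xmlSecSize, build without XMLSEC_NO_SIZE_T */
    uintptr_t    signKey;           /* stands in for a pointer field */
    int          status;
} ctx_default_t;

typedef struct {
    unsigned int flags;
    unsigned int referencesCount;   /* xmlSecSize, build with XMLSEC_NO_SIZE_T */
    uintptr_t    signKey;
    int          status;
} ctx_nosizet_t;

enum { STATUS_SUCCEEDED = 1 };      /* stands in for xmlSecDSigStatusSucceeded */

/* Where each side of the ABI believes status lives. */
size_t status_offset_default(void) { return offsetof(ctx_default_t, status); }
size_t status_offset_nosizet(void) { return offsetof(ctx_nosizet_t, status); }

/* 1 when the two builds disagree (any target where size_t is wider than
 * unsigned int, i.e. the usual 64-bit case), 0 otherwise. */
int layouts_differ(void) {
    return status_offset_default() != status_offset_nosizet();
}

/* "Library" side, built without the flag: fills the context the way a
 * successful xmlSecDSigCtxVerify would. The key value is constructed. */
static void library_verify(ctx_default_t *c) {
    c->flags = 0;
    c->referencesCount = 1;
    c->signKey = (uintptr_t)0x4AFEF00Du;
    c->status = STATUS_SUCCEEDED;
}

/* Application built WITH -DXMLSEC_NO_SIZE_T reading the same memory: on a
 * 64-bit target it picks up half of signKey instead of status. */
int status_seen_by_nosizet_app(void) {
    union { ctx_default_t lib; unsigned char bytes[sizeof(ctx_default_t)]; } storage;
    ctx_nosizet_t view;
    memset(&storage, 0, sizeof storage);
    library_verify(&storage.lib);
    memcpy(&view, storage.bytes, sizeof view);   /* sizeof view <= sizeof storage */
    return view.status;
}

/* Application built with the same flags as the library. */
int status_seen_by_matching_app(void) {
    ctx_default_t ctx;
    library_verify(&ctx);
    return ctx.status;
}

int main(void) {
    printf("status offset: library %zu, app with XMLSEC_NO_SIZE_T %zu\n",
           status_offset_default(), status_offset_nosizet());
    printf("matching app reads status %d\n", status_seen_by_matching_app());
    printf("mismatched app reads status %d\n", status_seen_by_nosizet_app());
    return 0;
}
```

On a 64-bit build the mismatched read lands on the signKey field and yields a large number rather than xmlSecDSigStatusSucceeded; on a 32-bit build both layouts coincide and the bug does not show.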
From aleksey at aleksey.com Wed Oct 13 19:32:51 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 13 Oct 2010 19:32:51 -0700
Subject: [xmlsec] corrupt context after verify call
In-Reply-To: 
References: <4CB5C21B.5000509@aleksey.com> <4CB5DE64.5040908@aleksey.com> <4CB602CA.10105@aleksey.com> <4CB60407.8@aleksey.com> <4CB61AF7.3010909@aleksey.com> <4CB65F02.9040603@aleksey.com>
Message-ID: <4CB66BD3.4060100@aleksey.com>

In general, it is recommended to use pkg-config or xmlsec1-config to get all the xmlsec cflags/libs that have been used during compilation. Take a look at the examples/Makefile for details.

BTW, as expected, the struct size and alignment is different with and without this flag. This is why you got garbage :)

Aleksey

On 10/13/10 7:16 PM, Erik Smith wrote:
> The problem went away when I added -DXMLSEC_NO_SIZE_T to my build. I must have missed some important details in the documentation about this...
>
> erik
>

From fg at 4js.com Wed Oct 27 07:20:26 2010
From: fg at 4js.com (Frank Gross)
Date: Wed, 27 Oct 2010 16:20:26 +0200
Subject: [xmlsec] Indentation and line breaks
Message-ID: <4CC8352A.1070808@4js.com>

Hi,

I'm writing an API to handle XML signatures and XML keys based on the xmlsec library. But all XML documents generated from xmlsec contain line breaks and are not indented at all. Is it possible to disable that feature with an option such as 'xmlSecBase64SetDefaultLineSize(0)' ? I know that spaces are relevant in signature, but it should be possible for instance to create an XML signature without any line breaks, or am I wrong ?
Regards, Frank -- Frank GROSS Software Engineer - Web Services Four J's Development Tools - http://www.4js.com From aleksey at aleksey.com Thu Oct 28 00:57:20 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Thu, 28 Oct 2010 00:57:20 -0700 Subject: [xmlsec] Indentation and line breaks In-Reply-To: <4CC8352A.1070808@4js.com> References: <4CC8352A.1070808@4js.com> Message-ID: <4CC92CE0.7060808@aleksey.com> There is no easy way. You can always manually remove '\n' from the source code though. Aleksey On 10/27/10 7:20 AM, Frank Gross wrote: > Hi, > > I'm writing an API to handle XML signatures and XML keys based on the > xmlsec library. But all XML documents generated from xmlsec contain line > breaks and are not indented at all. Is it possible to disable that > feature with an option such as 'xmlSecBase64SetDefaultLineSize(0)' ? I > know that spaces are relevant in signature, but it should be possible > for instance to create a XML signature without any line breaks, or am I > wrong ? > > Regards, > Frank > From gkholman at CraneSoftwrights.com Mon Nov 15 19:07:35 2010 From: gkholman at CraneSoftwrights.com (G. Ken Holman) Date: Mon, 15 Nov 2010 22:07:35 -0500 Subject: [xmlsec] xmlsec command line fail on Windows with crash Message-ID: <7.0.1.0.2.20101115214810.02227198@CraneSoftwrights.com> Hi! Attached is a renamed ZIP file with an example that when xmlsec is invoked it reports the expected correct examples and then triggers a Windows crash with the infamous "xmlsec.exe has encountered a problem and needs to close." dialogue box. The creation of the detached signature used in this test also triggers a Windows crash. Again, it happens after successfully creating the output. The file extSigned2.xml is an XML document that has an enveloped signature inside. The transformation in the detached signature ignores the subtree that contains the signatures. The file detSigned.xml is the detached signature that I created with a key I obtained from a CA in Spain. 
The file test.bat invokes the application with this (note the return code): T:\xmlsecProblem>xmlsec --verify detSigned.xml OK SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 T:\xmlsecProblem>echo %errorlevel% -1073741819 T:\xmlsecProblem> All of my other uses of xmlsec work without a crash: creating and verifying enveloped signatures and creating and verifying detached signatures without a transform. Please let me know if you have any questions. Thank you for any help you can be determining the reason for the crashing. . . . . . . . . . Ken p.s. if anyone is curious, this is based on volunteer work being done digitally signing OASIS Universal Business Language (UBL) documents. You can find draft committee documents regarding the signature work here in the "profiledocs/" subdirectory: http://www.oasis-open.org/committees/document.php?document_id=40254 ... and how I've packaged the use of xmlsec for UBL documents here: http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig Feedback is welcome. -------------- next part -------------- A non-text attachment was scrubbed... Name: gkholman-xmlsec-20101116-0300z.zzz Type: application/octet-stream Size: 11444 bytes Desc: not available URL: -------------- next part -------------- -- Contact us for world-wide XML consulting & instructor-led training Crane Softwrights Ltd. http://www.CraneSoftwrights.com/m/ G. Ken Holman mailto:gkholman at CraneSoftwrights.com Legal business disclaimers: http://www.CraneSoftwrights.com/legal From aleksey at aleksey.com Mon Nov 15 19:20:31 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Mon, 15 Nov 2010 19:20:31 -0800 Subject: [xmlsec] xmlsec command line fail on Windows with crash In-Reply-To: <7.0.1.0.2.20101115214810.02227198@CraneSoftwrights.com> References: <7.0.1.0.2.20101115214810.02227198@CraneSoftwrights.com> Message-ID: <4CE1F87F.9020809@aleksey.com> Apologies, but I don't have a windows box to test it. Any chance you can get a stack trace? 
Aleksey On 11/15/10 7:07 PM, G. Ken Holman wrote: > Hi! > > Attached is a renamed ZIP file with an example that when xmlsec is > invoked it reports the expected correct examples and then triggers a > Windows crash with the infamous "xmlsec.exe has encountered a problem > and needs to close." dialogue box. > > The creation of the detached signature used in this test also triggers a > Windows crash. Again, it happens after successfully creating the output. > > The file extSigned2.xml is an XML document that has an enveloped > signature inside. The transformation in the detached signature ignores > the subtree that contains the signatures. > > The file detSigned.xml is the detached signature that I created with a > key I obtained from a CA in Spain. > > The file test.bat invokes the application with this (note the return code): > > T:\xmlsecProblem>xmlsec --verify detSigned.xml > OK > SignedInfo References (ok/all): 1/1 > Manifests References (ok/all): 0/0 > > T:\xmlsecProblem>echo %errorlevel% > -1073741819 > > T:\xmlsecProblem> > > > All of my other uses of xmlsec work without a crash: creating and > verifying enveloped signatures and creating and verifying detached > signatures without a transform. > > Please let me know if you have any questions. > > Thank you for any help you can be determining the reason for the crashing. > > . . . . . . . . . Ken > > p.s. if anyone is curious, this is based on volunteer work being done > digitally signing OASIS Universal Business Language (UBL) documents. You > can find draft committee documents regarding the signature work here in > the "profiledocs/" subdirectory: > > http://www.oasis-open.org/committees/document.php?document_id=40254 > > ... and how I've packaged the use of xmlsec for UBL documents here: > > http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig > > Feedback is welcome. > > -- > Contact us for world-wide XML consulting & instructor-led training > Crane Softwrights Ltd. 
http://www.CraneSoftwrights.com/m/ > G. Ken Holman mailto:gkholman at CraneSoftwrights.com > Legal business disclaimers: http://www.CraneSoftwrights.com/legal > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From gkholman at CraneSoftwrights.com Mon Nov 15 19:40:07 2010 From: gkholman at CraneSoftwrights.com (G. Ken Holman) Date: Mon, 15 Nov 2010 22:40:07 -0500 Subject: [xmlsec] xmlsec command line fail on Windows with crash In-Reply-To: <4CE1F87F.9020809@aleksey.com> References: <7.0.1.0.2.20101115214810.02227198@CraneSoftwrights.com> <4CE1F87F.9020809@aleksey.com> Message-ID: <7.0.1.0.2.20101115223414.02314a68@wheresmymailserver.com> At 2010-11-15 19:20 -0800, Aleksey Sanin wrote: >Apologies, but I don't have a windows box to >test it. Any chance you can get a stack trace? Sadly, no ... the Windows crash dialogue does not have a lot of options. I'm only running the command-line version that is freely downloadable (so that my users can also freely download it). I did find this associated with the crash: And the error signature reads: AppName: xmlsec.exe AppVer: 0.0.0.0 ModName: libxml2.dll ModVer: 0.0.0.0 Offset: 000a7b5a But I don't see in all of that anything that might be useful. When you run the verification in a non-Windows environment, do you get a clean return code? Thank you very kindly, Aleksey, for looking at this. . . . . . . . . . Ken -- Contact us for world-wide XML consulting & instructor-led training Crane Softwrights Ltd. http://www.CraneSoftwrights.com/m/ G. 
Ken Holman mailto:gkholman at CraneSoftwrights.com Legal business disclaimers: http://www.CraneSoftwrights.com/legal

From aleksey at aleksey.com Mon Nov 15 20:10:43 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 15 Nov 2010 20:10:43 -0800
Subject: [xmlsec] xmlsec command line fail on Windows with crash
In-Reply-To: <7.0.1.0.2.20101115223414.02314a68@wheresmymailserver.com>
References: <7.0.1.0.2.20101115214810.02227198@CraneSoftwrights.com> <4CE1F87F.9020809@aleksey.com> <7.0.1.0.2.20101115223414.02314a68@wheresmymailserver.com>
Message-ID: <4CE20443.2040905@aleksey.com>

No problems as far as I can tell:

$ xmlsec1 verify ./detSigned.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
$

Aleksey

On 11/15/10 7:40 PM, G. Ken Holman wrote:
> At 2010-11-15 19:20 -0800, Aleksey Sanin wrote:
>> Apologies, but I don't have a windows box to test it. Any chance you can get a stack trace?
>
> Sadly, no ... the Windows crash dialogue does not have a lot of options. I'm only running the command-line version that is freely downloadable (so that my users can also freely download it).
>
> I did find this associated with the crash:
>
> (Windows error-report XML, markup lost in the archive: two unnamed module entries linked 11/01/2009 and 10/02/2010, plus kernel32 5.1.2600.5781)
>
> And the error signature reads:
>
> AppName: xmlsec.exe AppVer: 0.0.0.0 ModName: libxml2.dll
> ModVer: 0.0.0.0 Offset: 000a7b5a
>
> But I don't see in all of that anything that might be useful.
>
> When you run the verification in a non-Windows environment, do you get a clean return code?
>
> Thank you very kindly, Aleksey, for looking at this.
>
> . . . . . . . . . Ken
>
> --
> Contact us for world-wide XML consulting & instructor-led training
> Crane Softwrights Ltd. http://www.CraneSoftwrights.com/m/
> G. Ken Holman mailto:gkholman at CraneSoftwrights.com
> Legal business disclaimers: http://www.CraneSoftwrights.com/legal
>

From gkholman at CraneSoftwrights.com Tue Nov 16 03:37:11 2010
From: gkholman at CraneSoftwrights.com (G. Ken Holman)
Date: Tue, 16 Nov 2010 06:37:11 -0500
Subject: [xmlsec] xmlsec command line fail on Windows with crash
In-Reply-To: <4CE20443.2040905@aleksey.com>
References: <7.0.1.0.2.20101115214810.02227198@CraneSoftwrights.com> <4CE1F87F.9020809@aleksey.com> <7.0.1.0.2.20101115223414.02314a68@wheresmymailserver.com> <4CE20443.2040905@aleksey.com>
Message-ID: <7.0.1.0.2.20101116062423.022f7010@wheresmymailserver.com>

At 2010-11-15 20:10 -0800, Aleksey Sanin wrote:
>No problems as far as I can tell:
>
>$ xmlsec1 verify ./detSigned.xml
>OK
>SignedInfo References (ok/all): 1/1
>Manifests References (ok/all): 0/0
>$

Thanks for the report. I get the same lines. As I said, the program works fine until after the report is made and before the program exits. Then I have to interactively respond to the Windows crash dialogue boxes.
The bizarre error code that is returned messes up subsequent execution in the batch file. Thankfully the files created are robust. I've documented the fault in my distribution. I'm willing to suspend the issue until an xmlsec developer on Windows has the chance to look at it. I obtained the executable from: ftp://ftp.zlatkovic.com/libxml/ Do you know of any other Windows builds of xmlsec and related libraries? Thank you again, Aleksey. And on behalf of the UBL user community (that I participate in but don't really represent!), thank you for your program! . . . . . . . . . . . . Ken -------------- next part -------------- A non-text attachment was scrubbed... Name: xmlsecWindowsCrashScreenShot.png Type: image/png Size: 37692 bytes Desc: not available URL: -------------- next part -------------- -- Contact us for world-wide XML consulting & instructor-led training Crane Softwrights Ltd. http://www.CraneSoftwrights.com/m/ G. Ken Holman mailto:gkholman at CraneSoftwrights.com Legal business disclaimers: http://www.CraneSoftwrights.com/legal From aleksey at aleksey.com Tue Nov 16 07:24:11 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 16 Nov 2010 07:24:11 -0800 Subject: [xmlsec] xmlsec command line fail on Windows with crash In-Reply-To: <7.0.1.0.2.20101116062423.022f7010@wheresmymailserver.com> References: <7.0.1.0.2.20101115214810.02227198@CraneSoftwrights.com> <4CE1F87F.9020809@aleksey.com> <7.0.1.0.2.20101115223414.02314a68@wheresmymailserver.com> <4CE20443.2040905@aleksey.com> <7.0.1.0.2.20101116062423.022f7010@wheresmymailserver.com> Message-ID: <4CE2A21B.90509@aleksey.com> I'll take a look at it on weekend. I need to setup Windows VM, etc. which will take time. Aleksey On 11/16/10 3:37 AM, G. Ken Holman wrote: > At 2010-11-15 20:10 -0800, Aleksey Sanin wrote: >> No problems as far as I can tell: >> >> $ xmlsec1 verify ./detSigned.xml >> OK >> SignedInfo References (ok/all): 1/1 >> Manifests References (ok/all): 0/0 >> $ > > Thanks for the report. 
I get the same lines. As I said, the program > works fine until after the report is made and before the program exits. > Then I have to interactively respond to the Windows crash dialogue > boxes. The bizarre error code that is returned messes up subsequent > execution in the batch file. Thankfully the files created are robust. > > I've documented the fault in my distribution. > > I'm willing to suspend the issue until an xmlsec developer on Windows > has the chance to look at it. I obtained the executable from: > > ftp://ftp.zlatkovic.com/libxml/ > > Do you know of any other Windows builds of xmlsec and related libraries? > > Thank you again, Aleksey. And on behalf of the UBL user community (that > I participate in but don't really represent!), thank you for your program! > > . . . . . . . . . . . . Ken > > -- > Contact us for world-wide XML consulting & instructor-led training > Crane Softwrights Ltd. http://www.CraneSoftwrights.com/m/ > G. Ken Holman mailto:gkholman at CraneSoftwrights.com > Legal business disclaimers: http://www.CraneSoftwrights.com/legal From fcosta75 at gmail.com Wed Nov 17 12:01:12 2010 From: fcosta75 at gmail.com (=?ISO-8859-1?Q?Fl=E1vio_Costa?=) Date: Wed, 17 Nov 2010 17:01:12 -0300 Subject: [xmlsec] Problem with multiple X509Certificates Message-ID: Hi. I developed my Delphi application using DLLs downloaded from ftp://ftp.zlatkovic.com/libxml/ and everything was fine on my tests using my company A1 certificate. When deploying to my first customer, his signed XML contained 4 distinct X509Certificate tags. After inspecting my code, I found that this strange error was created by libxmlsec, and some google search lead me to version 1.2.16, which contains a fix for this problem. But zlatkovic only provides binaries for version 1.2.13, so I tried to compile myself. 
The following was compiled successfully with MS Visual Studio 2010:
zlib-1.2.5
xmlsec-1.2.16
libxml2-2.7.8
libxslt-1.1.25

Using new compiled DLLs, my Delphi code reached the following assert on list.c line 184:

xmlSecAssert2(dst->id == src->id, -1);

I've tried to compile libxmlsec version 1.2.13 again, but my code only works with zlatkovic's binaries. Every version (1.2.13, 1.2.14, 1.2.15) has this same assertion.

Any suggestions?

Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From aleksey at aleksey.com Wed Nov 17 12:12:05 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 17 Nov 2010 12:12:05 -0800
Subject: [xmlsec] Problem with multiple X509Certificates
In-Reply-To: 
References: 
Message-ID: <4CE43715.7030903@aleksey.com>

What is the stack trace?

Aleksey

On 11/17/10 12:01 PM, Flávio Costa wrote:
> Hi.
>
> I developed my Delphi application using DLLs downloaded from ftp://ftp.zlatkovic.com/libxml/ and everything was fine on my tests using my company A1 certificate.
>
> When deploying to my first customer, his signed XML contained 4 distinct X509Certificate tags. After inspecting my code, I found that this strange error was created by libxmlsec, and some google search lead me to version 1.2.16, which contains a fix for this problem. But zlatkovic only provides binaries for version 1.2.13, so I tried to compile myself.
>
> The following was compiled successfully with MS Visual Studio 2010:
> zlib-1.2.5
> xmlsec-1.2.16
> libxml2-2.7.8
> libxslt-1.1.25
>
> Using new compiled DLLs, my Delphi code reached the following assert on list.c line 184:
>
> xmlSecAssert2(dst->id == src->id, -1);
>
> I've tried to compile libxmlsec version 1.2.13 again, but my code only works with zlatkovic's binaries. Every version (1.2.13, 1.2.14, 1.2.15) has this same assertion.
>
> Any suggestions?
>
> Thanks in advance.
>

From fcosta75 at gmail.com Wed Nov 17 12:19:03 2010
From: fcosta75 at gmail.com (Flávio Costa)
Date: Wed, 17 Nov 2010 17:19:03 -0300
Subject: [xmlsec] Problem with multiple X509Certificates
In-Reply-To: <4CE43715.7030903@aleksey.com>
References: <4CE43715.7030903@aleksey.com>
Message-ID: 

Yes, I have.

XMLSEC file_: ..\src\list.c line: 184 func: xmlSecPtrListCopy, errorObject: , errorSubject: dst->id == src->id, reason: 100, msg:
XMLSEC file_: ..\src\xmldsig.c line: 1335 func: xmlSecDSigReferenceCtxInitialize, errorObject: , errorSubject: xmlSecPtrListCopy, reason: 1, msg:
XMLSEC file_: ..\src\xmldsig.c line: 1269 func: xmlSecDSigReferenceCtxCreate, errorObject: , errorSubject: xmlSecDSigReferenceCtxInitialize, reason: 1, msg:
XMLSEC file_: ..\src\xmldsig.c line: 781 func: xmlSecDSigCtxProcessSignedInfoNode, errorObject: , errorSubject: xmlSecDSigReferenceCtxCreate, reason: 1, msg:
XMLSEC file_: ..\src\xmldsig.c line: 547 func: xmlSecDSigCtxProcessSignatureNode, errorObject: , errorSubject: xmlSecDSigCtxProcessSignedInfoNode, reason: 1, msg:
XMLSEC file_: ..\src\xmldsig.c line: 303 func: xmlSecDSigCtxSign, errorObject: , errorSubject: xmlSecDSigCtxSigantureProcessNode, reason: 1, msg:

2010/11/17 Aleksey Sanin
> What is the stack trace?
>
> Aleksey
>
>
> On 11/17/10 12:01 PM, Flávio Costa wrote:
>
>> Hi.
>>
>> I developed my Delphi application using DLLs downloaded from ftp://ftp.zlatkovic.com/libxml/ and everything was fine on my tests using my company A1 certificate.
>>
>> When deploying to my first customer, his signed XML contained 4 distinct X509Certificate tags. After inspecting my code, I found that this strange error was created by libxmlsec, and some google search lead me to version 1.2.16, which contains a fix for this problem.
>> But zlatkovic only provides binaries for version 1.2.13, so I tried to compile myself.
>>
>> The following was compiled successfully with MS Visual Studio 2010:
>> zlib-1.2.5
>> xmlsec-1.2.16
>> libxml2-2.7.8
>> libxslt-1.1.25
>>
>> Using new compiled DLLs, my Delphi code reached the following assert on list.c line 184:
>>
>> xmlSecAssert2(dst->id == src->id, -1);
>>
>> I've tried to compile libxmlsec version 1.2.13 again, but my code only works with zlatkovic's binaries. Every version (1.2.13, 1.2.14, 1.2.15) has this same assertion.
>>
>> Any suggestions?
>>
>> Thanks in advance.
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From aleksey at aleksey.com Wed Nov 17 13:02:18 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 17 Nov 2010 13:02:18 -0800
Subject: [xmlsec] Problem with multiple X509Certificates
In-Reply-To: 
References: <4CE43715.7030903@aleksey.com>
Message-ID: <4CE442DA.70709@aleksey.com>

OK, so the error means that one tries to copy a list to another list of a different "type". However, in the code these two lists are of the same type. Thus, the only idea I have is that there is a memory corruption somewhere or there is an error with linking. Any chance you can run it with memory check tool?

Aleksey

On 11/17/10 12:19 PM, Flávio Costa wrote:
> Yes, I have.
>
> XMLSEC file_: ..\src\list.c line: 184 func: xmlSecPtrListCopy, errorObject: , errorSubject: dst->id == src->id, reason: 100, msg:
> XMLSEC file_: ..\src\xmldsig.c line: 1335 func: xmlSecDSigReferenceCtxInitialize, errorObject: , errorSubject: xmlSecPtrListCopy, reason: 1, msg:
> XMLSEC file_: ..\src\xmldsig.c line: 1269 func: xmlSecDSigReferenceCtxCreate, errorObject: , errorSubject: xmlSecDSigReferenceCtxInitialize, reason: 1, msg:
> XMLSEC file_: ..\src\xmldsig.c line: 781 func: xmlSecDSigCtxProcessSignedInfoNode, errorObject: , errorSubject: xmlSecDSigReferenceCtxCreate, reason: 1, msg:
> XMLSEC file_: ..\src\xmldsig.c line: 547 func: xmlSecDSigCtxProcessSignatureNode, errorObject: , errorSubject: xmlSecDSigCtxProcessSignedInfoNode, reason: 1, msg:
> XMLSEC file_: ..\src\xmldsig.c line: 303 func: xmlSecDSigCtxSign, errorObject: , errorSubject: xmlSecDSigCtxSigantureProcessNode, reason: 1, msg:
>
> 2010/11/17 Aleksey Sanin
>
>     What is the stack trace?
>
>     Aleksey
>
>     On 11/17/10 12:01 PM, Flávio Costa wrote:
>
>         Hi.
>
>         I developed my Delphi application using DLLs downloaded from ftp://ftp.zlatkovic.com/libxml/ and everything was fine on my tests using my company A1 certificate.
>
>         When deploying to my first customer, his signed XML contained 4 distinct X509Certificate tags. After inspecting my code, I found that this strange error was created by libxmlsec, and some google search lead me to version 1.2.16, which contains a fix for this problem. But zlatkovic only provides binaries for version 1.2.13, so I tried to compile myself.
>
>         The following was compiled successfully with MS Visual Studio 2010:
>         zlib-1.2.5
>         xmlsec-1.2.16
>         libxml2-2.7.8
>         libxslt-1.1.25
>
>         Using new compiled DLLs, my Delphi code reached the following assert on list.c line 184:
>
>         xmlSecAssert2(dst->id == src->id, -1);
>
>         I've tried to compile libxmlsec version 1.2.13 again, but my code only works with zlatkovic's binaries.
>         Every version (1.2.13, 1.2.14, 1.2.15) has this same assertion.
>
>         Any suggestions?
>
>         Thanks in advance.
>

From peter.seclist at bastu.net Fri Nov 19 09:53:47 2010
From: peter.seclist at bastu.net (Pekka A)
Date: Fri, 19 Nov 2010 19:53:47 +0200
Subject: [xmlsec] Nodes in X509Data
Message-ID: <4CE6B9AB.4070003@bastu.net>

Hello

I am trying to sign an XML file with the xmlSecKeyDataFormatPkcs12 option, as the keys I use are stored in a .p12 certificate file. All this goes very well, except for some differences in the X509Data node content, compared to an acceptable XML result. This far my output from LibXmlSec looks like this:

...
<X509Data>
  <X509Certificate>MIID+jCCAuKgAwxu...</X509Certificate>   <- Get this, away!
  <X509Certificate>MIID+jCCAuKgAwIB...</X509Certificate>   <- This is GOOD!
  <X509IssuerSerial>
    <X509IssuerName>2.5.4.5=#130b3531363313230,CN=Banko</X509IssuerName>
    <X509SerialNumber>13070788</X509SerialNumber>
  </X509IssuerSerial>
</X509Data>

As you can see, the X509Certificate has two nodes. There seem to be two keys in the .p12 certificate file, and both of them get picked up here. How could I choose to include only the latter one of those Certificates?

The second different part is the X509IssuerSerial node. I should get the two above mentioned nodes 'X509IssuerName' and 'X509SerialNumber' added there. How could I first pick the values from inside the Certificate, and then add those two nodes to the XML structure?

I'm doing this with Delphi, and I have now stared at the libxmlsec.Pas unit for several days. I just can't figure out how to call those needed functions and get the few needed nodes created. If I could see the answer written in C, I probably will understand how to do the calls in Delphi.

Any comments appreciated. Thanks for this great Crypto library.

Pekka A.
From aleksey at aleksey.com Fri Nov 19 13:12:23 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Fri, 19 Nov 2010 13:12:23 -0800 Subject: [xmlsec] Nodes in X509Data In-Reply-To: <4CE6B9AB.4070003@bastu.net> References: <4CE6B9AB.4070003@bastu.net> Message-ID: <4CE6E837.8030704@aleksey.com> > As you can see, the X509Certificate has two nodes. There seems to be two > keys in .p12 certificate file, and both of then get picked in here. How > could I choose to include only the latter one of those Certificates? It's a feature :) You might want to simply create a new p12 file. > The second different part is the X509IssuerSerial node. I should get the > two above mentioned nodes 'X509IssuerName' and 'X509SerialNumber' added > there. How could I first pick the values from inside the Certificate, > and then add those two nodes to the XML structure? I am not sure what are you trying to do. These nodes are used to identify the certificate used for the signature. Not sure why do you want to pick these values yourself. Aleksey From aleksey at aleksey.com Sat Nov 20 08:07:31 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Sat, 20 Nov 2010 08:07:31 -0800 Subject: [xmlsec] Nodes in X509Data In-Reply-To: <4CE79F9E.6030102@bastu.net> References: <4CE79F9E.6030102@bastu.net> Message-ID: <4CE7F243.4060107@aleksey.com> 1) pkcs12 file is a container. You can add/remove things freely 2) To get the serial number just add X509IssuerSerial node to the template Aleksey On 11/20/10 2:14 AM, Pekka A wrote: > Aleksey Sanin wrote: > > > > It's a feature :) You might want to simply create a new p12 file. > > Hello > > Thanks for your response. That crypted p12 certificate comes from Bank, > so I am not sure if I am allowed to twiddle anything inside it, without > breaking anything, I do have a key for it though. > > I understand if that is a current XmlSec feature, so it won't go away > right away. But then the possible workarounds? > > It looks like a standard XML content anyway. 
> Are there any XmlSec calls with which I would be able to access those nodes and drop the first node away?
>
> Or if there aren't any, should I try to read the whole XML buffer out of XmlSec, then maybe use XmlLib2 to do the changes, and write the buffer back to XmlSec? And after this, let XmlSec do the Signing part. Is there any chance this could work, and I would get a well signed XML as output?
>
> > I am not sure what you are trying to do. These nodes are used to identify the certificate used for the signature. Not sure why you want to pick these values yourself.
>
> Again, there's nothing I can do for this. It is a strict requirement from the bank, they want that X509SerialNumber to be visible there. If it would be possible to use the workaround described above, then I could add these nodes to the XML in my XmlLib2 code manually, before the actual Signing call. Then I would need a bit of help on how to use XmlSec to read and get the X509SerialNumber value out of the certificate.
>
> cheers
> Pekka A.
>

From mahendra0203 at gmail.com Mon Nov 22 02:14:44 2010
From: mahendra0203 at gmail.com (mahendra N)
Date: Mon, 22 Nov 2010 15:44:44 +0530
Subject: [xmlsec] Skipping certificate expiry checks in xmlsec 1.2.12
Message-ID: 

Hi,

I want to verify a file, signed with a digital certificate which has expired. Is there a way in xmlsec to skip the checking of expiry date of certificates, and only check for the keys?

Thanks and Regards,
Mahendra Naik
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mahendra0203 at gmail.com Mon Nov 22 02:37:11 2010
From: mahendra0203 at gmail.com (mahendra N)
Date: Mon, 22 Nov 2010 16:07:11 +0530
Subject: [xmlsec] Skipping certificate expiry checks in xmlsec 1.2.12
In-Reply-To: 
References: 
Message-ID: 

Hi,

I have tried the following command:

xmlsec1 --verify --id-attr:Id LicenceData --verification-time "2010-12-12 20:45:34" --trusted-pem root_kuc.pem license.xml

license.xml is signed by root_kuc.pem, which expires on 2010-12-02.

I get the following error:

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=US/ST=Newyork/O=Company/OU=BI/CN=Company Licence Generator ILG;err=10;msg=certificate has expired
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=400:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "license.xml"

Thanks and Regards,
Mahendra Naik

2010/11/22 mahendra N
> Hi,
>
> I want to verify a file, signed with a digital certificate which has expired. Is there a way in xmlsec to skip the checking of expiry date of certificates, and only check for the keys?
>
> Thanks and Regards,
> Mahendra Naik
>
-------------- next part --------------
An HTML attachment was scrubbed...
From aleksey at aleksey.com Mon Nov 22 07:29:03 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Mon, 22 Nov 2010 07:29:03 -0800
Subject: [xmlsec] Skipping certificate expiry checks in xmlsec 1.2.12
Message-ID: <4CEA8C3F.8020102@aleksey.com>

Try

--verification-time "2010-11-12 20:45:34"

On 11/22/10 2:37 AM, mahendra N wrote:
> Hi,
> I have tried the following command
>
> xmlsec1 --verify --id-attr:Id LicenceData --verification-time
> "2010-12-12 20:45:34" --trusted-pem root_kuc.pem license.xml
>
> license.xml is signed by root_kuc.pem, which expires on 2010-12-02.
>
> I get the following error:
>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=US/ST=Newyork/O=Company/OU=BI/CN=Company Licence Generator ILG;err=10;msg=certificate has expired
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=400:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "license.xml"
>
> Thanks and Regards,
> Mahendra Naik
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

From mahendra0203 at gmail.com Tue Nov 23 01:47:25 2010
From: mahendra0203 at gmail.com (mahendra N)
Date: Tue, 23 Nov 2010 15:17:25 +0530
Subject: [xmlsec] Skipping certificate expiry checks in xmlsec 1.2.12
In-Reply-To: <4CEA8C3F.8020102@aleksey.com>
References: <4CEA8C3F.8020102@aleksey.com>

Hi,

Thanks. I had misunderstood a concept. Now it works fine.

One more question: In this case I know the start and end date of the certificate. What if I don't know the expiry date of the certificate? Then, how can I bypass expiry date checking of certificates?

Will the XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS flag be of any help?

The available documentation on xmlsec says "if the flag is set then we'll skip strict checking of certs and CRLs". What parameters of a certificate are skipped if we use this flag?

If there is no way to handle it in xmlsec, any pointers to alternate solutions (maybe openssl) would be of great help.

Thanks and Regards,
Mahendra Naik

2010/11/22 Aleksey Sanin
> Try
>
> --verification-time "2010-11-12 20:45:34"
From aleksey at aleksey.com Tue Nov 23 07:54:19 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 23 Nov 2010 07:54:19 -0800
Subject: [xmlsec] Skipping certificate expiry checks in xmlsec 1.2.12
References: <4CEA8C3F.8020102@aleksey.com>
Message-ID: <4CEBE3AB.6010201@aleksey.com>

Nope. This flag is about self signed certs, etc.

You can load cert and get the dates from it. Or you can patch xmlsec and disable this check (I would advise against it but this is your code).

Aleksey

On 11/23/10 1:47 AM, mahendra N wrote:
> Hi,
>
> Thanks. I had misunderstood a concept. Now it works fine.
>
> One more question: In this case I know the start and end date of the
> certificate. What if I don't know the expiry date of the certificate?
> Then, how can I bypass expiry date checking of certificates?
>
> Will the XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS flag be of
> any help?
>
> The available documentation on xmlsec says "if the flag is set then
> we'll skip strict checking of certs and CRLs". What parameters of a
> certificate are skipped if we use this flag?
>
> If there is no way to handle it in xmlsec, any pointers to alternate
> solutions (maybe openssl) would be of great help.
>
> Thanks and Regards,
> Mahendra Naik

From aleksey at aleksey.com Tue Nov 23 22:04:10 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 23 Nov 2010 22:04:10 -0800
Subject: [xmlsec] XMLSec -- Spelling police
In-Reply-To: <1290559174.26294.62.camel@sony>
References: <1290559174.26294.62.camel@sony>
Message-ID: <4CECAADA.1030806@aleksey.com>

thanks!
applied and checked in

Aleksey

On 11/23/10 4:39 PM, Wolfgang Woehl wrote:
> Aleksey,
>
> typos patch attached for your consideration. Comments only.
>
> Wolfgang

From gkholman at CraneSoftwrights.com Sat Nov 27 10:44:10 2010
From: gkholman at CraneSoftwrights.com (G. Ken Holman)
Date: Sat, 27 Nov 2010 13:44:10 -0500
Subject: [xmlsec] xmlsec having problem finding element with Id=
Message-ID: <7.0.1.0.2.20101127133210.026a0f38@CraneSoftwrights.com>

Hi folks!

Today I'm working on countersignatures, and I'm having a problem with xmlsec not finding an element with Id= that is cited in the URI= of a :

func=xmlSecXPathDataExecute:file=..\src\xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('addedSigVal'))
func=xmlSecXPathDataListExecute:file=..\src\xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=..\src\xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=..\src\transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
Error: failed to sign file "extSigned2.xml.raw"

The extSigned2.xml.raw file is found in the attached ZIP file, named ".zzz" to get past mail filters.

That file was successfully signed with a that has a signature value.

To again sign the document and this time also countersign that first signature, I'm adding a second that has two elements: the first one points to the document using URI="", and the second one points to the signature value of the first signature using URI="#addedSigVal".

The first line of the error message above indicates that the element with the id "addedSigVal" cannot be found.

I get the same message if I try to point to the first using URI="#addedSig".

Is this enough information to determine if the software is wrong or if I'm asking too much?

Thanks!

. . . . . . . . . Ken

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gkholman-missid-20101127-1840z.zzz
Type: application/octet-stream
Size: 6177 bytes
Desc: not available

--
Contact us for world-wide XML consulting & instructor-led training
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/z/
G. Ken Holman mailto:gkholman at CraneSoftwrights.com
Legal business disclaimers: http://www.CraneSoftwrights.com/legal

From aleksey at aleksey.com Sat Nov 27 12:43:42 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Sat, 27 Nov 2010 12:43:42 -0800
Subject: [xmlsec] xmlsec having problem finding element with Id=
In-Reply-To: <7.0.1.0.2.20101127133210.026a0f38@CraneSoftwrights.com>
References: <7.0.1.0.2.20101127133210.026a0f38@CraneSoftwrights.com>
Message-ID: <4CF16D7E.9050606@aleksey.com>

http://www.aleksey.com/xmlsec/faq.html

On 11/27/10 10:44 AM, G. Ken Holman wrote:
> Hi folks!
>
> Today I'm working on countersignatures, and I'm having a problem with
> xmlsec not finding an element with Id= that is cited in the URI= of a
> :
>
> func=xmlSecXPathDataExecute:file=..\src\xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('addedSigVal'))
> func=xmlSecXPathDataListExecute:file=..\src\xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformXPathExecute:file=..\src\xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxXmlExecute:file=..\src\transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> Error: failed to sign file "extSigned2.xml.raw"
>
> The extSigned2.xml.raw file is found in the attached ZIP file, named
> ".zzz" to get past mail filters.
>
> That file was successfully signed with a that has a
> signature value.
>
> To again sign the document and this time also countersign that first
> signature, I'm adding a second that has two
> elements: the first one points to the document using
> URI="", and the second one points to the signature value of the first
> signature using URI="#addedSigVal".
>
> The first line of the error message above indicates that the element
> with the id "addedSigVal" cannot be found.
>
> I get the same message if I try to point to the first
> using URI="#addedSig".
>
> Is this enough information to determine if the software is wrong or if
> I'm asking too much?
>
> Thanks!
>
> . . . . . . . . . Ken
>
> --
> Contact us for world-wide XML consulting & instructor-led training
> Crane Softwrights Ltd. http://www.CraneSoftwrights.com/z/
> G. Ken Holman mailto:gkholman at CraneSoftwrights.com
> Legal business disclaimers: http://www.CraneSoftwrights.com/legal

From gkholman at CraneSoftwrights.com Sat Nov 27 13:06:11 2010
From: gkholman at CraneSoftwrights.com (G. Ken Holman)
Date: Sat, 27 Nov 2010 16:06:11 -0500
Subject: [xmlsec] xmlsec having problem finding element with Id=
In-Reply-To: <4CF16D7E.9050606@aleksey.com>
References: <7.0.1.0.2.20101127133210.026a0f38@CraneSoftwrights.com> <4CF16D7E.9050606@aleksey.com>
Message-ID: <7.0.1.0.2.20101127160436.026ac230@wheresmymailserver.com>

At 2010-11-27 12:43 -0800, Aleksey Sanin wrote:
> http://www.aleksey.com/xmlsec/faq.html

Thank you, Aleksey, for taking from your time to cite the FAQ. And thank you for being so complete as to provide for such a flexible configuration. Please forgive my oversight.

Everything is now working as it should:

http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig

I very much appreciate your help and your software.

. . . . . . . . . .
Ken

--
Contact us for world-wide XML consulting & instructor-led training
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/z/
G. Ken Holman mailto:gkholman at CraneSoftwrights.com
Legal business disclaimers: http://www.CraneSoftwrights.com/legal

From aleksey at aleksey.com Wed Dec 1 08:29:02 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Wed, 01 Dec 2010 08:29:02 -0800
Subject: [xmlsec] Patch for XMLsec Windows app and example builds; Failure of all examples
Message-ID: <4CF677CE.9030609@aleksey.com>

First, you probably want to use the mailing list. This way you might get a better response.

Second, how did you compile the library and example? Did you use the provided makefiles?

Aleksey

On 11/30/10 11:36 PM, Paul Kennedy wrote:
> On Tue, Nov 30, 2010 at 11:31 PM, Paul Kennedy wrote:
>
> Aleksey,
>
> I downloaded the source for the XMLsec library, utilities and
> examples from this link:
>
> This link, at http://www.aleksey.com/xmlsec/download.html,
> which is labeled "Sources for latest version", 1.2.16:
>
> http://www.aleksey.com/xmlsec/download/xmlsec1-1.2.16.tar.gz
>
> I am building using openssl.
>
> Pk.
>
> I found that neither the apps target nor the examples built on
> win32/x86, they are missing a link library reference to zlib.lib. I
> have a patch for the Makefiles if you want to take it.
>
> But I have a bigger problem: After building all the binaries and the
> examples, I am finding that all of the examples fail.
> I am running the examples just as indicated in the usage() and in the
> C source files, but they just don't work:
>
> For example:
>
> C:\projects\xmlsec\xmlsec1-1.2.16\examples>build\verify1.exe sign1-res.xml rsapub.pem
> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=465:obj=unknown:subj=dsigCtx->c14nMethod == NULL:error=100:assertion:
> func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature verify
>
> C:\projects\xmlsec\xmlsec1-1.2.16\examples>build\verify2.exe sign2-res.xml rsapub.pem
> Signature is INVALID
>
> C:\projects\xmlsec\xmlsec1-1.2.16\examples>build\verify2.exe sign2-doc.xml rsapub.pem
> Error: start node not found in "sign2-doc.xml"
>
> C:\projects\xmlsec\xmlsec1-1.2.16\examples>build\verify3.exe sign3-res.xml rootcert.pem
> Signature is INVALID
>
> C:\projects\xmlsec\xmlsec1-1.2.16\examples>build\verify3.exe sign3-doc.xml rootcert.pem
> Error: start node not found in "sign3-doc.xml"
>
> C:\projects\xmlsec\xmlsec1-1.2.16\examples>build\verify4 verify4-res.xml rootcert.pem
> func=xmlSecPtrListAdd:file=..\src\list.c:line=305:obj=unknown:subj=xmlSecPtrListIsValid(list):error=100:assertion:
> Error: failed to limit allowed key data
>
> C:\projects\xmlsec\xmlsec1-1.2.16\examples>build\verify4 verify4-bad-res.xml rootcert.pem
> func=xmlSecPtrListAdd:file=..\src\list.c:line=305:obj=unknown:subj=xmlSecPtrListIsValid(list):error=100:assertion:
> Error: failed to limit allowed key data
>
> Am I doing something wrong?
>
> Thanks for your time,
> Pk.
From pfk001 at gmail.com Wed Dec 1 16:32:34 2010
From: pfk001 at gmail.com (Paul Kennedy)
Date: Wed, 1 Dec 2010 16:32:34 -0800
Subject: [xmlsec] Patch for XMLsec Windows app and example builds; Failure of all examples
In-Reply-To: <4CF677CE.9030609@aleksey.com>
References: <4CF677CE.9030609@aleksey.com>

On Wed, Dec 1, 2010 at 8:29 AM, Aleksey Sanin wrote:
> First, you probably want to use the mailing list. This way you might get
> a better response.

Ok, understood.

> Second, how did you compile the library and example? Did you use the
> provided makefiles?

Yes, I used the Makefiles inside the gzip archive and I followed the instructions in README, examples\README and win32\README.txt. I used 'cscript win32\configure.js' to set up my environment, as directed. I have all the needed libs in my lib directory, all needed .h files in an include directory, and the INCLUDE and LIB env vars set up properly. I'm building using Visual Studio 2005 tools, from the command-line.

The zlib.lib (and zdll.lib) libraries were missing from the linker command-line in both cases; for example, here's how I modified the win32\Makefile.msvc file. (I would make this change more robust, i.e. account for zdll.lib, in an actual patch for you.)

C:\projects\xmlsec\xmlsec1-1.2.16\win32>diff -c Makefile.msvc ..\..\..\xmlsec-1\xmlsec1-1.2.16\win32\Makefile.msvc
*** Makefile.msvc 2010-12-01 08:46:29.171875000 -0800
--- ..\..\..\xmlsec-1\xmlsec1-1.2.16\win32\Makefile.msvc 2010-05-25 15:52 :46.000000000 -0700
***************
*** 359,365 ****
LD = link.exe
LDFLAGS = /nologo
LDFLAGS = $(LDFLAGS) /LIBPATH:$(BINDIR) /LIBPATH:$(LIBPREFIX)
*! LIBS = zlib.lib*

# Optimisation and debug symbols.
!if "$(DEBUG)" == "1"
--- 359,365 ----
LD = link.exe
LDFLAGS = /nologo
LDFLAGS = $(LDFLAGS) /LIBPATH:$(BINDIR) /LIBPATH:$(LIBPREFIX)
*! LIBS =*

# Optimisation and debug symbols.
!if "$(DEBUG)" == "1"

Pk.
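Review bot: the diff is reversed. `diff -c Makefile.msvc ..\..\..\xmlsec-1\xmlsec1-1.2.16\win32\Makefile.msvc` puts the edited file on the `***` side and the pristine 2010-05-25 tree on the `---` side, so the hunk presents the original `LIBS =` as the new text and `patch` would remove `zlib.lib` rather than add it; regenerate it with the pristine file first (old, then new). On the change itself, `LIBS = zlib.lib` hard-codes the static import library name; as the message notes, builds that link against the zlib DLL need `zdll.lib` instead, so the name should be selected by a configure.js setting rather than fixed in the Makefile. The `!` lines also arrived wrapped in `*...*` mail emphasis, which will not apply cleanly; send the patch as an attachment.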
From cruisercoder at gmail.com Thu Dec 2 13:14:45 2010
From: cruisercoder at gmail.com (Erik Smith)
Date: Thu, 2 Dec 2010 13:14:45 -0800
Subject: [xmlsec] oracle / crypto issue

I need to load certificate keys to validate XML containing XML Security content. openssl seems to be the path of least resistance, but there seems to be a static library conflict between Oracle's libclntst11.a file and symbols in libcrypto.a, presumably because Oracle statically links in a version of crypto. I get errors like this:

libclntst11.a(truntim.o): In function `ERR_load_strings':
truntim.c:(text.unlikely+0x58): multiple definition of `ERR_load_strings'
libcrypto.a(err.o):err.c:(.text+0x19c0): first defined here
/usr/bin/ld: Warning: size of symbol `ERR_load_strings' changed from 97 in libcrypto.a(err.o) to 10 in libclntst11.a(truntim.o)

Is there an easy way around this openssl / crypto conflict?

gcrypt doesn't have this issue but it doesn't support certificate keys. Is there a preferred cryptographic library that provides a broad range of support with the least amount of issues?

erik

From xmlsec at roumenpetrov.info Thu Dec 2 13:26:17 2010
From: xmlsec at roumenpetrov.info (Roumen Petrov)
Date: Thu, 02 Dec 2010 23:26:17 +0200
Subject: [xmlsec] oracle / crypto issue
Message-ID: <4CF80EF9.8020801@roumenpetrov.info>

Erik Smith wrote:
> I need to load certificate keys to validate XML containing XML Security
> content. openssl seems to be the path of least resistance, but there seems
> to be a static library conflict between Oracle's libclntst11.a file and
> symbols in libcrypto.a, presumably because Oracle statically links in a
> version of crypto. I get errors like this:
>
> libclntst11.a(truntim.o): In function `ERR_load_strings':
> truntim.c:(text.unlikely+0x58): multiple definition of `ERR_load_strings'
> libcrypto.a(err.o):err.c:(.text+0x19c0): first defined here
> /usr/bin/ld: Warning: size of symbol `ERR_load_strings' changed from 97 in
> libcrypto.a(err.o) to 10 in libclntst11.a(truntim.o)
>
> Is there an easy way around this openssl / crypto conflict?
>
> gcrypt doesn't have this issue but it doesn't support certificate keys. Is
> there a preferred cryptographic library that provides a broad range of
> support with the least amount of issues?
>
> erik

./configure --help will show how to set header/library search paths. Put flags with paths to openssl headers and libraries so that the compiler/linker finds them first.

Roumen

From aleksey at aleksey.com Thu Dec 2 13:33:53 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 02 Dec 2010 13:33:53 -0800
Subject: [xmlsec] oracle / crypto issue
In-Reply-To: <4CF80EF9.8020801@roumenpetrov.info>
References: <4CF80EF9.8020801@roumenpetrov.info>
Message-ID: <4CF810C1.5010501@aleksey.com>

You might also want to talk to Oracle and explain to them that statically linking a widely used open source library is a BAD idea.

Aleksey

On 12/2/10 1:26 PM, Roumen Petrov wrote:
> ./configure --help will show how to set header/library search paths.
> Put flags with paths to openssl headers and libraries so that
> the compiler/linker finds them first.
>
> Roumen

From cruisercoder at gmail.com Thu Dec 2 13:43:12 2010
From: cruisercoder at gmail.com (Erik Smith)
Date: Thu, 2 Dec 2010 13:43:12 -0800
Subject: [xmlsec] oracle / crypto issue
In-Reply-To: <4CF80EF9.8020801@roumenpetrov.info>
References: <4CF80EF9.8020801@roumenpetrov.info>

I played around with that idea for a while, but since this is a "multiple definition" issue, I'm not sure how messing with the search paths helps.

nm data:

libcrypto.a: 00000000000019c0 T ERR_load_strings
libclntst11.a: 0000000000000058 T ERR_load_strings

erik

On Thu, Dec 2, 2010 at 1:26 PM, Roumen Petrov wrote:
> ./configure --help will show how to set header/library search paths.
> Put flags with paths to openssl headers and libraries so that
> the compiler/linker finds them first.
>
> Roumen

From aleksey at aleksey.com Thu Dec 2 13:57:52 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 02 Dec 2010 13:57:52 -0800
Subject: [xmlsec] oracle / crypto issue
References: <4CF80EF9.8020801@roumenpetrov.info>
Message-ID: <4CF81660.8020309@aleksey.com>

The idea is that you can link against libclntst11.a directly instead of openssl. This would work if you find out the exact openssl version used by Oracle.

Aleksey

On 12/2/10 1:43 PM, Erik Smith wrote:
> I played around with that idea for a while, but since this is a
> "multiple definition" issue, I'm not sure how messing with the search
> paths helps.
> nm data:
> libcrypto.a: 00000000000019c0 T ERR_load_strings
> libclntst11.a: 0000000000000058 T ERR_load_strings
>
> erik

From cruisercoder at gmail.com Thu Dec 2 14:01:10 2010
From: cruisercoder at gmail.com (Erik Smith)
Date: Thu, 2 Dec 2010 14:01:10 -0800
Subject: [xmlsec] polarssl

Are there any plans to support polarssl in the future? It has worked well for me in many instances.

http://polarssl.org/

From aleksey at aleksey.com Thu Dec 2 14:02:13 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 02 Dec 2010 14:02:13 -0800
Subject: [xmlsec] polarssl
Message-ID: <4CF81765.5090007@aleksey.com>

I accept patches :)

On 12/2/10 2:01 PM, Erik Smith wrote:
> Are there any plans to support polarssl in the future? It has worked
> well for me in many instances.
>
> http://polarssl.org/

From cruisercoder at gmail.com Thu Dec 2 17:53:55 2010
From: cruisercoder at gmail.com (Erik Smith)
Date: Thu, 2 Dec 2010 17:53:55 -0800
Subject: [xmlsec] Unable to find gnutls

xmlsec is not liking the gnutls install. I'm not sure what is wrong.

cd ~/gnutls-2.10.3
./configure --prefix=$TOOLS --with-libgcrypt-prefix=$TOOLS
make && make install

cd ~/xmlsec1-1.2.16
./configure --prefix=$TOOLS --with-libxml=$TOOLS --with-gcrypt=$TOOLS --with-gnutls=$TOOLS --with-libxslt=$TOOLS

checking for gnutls libraries >= 2.8.0... configure: error: Unable to find gnutls at

From aleksey at aleksey.com Thu Dec 2 18:33:12 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Thu, 02 Dec 2010 18:33:12 -0800
Subject: [xmlsec] Unable to find gnutls
Message-ID: <4CF856E8.5060005@aleksey.com>

Take a look at the config.log to figure out "why?"

On 12/2/10 5:53 PM, Erik Smith wrote:
> xmlsec is not liking the gnutls install. I'm not sure what is wrong.
>
> cd ~/gnutls-2.10.3
> ./configure --prefix=$TOOLS --with-libgcrypt-prefix=$TOOLS
> make && make install
>
> cd ~/xmlsec1-1.2.16
> ./configure --prefix=$TOOLS --with-libxml=$TOOLS --with-gcrypt=$TOOLS
> --with-gnutls=$TOOLS --with-libxslt=$TOOLS
>
> checking for gnutls libraries >= 2.8.0...
*configure: error: Unable to > find gnutls at* > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From estanisgeyer at hotmail.com Fri Dec 17 13:29:52 2010 From: estanisgeyer at hotmail.com (Marcelo Estanislau Geyer) Date: Fri, 17 Dec 2010 21:29:52 +0000 Subject: [xmlsec] Problems with line breaks Message-ID: Hi, I have not found a way to remove line breaks generated by xmlsec, as I will need to communicate with a webservice that will not accept any space between tags and line breaks. I tried to create a template to sign, but in some tags the xmlsec breaks the line. This occurs for example in the tag X509Data Thanks, Marcelo E. Geyer -------------- next part -------------- An HTML attachment was scrubbed... URL: From aleksey at aleksey.com Fri Dec 17 13:49:17 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Fri, 17 Dec 2010 13:49:17 -0800 Subject: [xmlsec] Problems with line breaks In-Reply-To: References: Message-ID: <4D0BDADD.70101@aleksey.com> You might want to ask the webservice vendor to implement proper XML support. Meantime, you'll probably will need to remove all line breaks from xmlsec and recompile it yourself. Aleksey On 12/17/10 1:29 PM, Marcelo Estanislau Geyer wrote: > Hi, > > I have not found a way to remove line breaks generated by xmlsec, as I > will need to communicate with a webservice that will not accept any > space between tags and line breaks. > I tried to create a template to sign, but in some tags the xmlsec breaks > the line. This occurs for example in the tag X509Data > > Thanks, > > Marcelo E. 
Geyer > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From searchatul at gmail.com Fri Dec 17 23:51:56 2010 From: searchatul at gmail.com (Atul Aggarwal) Date: Sat, 18 Dec 2010 13:21:56 +0530 Subject: [xmlsec] signature-external-dsa.xml Test failing In-Reply-To: References: Message-ID: Hello everybody, I was just testing some of the tests on the online DigSig Verifier ( http://www.aleksey.com/xmlsec/xmldsig-verifier.html) and found that one of the test namely signature-external-dsa.xml has been failing for past month. I tried to investigate and found that the URI=" http://www.w3.org/TR/xml-stylesheet" has been changed and now pointing to Version 2 from last week of October. I guess the proper way is to point the URI to "http://www.w3.org/1999/06/REC-xml-stylesheet-19990629" (First version of spec) but still it is failing. I want to know to fix this test. I guess if I knew the private key, i could fix the test case by replacing the new SignatureValue but I don't know where to find the private key. I am a totally newbie and still learning basic concepts of XML Signatures. So please explain the solution inadequately. Please help me in this regard. -- Thanks a lot Atul Aggarwal -------------- next part -------------- An HTML attachment was scrubbed... URL: From www.naval.com at gmail.com Tue Dec 21 00:38:53 2010 From: www.naval.com at gmail.com (Naval Patel) Date: Tue, 21 Dec 2010 14:08:53 +0530 Subject: [xmlsec] Unable to verify Multiple in a single signed XML Message-ID: Hi, Its been quite some time i am modifying my code to allow a signed xml document containing the entire chain of certificates from "Local cert" through CAs and ultimately the Root CA. I have debugged the code till the call goes to *X509_verify_cert(&xsc)*. I have observed that for each * *the xmlsec adds the certificate to the X509_STACK. 
The function call (* xmlSecOpenSSLX509FindNextChainCert*) inside the *for loop* inside the function *xmlSecOpenSSLX509StoreVerify* with the comment [/* get one cert after another and try to verify */] returns NULL only when it finds that the certificate does not extend any other certificates. I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem. If i simply execute the signeddoc.xml, I am receiving the error [*msg=invalid CA certificate* for CA2.pem] ... the command used is *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml* I broke the certificate chain by removing RootCa.pem from the signeddoc.xml and the error i received is same as of the above case *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml *I changed the command for the above file as *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*, still the error was same I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml and used the command *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml *Now I removed CA2 from the signeddoc.xml and kept only CA1 and signerCert.pem, and used the command *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml ... *i could see that the verification was passing. I have deviced another way too to make this work, but i am not sure how good this way is... before passing the signeddoc.xml to xmlsec, I load the x509certificate as trusted using the api *xmlSecCryptoAppKeysMngrCertLoadMemory* but the problem is not solved because the same document continues to be evaluated by xmlsec later and the results produced are same. Another alternative i thought was once the function *xmlSecOpenSSLX509FindNextChainCert *returns NULL, I would remove the other certificates from the STACK. That way, i will have trusted certs loaded to the global stack and while signerCert.pem is verified. 
Please let me know your suggestions, I will try your suggested methods. And thanks a lot for this library, it had done wonders for my work till now :) I had read an email from the archive [* http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but i could not get the break through yet :( Regards, Naval -------------- next part -------------- An HTML attachment was scrubbed... URL: From aleksey at aleksey.com Tue Dec 21 07:54:07 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 21 Dec 2010 07:54:07 -0800 Subject: [xmlsec] Unable to verify Multiple in a single signed XML In-Reply-To: References: Message-ID: <4D10CD9F.4010604@aleksey.com> What errors do you get? Aleksey On 12/21/10 12:38 AM, Naval Patel wrote: > Hi, > > Its been quite some time i am modifying my code to allow a signed xml > document containing the entire chain of certificates from "Local cert" > through CAs and ultimately the Root CA. I have debugged the code till > the call goes to *X509_verify_cert(&xsc)*. I have observed that for each > * *the xmlsec adds the certificate to the X509_STACK. > The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside the *for > loop* inside the function *xmlSecOpenSSLX509StoreVerify* with the > comment [/* get one cert after another and try to verify */] returns > NULL only when it finds that the certificate does not extend any other > certificates. > > I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem. > > If i simply execute the signeddoc.xml, I am receiving the error > [*msg=invalid CA certificate* for CA2.pem] ... 
the command used is > *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml* > I broke the certificate chain by removing RootCa.pem from the > signeddoc.xml and the error i received is same as of the above case > *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml > *I changed the command for the above file as *xmlsec.exe verify > --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*, still the > error was same > I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml and used > the command *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem > CA1.pem --trusted-pem CA2.pem signeddoc.xml > *Now I removed CA2 from the signeddoc.xml and kept only CA1 and > signerCert.pem, and used the command *xmlsec.exe verify --trusted-pem > RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml ... > *i could see that the verification was passing. > > I have deviced another way too to make this work, but i am not sure how > good this way is... > > before passing the signeddoc.xml to xmlsec, I load the x509certificate > as trusted using the api *xmlSecCryptoAppKeysMngrCertLoadMemory* but the > problem is not solved because the same document continues to be > evaluated by xmlsec later and the results produced are same. > > Another alternative i thought was once the function > *xmlSecOpenSSLX509FindNextChainCert *returns NULL, I would remove the > other certificates from the STACK. That way, i will have trusted certs > loaded to the global stack and while signerCert.pem is verified. > > Please let me know your suggestions, I will try your suggested methods. 
> > And thanks a lot for this library, it had done wonders for my work till > now :) > > I had read an email from the archive > [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but i > could not get the break through yet :( > > Regards, > Naval > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec From www.naval.com at gmail.com Tue Dec 21 21:56:23 2010 From: www.naval.com at gmail.com (Naval Patel) Date: Wed, 22 Dec 2010 11:26:23 +0530 Subject: [xmlsec] Unable to verify Multiple in a single signed XML In-Reply-To: <4D10CD9F.4010604@aleksey.com> References: <4D10CD9F.4010604@aleksey.com> Message-ID: If the entire cert chain is in the signed document the error i get is msg=self signed certificate in certificate chain if i remove the Root certificate from the chain in the signed xml file, and pass a root certificate as trusted, then i get the error as msg=invalid CA certificate is there something that i am missing or this is not the right way to do? thanks :) Naval. On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin wrote: > What errors do you get? > > Aleksey > > > On 12/21/10 12:38 AM, Naval Patel wrote: > >> Hi, >> >> Its been quite some time i am modifying my code to allow a signed xml >> document containing the entire chain of certificates from "Local cert" >> through CAs and ultimately the Root CA. I have debugged the code till >> the call goes to *X509_verify_cert(&xsc)*. I have observed that for each >> * *the xmlsec adds the certificate to the X509_STACK. >> The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside the *for >> loop* inside the function *xmlSecOpenSSLX509StoreVerify* with the >> comment [/* get one cert after another and try to verify */] returns >> NULL only when it finds that the certificate does not extend any other >> certificates. >> >> I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem. 
>> >> If i simply execute the signeddoc.xml, I am receiving the error >> [*msg=invalid CA certificate* for CA2.pem] ... the command used is >> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml* >> I broke the certificate chain by removing RootCa.pem from the >> signeddoc.xml and the error i received is same as of the above case >> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml >> *I changed the command for the above file as *xmlsec.exe verify >> --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*, still the >> error was same >> I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml and used >> the command *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem >> CA1.pem --trusted-pem CA2.pem signeddoc.xml >> *Now I removed CA2 from the signeddoc.xml and kept only CA1 and >> signerCert.pem, and used the command *xmlsec.exe verify --trusted-pem >> RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml ... >> *i could see that the verification was passing. >> >> I have deviced another way too to make this work, but i am not sure how >> good this way is... >> >> before passing the signeddoc.xml to xmlsec, I load the x509certificate >> as trusted using the api *xmlSecCryptoAppKeysMngrCertLoadMemory* but the >> problem is not solved because the same document continues to be >> evaluated by xmlsec later and the results produced are same. >> >> Another alternative i thought was once the function >> *xmlSecOpenSSLX509FindNextChainCert *returns NULL, I would remove the >> other certificates from the STACK. That way, i will have trusted certs >> loaded to the global stack and while signerCert.pem is verified. >> >> Please let me know your suggestions, I will try your suggested methods. 
>> >> And thanks a lot for this library, it had done wonders for my work till >> now :) >> >> I had read an email from the archive >> [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but i >> could not get the break through yet :( >> >> Regards, >> Naval >> >> >> >> _______________________________________________ >> xmlsec mailing list >> xmlsec at aleksey.com >> http://www.aleksey.com/mailman/listinfo/xmlsec >> > -- Naval Patel ~ have fun ~ -------------- next part -------------- An HTML attachment was scrubbed... URL: From aleksey at aleksey.com Tue Dec 21 21:57:57 2010 From: aleksey at aleksey.com (Aleksey Sanin) Date: Tue, 21 Dec 2010 21:57:57 -0800 Subject: [xmlsec] Unable to verify Multiple in a single signed XML In-Reply-To: References: <4D10CD9F.4010604@aleksey.com> Message-ID: <4D119365.7030303@aleksey.com> Could you please copy/paste the complete error? Aleksey On 12/21/10 9:56 PM, Naval Patel wrote: > If the entire cert chain is in the signed document the error i get is > msg=self signed certificate in certificate chain > > if i remove the Root certificate from the chain in the signed xml file, > and pass a root certificate as trusted, then i get the error as > msg=invalid CA certificate > > is there something that i am missing or this is not the right way to do? > > thanks :) > > Naval. > > On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin > wrote: > > What errors do you get? > > Aleksey > > > On 12/21/10 12:38 AM, Naval Patel wrote: > > Hi, > > Its been quite some time i am modifying my code to allow a > signed xml > document containing the entire chain of certificates from "Local > cert" > through CAs and ultimately the Root CA. I have debugged the code > till > the call goes to *X509_verify_cert(&xsc)*. I have observed that > for each > * *the xmlsec adds the certificate to the > X509_STACK. 
> The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside > the *for > loop* inside the function *xmlSecOpenSSLX509StoreVerify* with the > comment [/* get one cert after another and try to verify */] returns > NULL only when it finds that the certificate does not extend any > other > certificates. > > I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem. > > If i simply execute the signeddoc.xml, I am receiving the error > [*msg=invalid CA certificate* for CA2.pem] ... the command used is > *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml* > I broke the certificate chain by removing RootCa.pem from the > signeddoc.xml and the error i received is same as of the above case > *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml > *I changed the command for the above file as *xmlsec.exe verify > --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*, > still the > error was same > I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml > and used > the command *xmlsec.exe verify --trusted-pem RootCa.pem > --trusted-pem > CA1.pem --trusted-pem CA2.pem signeddoc.xml > *Now I removed CA2 from the signeddoc.xml and kept only CA1 and > signerCert.pem, and used the command *xmlsec.exe verify > --trusted-pem > RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem > signeddoc.xml ... > *i could see that the verification was passing. > > I have deviced another way too to make this work, but i am not > sure how > good this way is... > > before passing the signeddoc.xml to xmlsec, I load the > x509certificate > as trusted using the api *xmlSecCryptoAppKeysMngrCertLoadMemory* > but the > problem is not solved because the same document continues to be > evaluated by xmlsec later and the results produced are same. > > Another alternative i thought was once the function > *xmlSecOpenSSLX509FindNextChainCert *returns NULL, I would > remove the > other certificates from the STACK. 
That way, i will have trusted > certs > loaded to the global stack and while signerCert.pem is verified. > > Please let me know your suggestions, I will try your suggested > methods. > > And thanks a lot for this library, it had done wonders for my > work till > now :) > > I had read an email from the archive > [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but i > could not get the break through yet :( > > Regards, > Naval > > > > _______________________________________________ > xmlsec mailing list > xmlsec at aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec > > > > > -- > Naval Patel > ~ have fun ~ From www.naval.com at gmail.com Tue Dec 21 22:02:48 2010 From: www.naval.com at gmail.com (Naval Patel) Date: Wed, 22 Dec 2010 11:32:48 +0530 Subject: [xmlsec] Unable to verify Multiple in a single signed XML In-Reply-To: <4D119365.7030303@aleksey.com> References: <4D10CD9F.4010604@aleksey.com> <4D119365.7030303@aleksey.com> Message-ID: This is the error when root CA is in the signed xml func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy .c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Mah/L=Pune/O=Agreeya/OU=Almond/CN=rootca/emailAd dress=rootca at agreeya.com;err=19;msg=self signed certificate in certificate chain func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy .c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=19;msg=self signed certificate in certificate chain this is the error when root ca is not in the signed xml, but passed explicitly as trusted. 
func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy .c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Maharashtra/L=Pune/O=Agreeya/OU=Almond/CN=ca1/em ailAddress=ca1 at agreeya.com;err=24;msg=invalid CA certificate func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy .c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=24;msg=invalid CA certificate Thanks, Naval. On Wed, Dec 22, 2010 at 11:27 AM, Aleksey Sanin wrote: > Could you please copy/paste the complete error? > > Aleksey > > > On 12/21/10 9:56 PM, Naval Patel wrote: > >> If the entire cert chain is in the signed document the error i get is >> msg=self signed certificate in certificate chain >> >> if i remove the Root certificate from the chain in the signed xml file, >> and pass a root certificate as trusted, then i get the error as >> msg=invalid CA certificate >> >> is there something that i am missing or this is not the right way to do? >> >> thanks :) >> >> Naval. >> >> On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin > > wrote: >> >> What errors do you get? >> >> Aleksey >> >> >> On 12/21/10 12:38 AM, Naval Patel wrote: >> >> Hi, >> >> Its been quite some time i am modifying my code to allow a >> signed xml >> document containing the entire chain of certificates from "Local >> cert" >> through CAs and ultimately the Root CA. I have debugged the code >> till >> the call goes to *X509_verify_cert(&xsc)*. I have observed that >> for each >> * *the xmlsec adds the certificate to the >> X509_STACK. 
>> The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside >> the *for >> loop* inside the function *xmlSecOpenSSLX509StoreVerify* with the >> comment [/* get one cert after another and try to verify */] >> returns >> NULL only when it finds that the certificate does not extend any >> other >> certificates. >> >> I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem. >> >> If i simply execute the signeddoc.xml, I am receiving the error >> [*msg=invalid CA certificate* for CA2.pem] ... the command used is >> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml* >> I broke the certificate chain by removing RootCa.pem from the >> signeddoc.xml and the error i received is same as of the above case >> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml >> *I changed the command for the above file as *xmlsec.exe verify >> --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*, >> still the >> error was same >> I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml >> and used >> the command *xmlsec.exe verify --trusted-pem RootCa.pem >> --trusted-pem >> CA1.pem --trusted-pem CA2.pem signeddoc.xml >> *Now I removed CA2 from the signeddoc.xml and kept only CA1 and >> signerCert.pem, and used the command *xmlsec.exe verify >> --trusted-pem >> RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem >> signeddoc.xml ... >> *i could see that the verification was passing. >> >> I have deviced another way too to make this work, but i am not >> sure how >> good this way is... >> >> before passing the signeddoc.xml to xmlsec, I load the >> x509certificate >> as trusted using the api *xmlSecCryptoAppKeysMngrCertLoadMemory* >> but the >> problem is not solved because the same document continues to be >> evaluated by xmlsec later and the results produced are same. >> >> Another alternative i thought was once the function >> *xmlSecOpenSSLX509FindNextChainCert *returns NULL, I would >> remove the >> other certificates from the STACK. 
That way, i will have trusted >> certs >> loaded to the global stack and while signerCert.pem is verified. >> >> Please let me know your suggestions, I will try your suggested >> methods. >> >> And thanks a lot for this library, it had done wonders for my >> work till >> now :) >> >> I had read an email from the archive >> [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but >> i >> could not get the break through yet :( >> >> Regards, >> Naval >> >> >> >> _______________________________________________ >> xmlsec mailing list >> xmlsec at aleksey.com >> >> http://www.aleksey.com/mailman/listinfo/xmlsec >> >> >> >> >> -- >> Naval Patel >> ~ have fun ~ >> > -- Naval Patel ~ have fun ~ -------------- next part -------------- An HTML attachment was scrubbed... URL: From www.naval.com at gmail.com Tue Dec 28 08:27:43 2010 From: www.naval.com at gmail.com (Naval Patel) Date: Tue, 28 Dec 2010 21:57:43 +0530 Subject: [xmlsec] Unable to verify Multiple in a single signed XML In-Reply-To: References: <4D10CD9F.4010604@aleksey.com> <4D119365.7030303@aleksey.com> Message-ID: Hi Aleksey, I tried to verify the test file which is placed on your website at [ http://www.aleksey.com/xmlsec/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml] using online tool present on your site as well as using a locally placed xmlsec.exe. The command i am using locally is xmlsec.exe --verify signature.xml [Please tell me if I am not using the command correctly] I error I get is still the same after all the different efforts i have put in. The current procedure i am following is: 1. Read the signature.xml file and add each certificate as trusted pem. 2. in X509_vfy.c, i would delete all the certs which are not self-signed or intermediate CA. The verification succeeds in this way of verification. The risk i see in this process is that I am simply trusting any certificates that are present in the signature.xml which is a big threat. 
Will be extremely glad to know your response at your earliest. Regards, Naval. On Wed, Dec 22, 2010 at 11:32 AM, Naval Patel wrote: > This is the error when root CA is in the signed xml > > > func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy > .c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library > function > failed:subj=/C=IN/ST=Mah/L=Pune/O=Agreeya/OU=Almond/CN=rootca/emailAd > dress=rootca at agreeya.com;err=19;msg=self signed certificate in certificate > chain > > func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy > .c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification > failed:err=19;msg=self signed certificate in certificate chain > > this is the error when root ca is not in the signed xml, but passed > explicitly as trusted. > > > func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy > .c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library > function > failed:subj=/C=IN/ST=Maharashtra/L=Pune/O=Agreeya/OU=Almond/CN=ca1/em > ailAddress=ca1 at agreeya.com;err=24;msg=invalid CA certificate > > func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy > .c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification > failed:err=24;msg=invalid CA certificate > > > Thanks, > Naval. > > > On Wed, Dec 22, 2010 at 11:27 AM, Aleksey Sanin wrote: > >> Could you please copy/paste the complete error? 
>> >> Aleksey >> >> >> On 12/21/10 9:56 PM, Naval Patel wrote: >> >>> If the entire cert chain is in the signed document the error i get is >>> msg=self signed certificate in certificate chain >>> >>> if i remove the Root certificate from the chain in the signed xml file, >>> and pass a root certificate as trusted, then i get the error as >>> msg=invalid CA certificate >>> >>> is there something that i am missing or this is not the right way to do? >>> >>> thanks :) >>> >>> Naval. >>> >>> On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin >> > wrote: >>> >>> What errors do you get? >>> >>> Aleksey >>> >>> >>> On 12/21/10 12:38 AM, Naval Patel wrote: >>> >>> Hi, >>> >>> Its been quite some time i am modifying my code to allow a >>> signed xml >>> document containing the entire chain of certificates from "Local >>> cert" >>> through CAs and ultimately the Root CA. I have debugged the code >>> till >>> the call goes to *X509_verify_cert(&xsc)*. I have observed that >>> for each >>> * *the xmlsec adds the certificate to the >>> X509_STACK. >>> The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside >>> the *for >>> loop* inside the function *xmlSecOpenSSLX509StoreVerify* with the >>> comment [/* get one cert after another and try to verify */] >>> returns >>> NULL only when it finds that the certificate does not extend any >>> other >>> certificates. >>> >>> I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem. >>> >>> If i simply execute the signeddoc.xml, I am receiving the error >>> [*msg=invalid CA certificate* for CA2.pem] ... 
the command used is >>> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml* >>> I broke the certificate chain by removing RootCa.pem from the >>> signeddoc.xml and the error i received is same as of the above >>> case >>> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml >>> *I changed the command for the above file as *xmlsec.exe verify >>> --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*, >>> still the >>> error was same >>> I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml >>> and used >>> the command *xmlsec.exe verify --trusted-pem RootCa.pem >>> --trusted-pem >>> CA1.pem --trusted-pem CA2.pem signeddoc.xml >>> *Now I removed CA2 from the signeddoc.xml and kept only CA1 and >>> signerCert.pem, and used the command *xmlsec.exe verify >>> --trusted-pem >>> RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem >>> signeddoc.xml ... >>> *i could see that the verification was passing. >>> >>> I have deviced another way too to make this work, but i am not >>> sure how >>> good this way is... >>> >>> before passing the signeddoc.xml to xmlsec, I load the >>> x509certificate >>> as trusted using the api *xmlSecCryptoAppKeysMngrCertLoadMemory* >>> but the >>> problem is not solved because the same document continues to be >>> evaluated by xmlsec later and the results produced are same. >>> >>> Another alternative i thought was once the function >>> *xmlSecOpenSSLX509FindNextChainCert *returns NULL, I would >>> remove the >>> other certificates from the STACK. That way, i will have trusted >>> certs >>> loaded to the global stack and while signerCert.pem is verified. >>> >>> Please let me know your suggestions, I will try your suggested >>> methods. 
>>> And thanks a lot for this library, it had done wonders for my work till now :)
>>>
>>> I had read an email from the archive
>>> [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but I
>>> could not get the breakthrough yet :(
>>>
>>> Regards,
>>> Naval
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>>> --
>>> Naval Patel
>>> ~ have fun ~

From aleksey at aleksey.com Tue Dec 28 14:39:13 2010
From: aleksey at aleksey.com (Aleksey Sanin)
Date: Tue, 28 Dec 2010 14:39:13 -0800
Subject: [xmlsec] Unable to verify Multiple in a single signed XML
In-Reply-To:
References: <4D10CD9F.4010604@aleksey.com> <4D119365.7030303@aleksey.com>
Message-ID: <4D1A6711.9020904@aleksey.com>

I think this is a bad idea as you already understood.

Aleksey

On 12/28/10 8:27 AM, Naval Patel wrote:
> Hi Aleksey,
>
> I tried to verify the test file which is placed on your website at
> [http://www.aleksey.com/xmlsec/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml]
> using the online tool present on your site as well as using a locally placed
> xmlsec.exe. The command I am using locally is
>
> xmlsec.exe --verify signature.xml [Please tell me if I am not using the
> command correctly]
>
> The error I get is still the same after all the different efforts I have
> put in.
>
> The current procedure I am following is:
>
> 1. Read the signature.xml file and add each certificate as trusted pem.
> 2. In X509_vfy.c, I would delete all the certs which are not self-signed
> or intermediate CA.
>
> The verification succeeds in this way of verification.
> The risk I see in this process is that I am simply trusting any
> certificates that are present in the signature.xml, which is a big threat.
>
> Will be extremely glad to know your response at your earliest.
>
> Regards,
> Naval.
>
> On Wed, Dec 22, 2010 at 11:32 AM, Naval Patel @gmail.com wrote:
>
> > This is the error when root CA is in the signed xml
> >
> > func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Mah/L=Pune/O=Agreeya/OU=Almond/CN=rootca/emailAddress=rootca at agreeya.com;err=19;msg=self signed certificate in certificate chain
> > func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=19;msg=self signed certificate in certificate chain
> >
> > This is the error when root CA is not in the signed xml, but passed
> > explicitly as trusted.
> >
> > func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Maharashtra/L=Pune/O=Agreeya/OU=Almond/CN=ca1/emailAddress=ca1 at agreeya.com;err=24;msg=invalid CA certificate
> > func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=24;msg=invalid CA certificate
> >
> > Thanks,
> > Naval.
> >
> > On Wed, Dec 22, 2010 at 11:27 AM, Aleksey Sanin wrote:
> >
> > > Could you please copy/paste the complete error?
> > >
> > > Aleksey
> > >
> > > On 12/21/10 9:56 PM, Naval Patel wrote:
> > >
> > > > If the entire cert chain is in the signed document the error
> > > > I get is
> > > > msg=self signed certificate in certificate chain
> > > >
> > > > If I remove the Root certificate from the chain in the
> > > > signed xml file, and pass a root certificate as trusted, then
> > > > I get the error as
> > > > msg=invalid CA certificate
> > > >
> > > > Is there something that I am missing or is this not the
> > > > right way to do it?
> > > >
> > > > thanks :)
> > > >
> > > > Naval.
> > > >
> > > > On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin wrote:
> > > >
> > > > > What errors do you get?
> > > > >
> > > > > Aleksey
> > > > >
> > > > > On 12/21/10 12:38 AM, Naval Patel wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > It's been quite some time I am modifying my code to allow a
> > > > > > signed xml document containing the entire chain of certificates
> > > > > > from "Local cert" through CAs and ultimately the Root CA. I have
> > > > > > debugged the code till the call goes to *X509_verify_cert(&xsc)*.
> > > > > > I have observed that for each * * the xmlsec adds the
> > > > > > certificate to the X509_STACK. The function call
> > > > > > (*xmlSecOpenSSLX509FindNextChainCert*) inside the *for loop*
> > > > > > inside the function *xmlSecOpenSSLX509StoreVerify* with the
> > > > > > comment [/* get one cert after another and try to verify */]
> > > > > > returns NULL only when it finds that the certificate does not
> > > > > > extend any other certificates.
> > > > > >
> > > > > > I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem.
> > > > > >
> > > > > > If I simply execute the signeddoc.xml, I am receiving the error
> > > > > > [*msg=invalid CA certificate* for CA2.pem] ... the command used is
> > > > > > *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml*
> > > > > > I broke the certificate chain by removing RootCa.pem from the
> > > > > > signeddoc.xml and the error I received is the same as in the
> > > > > > above case:
> > > > > > *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml*
> > > > > > I changed the command for the above file to
> > > > > > *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*,
> > > > > > still the error was the same.
> > > > > > I kept only CA1, CA2 and signerCert.pem in signeddoc.xml and used
> > > > > > the command
> > > > > > *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml*
> > > > > > Now I removed CA2 from the signeddoc.xml and kept only CA1 and
> > > > > > signerCert.pem, and used the command
> > > > > > *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml* ...
> > > > > > I could see that the verification was passing.
> > > > > >
> > > > > > I have devised another way too to make this work, but I am not
> > > > > > sure how good this way is...
> > > > > >
> > > > > > Before passing the signeddoc.xml to xmlsec, I load the
> > > > > > x509certificate as trusted using the api
> > > > > > *xmlSecCryptoAppKeysMngrCertLoadMemory*, but the problem is not
> > > > > > solved because the same document continues to be evaluated by
> > > > > > xmlsec later and the results produced are the same.
> > > > > >
> > > > > > Another alternative I thought of was, once the function
> > > > > > *xmlSecOpenSSLX509FindNextChainCert* returns NULL, I would
> > > > > > remove the other certificates from the STACK. That way, I will
> > > > > > have trusted certs loaded to the global stack while
> > > > > > signerCert.pem is verified.
> > > > > >
> > > > > > Please let me know your suggestions, I will try your suggested
> > > > > > methods.
> > > > > >
> > > > > > And thanks a lot for this library, it had done wonders for my
> > > > > > work till now :)
> > > > > >
> > > > > > I had read an email from the archive
> > > > > > [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but I
> > > > > > could not get the breakthrough yet :(
> > > > > >
> > > > > > Regards,
> > > > > > Naval
> > > > > >
> > > > > > --
> > > > > > Naval Patel
> > > > > > ~ have fun ~