[xmlsec] corrupt context after verify call

Aleksey Sanin aleksey at aleksey.com
Wed Oct 13 12:04:42 PDT 2010


The dir might not exist?

Aleksey

On 10/13/10 10:56 AM, Erik Smith wrote:
> I rebuilt libxml, xmlsec, and libxslt to the latest and I get an x509
> error for some reason.  Any ideas on this?
>
> libxml version: 2.7.7
> xmlsec version: 1.2.16
> libxslt version: 1.1.26
> func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto library function failed:
> func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec library function failed:
> func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec library function failed:xmlSecOpenSSLX509StoreId
> func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec library function failed:
>
>
>
> 2010/10/13 Aleksey Sanin <aleksey at aleksey.com>
>
>     Sounds like you are compiling your application with different flags
>     compared to xmlsec. Something like structure members alignment
>     or debug vs. release.
>
>     Aleksey
>
>
>     On 10/13/10 7:32 AM, Erik Smith wrote:
>
>         xmlsec output:
>
>         OK
>         SignedInfo References (ok/all): 1/1
>         Manifests References (ok/all): 0/0
>         = VERIFICATION CONTEXT
>         == Status: succeeded
>         == flags: 0x00000006
>         == flags2: 0x00000000
>         == Key Info Read Ctx:
>         = KEY INFO READ CONTEXT
>         == flags: 0x00000000
>         == flags2: 0x00000000
>         == enabled key data: all
>         == RetrievalMethod level (cur/max): 0/1
>         == TRANSFORMS CTX (status=0)
>         == flags: 0x00000000
>         == flags2: 0x00000000
>         == enabled transforms: all
>         === uri: NULL
>         === uri xpointer expr: NULL
>         == EncryptedKey level (cur/max): 0/1
>         === KeyReq:
>         ==== keyId: rsa
>         ==== keyType: 0x00000001
>         ==== keyUsage: 0x00000002
>         ==== keyBitsSize: 0
>         === list size: 0
>         == Key Info Write Ctx:
>         = KEY INFO WRITE CONTEXT
>         == flags: 0x00000000
>         == flags2: 0x00000000
>         == enabled key data: all
>         == RetrievalMethod level (cur/max): 0/1
>         == TRANSFORMS CTX (status=0)
>         == flags: 0x00000000
>         == flags2: 0x00000000
>         == enabled transforms: all
>         === uri: NULL
>         === uri xpointer expr: NULL
>         == EncryptedKey level (cur/max): 0/1
>         === KeyReq:
>         ==== keyId: NULL
>         ==== keyType: 0x00000001
>         ==== keyUsage: 0xffffffff
>         ==== keyBitsSize: 0
>         === list size: 0
>         == Signature Transform Ctx:
>         == TRANSFORMS CTX (status=2)
>         == flags: 0x00000000
>         == flags2: 0x00000000
>         == enabled transforms: all
>         === uri: NULL
>         === uri xpointer expr: NULL
>         === Transform: exc-c14n
>         (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>         === Transform: rsa-sha1
>         (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>         === Transform: membuf-transform (href=NULL)
>         == Signature Method:
>         === Transform: rsa-sha1
>         (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>         == Signature Key:
>         == KEY
>         === method: RSAKeyValue
>         === key type: Public
>         === key usage: -1
>         === rsa key: size = 1024
>         === list size: 1
>         === X509 Data:
>         ==== Certificate:
>         ==== Subject Name:
>         /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>         ==== Issuer Name:
>         /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>         ==== Issuer Serial: 4CAB2D3B
>         == SignedInfo References List:
>         === list size: 1
>         = REFERENCE VERIFICATION CONTEXT
>         == Status: succeeded
>         == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
>         == Reference Transform Ctx:
>         == TRANSFORMS CTX (status=2)
>         == flags: 0x00000000
>         == flags2: 0x00000000
>         == enabled transforms: all
>         === uri:
>         === uri xpointer expr:
>         #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
>         === Transform: xpointer
>         (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>         === Transform: enveloped-signature
>         (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>         === Transform: exc-c14n
>         (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>         === Transform: membuf-transform (href=NULL)
>         === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>         === Transform: membuf-transform (href=NULL)
>         == Digest Method:
>         === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>         == PreDigest data - start buffer:
>         <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>         xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>         xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
>         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1"
>         MinorVersion="1" Recipient="http://amgr.emdeon.com"
>         ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode
>         Value="samlp:Success"></StatusCode></Status><Assertion
>         xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
>         AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
>         IssueInstant="2010-10-06T16:15:38.906Z"
>         Issuer="http://access.emdeon.com" MajorVersion="1"
>         MinorVersion="1"><Conditions NotBefore="2010-10-06T21:15:38.905Z"
>         NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement
>         AuthenticationInstant="2010-10-06T16:15:38.906Z"
>         AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
>         == PreDigest data - end buffer
>         == Manifest References List:
>         === list size: 0
>
>
>         On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin
>         <aleksey at aleksey.com> wrote:
>
>             What is the output of the xmlsec1 command?
>
>             Aleksey
>
>
>             On 10/12/10 11:36 PM, Erik Smith wrote:
>
>                 After I call xmlSecDSigCtxVerify, the status in the context is
>                 corrupted with a large number. However xmlsec1 reports
>                 validation as OK.
>
>                 xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references
>                 --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml
>
>                 Also xmlSecDSigCtxDebugDump output is exactly the same for
>                 xmlsec1 and my program.
>
>                 I've reduced the code down to what is below and I'm having trouble
>                 seeing what could be wrong.
>
>                 libxml version: 2.6.27
>                 xmlsec version: 1.2.11
>
>                 Thanks for any help.
>
>
>
>                 #include <iostream>
>                 #include <cstdlib>            // exit()
>                 #include <libxml/parser.h>    // xmlInitParser, xmlParseFile, xmlLoadExtDtdDefaultValue
>                 #include <libxml/valid.h>     // xmlGetID, xmlAddID
>                 #include <xmlsec/xmltree.h>
>                 #include <xmlsec/xmldsig.h>
>                 #include <xmlsec/crypto.h>
>                 #include <xmlsec/errors.h>
>
>                 #ifndef XMLSEC_NO_XSLT
>                 #include <libxslt/xslt.h>
>                 #endif
>
>                 void error(const char *);
>                 void set_id(xmlDocPtr doc); // defined below main(), so it needs a forward declaration
>
>                 int main(int argc, char **argv) {
>                      using namespace std;
>                      int status(0);
>
>                      xmlSecKeysMngrPtr mngr_;
>                      xmlSecDSigCtxPtr dsigCtx;
>                      xmlDocPtr doc_;
>
>                      cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
>                      cout << "xmlsec version: " << XMLSEC_VERSION << endl;
>
>                      xmlInitParser();
>                      LIBXML_TEST_VERSION;
>                      xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>                      xmlSubstituteEntitiesDefault(1);
>
>                 #ifndef XMLSEC_NO_XSLT
>                      xmlIndentTreeOutput = 1;
>                 #endif
>                      // Init xmlsec library
>                      if (xmlSecInit() < 0) error("xmlSecInit");
>                      if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
>
>                 #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>                      if(xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0) error("xmlSecCryptoDLLoadLibrary");
>                 #endif
>
>                      if(xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto initialization failed.");
>                      if(xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto initialization failed.");
>
>                      // Keys manager holding the certificate the signature must verify against
>                      mngr_ = xmlSecKeysMngrCreate();
>                      if (!mngr_) error("bad");
>
>                      if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad");
>
>                      xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
>                      xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, NULL, NULL);
>                      if (!key) error("key load error");
>
>                      if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0) error("could not add key");
>
>                      doc_ = xmlParseFile("saml.xml");
>                      if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");
>
>                      // Register ResponseID as an ID attribute so the "#Response-..." reference URI resolves
>                      set_id(doc_);
>
>                      xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_), xmlSecNodeSignature, xmlSecDSigNs);
>                      if (!node) error("start node not found");
>
>                      dsigCtx = xmlSecDSigCtxCreate(mngr_);
>                      if (!dsigCtx) error("failed to create signature context");
>
>                      std::cout << "status before: " << dsigCtx->status << std::endl;
>                      if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) error("signature verify error");
>                      // A return of 0 only means verification ran; the result is in dsigCtx->status,
>                      // which should equal xmlSecDSigStatusSucceeded for a valid signature
>                      std::cout << "status: " << dsigCtx->status << std::endl;
>                      //xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>
>                      return status;
>                 }
>
>                 void set_id(xmlDocPtr doc) {
>                      using namespace std;
>
>                      xmlNodePtr node = xmlSecFindNode(
>                              xmlDocGetRootElement(doc),
>                              BAD_CAST "Response",
>                              BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
>                      if (!node) error("Response element not found");
>
>                      cout << "element name: " << node->name << endl;
>                      xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
>                      if (!attr) error("attribute not found");
>                      cout << "attribute name: " << attr->name << endl;
>
>                      xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
>                      if (!value) error("xmlNodeListGetString");
>                      cout << "value: " << value << endl;
>
>                      xmlAttrPtr tmp(xmlGetID(node->doc, value));
>                      if (tmp) {
>                          cout << "id already registered" << endl;
>                      } else {
>                          xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST value, attr);
>                          if (!id) {
>                              xmlFree(value); // fix
>                              error("xmlAddID error");
>                          }
>                          cout << "id added" << endl;
>                      }
>
>                      //xmlFree(value); // fix
>                 }
>
>                 void error(const char *e) {
>                      std::cout << e << std::endl;
>                      std::cout << "exiting" << std::endl;
>                      exit(1); // non-zero so a caller or script sees the failure
>                 }
>
>                 _______________________________________________
>                 xmlsec mailing list
>                 xmlsec at aleksey.com
>                 http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
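The layout mismatch Aleksey suggests above, as an added example that is not code from this thread or from xmlsec: two hypothetical stand-in structs (not the real xmlSecDSigCtx) show why a status field read through a header compiled with different flags comes back as a large garbage number, and why an acceptance check should compare for exact success so that garbage fails closed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { STATUS_UNKNOWN = 0, STATUS_SUCCEEDED = 1, STATUS_INVALID = 2 };

/* Hypothetical stand-ins for the context struct (not xmlsec's xmlSecDSigCtx).
 * The library's build carries an extra diagnostic member before status ... */
struct ctx_as_built {
    unsigned int flags, flags2;
    void        *keyInfoReadCtx;
    uint64_t     debugCounter;   /* present only in the library's build */
    int          status;
};
/* ... while the application compiled the same header without it. */
struct ctx_as_seen_by_app {
    unsigned int flags, flags2;
    void        *keyInfoReadCtx;
    int          status;
};

/* Library side: allocates with its own sizeof and records a successful verify. */
static unsigned char *lib_create_and_verify(void) {
    static unsigned char mem[sizeof(struct ctx_as_built)];
    struct ctx_as_built c = {0};
    c.flags = 0x6;
    c.debugCounter = 0x0BADC0DE0BADC0DEULL; /* same in either half, any endianness */
    c.status = STATUS_SUCCEEDED;
    memcpy(mem, &c, sizeof c);
    return mem;
}

/* Application side: reads status at the offset its own header gives it, which
 * lands on half of debugCounter: 0x0BADC0DE, a large garbage number. */
static int app_read_status(const unsigned char *ctx) {
    int s;
    memcpy(&s, ctx + offsetof(struct ctx_as_seen_by_app, status), sizeof s);
    return s;
}

/* Reading at the library's real offset gives the true status. */
static int lib_read_status(const unsigned char *ctx) {
    int s;
    memcpy(&s, ctx + offsetof(struct ctx_as_built, status), sizeof s);
    return s;
}

/* Fail closed: accept only an exact "succeeded", so garbage is rejected. */
static int accept_signature(int verify_rc, int status) {
    return verify_rc == 0 && status == STATUS_SUCCEEDED;
}
```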

