[xmlsec] corrupt context after verify call

Aleksey Sanin aleksey at aleksey.com
Wed Oct 13 18:38:10 PDT 2010


Well, I have no idea how xmlsec was compiled.

Aleksey

On 10/13/10 2:31 PM, Erik Smith wrote:
> It looks like the open SSL Dir issue was a bad library interaction.  So
> I made sure all relevant libs were up-to-date and dynamically loaded.
>
> libxml version: 2.7.7
> xmlsec version: 1.2.16
> libxslt version: 1.1.26
>
> When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not
> found", which I think has to do with it looking for a cert as a key in
> the document.  I had tried this to address the open SSL Dir issue which
> appears to have been resolved as stated above.
>
> Going back to
> xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey as it is
> seen originally in the code below gets me back to the same error with
> the corrupted status:
>
> status before xmlSecDSigCtxVerify: 0
> status after xmlSecDSigCtxVerify: 5361840
>
> compilation is simple:
>
> export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH
>
> g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare
> -Wno-unused -m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I.
> -I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1
>
> g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1
> -lxmlsec1-openssl -m64
>
> erik
>
>
>
> On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>     It might be hard coded from OpenSSL during compilation
>
>
>     On 10/13/10 12:11 PM, Erik Smith wrote:
>
>         The same code run on the earlier library versions did not have this
>         issue (see code below). Do I need to specify a directory if I'm just
>         loading a cert in a manager?
>
>         erik
>
>         On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>             No changes, it is a part of xmlsec-openssl init process.
>
>
>             On 10/13/10 12:07 PM, Erik Smith wrote:
>
>                 I'm not specifying any directories in the code, only two files
>                 in the CWD. Did something change in a recent version that
>                 requires a cert directory for openssl?
>
>                 erik
>
>                 On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>                     The dir might not exist?
>
>                     Aleksey
>
>
>                     On 10/13/10 10:56 AM, Erik Smith wrote:
>
>                         I rebuilt libxml, xmlsec, and libxslt to the latest and
>                         I get an x509 error for some reason.  Any ideas on this?
>
>                         libxml version: 2.7.7
>                         xmlsec version: 1.2.16
>                         libxslt version: 1.1.26
>
>
>                         func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto library function failed:
>                         func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec library function failed:
>                         func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec library function failed:xmlSecOpenSSLX509StoreId
>                         func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec library function failed:
>
>
>
>                         2010/10/13 Aleksey Sanin <aleksey at aleksey.com>
>
>
>                             Sounds like you are compiling your application with different flags
>                             compared to xmlsec. Something like structure members alignment
>                             or debug vs. release.
>
>                             Aleksey
>
>
>                             On 10/13/10 7:32 AM, Erik Smith wrote:
>
>                                 xmlsec output:
>
>                                 OK
>                                 SignedInfo References (ok/all): 1/1
>                                 Manifests References (ok/all): 0/0
>                                 = VERIFICATION CONTEXT
>                                 == Status: succeeded
>                                 == flags: 0x00000006
>                                 == flags2: 0x00000000
>                                 == Key Info Read Ctx:
>                                 = KEY INFO READ CONTEXT
>                                 == flags: 0x00000000
>                                 == flags2: 0x00000000
>                                 == enabled key data: all
>                                 == RetrievalMethod level (cur/max): 0/1
>                                 == TRANSFORMS CTX (status=0)
>                                 == flags: 0x00000000
>                                 == flags2: 0x00000000
>                                 == enabled transforms: all
>                                 === uri: NULL
>                                 === uri xpointer expr: NULL
>                                 == EncryptedKey level (cur/max): 0/1
>                                 === KeyReq:
>                                 ==== keyId: rsa
>                                 ==== keyType: 0x00000001
>                                 ==== keyUsage: 0x00000002
>                                 ==== keyBitsSize: 0
>                                 === list size: 0
>                                 == Key Info Write Ctx:
>                                 = KEY INFO WRITE CONTEXT
>                                 == flags: 0x00000000
>                                 == flags2: 0x00000000
>                                 == enabled key data: all
>                                 == RetrievalMethod level (cur/max): 0/1
>                                 == TRANSFORMS CTX (status=0)
>                                 == flags: 0x00000000
>                                 == flags2: 0x00000000
>                                 == enabled transforms: all
>                                 === uri: NULL
>                                 === uri xpointer expr: NULL
>                                 == EncryptedKey level (cur/max): 0/1
>                                 === KeyReq:
>                                 ==== keyId: NULL
>                                 ==== keyType: 0x00000001
>                                 ==== keyUsage: 0xffffffff
>                                 ==== keyBitsSize: 0
>                                 === list size: 0
>                                 == Signature Transform Ctx:
>                                 == TRANSFORMS CTX (status=2)
>                                 == flags: 0x00000000
>                                 == flags2: 0x00000000
>                                 == enabled transforms: all
>                                 === uri: NULL
>                                 === uri xpointer expr: NULL
>                                 === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>                                 === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>                                 === Transform: membuf-transform (href=NULL)
>                                 == Signature Method:
>                                 === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>                                 == Signature Key:
>                                 == KEY
>                                 === method: RSAKeyValue
>                                 === key type: Public
>                                 === key usage: -1
>                                 === rsa key: size = 1024
>                                 === list size: 1
>                                 === X509 Data:
>                                 ==== Certificate:
>                                 ==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>                                 ==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>                                 ==== Issuer Serial: 4CAB2D3B
>                                 == SignedInfo References List:
>                                 === list size: 1
>                                 = REFERENCE VERIFICATION CONTEXT
>                                 == Status: succeeded
>                                 == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
>                                 == Reference Transform Ctx:
>                                 == TRANSFORMS CTX (status=2)
>                                 == flags: 0x00000000
>                                 == flags2: 0x00000000
>                                 == enabled transforms: all
>                                 === uri:
>                                 === uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
>                                 === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>                                 === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>                                 === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>                                 === Transform: membuf-transform (href=NULL)
>                                 === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>                                 === Transform: membuf-transform (href=NULL)
>                                 == Digest Method:
>                                 === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>                                 == PreDigest data - start buffer:
>                                 <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1" MinorVersion="1" Recipient="http://amgr.emdeon.com" ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761" IssueInstant="2010-10-06T16:15:38.906Z" Issuer="http://access.emdeon.com" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2010-10-06T21:15:38.905Z" NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement AuthenticationInstant="2010-10-06T16:15:38.906Z" AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
>                                 == PreDigest data - end buffer
>                                 == Manifest References List:
>                                 === list size: 0
>
>
>                                 On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>                                     What is the output of the xmlsec1 command?
>
>                                     Aleksey
>
>
>                                     On 10/12/10 11:36 PM, Erik Smith wrote:
>
>                                         After I call xmlSecDSigCtxVerify, the status in the context is
>                                         corrupted with a large number.   However xmlsec1 reports
>                                         validation as OK.
>
>                                         xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml
>
>                                         Also xmlSecDSigCtxDebugDump output is exactly the same for
>                                         xmlsec1 and my program.
>
>                                         I've reduced the code down to what is below and I'm having
>                                         trouble seeing what could be wrong.
>
>                                         libxml version: 2.6.27
>                                         xmlsec version: 1.2.11
>
>                                         Thanks for any help.
>
>
>
>                                         #include <iostream>
>                                         #include <cstdlib>
>                                         #include <libxml/parser.h>
>                                         #include <libxml/tree.h>
>                                         #include <libxml/valid.h>
>                                         #include <libxml/xmlversion.h>
>                                         #include <xmlsec/xmlsec.h>
>                                         #include <xmlsec/xmltree.h>
>                                         #include <xmlsec/xmldsig.h>
>                                         #include <xmlsec/crypto.h>
>                                         #include <xmlsec/errors.h>
>
>                                         #ifndef XMLSEC_NO_XSLT
>                                         #include <libxslt/xslt.h>
>                                         #endif
>
>                                         void error(const char *);
>                                         void set_id(xmlDocPtr doc);   // declared before its use in main()
>
>                                         int main(int argc, char **argv) {
>                                             using namespace std;
>                                             int status(0);
>
>                                             xmlSecKeysMngrPtr mngr_;
>                                             xmlSecDSigCtxPtr dsigCtx;
>                                             xmlDocPtr doc_;
>
>                                             cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
>                                             cout << "xmlsec version: " << XMLSEC_VERSION << endl;
>
>                                             // Init libxml2 parser
>                                             xmlInitParser();
>                                             LIBXML_TEST_VERSION;
>                                             xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>                                             xmlSubstituteEntitiesDefault(1);
>
>                                         #ifndef XMLSEC_NO_XSLT
>                                             xmlIndentTreeOutput = 1;
>                                         #endif
>                                             // Init xmlsec library
>                                             if (xmlSecInit() < 0) error("xmlSecInit");
>                                             if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
>
>                                         #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>                                             if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
>                                                 error("xmlSecCryptoDLLoadLibrary");
>                                         #endif
>
>                                             if (xmlSecCryptoAppInit(NULL) < 0)
>                                                 error("Error: crypto initialization failed.");
>                                             if (xmlSecCryptoInit() < 0)
>                                                 error("Error: xmlsec-crypto initialization failed.");
>
>                                             mngr_ = xmlSecKeysMngrCreate();
>                                             if (!mngr_) error("bad");
>
>                                             if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad");
>
>                                             // Load the signer's certificate as the verification key
>                                             xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
>                                             xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, NULL, NULL);
>                                             if (!key) error("key load error");
>
>                                             if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0)
>                                                 error("could not add key");
>
>                                             doc_ = xmlParseFile("saml.xml");
>                                             if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");
>
>                                             // Register ResponseID as an ID attribute so "#Response-..." URIs resolve
>                                             set_id(doc_);
>
>                                             xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_),
>                                                                              xmlSecNodeSignature, xmlSecDSigNs);
>                                             if (!node) error("start node not found");
>
>                                             dsigCtx = xmlSecDSigCtxCreate(mngr_);
>                                             if (!dsigCtx) error("failed to create signature context");
>
>                                             std::cout << "status before: " << dsigCtx->status << std::endl;
>                                             if (xmlSecDSigCtxVerify(dsigCtx, node) < 0)
>                                                 error("signature verify error");
>                                             std::cout << "status: " << dsigCtx->status << std::endl;
>
>                                             //xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>
>                                             return status;
>                                         }
>
>                                         void set_id(xmlDocPtr doc) {
>                                             using namespace std;
>
>                                             xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc),
>                                                                              BAD_CAST "Response",
>                                                                              BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
>                                             if (!node) error("Response element not found");
>
>                                             cout << "element name: " << node->name << endl;
>                                             xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
>                                             if (!attr) error("attribute not found");
>                                             cout << "attribute name: " << attr->name << endl;
>
>                                             xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
>                                             if (!value) error("xmlNodeListGetString");
>                                             cout << "value: " << value << endl;
>
>                                             xmlAttrPtr tmp(xmlGetID(node->doc, value));
>                                             if (tmp) {
>                                                 cout << "id already registered" << endl;
>                                             } else {
>                                                 xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST value, attr);
>                                                 if (!id) {
>                                                     xmlFree(value); // fix
>                                                     error("xmlAddID error");
>                                                 }
>                                                 cout << "id added" << endl;
>                                             }
>
>                                             //xmlFree(value); // fix
>                                         }
>
>                                         void error(const char *e) {
>                                             std::cout << e << std::endl;
>                                             std::cout << "exiting" << std::endl;
>                                             exit(1); // non-zero so a failed check is visible to the caller
>                                         }
>
>
>                                         _______________________________________________
>                                         xmlsec mailing list
>                                         xmlsec at aleksey.com
>                                         http://www.aleksey.com/mailman/listinfo/xmlsec
>
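Added example, not code from the thread and not xmlsec's own layout: the mechanism Aleksey points at, an application compiled with different flags than the library it links, reproduced in plain C with a stand-in context struct. The two struct definitions, the debug-only member and the field names are hypothetical. The point is that the status member lands at a different offset in the two views, so the application's direct read of ctx->status returns 0 before verification (the library zero-fills the context) and an unrelated neighbouring value afterwards, which is the pattern reported in the thread ("status before ... 0", "status after ... 5361840").

```c
/* Stand-in for a library context read through a mismatched header.
 * Hypothetical layouts for illustration; NOT xmlsec's xmlSecDSigCtx. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum { STATUS_UNKNOWN = 0, STATUS_SUCCEEDED = 1, STATUS_INVALID = 2 };

/* Layout as the library was built: no debug member. */
typedef struct {
    void     *keysMngr;
    unsigned  flags;
    unsigned  flags2;
    int       status;      /* written by the library's verify() */
    void     *signMethod;  /* pointer the library caches during verify() */
} ctx_lib_t;

/* Layout as the application sees it when its build defines a flag that
 * adds a member ahead of status (the "debug vs. release" case from the
 * thread). Every member after the extra one shifts. */
typedef struct {
    void     *keysMngr;
    void     *debugLog;    /* hypothetical debug-only member */
    unsigned  flags;
    unsigned  flags2;
    int       status;
    void     *signMethod;
} ctx_app_t;

/* Stands in for a static transform/method table the library points at.
 * long-aligned so its address can never read back as the value 1. */
static long fake_transform_descriptor[2];

/* "Library" side: allocate with the library's own sizeof, zero-filled,
 * and hand back an opaque handle, as a create() function does. */
void *lib_ctx_create(void) {
    return calloc(1, sizeof(ctx_lib_t));
}

/* "Library" side: a verify() that caches a pointer and records success. */
int lib_ctx_verify(void *handle) {
    ctx_lib_t *ctx = handle;
    ctx->signMethod = fake_transform_descriptor;
    ctx->status = STATUS_SUCCEEDED;
    return 0;
}

/* Read status through the library's layout (code built with its flags). */
int lib_read_status(void *handle) { return ((ctx_lib_t *)handle)->status; }

/* Read status through the application's mismatched layout: on common
 * ABIs this offset falls on the library's signMethod pointer. */
int app_read_status(void *handle) { return ((ctx_app_t *)handle)->status; }

size_t lib_status_offset(void) { return offsetof(ctx_lib_t, status); }
size_t app_status_offset(void) { return offsetof(ctx_app_t, status); }

/* Runs the whole scenario and reports 1 when the application's read
 * disagrees with what the library actually stored, 0 otherwise. */
int mismatch_observed(void) {
    /* Guard: stay inside the library's allocation on any ABI. */
    if (app_status_offset() + sizeof(int) > sizeof(ctx_lib_t)) return 0;
    void *ctx = lib_ctx_create();
    int before = app_read_status(ctx);          /* zero-filled -> 0 */
    lib_ctx_verify(ctx);
    int lib = lib_read_status(ctx);             /* 1 */
    int app = app_read_status(ctx);             /* low bytes of a pointer */
    free(ctx);
    return before == STATUS_UNKNOWN && lib == STATUS_SUCCEEDED
        && app != STATUS_SUCCEEDED;
}

int main(void) {
    void *ctx = lib_ctx_create();
    printf("status offset: library %zu, application %zu\n",
           lib_status_offset(), app_status_offset());
    printf("status before verify: lib=%d app=%d\n",
           lib_read_status(ctx), app_read_status(ctx));
    lib_ctx_verify(ctx);
    printf("status after verify:  lib=%d app=%d\n",
           lib_read_status(ctx), app_read_status(ctx));
    free(ctx);
    return mismatch_observed() ? 0 : 1;
}
```

Compiled with cc -Wall, it prints the two offsets and the two readings, and the "app" reading after verify is an address-sized number rather than 1, the same shape as the 5361840 (0x51D0B0) in the thread. The defensive takeaways: build the application with the library's own flags, e.g. the output of xmlsec1-config --cflags --libs or pkg-config --cflags --libs xmlsec1, rather than a hand-maintained -D list like the g++ command above, because defines such as XMLSEC_NO_SIZE_T change the width of xmlSecSize and so the layout of public structs; and accept a signature only when xmlSecDSigCtxVerify returns 0 and dsigCtx->status equals xmlSecDSigStatusSucceeded, which is the check the xmlsec1 tool itself makes, since the function also returns 0 for a processed-but-invalid signature. A status that reads back as a large number is a build problem to fix, not a value to interpret.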

