[xmlsec] A really strange case of failing xpointer(id('...'))

Aleksey Sanin aleksey at aleksey.com
Fri Aug 23 14:42:20 PDT 2013


Ha-ha... it's always linker's fault :)

Aleksey

On 8/23/13 10:40 AM, Max Motovilov wrote:
> Looks like I have the answer -- libxmljs statically links against a
> version of libxml2 they package along with their code :(  I must be
> seeing an ABI incompatibility between different versions of libxml2.
> 
> Thanks for your quick responses!
> ...Max...
> 
>> libxml2 came from the same rpm repo as before. In fact I have what I'm
>> pretty sure is an identical VM instance w/CentOS and same versions of
>> libxml2 and libxmlsec1. The older version of my software -- which is a
>> very simple Node.js binding for libxmlsec1 -- works there just fine.
>> The code did not change between the new and old versions at all -- I
>> have simply recompiled it against newer versions of Node.js runtime
>> and libxml2 binding library (libxmljs). This newer version does work
>> on my local Mint instance but, like I said, both the libxml2 and
>> libxmlsec1 are more recent there as well. My only trail right now is
>> possible incompatibility between libxmljs and older libxml2 OR between
>> the documents libxmljs creates with libxml2 AND the way libxmlsec1
>> uses them -- the last one sounds rather fishy even to myself :(
>>
>> ...Max...
>>
>>> Weird indeed. The document and DTD look good to me but apparently ID
>>> attribute is not recognized. Maybe there were some changes in LibXML2?
>>> Or maybe LibXML2 was not compiled with XPointer support?
>>>
>>> Aleksey
>>>
>>> On 8/23/13 9:44 AM, Max Motovilov wrote:
>>>> Happening to me in the code that's previously been working for quite a
>>>> while. Here's the document I pass via its <Signature> element into
>>>> xmlSecDSigCtxSign() :
>>>>
>>>> =========
>>>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>>>> <!DOCTYPE AuthnRequest [
>>>> <!ELEMENT AuthnRequest (#PCDATA)>
>>>> <!ATTLIST AuthnRequest ID ID #IMPLIED>
>>>> ]>
>>>> <AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="login"
>>>> Destination="http://10.0.25.17:8080/cosmosDev/web/idp/SSO"
>>>> IssueInstant="2013-08-23T18:39:25Z" Version="2.0">
>>>>    <Issuer
>>>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://10.0.26.16/ssoRequest</Issuer>
>>>>
>>>>
>>>>    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>>      <SignedInfo>
>>>>        <CanonicalizationMethod
>>>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>>>>
>>>>        <SignatureMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>>        <Reference URI="#login">
>>>>          <Transforms>
>>>>            <Transform
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>>          </Transforms>
>>>>          <DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>          <DigestValue/>
>>>>        </Reference>
>>>>      </SignedInfo>
>>>>      <SignatureValue/>
>>>>    </Signature>
>>>> </AuthnRequest>
>>>> =========
>>>>
>>>> and here's the traceback I get:
>>>>
>>>> =========
>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('login'))
>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>> =========
>>>>
>>>> The document has an ID attribute declared in DTD, the value has no weird
>>>> characters in it yet the id() expression fails. To add insult to injury,
>>>> this is in the code that's been working for a long time on different
>>>> versions of Linux. The problem I am seeing now is on CentOS
>>>> (2.6.32-220.23.1.el6.centos.plus.x86_64), libxmlsec1 1.2.16, libxml2
>>>> 2.7.6, BUT everything has worked with this configuration (just not this
>>>> particular instance) before! The only difference I can think of is that
>>>> the XML document is now created by a different (newer) version of the
>>>> wrapper library for libxml2 (https://github.com/polotek/libxmljs) but
>>>> what could it possibly impact I don't know. Same version of the library
>>>> works for me just fine on a different system.
>>>>
>>>> Ideas or advice very much appreciated!
>>>>
>>>> Thanks in advance,
>>>> ...Max...
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> xmlsec mailing list
>>>> xmlsec at aleksey.com
>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
> 

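Added example, not part of the original thread: a shell check for the condition Max identifies, where one addon carries its own statically linked libxml2 while another module in the same process loads the shared libxml2. The function names and the sample `nm`/`ldd` output are constructed for illustration, and the check assumes the addon's symbols are neither stripped nor hidden.

```shell
#!/bin/sh
# Real libxml2 entry points used as probes: finding them *defined* inside an
# addon means the addon embeds its own copy of libxml2.
LIBXML2_PROBES='xmlParseDoc xmlFreeDoc xmlNewDoc xmlAddID xmlGetID xmlXPtrEval'

# stdin: `nm` output for one object. Prints each probe the object defines in
# its text section (type T or t); undefined "U name" entries are ignored.
embedded_libxml2_symbols() {
    awk -v probes="$LIBXML2_PROBES" '
        BEGIN { n = split(probes, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NF == 3 && ($2 == "T" || $2 == "t") && ($3 in want) { print $3 }
    ' | sort -u
}

# stdin: `ldd` output for one object. Succeeds if it needs the shared libxml2.
needs_shared_libxml2() {
    grep -Eq '^[[:space:]]*libxml2\.so(\.[0-9]+)*[[:space:]]'
}

# $1: nm output of the addon that builds the document.
# $2: ldd output of the addon that signs it (links libxmlsec1).
# Prints "conflict" when the first embeds libxml2 and the second loads the .so,
# i.e. documents built by one libxml2 build are handed to another.
classify_libxml2_linkage() {
    embedded=$(printf '%s\n' "$1" | embedded_libxml2_symbols)
    if [ -n "$embedded" ] && printf '%s\n' "$2" | needs_shared_libxml2; then
        echo conflict
    elif [ -n "$embedded" ]; then
        echo embedded-only
    else
        echo shared-or-none
    fi
}

# Constructed sample input (not taken from the thread).
SAMPLE_NM='0000000000041a20 T xmlAddID
0000000000041c10 T xmlGetID
0000000000052e00 T xmlParseDoc
                 U malloc
0000000000001200 T init'
SAMPLE_LDD='    libxmlsec1.so.1 => /usr/lib64/libxmlsec1.so.1 (0x00007f0000200000)
    libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00007f0000100000)'

# Real use (hypothetical paths):
#   classify_libxml2_linkage "$(nm -D --defined-only doc-addon.node)" \
#                            "$(ldd signing-addon.node)"
classify_libxml2_linkage "$SAMPLE_NM" "$SAMPLE_LDD"
```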
