[xmlsec] DSig verify fails

Aleksey Sanin aleksey at aleksey.com
Thu Jan 15 18:14:13 PST 2015

You can see the comment in the code or look at the doc:


You can find the list of all references with verification status
for each in the xmlDSigCtx object and perform "application defined"
logic to declare the signature valid or invalid.


On 1/15/15 4:48 PM, Hopson, Craig wrote:
> Hi Aleksey,
> I am using xmlSec to verify a dsig on an OPC file.  The signed OPC’s manifest (someUUID.psdsxs) has a list of Reference objects.  Each Reference object has a URI, DigestMethod, and DigestValue.
> I have overridden the xmlSec IO read callback to read the node because the OPC standard appends "?ContextType=text/plain" (or whatever type) to the URI.  Given a properly signed OPC, if I change one byte in my IO read proc, the library detects that the node's digest does not match the stored DigestValue and sets dsigRefCtx->status = xmlSecDSigStatusInvalid.  This is good.  HOWEVER, rather than propagating this error up so that I can declare that the dsig is invalid, the library simply grabs the next Reference node and processes it.  Consequently, even though the nodes pointed to in the manifest may be invalid, the library verifies the dsig on the OPC.
> Here is the (simplified) call stack...
> xmlSecDSigCtxVerify
>   xmlSecDSigCtxProcessObjectNode
>     xmlSecDSigCtxProcessObjectNode
>       xmlSecDSigCtxProcessManifestNode
>         xmlSecDSigReferenceCtxProcessNode(dsigRefCtx, cur);
>           xmlSecOpenSSLEvpDigestVerify
>             if(memcmp(ctx->dgst, data, ctx->dgstSize)
>               transform->status = xmlSecTransformStatusFail;
>               <<posts this error>> func=:file=/blah/blah/blah/xmlSec/xmlsec1-1.2.20/src/openssl/digests.c:line=250:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>               URI=/platforms/platforms.sec?ContentType=application/octet-stream
>         /* set status and we are done */
>         if(dsigRefCtx->digestMethod->status == xmlSecTransformStatusOk) {
>             dsigRefCtx->status = xmlSecDSigStatusSucceeded;
>         } else {
>             dsigRefCtx->status = xmlSecDSigStatusInvalid;
>         }
>         /* we don't care if Reference processing failed because
>          * it's Manifest node */
>         cur = xmlSecGetNextElementNode(cur->next);
> So, how can I get the correct status propagated back to me?  Is there something I am missing in setting up the library?  Is this a bug or intended behavior?
> Thanks,
> -Craig
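The "application defined logic" the reply points to, as an added example that is not code from the xmlsec project or from either poster: after xmlSecDSigCtxVerify() returns, the caller walks the Manifest references kept in the context and refuses the signature if any of them did not succeed. The policy itself is a plain C function over an array of status codes (the enum values mirror xmlsec's xmlSecDSigStatus so it compiles and can be tested without the library); the xmlsec glue around it assumes the 1.2-era struct layout (dsigCtx->status, the embedded xmlSecPtrList manifestReferences, xmlSecPtrListGetSize/xmlSecPtrListGetItem, ref->status) and is compiled only when <xmlsec/xmldsig.h> is available. The sample status arrays are constructed for illustration.

```c
/* Added example: enforce "every Manifest reference must verify" on top of
 * xmlsec's own result. Not xmlsec project code. */
#include <stddef.h>

/* Mirrors xmlsec's xmlSecDSigStatus (Unknown = 0, Succeeded = 1, Invalid = 2)
 * so the policy below builds and runs without linking the library. */
enum ref_status { REF_UNKNOWN = 0, REF_SUCCEEDED = 1, REF_INVALID = 2 };

/* Return 1 only if every reference status is Succeeded.
 * Unknown counts as a failure: a reference that was never checked must not
 * pass silently. With n == 0 there is nothing to enforce, so return 1. */
int all_refs_succeeded(const int *statuses, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (statuses[i] != REF_SUCCEEDED) {
            return 0;
        }
    }
    return 1;
}

/* Constructed sample inputs (not taken from a real OPC package). */
static const int sample_all_ok[3]      = { REF_SUCCEEDED, REF_SUCCEEDED, REF_SUCCEEDED };
static const int sample_one_invalid[3] = { REF_SUCCEEDED, REF_INVALID,   REF_SUCCEEDED };
static const int sample_unchecked[2]   = { REF_SUCCEEDED, REF_UNKNOWN };

/* The xmlsec glue: compiled only where the library headers are present. */
#if defined(__has_include)
#if __has_include(<xmlsec/xmldsig.h>)
#include <xmlsec/xmlsec.h>
#include <xmlsec/xmldsig.h>
#include <xmlsec/list.h>

#define MAX_MANIFEST_REFS 256

/* Copy the status of each xmlSecDSigReferenceCtx in `refs` into `out`
 * (at most `max` entries) and return how many were copied. */
static size_t collect_statuses(xmlSecPtrListPtr refs, int *out, size_t max) {
    size_t total = (size_t)xmlSecPtrListGetSize(refs);
    size_t i;
    for (i = 0; i < total && i < max; i++) {
        xmlSecDSigReferenceCtxPtr ref =
            (xmlSecDSigReferenceCtxPtr)xmlSecPtrListGetItem(refs, (xmlSecSize)i);
        /* A missing item is treated as Unknown, which the policy rejects. */
        out[i] = (ref == NULL) ? REF_UNKNOWN : (int)ref->status;
    }
    return i;
}

/* Verify `sigNode` with `dsigCtx`, then apply the Manifest policy.
 * Returns 1 = valid, 0 = invalid, -1 = processing error.
 * xmlsec already fails the signature on a bad SignedInfo reference; this
 * adds the same strictness for references found under a Manifest. */
int verify_with_manifest_policy(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr sigNode) {
    int statuses[MAX_MANIFEST_REFS];
    size_t n;

    if (xmlSecDSigCtxVerify(dsigCtx, sigNode) < 0) {
        return -1;                      /* library error, not a verdict */
    }
    if (dsigCtx->status != xmlSecDSigStatusSucceeded) {
        return 0;                       /* core signature already invalid */
    }
    n = collect_statuses(&dsigCtx->manifestReferences, statuses, MAX_MANIFEST_REFS);
    if (n != (size_t)xmlSecPtrListGetSize(&dsigCtx->manifestReferences)) {
        return -1;                      /* more references than we inspected */
    }
    return all_refs_succeeded(statuses, n);
}
#endif
#endif
```

Call verify_with_manifest_policy() in place of a bare xmlSecDSigCtxVerify() and treat only a return of 1 as a valid package; the Reference ctx also carries the URI, so on a 0 result the same walk can report which part of the package failed its digest.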
