[xmlsec] Fuzzing XML Security Library
aleksey at aleksey.com
Thu Feb 5 08:54:08 PST 2015
While it is not impossible, I would be highly surprised to find bugs
in XML signature processing at this stage of life for XML Sec Library.
It is actually pretty simple to create a syntactically valid signature
that will NOT verify (hint: try to include the Signature node in the
Anyway, the xmlsec tool usually prints pretty good and descriptive errors.
You might want to start there.
On 2/4/15 11:10 PM, Henri Salo wrote:
> I have been doing some fuzzing with XML Security Library and I have found a case
> where signing a document works, but verifying it does not and generates
> errors. Do you consider this kind of case as a bug, which should be
> reported to correct addresses etc or is this just normal functionality of the
> This works:
> xmlsec1 --sign --privkey rsakey.pem --output sign1.xml fuzzedinputfile
> This does not:
> xmlsec1 --verify sign1.xml rsapub.pem