[xmlsec] Fuzzing XML Security Library
Aleksey Sanin
aleksey at aleksey.com
Thu Feb 5 08:54:08 PST 2015
While it is not impossible, I would be highly surprised to find bugs
in XML signature processing at this stage of life for XML Sec Library.
It is actually pretty simple to create a syntactically valid signature
that will NOT verify (hint: try to include the Signature node in the
Reference digest).

Anyway, the xmlsec tool usually prints pretty good and descriptive errors.
You might want to start there.

Best,
Aleksey

On 2/4/15 11:10 PM, Henri Salo wrote:
> Hi,
>
> I have been doing some fuzzing with XML Security Library and I have found a case
> where signing a document works[0], but verifying it does not and generates
> errors [1]. Do you consider this kind of case as a bug, which should be
> reported to correct addresses etc or is this just normal functionality of the
> tools?
>
> This works:
>
> xmlsec1 --sign --privkey rsakey.pem --output sign1.xml fuzzedinputfile
>
> This does not:
>
> xmlsec1 --verify sign1.xml rsapub.pem
>
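
An added illustration, not part of the original thread and not xmlsec code: one reading of the hint above is that a Reference covering the Signature element itself (no enveloped-signature transform) digests DigestValue before it is filled in, so the stored digest can never match at verification time. The sketch assumes a constructed sample document, SHA-256, and Python's built-in C14N 2.0 in place of whatever algorithms the real signature names; the RSA step is left out because the mismatch already appears at the digest stage.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a document carrying an unsigned, enveloped Signature template.
DOC = (
    f'<doc><data>hello</data><Signature xmlns="{DS}"><SignedInfo>'
    '<Reference URI=""><DigestValue></DigestValue></Reference></SignedInfo>'
    "<SignatureValue></SignatureValue></Signature></doc>"
)


def reference_digest(root, enveloped):
    """Digest the whole document (URI=""), optionally dropping Signature first.

    enveloped=True mimics the enveloped-signature transform; enveloped=False
    leaves the Signature node inside the digested data.
    """
    tree = copy.deepcopy(root)
    if enveloped:
        for parent in tree.iter():
            for child in list(parent):
                if child.tag == f"{{{DS}}}Signature":
                    parent.remove(child)
    canonical = ET.canonicalize(ET.tostring(tree, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


def sign_then_verify(enveloped):
    """Fill in DigestValue as a signer would, then recheck it as a verifier would."""
    root = ET.fromstring(DOC)
    digest_value = root.find(f".//{{{DS}}}DigestValue")
    # Signing: the digest is computed while DigestValue is still empty.
    digest_value.text = reference_digest(root, enveloped)
    # Verifying: the digest is recomputed over the document as it now stands.
    return reference_digest(root, enveloped) == digest_value.text


if __name__ == "__main__":
    print("Signature excluded from digest:", sign_then_verify(True))
    print("Signature included in digest: ", sign_then_verify(False))
```
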