[xmlsec] Fuzzing XML Security Library

Aleksey Sanin aleksey at aleksey.com
Thu Feb 5 08:54:08 PST 2015

While it is not impossible, I would be highly surprised to find bugs
in XML signature processing at this stage of life for XML Sec Library.
It is actually pretty simple to create a syntactically valid signature
that will NOT verify (hint: try to include the Signature node in the
Reference digest).

Anyway, xmlsec tool usually prints pretty good and descriptive errors.
You might want to start there.



On 2/4/15 11:10 PM, Henri Salo wrote:
> Hi,
> I have been doing some fuzzing with XML Security Library and I have found a case
> where signing a document works[0], but verifying it does not and generates
> errors [1]. Do you consider this kind of case as a bug, which should be
> reported to correct addresses etc or is this just normal functionality of the
> tools?
> This works:
> xmlsec1 --sign --privkey rsakey.pem --output sign1.xml fuzzedinputfile
> This does not:
> xmlsec1 --verify sign1.xml rsapub.pem

More information about the xmlsec mailing list