[xmlsec] Sign verification problems after SLES 11.3 system security update

Aleksey Sanin aleksey at aleksey.com
Mon Apr 27 11:58:12 PDT 2015


The patch was related to supporting large DSA keys. Unfortunately,
I have no idea what changes have been made in SLES 11.3, so it is
hard for me to comment. However, if you are sure that xmlsec
worked before the upgrade and stopped working after, then I would
assume it was caused by the upgrade, and the SLES team should have a
better clue about what is going on.

Aleksey

On 4/27/15 10:22 AM, spam at intlt.ru wrote:
> I'm not sure they will pay attention to this problem, because SLES did not officially maintain the xmlsec package. Maybe you could advise me where to look? I have seen a patch about DSA in your repo; maybe this is related somehow?
> 
> 27.04.2015, 20:08, "Aleksey Sanin" <aleksey at aleksey.com>:
>> You might want to file a bug about SLES :) It's hard to say what
>> has changed.
>>
>> Aleksey
>>
>> On 4/27/15 10:05 AM, spam at intlt.ru wrote:
>>>  Yes, I did. I even tried to rebuild it from your latest git sources. This error occurs only with DSA keys, with RSA everything is ok.
>>>
>>>  27.04.2015, 19:39, "Aleksey Sanin" <aleksey at aleksey.com>:
>>>>  Did you rebuild xmlsec after the upgrade?
>>>>
>>>>  Aleksey
>>>>
>>>>  On 4/26/15 11:20 PM, Igor Sokolov wrote:
>>>>>   Something weird happened after the SLES 11.3 system update. There was a bunch of OpenSSL security updates.
>>>>>   xmlsec1 signature verification just stopped working.
>>>>>   On other systems (non-SLES: Mint, Windows) with the same key and file everything is ok.
>>>>>   Output:
>>>>>   xmlsec1 verify --print-debug --privkey-pem ibrsStubPublicKey.pem request.txt
>>>>>   error : Unknown IO error
>>>>>   func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>>>>   func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=889:obj=unknown:subj=unknown:error=45:key is not found:
>>>>>   func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=581:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>>   func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>>>>   Error: signature failed
>>>>>   ERROR
>>>>>   SignedInfo References (ok/all): 1/1
>>>>>   Manifests References (ok/all): 0/0
>>>>>   = VERIFICATION CONTEXT
>>>>>   == Status: unknown
>>>>>   == flags: 0x00000000
>>>>>   == flags2: 0x00000000
>>>>>   == Key Info Read Ctx:
>>>>>   = KEY INFO READ CONTEXT
>>>>>   == flags: 0x00000000
>>>>>   == flags2: 0x00000000
>>>>>   == enabled key data: all
>>>>>   == RetrievalMethod level (cur/max): 0/1
>>>>>   == TRANSFORMS CTX (status=0)
>>>>>   == flags: 0x00000000
>>>>>   == flags2: 0x00000000
>>>>>   == enabled transforms: all
>>>>>   === uri: NULL
>>>>>   === uri xpointer expr: NULL
>>>>>   == EncryptedKey level (cur/max): 0/1
>>>>>   === KeyReq:
>>>>>   ==== keyId: dsa
>>>>>   ==== keyType: 0x00000001
>>>>>   ==== keyUsage: 0x00000002
>>>>>   ==== keyBitsSize: 0
>>>>>   === list size: 0
>>>>>   == Key Info Write Ctx:
>>>>>   = KEY INFO WRITE CONTEXT
>>>>>   == flags: 0x00000000
>>>>>   == flags2: 0x00000000
>>>>>   == enabled key data: all
>>>>>   == RetrievalMethod level (cur/max): 0/1
>>>>>   == TRANSFORMS CTX (status=0)
>>>>>   == flags: 0x00000000
>>>>>   == flags2: 0x00000000
>>>>>   == enabled transforms: all
>>>>>   === uri: NULL
>>>>>   === uri xpointer expr: NULL
>>>>>   == EncryptedKey level (cur/max): 0/1
>>>>>   === KeyReq:
>>>>>   ==== keyId: NULL
>>>>>   ==== keyType: 0x00000001
>>>>>   ==== keyUsage: 0xffffffff
>>>>>   ==== keyBitsSize: 0
>>>>>   === list size: 0
>>>>>   == Signature Transform Ctx:
>>>>>   == TRANSFORMS CTX (status=0)
>>>>>   == flags: 0x00000000
>>>>>   == flags2: 0x00000000
>>>>>   == enabled transforms: all
>>>>>   === uri: NULL
>>>>>   === uri xpointer expr: NULL
>>>>>   === Transform: c14n-with-comments (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
>>>>>   === Transform: dsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#dsa-sha1)
>>>>>   == Signature Method:
>>>>>   === Transform: dsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#dsa-sha1)
>>>>>   == SignedInfo References List:
>>>>>   === list size: 1
>>>>>   = REFERENCE VERIFICATION CONTEXT
>>>>>   == Status: succeeded
>>>>>   == URI: ""
>>>>>   == Reference Transform Ctx:
>>>>>   == TRANSFORMS CTX (status=2)
>>>>>   == flags: 0x00000000
>>>>>   == flags2: 0x00000000
>>>>>   == enabled transforms: all
>>>>>   === uri: NULL
>>>>>   === uri xpointer expr: NULL
>>>>>   === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>>   === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>   === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>   === Transform: membuf-transform (href=NULL)
>>>>>   == Digest Method:
>>>>>   === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>   == Manifest References List:
>>>>>   === list size: 0
>>>>>   Error: failed to verify file "request.txt"
>>>>>   _______________________________________________
>>>>>   xmlsec mailing list
>>>>>   xmlsec at aleksey.com
>>>>>   http://www.aleksey.com/mailman/listinfo/xmlsec
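A triage helper for the debug trace quoted above, added here as an example; it is not code from the xmlsec project or from anyone in the thread. It parses the fields of `xmlsec1 --print-debug` output that matter and separates a key-loading failure from a digest or signature mismatch: in this trace the SignedInfo reference verified (1/1) and the error chain ends at "key is not found" for a KeyReq of keyId dsa, so the DSA key was never loaded and no signature math ran, which points at key loading (the DSA changes, the OpenSSL update) rather than at the signed content. The sample text is a constructed, trimmed copy of the output in the thread.

```python
import re

# Constructed sample, trimmed from the xmlsec1 --print-debug output quoted above;
# only the lines the triage below looks at are kept.
SAMPLE_OUTPUT = """\
error : Unknown IO error
func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=889:obj=unknown:subj=unknown:error=45:key is not found:
SignedInfo References (ok/all): 1/1
= VERIFICATION CONTEXT
== Status: unknown
==== keyId: dsa
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
"""

FUNC_RE = re.compile(r"^func=(\w+):.*?:error=(\d+):(.*?):?$")
REFS_RE = re.compile(r"^SignedInfo References \(ok/all\): (\d+)/(\d+)$")

def parse_debug(text):
    """Extract the fields that matter for triage from xmlsec1 debug output."""
    info = {"errors": [], "key_id": None, "refs": None, "status": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FUNC_RE.match(line):          # one frame of the xmlsec error chain
            info["errors"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := REFS_RE.match(line):
            info["refs"] = (int(m.group(1)), int(m.group(2)))
        elif line.startswith("= "):           # top-level context header
            section = line[2:]
        elif line.startswith("== Status:") and section == "VERIFICATION CONTEXT":
            info["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("==== keyId:") and info["key_id"] is None:
            info["key_id"] = line.split(":", 1)[1].strip()   # KeyReq of the read ctx
    return info

def classify(info):
    """Tell a key-loading failure apart from a digest or signature mismatch."""
    refs_ok, refs_all = info["refs"] or (0, 0)
    messages = {msg for _, _, msg in info["errors"]}
    if info["status"] == "succeeded":
        return "ok"
    if refs_ok < refs_all:
        return "reference-digest-mismatch"   # signed content was altered
    if "key is not found" in messages:
        return "key-lookup-failed"           # key never loaded, so no crypto ran
    return "signature-value-mismatch"
```

Running `classify(parse_debug(SAMPLE_OUTPUT))` on the thread's trace yields `key-lookup-failed`; the same parser accepts the full, untrimmed debug output because it keys only on the first KeyReq and the top-level VERIFICATION CONTEXT status.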

