[xmlsec] Inconsistent dsigCtx->status value

Aleksey Sanin aleksey at aleksey.com
Thu May 12 18:56:20 PDT 2016


Look through the whole dump. One of the digests is likely invalid.

Aleksey

On 5/12/16 2:37 PM, moore43132 at yahoo.com wrote:
>  
> Hello
> 
> 
> Any thoughts on how the following can happen would be much appreciated.
> 
> 
> Have some code like this which is preceded by creating a verify context
> etc etc just like examples:
> 
> ...
> ...
>         /* print verification result to stdout */
>         if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>                 fprintf(stdout, "RESULT: Signature is OK  %d\n", dsigCtx->status);
>         } else {
>                 fprintf(stdout, "RESULT: Signature is INVALID %d\n", dsigCtx->status);
>         }
>         fprintf(stdout, "---------------------------------------------------\n");
> 
> 
>         xmlSecDSigCtxDebugDump(dsigCtx, stdout);
> ...
> ...
> 
> 
> And get the following output:
> 
> 
> RESULT: Signature is INVALID 7219120
> ---------------------------------------------------
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x0000000e
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key usage: -1
> === key not valid before: 1458586152
> === key not valid after: 1774118952
> === rsa key: size = 2048
> === list size: 1
> === X509 Data:
> ==== Key Certificate:
> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Certificate:
> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI: "#_c4e9522ba1289864766f54df6a04eae5b77fd7c70d"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: 
> === uri xpointer expr: #_c4e9522ba1289864766f54df6a04eae5b77fd7c70d
> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> ....
> ....
> 
> ....
> 
> 
> Any ideas how this could happen?
> 
> The dump prints the status as being successful.
> This as per the setting of the dsigCtx->status in
> xmlSecDSigCtxDebugDump() function in xmldsig.c
> 
> 
> But how is it printing some garbage value beforehand? (7219120)
> Why is it not initialized or set to unknown/invalid?
> 
> 
> Would appreciate any insight. No other logs/errors from the xmlsec are
> evident.
> 
> Are there any other logs I could refer to?
> Would appreciate any thoughts. 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 

