[xmlsec] Inconsistent dsigCtx->status value

Aleksey Sanin aleksey at aleksey.com
Fri May 13 08:55:56 PDT 2016


Hm... The only idea I have is that you compile with different
flags or link against a different version of the xmlsec library.
It looks like dsigCtx->status points to a different place in
memory.

Aleksey

On 5/13/16 2:16 AM, moore43132 at yahoo.com wrote:
> Hello Aleksey & thank you for the reply.
> I cannot see an obvious error in the dump.
> Can you point it out if present?
> 
> Also if indeed a digest is incorrect, would you expect the status to
> be invalid? (rather than a garbage value)
> 
> Attached is the dump.
> 
> Also some code that I added as a result of ID related errors of FAQ 3.2.
> This is the main difference to one of your verify examples.
> Without this code, I get lots of errors.
> 
> With it, the verification runs through, but with the contradictory result
> in status. 
> 
> Appreciate your input. 
> Thank you. 
> On Friday, 13 May 2016, 2:56:22, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
> 
> Look through the whole dump. One of the digests is likely invalid.
> 
> Aleksey
> 
> On 5/12/16 2:37 PM, moore43132 at yahoo.com <mailto:moore43132 at yahoo.com>
> wrote:
>> 
>> Hello
>>
>>
>> Any thoughts on how the following can happen would be much appreciated.
>>
>>
>> Have some code like this which is preceded by creating a verify context
>> etc etc just like examples:
>>
>> ...
>> ...
>>        /* print verification result to stdout */
>>        if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>>                fprintf(stdout, "RESULT: Signature is OK  %d\n", dsigCtx->status);
>>        } else {
>>                fprintf(stdout, "RESULT: Signature is INVALID %d\n", dsigCtx->status);
>>        }
>>        fprintf(stdout, "---------------------------------------------------\n");
>>
>>        xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>> ...
>> ...
>>
>>
>> And get the following output:
>>
>>
>> RESULT: Signature is INVALID 7219120
>> ---------------------------------------------------
>> = VERIFICATION CONTEXT
>> == Status: succeeded
>> == flags: 0x0000000e
>> == flags2: 0x00000000
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0x00000002
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Signature Method:
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> == Signature Key:
>> == KEY
>> === method: RSAKeyValue
>> === key type: Public
>> === key usage: -1
>> === key not valid before: 1458586152
>> === key not valid after: 1774118952
>> === rsa key: size = 2048
>> === list size: 1
>> === X509 Data:
>> ==== Key Certificate:
>> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Certificate:
>> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> == SignedInfo References List:
>> === list size: 1
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#_c4e9522ba1289864766f54df6a04eae5b77fd7c70d"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #_c4e9522ba1289864766f54df6a04eae5b77fd7c70d
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: enveloped-signature
>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> ....
>> ....
>>
>> ....
>>
>>
>> Any ideas how this could happen?
>>
>> The dump prints the status as being successful.
>> This as per the setting of the dsigCtx->status in
>> xmlSecDSigCtxDebugDump() function in xmldsig.c
>>
>>
>> But how is it printing some garbage value beforehand? (7219120)
>> Why is it not initialized or set to unknown/invalid?
>>
>>
>> Would appreciate any insight. No other logs/errors from the xmlsec are
>> evident.
>>
>> Are there any other logs I could refer to?
>> Would appreciate any thoughts.
> 
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
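
The diagnosis at the top of this message (application and library compiled with different flags or versions, so `dsigCtx->status` is read from a different place in memory) can be reproduced in miniature. This is an added example, not code from the thread or from xmlsec: the structs, field names and the `lib_check_layout` guard are hypothetical, and the filler value is constructed to match the number in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical structs for illustration; NOT xmlsec's real xmlSecDSigCtx layout. */
enum { DEMO_UNKNOWN = 0, DEMO_SUCCEEDED = 1, DEMO_INVALID = 2 };

/* Layout the library was compiled with (an optional feature adds a field). */
typedef struct { uint32_t flags, flags2, feature_data; int32_t status; } lib_ctx;
/* Layout the application's headers describe (feature macro not defined). */
typedef struct { uint32_t flags, flags2; int32_t status; } app_ctx;

/* Read a 32-bit field at a byte offset; memcpy keeps the access well defined. */
static int32_t read_i32(const void *ctx, size_t off) {
    int32_t v;
    memcpy(&v, (const unsigned char *)ctx + off, sizeof v);
    return v;
}

/* "Library" code: fills the context using the library's own layout. */
static void lib_verify(lib_ctx *ctx) {
    ctx->feature_data = 7219120;  /* constructed filler, same number as in the post */
    ctx->status = DEMO_SUCCEEDED;
}
/* What the library's own debug dump would report. */
static int32_t lib_view_status(const void *ctx) {
    return read_i32(ctx, offsetof(lib_ctx, status));
}
/* What the application reads through its mismatched headers. */
static int32_t app_view_status(const void *ctx) {
    return read_i32(ctx, offsetof(app_ctx, status));
}
/* Startup guard: caller passes its view of the layout; returns 1 if compatible. */
static int lib_check_layout(size_t size, size_t status_off) {
    return size == sizeof(lib_ctx) && status_off == offsetof(lib_ctx, status);
}

int main(void) {
    lib_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    lib_verify(&ctx);
    printf("library dump sees status = %d\n", (int)lib_view_status(&ctx));
    printf("application sees status  = %d\n", (int)app_view_status(&ctx));
    if (!lib_check_layout(sizeof(app_ctx), offsetof(app_ctx, status)))
        printf("layout mismatch: rebuild with the library's own flags\n");
    return 0;
}
```

The library-side reader reports success while the application-side reader returns an unrelated field, which is the same contradiction as in the output quoted below. xmlsec's own examples call `xmlSecCheckVersion()` at startup, which covers the version half of this diagnosis.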

