[xmlsec] Inconsistent dsigCtx->status value

Aleksey Sanin aleksey at aleksey.com
Fri May 13 13:46:46 PDT 2016


Yes, looks like it. Plus, the value 7219120 is very weird and not expected
for a status. This is why I think there is a problem with either the
compilation flags or the library version.


Aleksey

On 5/13/16 1:44 PM, moore43132 at yahoo.com wrote:
> 
> It is very strange.
> I did a new build and the runtime is using the exact same version.
> 
> It is the latest .22 version.
> Same result.
> Will try to debug further.
> 
> BTW, was the dump produced actually a valid verify (verify OK)?
> 
>     On Fri, 13 May, 2016 at 16:56, Aleksey Sanin
>     <aleksey at aleksey.com> wrote:
> 
>     Hm... The only idea I have is that you compile with different
>     flags or link against a different version of xmlsec library.
>     It looks like dsigCtx->status points to a different place in
>     memory.
> 
>     Aleksey
> 
>     On 5/13/16 2:16 AM, moore43132 at yahoo.com wrote:
>     > Hello Aleksey & thank you for the reply.
>     > I cannot see an obvious error in the dump.
>     > Can you point it out if present?
>     >
>     > Also, if indeed a digest is incorrect, would you expect the status to
>     > be invalid (rather than a garbage value)?
>     >
>     > Attached is the dump.
>     >
>     > Also some code that I added as a result of the ID-related errors of
>     > FAQ 3.2. This is the main difference from one of your verify examples.
>     > Without this code, I get lots of errors.
>     >
>     > With it, the verification runs through, but with the contradictory result
>     > in status.
>     >
>     > Appreciate your input.
>     > Thank you.
>     > On Friday, 13 May 2016, 2:56:22, Aleksey Sanin
>     <aleksey at aleksey.com> wrote:
>     >
>     >
>     > Look through the whole dump. One of the digests is likely invalid.
>     >
>     > Aleksey
>     >
>     > On 5/12/16 2:37 PM, moore43132 at yahoo.com wrote:
>     >>
>     >> Hello
>     >>
>     >> Any thoughts on how the following can happen would be much
>     >> appreciated.
>     >>
>     >> I have some code like this, which is preceded by creating a verify
>     >> context etc., just like the examples:
>     >>
>     >> ...
>     >> ...
>     >>     /* print verification result to stdout */
>     >>     if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>     >>         fprintf(stdout, "RESULT: Signature is OK  %d\n", (int)dsigCtx->status);
>     >>     } else {
>     >>         fprintf(stdout, "RESULT: Signature is INVALID %d\n", (int)dsigCtx->status);
>     >>     }
>     >>     fprintf(stdout, "---------------------------------------------------\n");
>     >>
>     >>     xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>     >> ...
>     >> ...
>     >>
>     >>
>     >> And get the following output:
>     >>
>     >>
>     >> RESULT: Signature is INVALID 7219120
>     >> ---------------------------------------------------
>     >> = VERIFICATION CONTEXT
>     >> == Status: succeeded
>     >> == flags: 0x0000000e
>     >> == flags2: 0x00000000
>     >> == Key Info Read Ctx:
>     >> = KEY INFO READ CONTEXT
>     >> == flags: 0x00000000
>     >> == flags2: 0x00000000
>     >> == enabled key data: all
>     >> == RetrievalMethod level (cur/max): 0/1
>     >> == TRANSFORMS CTX (status=0)
>     >> == flags: 0x00000000
>     >> == flags2: 0x00000000
>     >> == enabled transforms: all
>     >> === uri: NULL
>     >> === uri xpointer expr: NULL
>     >> == EncryptedKey level (cur/max): 0/1
>     >> === KeyReq:
>     >> ==== keyId: rsa
>     >> ==== keyType: 0x00000001
>     >> ==== keyUsage: 0x00000002
>     >> ==== keyBitsSize: 0
>     >> === list size: 0
>     >> == Key Info Write Ctx:
>     >> = KEY INFO WRITE CONTEXT
>     >> == flags: 0x00000000
>     >> == flags2: 0x00000000
>     >> == enabled key data: all
>     >> == RetrievalMethod level (cur/max): 0/1
>     >> == TRANSFORMS CTX (status=0)
>     >> == flags: 0x00000000
>     >> == flags2: 0x00000000
>     >> == enabled transforms: all
>     >> === uri: NULL
>     >> === uri xpointer expr: NULL
>     >> == EncryptedKey level (cur/max): 0/1
>     >> === KeyReq:
>     >> ==== keyId: NULL
>     >> ==== keyType: 0x00000001
>     >> ==== keyUsage: 0xffffffff
>     >> ==== keyBitsSize: 0
>     >> === list size: 0
>     >> == Signature Transform Ctx:
>     >> == TRANSFORMS CTX (status=2)
>     >> == flags: 0x00000000
>     >> == flags2: 0x00000000
>     >> == enabled transforms: all
>     >> === uri: NULL
>     >> === uri xpointer expr: NULL
>     >> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>     >> === Transform: membuf-transform (href=NULL)
>     >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>     >> === Transform: membuf-transform (href=NULL)
>     >> == Signature Method:
>     >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>     >> == Signature Key:
>     >> == KEY
>     >> === method: RSAKeyValue
>     >> === key type: Public
>     >> === key usage: -1
>     >> === key not valid before: 1458586152
>     >> === key not valid after: 1774118952
>     >> === rsa key: size = 2048
>     >> === list size: 1
>     >> === X509 Data:
>     >> ==== Key Certificate:
>     >> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>     >> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>     >> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>     >> ==== Certificate:
>     >> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>     >> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>     >> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>     >> == SignedInfo References List:
>     >> === list size: 1
>     >> = REFERENCE VERIFICATION CONTEXT
>     >> == Status: succeeded
>     >> == URI: "#_c4e9522ba1289864766f54df6a04eae5b77fd7c70d"
>     >> == Reference Transform Ctx:
>     >> == TRANSFORMS CTX (status=2)
>     >> == flags: 0x00000000
>     >> == flags2: 0x00000000
>     >> == enabled transforms: all
>     >> === uri:
>     >> === uri xpointer expr: #_c4e9522ba1289864766f54df6a04eae5b77fd7c70d
>     >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>     >> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>     >> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>     >> === Transform: membuf-transform (href=NULL)
>     >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>     >> === Transform: membuf-transform (href=NULL)
>     >> == Digest Method:
>     >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>     >> == PreDigest data - start buffer:
>     >> ....
>     >> ....
>     >>
>     >> ....
>     >>
>     >>
>     >> Any ideas how this could happen?
>     >>
>     >> The dump prints the status as being successful.
>     >> This is as per the setting of dsigCtx->status in the
>     >> xmlSecDSigCtxDebugDump() function in xmldsig.c.
>     >>
>     >> But how is it printing some garbage value beforehand (7219120)?
>     >> Why is it not initialized or set to unknown/invalid?
>     >>
>     >> Would appreciate any insight. No other logs/errors from xmlsec are
>     >> evident.
>     >>
>     >> Are there any other logs I could refer to?
>     >> Would appreciate any thoughts.
>     >>
>     >> _______________________________________________
>     >> xmlsec mailing list
>     >> xmlsec at aleksey.com
>     >> http://www.aleksey.com/mailman/listinfo/xmlsec
> 

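Added example, not from the thread and not xmlsec code: a constructed C model of the failure mode Aleksey suspects, a struct layout mismatch between the application and the library it links against. The field names, widths and the two "builds" are assumptions chosen to reproduce the symptom seen above. The library's own debug dump reads status at the offset the library was compiled with and reports "succeeded"; the application, compiled so that a size-like typedef is 4 bytes instead of 8, reads the same object through a shorter layout and picks up four bytes of a neighbouring pointer, which prints as a value like 7219120. In xmlsec the define that does exactly this is XMLSEC_NO_SIZE_T (it switches xmlSecSize between size_t and unsigned int), and xmlsec1-config --cflags is what carries such defines into a build; nothing below calls xmlsec, the point is the mechanism and the check.

```c
/* Constructed model of an application/library struct-layout mismatch.
 * Not xmlsec's real struct: field names, widths and the two "builds"
 * are assumptions made to show why a status read in the application
 * can be garbage while the library's own dump prints "succeeded". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    STATUS_UNKNOWN = 0,
    STATUS_SUCCEEDED = 1,
    STATUS_INVALID = 2
} verify_status_t;

/* Layout compiled into the "library": the size-like typedef is 8 bytes
 * (as size_t is on LP64 when a define like XMLSEC_NO_SIZE_T is absent). */
typedef uint64_t lib_size_t;
typedef struct {
    unsigned int    flags;
    unsigned int    flags2;
    lib_size_t      curLevel;      /* two size-typed fields: 16 bytes here */
    lib_size_t      maxLevel;
    void           *signValueNode; /* a pointer stored right before status */
    verify_status_t status;        /* set by the library after verifying */
} lib_ctx_t;

/* Layout the "application" was compiled with: same header, but the
 * size-like typedef is 4 bytes wide, so every later field moves up. */
typedef uint32_t app_size_t;
typedef struct {
    unsigned int    flags;
    unsigned int    flags2;
    app_size_t      curLevel;      /* 8 bytes total: status lands 8 bytes early */
    app_size_t      maxLevel;
    void           *signValueNode;
    verify_status_t status;
} app_ctx_t;

/* "Library" code: runs verification and records the verdict in its own layout. */
static void lib_verify(lib_ctx_t *ctx, int digests_ok, void *sig_node) {
    memset(ctx, 0, sizeof *ctx);
    ctx->flags = 0x0e;
    ctx->signValueNode = sig_node;
    ctx->status = digests_ok ? STATUS_SUCCEEDED : STATUS_INVALID;
}

/* "Library" code: the debug dump reads status at the library's own offset,
 * so it always agrees with what lib_verify() stored. */
static verify_status_t lib_dump_status(const lib_ctx_t *ctx) {
    return ctx->status;
}

/* "Application" code: it holds a pointer to the library's object but reads
 * it through app_ctx_t, i.e. loads 4 bytes at the wrong offset. The memcpy
 * models the load the compiler emits for ctx->status in the application. */
static int app_read_status(const void *lib_object) {
    int raw;
    memcpy(&raw, (const char *)lib_object + offsetof(app_ctx_t, status), sizeof raw);
    return raw;
}

/* The check worth running before trusting any field read across the
 * boundary: do both compilation units agree on the shared struct? */
static int layouts_agree(void) {
    return sizeof(lib_ctx_t) == sizeof(app_ctx_t)
        && offsetof(lib_ctx_t, status) == offsetof(app_ctx_t, status);
}

/* 1 if the application's OK/INVALID decision matches the library's verdict,
 * 0 if they contradict each other (the symptom reported in the thread). */
static int verdicts_agree(int digests_ok) {
    lib_ctx_t ctx;
    int node_marker = 0; /* stand-in for the <SignatureValue> node pointer */
    lib_verify(&ctx, digests_ok, &node_marker);

    int lib_ok = (lib_dump_status(&ctx) == STATUS_SUCCEEDED);
    int app_ok = (app_read_status(&ctx) == STATUS_SUCCEEDED);
    return lib_ok == app_ok;
}

int main(void) {
    lib_ctx_t ctx;
    int node_marker = 0;
    lib_verify(&ctx, 1, &node_marker);

    printf("layouts agree        : %s\n", layouts_agree() ? "yes" : "no");
    printf("library dump status  : %d\n", (int)lib_dump_status(&ctx));
    printf("application status   : %d\n", app_read_status(&ctx));
    if (app_read_status(&ctx) == STATUS_SUCCEEDED)
        printf("RESULT: Signature is OK\n");
    else
        printf("RESULT: Signature is INVALID (read through the wrong layout)\n");
    return 0;
}
```

Two things to take from running it. With a valid signature the two sides contradict each other, exactly as in the thread; with an invalid one they happen to agree, because any garbage that is not 1 reads as "not succeeded", so a layout mismatch sails through negative tests and only surfaces on a good signature. For the real library, xmlSecCheckVersionExact() from xmlsec.h compares the header version the application was built against with the loaded library, but it compares version numbers only and will not notice a feature-define mismatch; the fix for that is to compile with the flags xmlsec1-config --cflags prints and link with the ones from --libs, so that application and library see the same xmlSecSize.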
