[xmlsec] Usage of XMLSEC_KEYINFO_FLAGS_KEYNAME_STOP_ON_UNKNOWN

Frank Gross fg at 4js.com
Thu Jun 20 06:10:08 PDT 2019


Yes, I found in keyinfo.c (line 692) where to stop the process and 
return (see following):

        tmpKey = xmlSecKeysMngrFindKey(keyInfoCtx->keysMngr, newName, keyInfoCtx);
        if(tmpKey != NULL) {

            XXXX

        } else if(keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_KEYNAME_STOP_ON_UNKNOWN) {
            /* no key with this name in the store: report it and stop here
             * instead of falling through to the later unnamed lookup */
            xmlSecOtherError(XMLSEC_ERRORS_R_KEY_NOT_FOUND, xmlSecKeyDataKlassGetName(id), "Unknown key name");
            xmlFree(newName);
            return(-1);
        }


But then at some point I return from xmlSecKeyDataEncryptedKeyXmlRead() 
with a return value of 0, instead of -1, because the result of 
xmlSecEncCtxDecryptToBuffer(keyInfoCtx->encCtx, node) is NULL at 
line 1354,

and I finally go back into the function xmlSecKeysMngrGetKey(), where 
xmlSecKeyInfoNodeRead() returns 0 without a valid key (which is 
expected), but there is no status saying that the key was not found due 
to the name. Then, as there is a keystore set, we go for a new run of 
xmlSecKeysMngrFindKey(keyInfoCtx->keysMngr, NULL, keyInfoCtx) where, of 
course, we are going to find the key without a name.

Actually, in xmlSecKeysMngrGetKey(), when xmlSecKeyInfoNodeRead() is 
called and no key is found (in the key store), we search again for a key 
in the key store; isn't it doing the same job twice? And is there a way 
to return a status from xmlSecKeyInfoNodeRead() saying that the key was 
not found due to the name, to avoid searching again?

Thanks,

Frank


On 19/06/2019 at 18:40, Aleksey Sanin wrote:
> Doesn't look like it was implemented :)
>
> https://github.com/lsh123/xmlsec/search?q=XMLSEC_KEYINFO_FLAGS_KEYNAME_STOP_ON_UNKNOWN 
>
>
> https://github.com/lsh123/xmlsec/commit/914f5ba36b26682b1857caecd63145c141f98663 
>
>
> Should be a simple change around here:
>
> https://github.com/lsh123/xmlsec/blob/a181a96b5f73a4ac27be2fc51644326c2b89fe4d/src/keyinfo.c#L663 
>
> Aleksey
>
> On 6/19/19 3:50 AM, Frank Gross wrote:
>> Hi,
>>
>> Can someone tell me how the flag 
>> XMLSEC_KEYINFO_FLAGS_KEYNAME_STOP_ON_UNKNOWN is supposed to work?
>>
>> I was expecting that xmlSecEncCtxDecrypt() fails when that flag is 
>> set because the KeyName in my encrypted document is not available in 
>> the key store, but it actually found the key because I registered 
>> that same key under a different name.
>>
>> Thanks,
>>
>> Frank
>>
>
-- 
Frank GROSS
Software Engineer - Web Services
Four J's Development Tools - http://www.4js.com
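The two-pass lookup Frank describes (named search, then an unconditional retry with name == NULL), as an added constructed C simulation that is not xmlsec's own code: the `sim_*` names and the `SIM_FLAG_KEYNAME_STOP_ON_UNKNOWN` constant are hypothetical stand-ins for the xmlsec key manager and flag, and the key store contents are made up. It shows why the retry makes the KeyName irrelevant to which key is chosen unless the stop-on-unknown check fails closed first.

```c
/* Constructed simulation of the key lookup flow discussed above.
 * Not xmlsec code: sim_* names and the flag value are stand-ins. */
#include <stddef.h>
#include <string.h>

#define SIM_FLAG_KEYNAME_STOP_ON_UNKNOWN 0x1u   /* hypothetical flag bit */

typedef struct { const char *name; const char *material; } sim_key_t;
typedef struct { int rc; const sim_key_t *key; } sim_result_t;

/* Constructed key store: the only key is registered as "server-2019". */
static const sim_key_t sim_store[] = {
    { "server-2019", "constructed-aes-key-bytes" },
};
static const size_t sim_store_len = sizeof(sim_store) / sizeof(sim_store[0]);

/* Models xmlSecKeysMngrFindKey(): a NULL name matches any stored key. */
static const sim_key_t *sim_find_key(const char *name) {
    for (size_t i = 0; i < sim_store_len; i++) {
        if (name == NULL || strcmp(sim_store[i].name, name) == 0) {
            return &sim_store[i];
        }
    }
    return NULL;
}

/* Models xmlSecKeysMngrGetKey(): first the KeyInfo read looks the key up
 * by the document's KeyName; if that yields nothing, a second pass asks
 * the store for any key (name == NULL).  With the stop-on-unknown flag
 * set, an unknown name is an error and the second pass never runs, so
 * the chosen key stays bound to the name the document asked for. */
sim_result_t sim_get_key(const char *key_name, unsigned flags) {
    sim_result_t res = { -1, NULL };
    res.key = sim_find_key(key_name);
    if (res.key == NULL && key_name != NULL &&
        (flags & SIM_FLAG_KEYNAME_STOP_ON_UNKNOWN)) {
        return res;                       /* rc == -1: unknown key name */
    }
    if (res.key == NULL) {
        res.key = sim_find_key(NULL);     /* fallback: any key will do */
    }
    res.rc = (res.key != NULL) ? 0 : -1;
    return res;
}
```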
