After I call xmlSecDSigCtxVerify, the status in the context is corrupted with a large number. However, xmlsec1 reports the validation as OK. <br><br>xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml<br>
<br>Also xmlSecDSigCtxDebugDump output is exactly the same for xmlsec1 and my program.<br><br>I've reduced the code down to what is below and I'm having trouble seeing what could be wrong.<br><br>libxml version: 2.6.27<br>
xmlsec version: 1.2.11<br><br>Thanks for any help.<br><br><br><br>#include <iostream><br>#include <xmlsec/xmltree.h><br>#include <xmlsec/xmldsig.h><br>#include <xmlsec/crypto.h><br>#include <xmlsec/errors.h><br>
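#include <cstdlib>

#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
#endif

// Forward declarations: main() calls both helpers before their definitions
// (the original only declared error(), so set_id() was used undeclared).
void set_id(xmlDocPtr doc);
void error(const char *e);

/**
 * Verify the XML-DSig signature inside saml.xml against the certificate in
 * cert.crt, mirroring what `xmlsec1 --verify` does.
 *
 * @return EXIT_SUCCESS only when xmlSecDSigCtxVerify() completed and the
 *         context status is xmlSecDSigStatusSucceeded; EXIT_FAILURE when the
 *         signature did not verify. error() terminates the process with
 *         EXIT_FAILURE on any setup failure before that point.
 */
int main(int argc, char **argv) {
    using namespace std;
    (void)argc;
    (void)argv;

    cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
    cout << "xmlsec version: " << XMLSEC_VERSION << endl;

    xmlInitParser();
    LIBXML_TEST_VERSION;
    // NOTE(review): these two settings make the parser fetch external DTDs and
    // expand entities for saml.xml, which in a real SAML flow is supplied by
    // the remote party (XXE exposure). They are kept as the original had them
    // because XML_DETECT_IDS is what makes DTD-declared ID attributes
    // resolvable; consider xmlReadFile() with XML_PARSE_NONET and no entity
    // substitution once the ID handling in set_id() is confirmed sufficient.
    xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
    xmlSubstituteEntitiesDefault(1);
#ifndef XMLSEC_NO_XSLT
    xmlIndentTreeOutput = 1;
#endif

    // Init xmlsec library
    if (xmlSecInit() < 0) error("xmlSecInit");
    if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
    if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0) error("xmlSecCryptoDLLoadLibrary");
#endif
    if (xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto initialization failed.");
    if (xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto initialization failed.");

    xmlSecKeysMngrPtr mngr_ = xmlSecKeysMngrCreate();
    if (!mngr_) error("bad");
    if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad");

    xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
    xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, NULL, NULL);
    if (!key) error("key load error");
    // The keys manager owns `key` after adoption; it is released with mngr_.
    if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0) error("could not add key");

    xmlDocPtr doc_ = xmlParseFile("saml.xml");
    if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");

    set_id(doc_);

    xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_), xmlSecNodeSignature, xmlSecDSigNs);
    if (!node) error("start node not found");

    xmlSecDSigCtxPtr dsigCtx = xmlSecDSigCtxCreate(mngr_);
    if (!dsigCtx) error("failed to create signature context");

    cout << "status before: " << dsigCtx->status << endl;
    // A negative return only means processing failed (malformed XML, no usable
    // key, ...). A return of 0 says nothing about the signature itself: the
    // verdict lives in dsigCtx->status and has to be checked explicitly. The
    // original printed the status but never acted on it and always returned 0.
    if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) error("signature verify error");
    cout << "status: " << dsigCtx->status << endl;
    //xmlSecDSigCtxDebugDump(dsigCtx, stdout);

    // NOTE(review): a status value outside the xmlSecDSigStatus enum after a
    // successful call usually points at the headers this file was compiled
    // against disagreeing with the linked xmlsec library on the xmlSecDSigCtx
    // layout -- confirm the two match before chasing anything else.
    const int status = (dsigCtx->status == xmlSecDSigStatusSucceeded) ? EXIT_SUCCESS : EXIT_FAILURE;
    if (status != EXIT_SUCCESS) cout << "signature is INVALID" << endl;

    // Release in reverse order of acquisition; the original leaked all of these.
    xmlSecDSigCtxDestroy(dsigCtx);
    xmlFreeDoc(doc_);
    xmlSecKeysMngrDestroy(mngr_);
    xmlSecCryptoShutdown();
    xmlSecCryptoAppShutdown();
    xmlSecShutdown();
#ifndef XMLSEC_NO_XSLT
    xsltCleanupGlobals();
#endif
    xmlCleanupParser();

    return status;
}

/**
 * Register the Response element's ResponseID attribute as an XML ID so that a
 * same-document Reference (URI="#...") inside the signature can be resolved;
 * this is the programmatic counterpart of `--id-attr:ResponseID ...` on the
 * xmlsec1 command line.
 *
 * @param doc parsed SAML document with a root element.
 * Calls error() (which exits) when the element or attribute is missing.
 */
void set_id(xmlDocPtr doc) {
    using namespace std;

    xmlNodePtr node = xmlSecFindNode(
        xmlDocGetRootElement(doc),
        BAD_CAST "Response",
        BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
    // The original dereferenced node unconditionally; a document without the
    // Response element crashed here instead of reporting the problem.
    if (!node) error("Response element not found");
    cout << "element name: " << node->name << endl;

    xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
    if (!attr) error("attribute not found");
    cout << "attribute name: " << attr->name << endl;

    xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
    if (!value) error("xmlNodeListGetString");
    cout << "value: " << value << endl;

    if (xmlGetID(node->doc, value)) {
        cout << "id already registered" << endl;
    } else {
        // libxml2's xmlAddID() stores its own copy of the id string (xmlStrdup),
        // so `value` is ours to free on every path.
        xmlIDPtr id = xmlAddID(NULL, doc, value, attr);
        if (!id) {
            xmlFree(value);
            error("xmlAddID error");
        }
        cout << "id added" << endl;
    }
    xmlFree(value);  // was commented out in the original and leaked on success
}

/**
 * Print a diagnostic and terminate the process.
 *
 * Exits with EXIT_FAILURE: the original used exit(0), which made every
 * failure path -- including a failed signature verification -- report
 * success to whatever launched the program.
 *
 * @param e message to print before exiting.
 */
void error(const char *e) {
    std::cout << e << std::endl;
    std::cout << "exiting" << std::endl;
    exit(EXIT_FAILURE);
}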