[xmlsec] Encrypt and Decrypt

Doug Royer xmlsec@aleksey.com
Sun, 26 Jan 2003 12:44:50 -0700



Aleksey Sanin wrote:
> Hi, Doug!
>
> One of the warnings (about key origin) you get during encryption could be
> safely ignored and another one (doc != NULL) was already fixed in CVS but it
> also should not cause problems. Bottom line, you should have a valid encrypted
> document on stdout as the result.

Thanks.

This makes my application look busted. I have looked at the source and
I can not find a way to turn the warning off. Is there a way?

What do I point CVSROOT at to get the correct CVS tree?

I am not a CVS expert, so I tried:

	cvs update -d -P -j XMLSEC_0_0_X_BRANCH xmlsec
	
However when I try to build the results I get:


  (RedHat-8.0)
  ./autogen.sh
  ...
  checking for gcc... gcc
  checking for C compiler default output... a.out
  checking whether the C compiler works... yes
  checking whether we are cross compiling... no
  ...
  ...
  checking for LibXML2 libraries >= 2.4.24... yes ('2.5.1')
  checking for LibXSLT libraries >= 1.0.20... yes ('1.0.24')
  checking for NSS libraries >= 0.0.0... no
  checking for OpenSSL libraries >= 0.9.6... yes ('0.9.7' )
  checking for SHA1 support... yes
  checking for RIPEMD-160 support... yes
  checking for HMAC support... yes
  checking for DSA support... yes
  checking for RSA support... yes
  checking for DES support... yes
  checking for AES support... yes
  checking for X509 support... yes
  checking for PGP support... no
  checking for XMLDSig support... yes
  checking for XMLEnc support... yes
  checking for Simple Keys Manager testing... yes
  checking for pedantic compilation... ./configure: line 10109: syntax error near unexpected token `<<<'
  ./configure: line 10109: `<<<<<<< configure.in'



	
> However, decryption fails because decrypted session DES key is NULL.
> The big surprise to me is that you could not decrypt the test.xml file
> from the package as well. I am really puzzled.
>
> Can you please run 'make check' in the top level xmlsec folder, please?
> It will be great to do this when xmlsec is compiled with OpenSSL 0.9.7
> because 0.9.6 misses some features and half of the tests will fail because
> of it. The expected results are:
>
> OK for positive tests and FAIL for negative tests.

(From the configurable 0.0.11 tree == NOT - XMLSEC_0_0_X_BRANCH)

The only failure is at the end of the run:

   # make check
    ...
    --------- Negative Testing: Following tests MUST FAIL ----------
     --- detailed log is written to  /tmp/testEnc.20030126_121627-871.log
     01-phaos-xmlenc-3/bad-alg-enc-element-aes128-kw-3des
     Decrypt existing document                             Error
     --- testEnc finished

Yet the log file has three (or five) failures (from the logs I cannot tell
which fails, the text after 'failed:' or the text before 'failed:'
or both):

    ../apps/xmlsec decrypt --privkey ../tests/merlin-xmlenc-five/rsapriv.pem
    ../tests/merlin-xmlenc-five/encrypt-element-aes128-cbc-rsa-1_5.xml
    xmlSecX509StoreVerify (x509.c:1090): error 41: cert verification failed :
    error=20 (unable to get local issuer certificate)
    xmlSecX509DataNodeRead (keyinfo.c:1196): error 41: cert verification
    failed:
    ../apps/xmlsec encrypt --keys ../tests/merlin-xmlenc-five/keys.xml
    --session-key-aes128 --privkey ../tests/merlin-xmlenc-five/rsapriv.pem
    --xml ../tests/merlin-xmlenc-five/encrypt-element-aes128-cbc-rsa-1_5.data
    --node-id Purchase
    ../tests/merlin-xmlenc-five/encrypt-element-aes128-cbc-rsa-1_5.tmpl
    ../apps/xmlsec decrypt --privkey ../tests/merlin-xmlenc-five/rsapriv.pem
    /tmp/testEnc.20030126_121627-871.tmp


    ../apps/xmlsec decrypt --privkey ../tests/merlin-xmlenc-five/rsapriv.pem
    ../tests/merlin-xmlenc-five/encrypt-data-tripledes-cbc-rsa-oaep-mgf1p.xml
    xmlSecX509StoreVerify (x509.c:1090): error 41: cert verification failed :
    error=20 (unable to get local issuer certificate)
    xmlSecX509DataNodeRead (keyinfo.c:1196): error 41: cert verification
    failed:
    ../apps/xmlsec encrypt --keys ../tests/merlin-xmlenc-five/keys.xml
    --session-key-des3 --privkey ../tests/merlin-xmlenc-five/rsapriv.pem
    --binary
    ../tests/merlin-xmlenc-five/encrypt-data-tripledes-cbc-rsa-oaep-mgf1p.data
    ../tests/merlin-xmlenc-five/encrypt-data-tripledes-cbc-rsa-oaep-mgf1p.tmpl

    ../apps/xmlsec decrypt --keys ../tests/01-phaos-xmlenc-3/keys.xml
    ../tests/01-phaos-xmlenc-3/bad-alg-enc-element-aes128-kw-3des.xml
    xmlSecEvpCipherFinal (ciphers.c:454): error 3: crypto operation failed :
    EVP_DecryptFinal - 0
    xmlSecCipherTransformFlush (ciphers.c:316): error 2: xmlsec
    operation failed : xmlSecCipherFinal - -1
    xmlSecCipherTransformFlush (ciphers.c:335): error 2: xmlsec
    operation failed : xmlSecBinTransformFlush - -1
    xmlSecCipherValueNodeRead (xmlenc.c:1758): error 2: xmlsec
    operation failed : xmlSecBinTransformWFlush - -1
    xmlSecCipherDataNodeRead (xmlenc.c:1614): error 2: xmlsec operation
    failed : xmlSecCipherValueNodeRead - -1
    xmlSecDecrypt (xmlenc.c:1036): error 2: xmlsec operation failed :
    xmlSecCipherDataNodeRead - -1
    Error: xmlSecDecrypt() failed
    Error: operation failed
    --- testEnc finished


> If it's not the case then I would suspect libraries mismatch.
> Check 'xmlsec-config --cflags' and 'xmlsec-config --libs' output
> and make sure that it matches your expectation (especially about
> OpenSSL!).

They look valid:

	# xml2-config -cflags (--version == 2.5.1)
	-I/usr/local/try1/include/libxml2

	# xslt-config --cflags (--version == 1.0.24)
	-I/usr/local/try1/include -I/usr/local/try1/include/libxml2

	# xslt-config --cflags
	-I/usr/local/try1/include/xmlsec -I/usr/local/try1/include/libxml2

	# xmlsec-config --libs (--version == 0.0.11)
	-L/usr/local/try1/lib -Wl,-rpath=/usr/local/try1/lib
	-lxmlsec -lxslt -lxml2 -lz -liconv -lm -lcrypto


Notes:
	(1) OPENSSL is not in the flags for xmlsec-config
	    --libs or --cflags. It is also not in xmlsec-config.in
	    in the XMLSEC_0_0_X_BRANCH.

	(2) I added '-Wl,-rpath...' to xmlsec-config to ensure
	    that I got the correct libraries at run time and
	    not the system libraries. I did the same for xml2-config
	    and xslt-config.

	(3) I had to remove -static from the 'doc/examples' makefiles
	    because my system only has shared objects for -liconv
	    (no libiconv.a).


An 'ldd' of xmlsec produced what I expected:

         libcrypto.so.0.9.7 => /usr/local/try1/lib/libcrypto.so.0.9.7 (0x40013000)
         libxslt.so.1 => /usr/local/try1/lib/libxslt.so.1 (0x4010c000)
         libxml2.so.2 => /usr/local/try1/lib/libxml2.so.2 (0x40135000)
         libz.so.1 => /usr/lib/libz.so.1 (0x4020c000)
         libiconv.so.2 => /usr/local/lib/libiconv.so.2 (0x4021a000)
         libm.so.6 => /lib/i686/libm.so.6 (0x402ef000)
         libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
         libdl.so.2 => /lib/libdl.so.2 (0x40312000)
         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

And ./enc2 rsakey.pem test.xml, produces:
  (ciphers.c:445): error 19: invalid data : padding is greater than buffer
  (ciphers.c:316): error 2: xmlsec operation failed : xmlSecCipherFinal - -1
  (ciphers.c:335): error 2: xmlsec operation failed : xmlSecBinTransformFlush - -1
  (xmlenc.c:1758): error 2: xmlsec operation failed : xmlSecBinTransformWFlush - -1
  (xmlenc.c:1614): error 2: xmlsec operation failed : xmlSecCipherValueNodeRead - -1
  (xmlenc.c:1036): error 2: xmlsec operation failed : xmlSecCipherDataNodeRead - -1
Error: decryption failed


-- 

  Doug Royer                     |   http://INET-Consulting.com
  -------------------------------|-----------------------------
  Doug@Royer.com                 | Office: (208)612-INET
  http://Royer.com/People/Doug   |    Fax: (866)594-8574
                                 |   Cell: (208)520-4044

                 We Do Standards - You Need Standards
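
Added example (not part of the original message and not xmlsec project code): one way to automate the library-origin check discussed above, reading `ldd` output and reporting whether each watched library resolves under the expected install prefix. The function names and the choice of watched libraries are assumptions; the sample lines are copied from the ldd listing in the message, with the wrapped first line rejoined.

```shell
# Added example, not xmlsec code. Function names are hypothetical.

# sample_ldd: the ldd listing quoted in the message, used as offline input.
sample_ldd() {
    cat <<'EOF'
        libcrypto.so.0.9.7 => /usr/local/try1/lib/libcrypto.so.0.9.7 (0x40013000)
        libxslt.so.1 => /usr/local/try1/lib/libxslt.so.1 (0x4010c000)
        libxml2.so.2 => /usr/local/try1/lib/libxml2.so.2 (0x40135000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4020c000)
        libiconv.so.2 => /usr/local/lib/libiconv.so.2 (0x4021a000)
        libm.so.6 => /lib/i686/libm.so.6 (0x402ef000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        libdl.so.2 => /lib/libdl.so.2 (0x40312000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
EOF
}

# check_lib_origin PREFIX LIB...
# Reads ldd output on stdin. For each watched library (short name, e.g.
# "libcrypto") prints one of:
#   OK <lib> <path>       resolved under PREFIX
#   OUTSIDE <lib> <path>  resolved somewhere else (possible mismatch)
#   MISSING <lib>         not linked at all, or reported "not found"
# Exit status is 0 only when every watched library is OK.
check_lib_origin() {
    prefix=$1
    shift
    awk -v prefix="$prefix" -v watched="$*" '
    BEGIN {
        n = split(watched, w, " ")
        for (i = 1; i <= n; i++) want[w[i]] = 1
    }
    $2 == "=>" {
        name = $1
        sub(/\.so.*/, "", name)      # libcrypto.so.0.9.7 -> libcrypto
        if (!(name in want)) next
        seen[name] = 1
        if ($3 == "not") { print "MISSING " name; bad = 1; next }
        if (index($3, prefix "/") == 1) { print "OK " name " " $3 }
        else { print "OUTSIDE " name " " $3; bad = 1 }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(w[i] in seen)) { print "MISSING " w[i]; bad = 1 }
        exit bad + 0
    }'
}

# Demo on the sample listing; on a live system pipe `ldd ./apps/xmlsec` instead.
sample_ldd | check_lib_origin /usr/local/try1 libcrypto libxml2 libxslt libiconv ||
    echo "at least one watched library is not loaded from /usr/local/try1"
```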
