[xmlsec] nssdb problems ... still : (
Ed Shallow
ed.shallow at rogers.com
Thu Sep 22 21:51:06 PDT 2005
Hi Aleksey,
I thought I had this crypto nss problem licked until I did a clean
install on a fresh Fedora Core 4 machine today.
- all pre-requisite packages are already on Fedora Core 4 for preparation of xmlsec
- installed xmlsec1-1.2.9 from source without problems; I used only the --without-gnutls and --without-openssl configure options, no problem
- make, make install, make check looked great ... most tests pass as explained in the nss doc
- problem is there are no tests for operations against loaded cert8.db and key3.db (i.e. nssdb) to check your install with
Here are 2 working and 1 failing command line tests:
1) xmlsec1 sign --crypto-config xmlsec-crypto-config --pkcs12 keys/nss/rsakey.p12 --pwd secret --enabled-key-data key-name --output inout/edsign-enveloped.xml tmpl/signing/tmpl-sign-enveloped.xml
2) xmlsec1 verify --store-references --trusted-der keys/nss/cacert.der inout/edsign-enveloped.xml
3) xmlsec1 sign --crypto-config xmlsec-crypto-config-test --output inout/edsign-enveloped-keyname.xml tmpl/signing/tmpl-sign-enveloped-keyname.xml
1) and 2) above work fine with pkcs#12 based keys, but as soon as I
switch to the nssdb-resident equivalent I am unsuccessful.
The template is fairly straightforward, with simply a <KeyName>TestRsaKey</KeyName> in the <KeyInfo>.
This is what I get:
[root at localhost bin]# xmlsec.sh
---
PATH=/usr/local/bin:/usr/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
---
LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:/usr/local/src/xmlsec1-1.2.9/src/nss/.libs
Press any key to continue with next XMLSec operation
... about to execute sign with nssdb operation
/usr/local/bin/xmlsec.sh: line 21: 7151 Segmentation fault xmlsec1 sign --crypto-config xmlsec-crypto-config-test --output inout/edsign-enveloped-keyname.xml tmpl/signing/tmpl-sign-enveloped-keyname.xml
Press any key to continue with next XMLSec operation
However, if I include the --enabled-key-data x509 option (instead of
key-name) on the sign I get:
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
library function failed: ;last nss error=0 (0x00000000)
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
is not found: ;last nss error=0 (0x00000000)
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
library function failed: ;last nss error=0 (0x00000000)
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
library function failed: ;last nss error=0 (0x00000000)
Error: signature failed
Error: failed to sign file
"tmpl/signing/tmpl-EPM-sign-enveloped-keyname.xml"
Leaving out the --enabled-key-data option also produces the segmentation fault.
As with yesterday, I am verifying nssdb content with Firefox which
imports and presents certs/keys without problems. I am hoping to use
Firefox as my cert/key admin tool.
Any insight to get me examining the right areas would be appreciated.
Thanks again,
Ed
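The post notes that there is no test for operations against a loaded cert8.db/key3.db. The script below is an added example, not part of Ed's message or of the xmlsec project: a pre-flight check that the directory handed to xmlsec1 --crypto-config actually holds the legacy NSS database files and, when certutil is on PATH, a certificate under the nickname the template's <KeyName> refers to. The function name nssdb_check, the assumption that the NSS database lives directly in the --crypto-config directory, and the use of certutil are this example's own choices. Running the check first separates "database not found or unreadable" from "key name not in the database" before xmlsec1 ever touches NSS.

```shell
#!/bin/sh
# Added example (not from the original post or the xmlsec project).
# Pre-flight check for the NSS database directory used with xmlsec1 --crypto-config.
# Assumption: the legacy NSS database (cert8.db, key3.db, secmod.db) sits directly
# in that directory, which is what the post's layout suggests.

# nssdb_check DIR [NICKNAME]
# Returns 0 when DIR contains readable cert8.db, key3.db and secmod.db and, if
# NICKNAME is given and certutil is available, a certificate with that nickname.
# Returns 1 otherwise, with a reason on stderr.
nssdb_check() {
    dir=$1
    nick=${2:-}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "nssdb_check: $dir is not a directory" >&2
        return 1
    fi
    for f in cert8.db key3.db secmod.db; do
        if [ ! -r "$dir/$f" ]; then
            echo "nssdb_check: missing or unreadable $dir/$f" >&2
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ] && [ -n "$nick" ] && command -v certutil >/dev/null 2>&1; then
        # certutil -L -n lists one certificate by nickname; newer NSS releases may
        # need "dbm:$dir" to open the cert8/key3 format instead of the sqlite one.
        if ! certutil -L -d "$dir" -n "$nick" >/dev/null 2>&1; then
            echo "nssdb_check: no certificate with nickname '$nick' in $dir" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Usage: ./nssdb_check.sh <crypto-config-dir> [key-nickname]
# e.g.   ./nssdb_check.sh xmlsec-crypto-config-test TestRsaKey
if [ "$#" -gt 0 ]; then
    nssdb_check "$@"
fi
```

Run it before the failing sign command, for example as `nssdb_check xmlsec-crypto-config-test TestRsaKey && xmlsec1 sign --crypto-config xmlsec-crypto-config-test ...`, so a missing key3.db or a wrong nickname is reported as such rather than surfacing as "key is not found" or a crash inside the NSS backend.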