[xmlsec] corrupt context after verify call
Erik Smith
cruisercoder at gmail.com
Wed Oct 13 07:32:06 PDT 2010
xmlsec output:
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: -1
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Certificate:
==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
==== Issuer Serial: 4CAB2D3B
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature (href=
http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="
http://www.w3.org/2001/XMLSchema" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1" MinorVersion="1"
Recipient="http://amgr.emdeon.com"
ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode
Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
IssueInstant="2010-10-06T16:15:38.906Z" Issuer="http://access.emdeon.com"
MajorVersion="1" MinorVersion="1"><Conditions
NotBefore="2010-10-06T21:15:38.905Z"
NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement
AuthenticationInstant="2010-10-06T16:15:38.906Z"
AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
== PreDigest data - end buffer
== Manifest References List:
=== list size: 0
On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> What is the output of the xmlsec1 command?
>
> Aleksey
>
>
> On 10/12/10 11:36 PM, Erik Smith wrote:
>
>> After I call xmlSecDSigCtxVerify, the status in the contex is corrupted
>> with a large number. However xmlsec1 reports validation as OK.
>>
>> xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references
>> --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response
>> /saml.xml
>>
>> Also xmlSecDSigCtxDebugDump output is exactly the same for xmlsec1 and
>> my program.
>>
>> I've reduced the code down to what is below and I'm having trouble
>> seeing what could be wrong.
>>
>> libxml version: 2.6.27
>> xmlsec version: 1.2.11
>>
>> Thanks for any help.
>>
>>
>>
>> #include <iostream>
>> #include <xmlsec/xmltree.h>
>> #include <xmlsec/xmldsig.h>
>> #include <xmlsec/crypto.h>
>> #include <xmlsec/errors.h>
>>
>> #ifndef XMLSEC_NO_XSLT
>> #include <libxslt/xslt.h>
>> #endif
>>
>> void error(const char *);
>>
>> int main(int argc, char **argv) {
>> using namespace std;
>> int status(0);
>>
>> xmlSecKeysMngrPtr mngr_;
>> xmlSecDSigCtxPtr dsigCtx;
>> xmlDocPtr doc_;
>>
>> cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
>> cout << "xmlsec version: " << XMLSEC_VERSION << endl;
>>
>> xmlInitParser();
>> LIBXML_TEST_VERSION;
>> xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>> xmlSubstituteEntitiesDefault(1);
>>
>> #ifndef XMLSEC_NO_XSLT
>> xmlIndentTreeOutput = 1;
>> #endif
>> // Init xmlsec library
>> if (xmlSecInit() < 0) error("xmlSecInit");
>> if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
>>
>> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>> if(xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
>> error("xmlSecCryptoDLLoadLibrary");
>> #endif
>>
>> if(xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto
>> initialization failed.");
>> if(xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto
>> initialization failed.");
>>
>> mngr_ = xmlSecKeysMngrCreate();
>> if (!mngr_) error("bad");
>>
>> if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad");
>>
>> xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
>> xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL,
>> NULL, NULL);
>> if (!key) error("key load error");
>>
>> if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0)
>> error("could not add key");
>>
>> doc_ = xmlParseFile("saml.xml");
>> if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");
>>
>> set_id(doc_);
>>
>> xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_),
>> xmlSecNodeSignature, xmlSecDSigNs);
>> if (!node) error("start node not found");
>>
>> dsigCtx = xmlSecDSigCtxCreate(mngr_);
>> if (!dsigCtx) error("failed to create signature context");
>>
>> std::cout << "status before: " << dsigCtx->status << std::endl;
>> if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) error("signature verify
>> error");
>> std::cout << "status: " << dsigCtx->status << std::endl;
>> //xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>>
>> return status;
>> }
>>
>> void set_id(xmlDocPtr doc) {
>> using namespace std;
>>
>> xmlNodePtr node = xmlSecFindNode(
>> xmlDocGetRootElement(doc),
>> BAD_CAST "Response",
>> BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
>>
>> cout << "element name: " << node->name<< endl;
>> xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
>> if (!attr) error("attribute not found");
>> cout << "attribute name: " << attr->name<< endl;
>>
>> xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
>> if (!value) error("xmlNodeListGetString");
>> cout << "value: " << value << endl;
>>
>> xmlAttrPtr tmp(xmlGetID(node->doc, value));
>> if (tmp) {
>> cout << "id already registered" << endl;
>> } else {
>> xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST value, attr);
>> if (!id) {
>> xmlFree(value); // fix
>> error("xmlAddID error");
>> }
>> cout << "id added" << endl;
>> }
>>
>> //xmlFree(value); // fix
>> }
>>
>> void error(const char *e) {
>> std::cout << e << std::endl;
>> std::cout << "exiting" << std::endl;
>> exit(0);
>> }
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20101013/f9443435/attachment-0001.html>
More information about the xmlsec
mailing list