[xmlsec] corrupt context after verify call
Erik Smith
cruisercoder at gmail.com
Wed Oct 13 14:31:02 PDT 2010
It looks like the open SSL Dir issue was a bad library interaction. So I
made sure all relavant libs were up-to-date and dynamically loaded.
libxml version: 2.7.7
xmlsec version: 1.2.16
libxslt version: 1.1.26
When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not found",
which I think has to do with it looking for a cert as a key in the document.
I had tried this to address the open SSL Dir issue which appears to have
been resolve as stated above.
Going back to
xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey as it is
seen originally in the code below gets me back to the same error with the
corrupted status:
status before xmlSecDSigCtxVerify: 0
status after xmlSecDSigCtxVerify: 5361840
compilation is simple:
export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH
g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare -Wno-unused
-m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I.
-I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1
g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1
-lxmlsec1-openssl -m64
erik
On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> It might be hard coded from OpenSSL during compilation
>
>
> On 10/13/10 12:11 PM, Erik Smith wrote:
>
>> The same code run on the earlier library versions did not have this
>> issue (see code below). Do I need to specify a directory if I'm just
>> loading a cert in a manger?
>>
>> erik
>>
>> On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin <aleksey at aleksey.com
>> <mailto:aleksey at aleksey.com>> wrote:
>>
>> No changes, it is a part of xmlsec-openssl init process.
>>
>>
>> On 10/13/10 12:07 PM, Erik Smith wrote:
>>
>> I'm not specifying any directories in the code, only two files
>> in the
>> CWD. Did something change in recent version that requires a cert
>> directory for openssl?
>>
>> erik
>>
>> On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin
>> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>> wrote:
>>
>> The dir might not exists?
>>
>> Aleksey
>>
>>
>> On 10/13/10 10:56 AM, Erik Smith wrote:
>>
>> I rebuilt libxml, xmlsec, and libxslt to the latest and
>> I get an
>> x509
>> error for some reason. Any ideas on this?
>>
>> libxml version: 2.7.7
>> xmlsec version: 1.2.16
>> libxslt version: 1.1.26
>>
>>
>> func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto
>> library function failed:
>>
>>
>> func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec
>> library function failed:
>>
>>
>> func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec
>> library function failed:xmlSecOpenSSLX509StoreId
>>
>>
>> func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec
>> library function failed:
>>
>>
>>
>> 2010/10/13 Aleksey Sanin <aleksey at aleksey.com
>> <mailto:aleksey at aleksey.com>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
>>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>>
>>
>>
>> Sounds like you are compiling your application with
>> different flags
>> compared to xmlsec. Something like structure members
>> alignment
>> or debug vs. release.
>>
>> Aleksey
>>
>>
>> On 10/13/10 7:32 AM, Erik Smith wrote:
>>
>> xmlsec output:
>>
>> OK
>> SignedInfo References (ok/all): 1/1
>> Manifests References (ok/all): 0/0
>> = VERIFICATION CONTEXT
>> == Status: succeeded
>> == flags: 0x00000006
>> == flags2: 0x00000000
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0x00000002
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: exc-c14n
>> (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>> === Transform: rsa-sha1
>> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Signature Method:
>> === Transform: rsa-sha1
>> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> == Signature Key:
>> == KEY
>> === method: RSAKeyValue
>> === key type: Public
>> === key usage: -1
>> === rsa key: size = 1024
>> === list size: 1
>> === X509 Data:
>> ==== Certificate:
>> ==== Subject Name:
>>
>> /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>> ==== Issuer Name:
>>
>> /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>> ==== Issuer Serial: 4CAB2D3B
>> == SignedInfo References List:
>> === list size: 1
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI:
>> "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr:
>> #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
>> === Transform: xpointer
>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: enveloped-signature
>>
>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: exc-c14n
>> (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1
>> (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1
>> (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> IssueInstant="2010-10-06T21:15:38.906Z"
>> MajorVersion="1"
>> MinorVersion="1" Recipient="http://amgr.emdeon.com
>> "
>>
>>
>>
>> ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode
>>
>> Value="samlp:Success"></StatusCode></Status><Assertion
>> xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
>>
>> AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
>> IssueInstant="2010-10-06T16:15:38.906Z"
>> Issuer="http://access.emdeon.com" MajorVersion="1"
>> MinorVersion="1"><Conditions
>> NotBefore="2010-10-06T21:15:38.905Z"
>>
>>
>>
>> NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement
>> AuthenticationInstant="2010-10-06T16:15:38.906Z"
>>
>>
>>
>> AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
>> == PreDigest data - end buffer
>> == Manifest References List:
>> === list size: 0
>>
>>
>> On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin
>> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
>> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>>>
>> wrote:
>>
>> What is the output of the xmlsec1 command?
>>
>> Aleksey
>>
>>
>> On 10/12/10 11:36 PM, Erik Smith wrote:
>>
>> After I call xmlSecDSigCtxVerify, the
>> status in the
>> contex is
>> corrupted
>> with a large number. However xmlsec1
>> reports
>> validation as OK.
>>
>> xmlsec1 --verify --pubkey-cert-pem cert.crt
>> --store-references
>> --id-attr:ResponseID
>>
>> urn:oasis:names:tc:SAML:1.0:protocol:Response
>> /saml.xml
>>
>> Also xmlSecDSigCtxDebugDump output is
>> exactly
>> the same for
>> xmlsec1 and
>> my program.
>>
>> I've reduced the code down to what is
>> below and I'm
>> having trouble
>> seeing what could be wrong.
>>
>> libxml version: 2.6.27
>> xmlsec version: 1.2.11
>>
>> Thanks for any help.
>>
>>
>>
>> #include <iostream>
>> #include <xmlsec/xmltree.h>
>> #include <xmlsec/xmldsig.h>
>> #include <xmlsec/crypto.h>
>> #include <xmlsec/errors.h>
>>
>> #ifndef XMLSEC_NO_XSLT
>> #include <libxslt/xslt.h>
>> #endif
>>
>> void error(const char *);
>>
>> int main(int argc, char **argv) {
>> using namespace std;
>> int status(0);
>>
>> xmlSecKeysMngrPtr mngr_;
>> xmlSecDSigCtxPtr dsigCtx;
>> xmlDocPtr doc_;
>>
>> cout << "libxml version: " <<
>> LIBXML_DOTTED_VERSION
>> << endl;
>> cout << "xmlsec version: " <<
>> XMLSEC_VERSION << endl;
>>
>> xmlInitParser();
>> LIBXML_TEST_VERSION;
>> xmlLoadExtDtdDefaultValue =
>> XML_DETECT_IDS |
>> XML_COMPLETE_ATTRS;
>> xmlSubstituteEntitiesDefault(1);
>>
>> #ifndef XMLSEC_NO_XSLT
>> xmlIndentTreeOutput = 1;
>> #endif
>> // Init xmlsec library
>> if (xmlSecInit() < 0)
>> error("xmlSecInit");
>> if (xmlSecCheckVersion() != 1)
>> error("xmlSecCheckVersion");
>>
>> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>> if(xmlSecCryptoDLLoadLibrary(BAD_CAST
>> "openssl") < 0)
>> error("xmlSecCryptoDLLoadLibrary");
>> #endif
>>
>> if(xmlSecCryptoAppInit(NULL) < 0)
>> error("Error: crypto
>> initialization failed.");
>> if(xmlSecCryptoInit() < 0)
>> error("Error:
>> xmlsec-crypto
>> initialization failed.");
>>
>> mngr_ = xmlSecKeysMngrCreate();
>> if (!mngr_) error("bad");
>>
>> if
>> (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0)
>> error("bad");
>>
>> xmlSecKeyDataFormat
>> format(xmlSecKeyDataFormatCertPem);
>> xmlSecKeyPtr key =
>> xmlSecCryptoAppKeyLoad("cert.crt",
>> format, NULL,
>> NULL, NULL);
>> if (!key) error("key load error");
>>
>>
>> if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_,
>> key) < 0)
>> error("could not add key");
>>
>> doc_ = xmlParseFile("saml.xml");
>> if (!doc_ ||
>> !xmlDocGetRootElement(doc_))
>> error("bad");
>>
>> set_id(doc_);
>>
>> xmlNodePtr node =
>> xmlSecFindNode(xmlDocGetRootElement(doc_),
>> xmlSecNodeSignature, xmlSecDSigNs);
>> if (!node) error("start node not
>> found");
>>
>> dsigCtx = xmlSecDSigCtxCreate(mngr_);
>> if (!dsigCtx) error("failed to
>> create signature
>> context");
>>
>> std::cout << "status before: " <<
>> dsigCtx->status
>> << std::endl;
>> if (xmlSecDSigCtxVerify(dsigCtx,
>> node) < 0)
>> error("signature verify
>> error");
>> std::cout << "status: " <<
>> dsigCtx->status <<
>> std::endl;
>> //xmlSecDSigCtxDebugDump(dsigCtx,
>> stdout);
>>
>> return status;
>> }
>>
>> void set_id(xmlDocPtr doc) {
>> using namespace std;
>>
>> xmlNodePtr node = xmlSecFindNode(
>> xmlDocGetRootElement(doc),
>> BAD_CAST "Response",
>> BAD_CAST
>> "urn:oasis:names:tc:SAML:1.0:protocol");
>>
>> cout << "element name: " <<
>> node->name<< endl;
>> xmlAttrPtr attr = xmlHasProp(node,
>> BAD_CAST
>> "ResponseID");
>> if (!attr) error("attribute not
>> found");
>> cout << "attribute name: " <<
>> attr->name<<
>> endl;
>>
>> xmlChar *value =
>> xmlNodeListGetString(node->doc,
>> attr->children, 1);
>> if (!value)
>> error("xmlNodeListGetString");
>> cout << "value: " << value << endl;
>>
>> xmlAttrPtr tmp(xmlGetID(node->doc,
>> value));
>> if (tmp) {
>> cout << "id already registered"
>> << endl;
>> } else {
>> xmlIDPtr id = xmlAddID(NULL,
>> doc, BAD_CAST
>> value, attr);
>> if (!id) {
>> xmlFree(value); // fix
>> error("xmlAddID error");
>> }
>> cout << "id added" << endl;
>> }
>>
>> //xmlFree(value); // fix
>> }
>>
>> void error(const char *e) {
>> std::cout << e << std::endl;
>> std::cout << "exiting" << std::endl;
>> exit(0);
>> }
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
>> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>
>> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
>> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>>
>>
>>
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20101013/3d832613/attachment-0001.html>
More information about the xmlsec
mailing list