[xmlsec] corrupt context after verify call
Aleksey Sanin
aleksey at aleksey.com
Wed Oct 13 18:38:10 PDT 2010
Well, I have no idea how xmlsec was compiled.
Aleksey
On 10/13/10 2:31 PM, Erik Smith wrote:
> It looks like the open SSL Dir issue was a bad library interaction. So
> I made sure all relavant libs were up-to-date and dynamically loaded.
>
> libxml version: 2.7.7
> xmlsec version: 1.2.16
> libxslt version: 1.1.26
>
> When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not
> found", which I think has to do with it looking for a cert as a key in
> the document. I had tried this to address the open SSL Dir issue which
> appears to have been resolve as stated above.
>
> Going back to
> xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey as it is
> seen originally in the code below gets me back to the same error with
> the corrupted status:
>
> status before xmlSecDSigCtxVerify: 0
> status after xmlSecDSigCtxVerify: 5361840
>
> compilation is simple:
>
> export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH
>
> g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare
> -Wno-unused -m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I.
> -I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1
>
> g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1
> -lxmlsec1-openssl -m64
>
> erik
>
>
>
> On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>> wrote:
>
> It might be hard coded from OpenSSL during compilation
>
>
> On 10/13/10 12:11 PM, Erik Smith wrote:
>
> The same code run on the earlier library versions did not have this
> issue (see code below). Do I need to specify a directory if
> I'm just
> loading a cert in a manger?
>
> erik
>
> On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin
> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>> wrote:
>
> No changes, it is a part of xmlsec-openssl init process.
>
>
> On 10/13/10 12:07 PM, Erik Smith wrote:
>
> I'm not specifying any directories in the code, only two
> files
> in the
> CWD. Did something change in recent version that
> requires a cert
> directory for openssl?
>
> erik
>
> On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin
> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>> wrote:
>
> The dir might not exists?
>
> Aleksey
>
>
> On 10/13/10 10:56 AM, Erik Smith wrote:
>
> I rebuilt libxml, xmlsec, and libxslt to the
> latest and
> I get an
> x509
> error for some reason. Any ideas on this?
>
> libxml version: 2.7.7
> xmlsec version: 1.2.16
> libxslt version: 1.1.26
>
>
> func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto
> library function failed:
>
>
> func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec
> library function failed:
>
>
> func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec
> library function failed:xmlSecOpenSSLX509StoreId
>
>
> func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec
> library function failed:
>
>
>
> 2010/10/13 Aleksey Sanin <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>>>
>
>
> Sounds like you are compiling your
> application with
> different flags
> compared to xmlsec. Something like structure
> members
> alignment
> or debug vs. release.
>
> Aleksey
>
>
> On 10/13/10 7:32 AM, Erik Smith wrote:
>
> xmlsec output:
>
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: exc-c14n
>
> (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: rsa-sha1
>
> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1
>
> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key usage: -1
> === rsa key: size = 1024
> === list size: 1
> === X509 Data:
> ==== Certificate:
> ==== Subject Name:
>
> /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
> ==== Issuer Name:
>
> /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
> ==== Issuer Serial: 4CAB2D3B
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI:
> "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri:
> === uri xpointer expr:
>
> #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
> === Transform: xpointer
>
> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: enveloped-signature
>
>
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: exc-c14n
>
> (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1
> (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1
> (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> IssueInstant="2010-10-06T21:15:38.906Z"
> MajorVersion="1"
> MinorVersion="1"
> Recipient="http://amgr.emdeon.com"
>
>
>
> ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode
>
> Value="samlp:Success"></StatusCode></Status><Assertion
>
> xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
>
> AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
> IssueInstant="2010-10-06T16:15:38.906Z"
> Issuer="http://access.emdeon.com"
> MajorVersion="1"
> MinorVersion="1"><Conditions
> NotBefore="2010-10-06T21:15:38.905Z"
>
>
>
> NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement
>
> AuthenticationInstant="2010-10-06T16:15:38.906Z"
>
>
>
> AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
> == PreDigest data - end buffer
> == Manifest References List:
> === list size: 0
>
>
> On Wed, Oct 13, 2010 at 7:28 AM, Aleksey
> Sanin
> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>>>> wrote:
>
> What is the output of the xmlsec1
> command?
>
> Aleksey
>
>
> On 10/12/10 11:36 PM, Erik Smith wrote:
>
> After I call
> xmlSecDSigCtxVerify, the
> status in the
> contex is
> corrupted
> with a large number. However
> xmlsec1
> reports
> validation as OK.
>
> xmlsec1 --verify
> --pubkey-cert-pem cert.crt
> --store-references
> --id-attr:ResponseID
>
> urn:oasis:names:tc:SAML:1.0:protocol:Response
> /saml.xml
>
> Also xmlSecDSigCtxDebugDump
> output is
> exactly
> the same for
> xmlsec1 and
> my program.
>
> I've reduced the code down to
> what is
> below and I'm
> having trouble
> seeing what could be wrong.
>
> libxml version: 2.6.27
> xmlsec version: 1.2.11
>
> Thanks for any help.
>
>
>
> #include <iostream>
> #include <xmlsec/xmltree.h>
> #include <xmlsec/xmldsig.h>
> #include <xmlsec/crypto.h>
> #include <xmlsec/errors.h>
>
> #ifndef XMLSEC_NO_XSLT
> #include <libxslt/xslt.h>
> #endif
>
> void error(const char *);
>
> int main(int argc, char **argv) {
> using namespace std;
> int status(0);
>
> xmlSecKeysMngrPtr mngr_;
> xmlSecDSigCtxPtr dsigCtx;
> xmlDocPtr doc_;
>
> cout << "libxml version: " <<
> LIBXML_DOTTED_VERSION
> << endl;
> cout << "xmlsec version: " <<
> XMLSEC_VERSION << endl;
>
> xmlInitParser();
> LIBXML_TEST_VERSION;
> xmlLoadExtDtdDefaultValue =
> XML_DETECT_IDS |
> XML_COMPLETE_ATTRS;
>
> xmlSubstituteEntitiesDefault(1);
>
> #ifndef XMLSEC_NO_XSLT
> xmlIndentTreeOutput = 1;
> #endif
> // Init xmlsec library
> if (xmlSecInit() < 0)
> error("xmlSecInit");
> if (xmlSecCheckVersion() != 1)
> error("xmlSecCheckVersion");
>
> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>
> if(xmlSecCryptoDLLoadLibrary(BAD_CAST
> "openssl") < 0)
> error("xmlSecCryptoDLLoadLibrary");
> #endif
>
>
> if(xmlSecCryptoAppInit(NULL) < 0)
> error("Error: crypto
> initialization failed.");
> if(xmlSecCryptoInit() < 0)
> error("Error:
> xmlsec-crypto
> initialization failed.");
>
> mngr_ = xmlSecKeysMngrCreate();
> if (!mngr_) error("bad");
>
> if
> (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0)
> error("bad");
>
> xmlSecKeyDataFormat
> format(xmlSecKeyDataFormatCertPem);
> xmlSecKeyPtr key =
> xmlSecCryptoAppKeyLoad("cert.crt",
> format, NULL,
> NULL, NULL);
> if (!key) error("key load
> error");
>
>
> if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_,
> key) < 0)
> error("could not add key");
>
> doc_ =
> xmlParseFile("saml.xml");
> if (!doc_ ||
> !xmlDocGetRootElement(doc_))
> error("bad");
>
> set_id(doc_);
>
> xmlNodePtr node =
> xmlSecFindNode(xmlDocGetRootElement(doc_),
> xmlSecNodeSignature, xmlSecDSigNs);
> if (!node) error("start
> node not
> found");
>
> dsigCtx =
> xmlSecDSigCtxCreate(mngr_);
> if (!dsigCtx) error("failed to
> create signature
> context");
>
> std::cout << "status
> before: " <<
> dsigCtx->status
> << std::endl;
> if
> (xmlSecDSigCtxVerify(dsigCtx,
> node) < 0)
> error("signature verify
> error");
> std::cout << "status: " <<
> dsigCtx->status <<
> std::endl;
>
> //xmlSecDSigCtxDebugDump(dsigCtx,
> stdout);
>
> return status;
> }
>
> void set_id(xmlDocPtr doc) {
> using namespace std;
>
> xmlNodePtr node =
> xmlSecFindNode(
>
> xmlDocGetRootElement(doc),
> BAD_CAST "Response",
> BAD_CAST
> "urn:oasis:names:tc:SAML:1.0:protocol");
>
> cout << "element name: " <<
> node->name<< endl;
> xmlAttrPtr attr =
> xmlHasProp(node,
> BAD_CAST
> "ResponseID");
> if (!attr) error("attribute not
> found");
> cout << "attribute name: " <<
> attr->name<<
> endl;
>
> xmlChar *value =
> xmlNodeListGetString(node->doc,
> attr->children, 1);
> if (!value)
> error("xmlNodeListGetString");
> cout << "value: " << value
> << endl;
>
> xmlAttrPtr
> tmp(xmlGetID(node->doc,
> value));
> if (tmp) {
> cout << "id already
> registered"
> << endl;
> } else {
> xmlIDPtr id =
> xmlAddID(NULL,
> doc, BAD_CAST
> value, attr);
> if (!id) {
> xmlFree(value); // fix
> error("xmlAddID
> error");
> }
> cout << "id added" << endl;
> }
>
> //xmlFree(value); // fix
> }
>
> void error(const char *e) {
> std::cout << e << std::endl;
> std::cout << "exiting" <<
> std::endl;
> exit(0);
> }
>
>
>
>
>
>
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>>>
>
>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
>
>
>
More information about the xmlsec
mailing list