[xmlsec] corrupt context after verify call

Erik Smith cruisercoder at gmail.com
Wed Oct 13 19:04:19 PDT 2010


gcc -m64 -DHAVE_CONFIG_H -I. -I.. -DXMLSEC_CRYPTO=\"openssl\"
-DPACKAGE=\"xmlsec1\" -I../include -I../include
-D__XMLSEC_FUNCTION__=__FUNCTION__ -DXMLSEC_NO_SIZE_T -DXMLSEC_NO_GOST=1
-DXMLSEC_NO_XKMS=1 -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1
-DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 -I/usr/include/libxml2
-I/usr/include/libxml2        -g -O2 -MT xmlsec.o -MD -MP -MF
.deps/xmlsec.Tpo -c -o xmlsec.o xmlsec.c


On Wed, Oct 13, 2010 at 6:38 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> Well, I have no idea how xmlsec was compiled.
>
> Aleksey
>
>
> On 10/13/10 2:31 PM, Erik Smith wrote:
>
>> It looks like the OpenSSL Dir issue was a bad library interaction.  So
>> I made sure all relevant libs were up-to-date and dynamically loaded.
>>
>> libxml version: 2.7.7
>> xmlsec version: 1.2.16
>> libxslt version: 1.1.26
>>
>> When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not
>> found", which I think has to do with it looking for a cert as a key in
>> the document.  I had tried this to address the OpenSSL Dir issue which
>> appears to have been resolved as stated above.
>>
>> Going back to
>> xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey as it is
>> seen originally in the code below gets me back to the same error with
>> the corrupted status:
>>
>> status before xmlSecDSigCtxVerify: 0
>> status after xmlSecDSigCtxVerify: 5361840
>>
>> compilation is simple:
>>
>> export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH
>>
>> g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare
>> -Wno-unused -m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I.
>> -I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1
>>
>> g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1
>> -lxmlsec1-openssl -m64
>>
>> erik
>>
>>
>>
>> On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>    It might be hard coded from OpenSSL during compilation
>>
>>
>>    On 10/13/10 12:11 PM, Erik Smith wrote:
>>
>>        The same code run on the earlier library versions did not have this
>>        issue (see code below).  Do I need to specify a directory if I'm just
>>        loading a cert in a manager?
>>
>>        erik
>>
>>        On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>            No changes, it is a part of xmlsec-openssl init process.
>>
>>
>>            On 10/13/10 12:07 PM, Erik Smith wrote:
>>
>>                I'm not specifying any directories in the code, only two files
>>                in the CWD.  Did something change in a recent version that
>>                requires a cert directory for openssl?
>>
>>                erik
>>
>>                On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>                    The dir might not exist?
>>
>>                    Aleksey
>>
>>
>>                    On 10/13/10 10:56 AM, Erik Smith wrote:
>>
>>                        I rebuilt libxml, xmlsec, and libxslt to the latest and
>>                        I get an x509 error for some reason.  Any ideas on this?
>>
>>                        libxml version: 2.7.7
>>                        xmlsec version: 1.2.16
>>                        libxslt version: 1.1.26
>>
>>
>>
>>                        func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto library function failed:
>>                        func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec library function failed:
>>                        func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec library function failed:xmlSecOpenSSLX509StoreId
>>                        func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec library function failed:
>>
>>
>>
>>                        2010/10/13 Aleksey Sanin <aleksey at aleksey.com>
>>
>>
>>                            Sounds like you are compiling your application with
>>                            different flags compared to xmlsec. Something like
>>                            structure members alignment or debug vs. release.
>>
>>                            Aleksey
>>
>>
>>                            On 10/13/10 7:32 AM, Erik Smith wrote:
>>
>>                                xmlsec output:
>>
>>                                OK
>>                                SignedInfo References (ok/all): 1/1
>>                                Manifests References (ok/all): 0/0
>>                                = VERIFICATION CONTEXT
>>                                == Status: succeeded
>>                                == flags: 0x00000006
>>                                == flags2: 0x00000000
>>                                == Key Info Read Ctx:
>>                                = KEY INFO READ CONTEXT
>>                                == flags: 0x00000000
>>                                == flags2: 0x00000000
>>                                == enabled key data: all
>>                                == RetrievalMethod level (cur/max): 0/1
>>                                == TRANSFORMS CTX (status=0)
>>                                == flags: 0x00000000
>>                                == flags2: 0x00000000
>>                                == enabled transforms: all
>>                                === uri: NULL
>>                                === uri xpointer expr: NULL
>>                                == EncryptedKey level (cur/max): 0/1
>>                                === KeyReq:
>>                                ==== keyId: rsa
>>                                ==== keyType: 0x00000001
>>                                ==== keyUsage: 0x00000002
>>                                ==== keyBitsSize: 0
>>                                === list size: 0
>>                                == Key Info Write Ctx:
>>                                = KEY INFO WRITE CONTEXT
>>                                == flags: 0x00000000
>>                                == flags2: 0x00000000
>>                                == enabled key data: all
>>                                == RetrievalMethod level (cur/max): 0/1
>>                                == TRANSFORMS CTX (status=0)
>>                                == flags: 0x00000000
>>                                == flags2: 0x00000000
>>                                == enabled transforms: all
>>                                === uri: NULL
>>                                === uri xpointer expr: NULL
>>                                == EncryptedKey level (cur/max): 0/1
>>                                === KeyReq:
>>                                ==== keyId: NULL
>>                                ==== keyType: 0x00000001
>>                                ==== keyUsage: 0xffffffff
>>                                ==== keyBitsSize: 0
>>                                === list size: 0
>>                                == Signature Transform Ctx:
>>                                == TRANSFORMS CTX (status=2)
>>                                == flags: 0x00000000
>>                                == flags2: 0x00000000
>>                                == enabled transforms: all
>>                                === uri: NULL
>>                                === uri xpointer expr: NULL
>>                                === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>                                === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>                                === Transform: membuf-transform (href=NULL)
>>                                == Signature Method:
>>                                === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>                                == Signature Key:
>>                                == KEY
>>                                === method: RSAKeyValue
>>                                === key type: Public
>>                                === key usage: -1
>>                                === rsa key: size = 1024
>>                                === list size: 1
>>                                === X509 Data:
>>                                ==== Certificate:
>>                                ==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>>                                ==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>>                                ==== Issuer Serial: 4CAB2D3B
>>                                == SignedInfo References List:
>>                                === list size: 1
>>                                = REFERENCE VERIFICATION CONTEXT
>>                                == Status: succeeded
>>                                == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
>>                                == Reference Transform Ctx:
>>                                == TRANSFORMS CTX (status=2)
>>                                == flags: 0x00000000
>>                                == flags2: 0x00000000
>>                                == enabled transforms: all
>>                                === uri:
>>                                === uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
>>                                === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>                                === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>                                === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>                                === Transform: membuf-transform (href=NULL)
>>                                === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>                                === Transform: membuf-transform (href=NULL)
>>                                == Digest Method:
>>                                === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>                                == PreDigest data - start buffer:
>>                                <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>>                                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>>                                  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
>>                                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                                  IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1" MinorVersion="1"
>>                                  Recipient="http://amgr.emdeon.com"
>>                                  ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode
>>                                  Value="samlp:Success"></StatusCode></Status><Assertion
>>                                  xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
>>                                  AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
>>                                  IssueInstant="2010-10-06T16:15:38.906Z" Issuer="http://access.emdeon.com"
>>                                  MajorVersion="1" MinorVersion="1"><Conditions
>>                                  NotBefore="2010-10-06T21:15:38.905Z"
>>                                  NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement
>>                                  AuthenticationInstant="2010-10-06T16:15:38.906Z"
>>                                  AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
>>                                == PreDigest data - end buffer
>>                                == Manifest References List:
>>                                === list size: 0
>>
>>
>>                                On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>                                    What is the output of the xmlsec1 command?
>>
>>                                    Aleksey
>>
>>
>>                                    On 10/12/10 11:36 PM, Erik Smith wrote:
>>
>>                                        After I call xmlSecDSigCtxVerify, the status in the context is
>>                                        corrupted with a large number.  However xmlsec1 reports
>>                                        validation as OK.
>>
>>                                        xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references
>>                                        --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response
>>                                        /saml.xml
>>
>>                                        Also xmlSecDSigCtxDebugDump output is exactly the same for
>>                                        xmlsec1 and my program.
>>
>>                                        I've reduced the code down to what is below and I'm having
>>                                        trouble seeing what could be wrong.
>>
>>                                        libxml version: 2.6.27
>>                                        xmlsec version: 1.2.11
>>
>>                                        Thanks for any help.
>>
>>
>>
>>                                        #include <iostream>
>>                                        #include <cstdlib>
>>                                        #include <libxml/parser.h>
>>                                        #include <xmlsec/xmltree.h>
>>                                        #include <xmlsec/xmldsig.h>
>>                                        #include <xmlsec/crypto.h>
>>                                        #include <xmlsec/errors.h>
>>
>>                                        #ifndef XMLSEC_NO_XSLT
>>                                        #include <libxslt/xslt.h>
>>                                        #endif
>>
>>                                        void error(const char *);
>>                                        void set_id(xmlDocPtr);
>>
>>                                        int main(int argc, char **argv) {
>>                                            using namespace std;
>>                                            int status(0);
>>
>>                                            xmlSecKeysMngrPtr mngr_;
>>                                            xmlSecDSigCtxPtr dsigCtx;
>>                                            xmlDocPtr doc_;
>>
>>                                            cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
>>                                            cout << "xmlsec version: " << XMLSEC_VERSION << endl;
>>
>>                                            // Init libxml
>>                                            xmlInitParser();
>>                                            LIBXML_TEST_VERSION;
>>                                            xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>                                            xmlSubstituteEntitiesDefault(1);
>>
>>                                        #ifndef XMLSEC_NO_XSLT
>>                                            xmlIndentTreeOutput = 1;
>>                                        #endif
>>                                            // Init xmlsec library
>>                                            if (xmlSecInit() < 0) error("xmlSecInit");
>>                                            if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
>>
>>                                        #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>                                            if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
>>                                                error("xmlSecCryptoDLLoadLibrary");
>>                                        #endif
>>
>>                                            if (xmlSecCryptoAppInit(NULL) < 0)
>>                                                error("Error: crypto initialization failed.");
>>                                            if (xmlSecCryptoInit() < 0)
>>                                                error("Error: xmlsec-crypto initialization failed.");
>>
>>                                            // Keys manager holding the single verification cert
>>                                            mngr_ = xmlSecKeysMngrCreate();
>>                                            if (!mngr_) error("bad");
>>
>>                                            if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad");
>>
>>                                            xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
>>                                            xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format,
>>                                                                                      NULL, NULL, NULL);
>>                                            if (!key) error("key load error");
>>
>>                                            if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0)
>>                                                error("could not add key");
>>
>>                                            doc_ = xmlParseFile("saml.xml");
>>                                            if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");
>>
>>                                            // Register ResponseID as an ID attribute so the "#..." URI resolves
>>                                            set_id(doc_);
>>
>>                                            xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_),
>>                                                                             xmlSecNodeSignature, xmlSecDSigNs);
>>                                            if (!node) error("start node not found");
>>
>>                                            dsigCtx = xmlSecDSigCtxCreate(mngr_);
>>                                            if (!dsigCtx) error("failed to create signature context");
>>
>>                                            std::cout << "status before: " << dsigCtx->status << std::endl;
>>                                            if (xmlSecDSigCtxVerify(dsigCtx, node) < 0)
>>                                                error("signature verify error");
>>                                            std::cout << "status: " << dsigCtx->status << std::endl;
>>
>>                                            //xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>>
>>                                            return status;
>>                                        }
>>
>>                                        void set_id(xmlDocPtr doc) {
>>                                            using namespace std;
>>
>>                                            xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc),
>>                                                                             BAD_CAST "Response",
>>                                                                             BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
>>                                            if (!node) error("Response element not found");
>>
>>                                            cout << "element name: " << node->name << endl;
>>                                            xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
>>                                            if (!attr) error("attribute not found");
>>                                            cout << "attribute name: " << attr->name << endl;
>>
>>                                            xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
>>                                            if (!value) error("xmlNodeListGetString");
>>                                            cout << "value: " << value << endl;
>>
>>                                            // Only add the ID if libxml has not already registered it
>>                                            xmlAttrPtr tmp(xmlGetID(node->doc, value));
>>                                            if (tmp) {
>>                                                cout << "id already registered" << endl;
>>                                            } else {
>>                                                xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST value, attr);
>>                                                if (!id) {
>>                                                    xmlFree(value); // fix
>>                                                    error("xmlAddID error");
>>                                                }
>>                                                cout << "id added" << endl;
>>                                            }
>>
>>                                            //xmlFree(value); // fix
>>                                        }
>>
>>                                        void error(const char *e) {
>>                                            std::cout << e << std::endl;
>>                                            std::cout << "exiting" << std::endl;
>>                                            exit(0);
>>                                        }
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>                                        _______________________________________________
>>                                        xmlsec mailing list
>>                                        xmlsec at aleksey.com
>>                                        http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>
>>
>>
>>
>>
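Aleksey's diagnosis in the thread (application and library compiled with different flags, so structure members no longer line up) can be reproduced in miniature. The program below is an added example, not code from the thread or from xmlsec: it uses a constructed context struct, not xmlsec's real layout, whose size field is unsigned int in a build with -DXMLSEC_NO_SIZE_T (as in the gcc line at the top of this message) and size_t in a build without it, and shows that on an LP64 platform the application reads the status field from past the end of the object the library allocated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a context struct such as xmlSecDSigCtx.
 * This is NOT xmlsec's real layout; it only reproduces the mechanism:
 * one build sees the size type as unsigned int (-DXMLSEC_NO_SIZE_T),
 * the other as size_t, and every member after it shifts. */
typedef struct {
    unsigned int flags;
    unsigned int flags2;
    unsigned int refCount;   /* xmlSecSize in the -DXMLSEC_NO_SIZE_T build */
    int          status;
} lib_ctx_t;                 /* layout the library was compiled with */

typedef struct {
    unsigned int flags;
    unsigned int flags2;
    size_t       refCount;   /* xmlSecSize in a build without that define */
    int          status;
} app_ctx_t;                 /* layout the application believes in */

/* A union keeps both views properly aligned over the same bytes. The
 * spare bytes stand in for whatever the heap held after the library's
 * allocation; 0x51 is a constructed fill pattern. */
typedef union {
    unsigned char bytes[64];
    lib_ctx_t     lib;
    app_ctx_t     app;
} arena_t;

#define FILL_BYTE 0x51

size_t lib_status_offset(void) { return offsetof(lib_ctx_t, status); }
size_t app_status_offset(void) { return offsetof(app_ctx_t, status); }

/* 1 when both builds agree on the layout (true on ILP32, false on LP64). */
int layouts_agree(void)
{
    return sizeof(lib_ctx_t) == sizeof(app_ctx_t)
        && lib_status_offset() == app_status_offset();
}

/* The library side: set up its own view of the context and store a status
 * (the value 2 is constructed, standing in for an xmlsec status enum). */
static void library_init(arena_t *a, int status)
{
    memset(a->bytes, FILL_BYTE, sizeof a->bytes);
    a->lib.flags = 0;
    a->lib.flags2 = 0;
    a->lib.refCount = 1;
    a->lib.status = status;
}

/* What the library itself reads back: always the value it stored. */
int status_seen_by_library(int status)
{
    arena_t a;
    library_init(&a, status);
    return a.lib.status;
}

/* What an application built with the other layout reads: on LP64 its
 * status offset is 16, past the 16-byte library object, so it gets fill
 * bytes (0x51515151), much like the 5361840 reported in the thread. */
int status_seen_by_app(int status)
{
    arena_t a;
    library_init(&a, status);
    return a.app.status;
}

int main(void)
{
    printf("sizeof(size_t)=%zu  lib status @%zu  app status @%zu  agree=%d\n",
           sizeof(size_t), lib_status_offset(), app_status_offset(),
           layouts_agree());
    printf("status stored by library:   %d\n", status_seen_by_library(2));
    printf("status read by application: %d\n", status_seen_by_app(2));
    return 0;
}
```

A verifier that trusts such a mis-read field can report an outcome the library never produced, which is why an application should take its defines from the library's own build (xmlsec ships xmlsec1-config, whose --cflags output includes them) rather than from a hand-written command line.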