[xmlsec] corrupt context after verify call
Erik Smith
cruisercoder at gmail.com
Wed Oct 13 19:16:43 PDT 2010
The problem went away when I added -DXMLSEC_NO_SIZE_T to my build. I must
have missed some important details in the documentation about this...
erik
On Wed, Oct 13, 2010 at 7:04 PM, Erik Smith <cruisercoder at gmail.com> wrote:
> gcc -m64 -DHAVE_CONFIG_H -I. -I.. -DXMLSEC_CRYPTO=\"openssl\"
> -DPACKAGE=\"xmlsec1\" -I../include -I../include
> -D__XMLSEC_FUNCTION__=__FUNCTION__ -DXMLSEC_NO_SIZE_T -DXMLSEC_NO_GOST=1
> -DXMLSEC_NO_XKMS=1 -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1
> -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 -I/usr/include/libxml2
> -I/usr/include/libxml2 -g -O2 -MT xmlsec.o -MD -MP -MF
> .deps/xmlsec.Tpo -c -o xmlsec.o xmlsec.c
>
>
>> On Wed, Oct 13, 2010 at 6:38 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>> Well, I have no idea how xmlsec was compiled.
>>
>> Aleksey
>>
>>
>> On 10/13/10 2:31 PM, Erik Smith wrote:
>>
>>> It looks like the OpenSSL dir issue was a bad library interaction. So
>>> I made sure all relevant libs were up-to-date and dynamically loaded.
>>>
>>> libxml version: 2.7.7
>>> xmlsec version: 1.2.16
>>> libxslt version: 1.1.26
>>>
>>> When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not
>>> found", which I think has to do with it looking for a cert as a key in
>>> the document. I had tried this to address the OpenSSL dir issue, which
>>> appears to have been resolved as stated above.
>>>
>>> Going back to
>>> xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey as it is
>>> seen originally in the code below gets me back to the same error with
>>> the corrupted status:
>>>
>>> status before xmlSecDSigCtxVerify: 0
>>> status after xmlSecDSigCtxVerify: 5361840
>>>
>>> compilation is simple:
>>>
>>> export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH
>>>
>>> g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare
>>> -Wno-unused -m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I.
>>> -I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1
>>>
>>> g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1
>>> -lxmlsec1-openssl -m64
>>>
>>> erik
>>>
>>>
>>>
>>> On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>> It might be hard coded from OpenSSL during compilation
>>>
>>>
>>> On 10/13/10 12:11 PM, Erik Smith wrote:
>>>
>>> The same code run on the earlier library versions did not have this
>>> issue (see code below). Do I need to specify a directory if I'm just
>>> loading a cert in a manager?
>>>
>>> erik
>>>
>>> On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>> No changes, it is a part of xmlsec-openssl init process.
>>>
>>>
>>> On 10/13/10 12:07 PM, Erik Smith wrote:
>>>
>>> I'm not specifying any directories in the code, only two files in the
>>> CWD. Did something change in a recent version that requires a cert
>>> directory for openssl?
>>>
>>> erik
>>>
>>> On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>> The dir might not exist?
>>>
>>> Aleksey
>>>
>>>
>>> On 10/13/10 10:56 AM, Erik Smith wrote:
>>>
>>> I rebuilt libxml, xmlsec, and libxslt to the latest and I get an x509
>>> error for some reason. Any ideas on this?
>>>
>>> libxml version: 2.7.7
>>> xmlsec version: 1.2.16
>>> libxslt version: 1.1.26
>>>
>>> func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto library function failed:
>>> func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec library function failed:
>>> func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec library function failed:xmlSecOpenSSLX509StoreId
>>> func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec library function failed:
>>>
>>>
>>> 2010/10/13 Aleksey Sanin <aleksey at aleksey.com>
>>>
>>>
>>> Sounds like you are compiling your application with different flags
>>> compared to xmlsec. Something like structure members alignment or
>>> debug vs. release.
>>>
>>> Aleksey
>>>
>>>
>>> On 10/13/10 7:32 AM, Erik Smith wrote:
>>>
>>> xmlsec output:
>>>
>>> OK
>>> SignedInfo References (ok/all): 1/1
>>> Manifests References (ok/all): 0/0
>>> = VERIFICATION CONTEXT
>>> == Status: succeeded
>>> == flags: 0x00000006
>>> == flags2: 0x00000000
>>> == Key Info Read Ctx:
>>> = KEY INFO READ CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: rsa
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0x00000002
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> == Key Info Write Ctx:
>>> = KEY INFO WRITE CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: NULL
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0xffffffff
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> == Signature Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>> === Transform: membuf-transform (href=NULL)
>>> == Signature Method:
>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>> == Signature Key:
>>> == KEY
>>> === method: RSAKeyValue
>>> === key type: Public
>>> === key usage: -1
>>> === rsa key: size = 1024
>>> === list size: 1
>>> === X509 Data:
>>> ==== Certificate:
>>> ==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>>> ==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>>> ==== Issuer Serial: 4CAB2D3B
>>> == SignedInfo References List:
>>> === list size: 1
>>> = REFERENCE VERIFICATION CONTEXT
>>> == Status: succeeded
>>> == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
>>> == Reference Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri:
>>> === uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
>>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == PreDigest data - start buffer:
>>> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1" MinorVersion="1" Recipient="http://amgr.emdeon.com" ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761" IssueInstant="2010-10-06T16:15:38.906Z" Issuer="http://access.emdeon.com" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2010-10-06T21:15:38.905Z" NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement AuthenticationInstant="2010-10-06T16:15:38.906Z" AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
>>> == PreDigest data - end buffer
>>> == Manifest References List:
>>> === list size: 0
>>>
>>>
>>> On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>> What is the output of the xmlsec1 command?
>>>
>>> Aleksey
>>>
>>>
>>> On 10/12/10 11:36 PM, Erik Smith wrote:
>>>
>>> After I call xmlSecDSigCtxVerify, the status in the context is
>>> corrupted with a large number. However xmlsec1 reports validation as
>>> OK.
>>>
>>> xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references
>>> --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response
>>> /saml.xml
>>>
>>> Also xmlSecDSigCtxDebugDump output is exactly the same for xmlsec1 and
>>> my program.
>>>
>>> I've reduced the code down to what is below and I'm having trouble
>>> seeing what could be wrong.
>>>
>>> libxml version: 2.6.27
>>> xmlsec version: 1.2.11
>>>
>>> Thanks for any help.
>>>
>>>
>>>
>>> #include <iostream>
>>> #include <cstdlib>
>>>
>>> #include <libxml/parser.h>
>>> #include <libxml/tree.h>
>>> #include <libxml/valid.h>
>>>
>>> #include <xmlsec/xmlsec.h>
>>> #include <xmlsec/xmltree.h>
>>> #include <xmlsec/xmldsig.h>
>>> #include <xmlsec/app.h>
>>> #include <xmlsec/crypto.h>
>>> #include <xmlsec/errors.h>
>>>
>>> #ifndef XMLSEC_NO_XSLT
>>> #include <libxslt/xslt.h>
>>> #endif
>>>
>>> void error(const char *);
>>> void set_id(xmlDocPtr doc);
>>>
>>> int main(int argc, char **argv) {
>>>     using namespace std;
>>>     int status(0);
>>>
>>>     xmlSecKeysMngrPtr mngr_;
>>>     xmlSecDSigCtxPtr dsigCtx;
>>>     xmlDocPtr doc_;
>>>
>>>     cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
>>>     cout << "xmlsec version: " << XMLSEC_VERSION << endl;
>>>
>>>     xmlInitParser();
>>>     LIBXML_TEST_VERSION;
>>>     // libxml setup taken from the xmlsec examples; note that entity
>>>     // substitution is unsafe when the document comes from an untrusted party.
>>>     xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>>     xmlSubstituteEntitiesDefault(1);
>>> #ifndef XMLSEC_NO_XSLT
>>>     xmlIndentTreeOutput = 1;
>>> #endif
>>>
>>>     // Init xmlsec library
>>>     if (xmlSecInit() < 0) error("xmlSecInit");
>>>     if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
>>>
>>> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>>     if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
>>>         error("xmlSecCryptoDLLoadLibrary");
>>> #endif
>>>
>>>     if (xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto initialization failed.");
>>>     if (xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto initialization failed.");
>>>
>>>     mngr_ = xmlSecKeysMngrCreate();
>>>     if (!mngr_) error("bad");
>>>     if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad");
>>>
>>>     // Load the signer's certificate as a public key and hand it to the manager.
>>>     xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
>>>     xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, NULL, NULL);
>>>     if (!key) error("key load error");
>>>     if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0)
>>>         error("could not add key");
>>>
>>>     doc_ = xmlParseFile("saml.xml");
>>>     if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");
>>>
>>>     // Register ResponseID as an ID attribute so the "#Response-guid-..." reference resolves.
>>>     set_id(doc_);
>>>
>>>     xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_),
>>>                                      xmlSecNodeSignature, xmlSecDSigNs);
>>>     if (!node) error("start node not found");
>>>
>>>     dsigCtx = xmlSecDSigCtxCreate(mngr_);
>>>     if (!dsigCtx) error("failed to create signature context");
>>>
>>>     std::cout << "status before: " << dsigCtx->status << std::endl;
>>>     // A return of 0 only means processing finished; the verdict is in dsigCtx->status.
>>>     if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) error("signature verify error");
>>>     std::cout << "status: " << dsigCtx->status << std::endl;
>>>     status = (dsigCtx->status == xmlSecDSigStatusSucceeded) ? 0 : 1;
>>>
>>>     //xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>>>
>>>     xmlSecDSigCtxDestroy(dsigCtx);
>>>     xmlFreeDoc(doc_);
>>>     xmlSecKeysMngrDestroy(mngr_);
>>>     return status;
>>> }
>>>
>>> void set_id(xmlDocPtr doc) {
>>>     using namespace std;
>>>
>>>     xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc),
>>>                                      BAD_CAST "Response",
>>>                                      BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
>>>     if (!node) error("Response element not found");
>>>     cout << "element name: " << node->name << endl;
>>>
>>>     xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
>>>     if (!attr) error("attribute not found");
>>>     cout << "attribute name: " << attr->name << endl;
>>>
>>>     xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
>>>     if (!value) error("xmlNodeListGetString");
>>>     cout << "value: " << value << endl;
>>>
>>>     xmlAttrPtr tmp(xmlGetID(node->doc, value));
>>>     if (tmp) {
>>>         cout << "id already registered" << endl;
>>>     } else {
>>>         // xmlAddID copies the value, so it is safe to free it afterwards.
>>>         xmlIDPtr id = xmlAddID(NULL, doc, value, attr);
>>>         if (!id) {
>>>             xmlFree(value);
>>>             error("xmlAddID error");
>>>         }
>>>         cout << "id added" << endl;
>>>     }
>>>     xmlFree(value);
>>> }
>>>
>>> void error(const char *e) {
>>>     std::cout << e << std::endl;
>>>     std::cout << "exiting" << std::endl;
>>>     exit(EXIT_FAILURE);
>>> }
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>
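The 5361840 seen in the thread is what an ABI mismatch looks like from the application side. With -DXMLSEC_NO_SIZE_T, xmlsec/xmlsec.h defines xmlSecSize as unsigned int instead of size_t, so every structure that contains an xmlSecSize member (xmlSecDSigCtx among them) has a different size and different member offsets in an object compiled one way than in one compiled the other way. The program below is an added example, not code from the thread or from xmlsec: it uses a hypothetical, cut-down stand-in for the front of xmlSecDSigCtx (lib_ctx and app_ctx, with member names borrowed from the real struct but far fewer of them) and a constructed fake heap address, and shows how the application's read of status lands on the low half of a neighbouring pointer when the two sides disagree about the width of xmlSecSize.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Library" view: xmlsec built without -DXMLSEC_NO_SIZE_T, so xmlSecSize is size_t. */
typedef size_t lib_xmlSecSize;
/* "Application" view: the same header read with -DXMLSEC_NO_SIZE_T,
 * so xmlSecSize is unsigned int. */
typedef unsigned int app_xmlSecSize;

/* Hypothetical, much-shortened stand-in for the start of xmlSecDSigCtx:
 * a few flag words, two xmlSecSize counters, a pointer, then the status.
 * The real struct has many more members; only the mechanism matters here. */
typedef struct {
    void          *userData;
    unsigned int   flags;
    unsigned int   flags2;
    lib_xmlSecSize curRetrievalMethodLevel;
    lib_xmlSecSize maxRetrievalMethodLevel;
    void          *keysMngr;
    int            status;   /* xmlSecDSigStatusUnknown == 0 in the real enum */
} lib_ctx;

typedef struct {
    void          *userData;
    unsigned int   flags;
    unsigned int   flags2;
    app_xmlSecSize curRetrievalMethodLevel;
    app_xmlSecSize maxRetrievalMethodLevel;
    void          *keysMngr;
    int            status;
} app_ctx;

size_t lib_status_offset(void) { return offsetof(lib_ctx, status); }
size_t app_status_offset(void) { return offsetof(app_ctx, status); }

/* True on the usual 64-bit Linux targets (8-byte pointers and size_t,
 * 4-byte unsigned int, little-endian), where the numbers below apply. */
int is_lp64_little_endian(void) {
    unsigned int probe = 1;
    return sizeof(void *) == 8 && sizeof(size_t) == 8 && sizeof(unsigned int) == 4
        && *(unsigned char *)&probe == 1;
}

/* Fill the struct the way the library would (status = 0, i.e. Unknown), then read
 * the same bytes back through the application's idea of the layout. */
int status_as_seen_by_app(void) {
    lib_ctx lib;
    memset(&lib, 0, sizeof lib);
    lib.flags = 0x6;
    lib.maxRetrievalMethodLevel = 1;
    /* Constructed fake heap address: 0x51D0B0 == 5361840, the number from the thread. */
    lib.keysMngr = (void *)(uintptr_t)0x51D0B0u;
    lib.status = 0;

    app_ctx app;
    memcpy(&app, &lib, sizeof app);   /* sizeof(app_ctx) <= sizeof(lib_ctx) */
    return app.status;                /* on LP64/LE: low 32 bits of keysMngr */
}

int main(void) {
    printf("status offset: library %zu bytes, application %zu bytes\n",
           lib_status_offset(), app_status_offset());
    printf("library wrote status 0; application reads %d\n", status_as_seen_by_app());
    return 0;
}
```

The practical check is to take the compile flags from the installed library instead of guessing them: `xmlsec1-config --crypto=openssl --cflags` and `xmlsec1-config --crypto=openssl --libs` (or `pkg-config --cflags --libs xmlsec1-openssl`) emit the same XMLSEC_* defines the library was built with, which is what adding -DXMLSEC_NO_SIZE_T by hand achieved in this thread. The same mismatch also explains why xmlsec1, which is built with those flags, reported success while the application saw garbage.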