[xmlsec] Keys Manager Creation Failed
Aleksey Sanin
aleksey at aleksey.com
Thu Mar 6 09:17:45 PST 2014
This is exactly why there is this check in the configure.in :) The
question is why it didn't work in this case.
Aleksey
On 3/5/14, 2:15 PM, Dmitry Belyavsky wrote:
> Hello!
>
> Some time ago Redhat-based Linuxes did not support EC cryptography
> because of patent restrictions.
>
>
> On Wed, Mar 5, 2014 at 9:18 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> File a bug with redhat? Compile OpenSSL manually? xmlsec has a check
> if ecdsa is present:
>
> AC_EGREP_CPP(yes,[
> #include <openssl/opensslconf.h>
> #ifdef OPENSSL_NO_ECDSA
> yes
> #endif
> ],[
> OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DXMLSEC_NO_ECDSA=1"
> ])
> CPPFLAGS=$OLD_CPPFLAGS
>
> Not sure why it doesn't work on redhat
>
> Aleksey
>
> On 3/5/14, 9:12 AM, Derek Nutile wrote:
> > Thanks Aleksey,
> >
> > The openssl-devel package was missing. I installed it and ./configure
> > now finds OpenSSL, which is progress. However, it appears RedHat/Centos
> > based distributions do not include the ec or ecdsa.h header files.
> >
> > Error during make:
> > In file included from app.c:31:0:
> > ../../include/xmlsec/openssl/crypto.h:204:27: fatal error:
> > openssl/ecdsa.h: No such file or directory
> > compilation terminated.
> >
> > It appears these files have been dropped from these distributions due
> > to legal worries.
> >
> > Reference: https://bugzilla.redhat.com/show_bug.cgi?id=319901
> > Reference: https://bitcointalk.org/index.php?topic=9476.0
> >
> > Any suggestions?
> >
> > Thank you again,
> > Derek
> >
> >
> >
> > On Wed, Mar 5, 2014 at 8:44 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> >
> > I don't know, but I would check if you have openssl-devel package
> > installed
> >
> > Aleksey
> >
> > On 3/5/14, 6:29 AM, Derek Nutile wrote:
> > > Aleksey,
> > >
> > > In my last message, I asked if there was a compatibility issue with
> > > OpenSSL 1.x, but I just installed XMLSec on an Ubuntu system with
> > > OpenSSL 1.0.1 just fine. So I tried to compile XMLSec on a Centos
> > > machine with openssl 1.x and that also fails. To me, the common
> > > denominator is the distribution.
> > >
> > > How can I get XMLSec to compile with OpenSSL on a non-Debian linux?
> > > What am I missing?
> > >
> > >
> > > On Wed, Mar 5, 2014 at 4:50 AM, Derek Nutile <dereknutile at gmail.com> wrote:
> > >
> > > Aleksey,
> > >
> > > I cannot get the compiler to locate openssl.
> > >
> > > Running ./configure with no options has this in the logs:
> > > checking for OPENSSL... no
> > >
> > > Running ./configure --with-openssl=/usr/bin/openssl logs this:
> > > checking for openssl libraries >= 0.9.6... no
> > >
> > > Is it possible that xmlsec doesn't work with OpenSSL 1.0.1e? Do I
> > > have any other options?
> > >
> > > Thank you,
> > > Derek
> > >
> > >
> > >
> > > On Tue, Mar 4, 2014 at 10:40 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > >
> > > Yes, you might need to re-compile xmlsec. xmlsec-openssl is the default
> > > crypto engine thus ./configure probably just didn't find openssl for
> > > whatever reason. Run ./configure and look at the output and logs to
> > > figure out what is happening.
> > >
> > > Aleksey
> > >
> > > On 3/4/14, 10:09 AM, Derek Nutile wrote:
> > > > Thank you for your response Aleksey.
> > > >
> > > > How do I use OpenSSL instead of GCrypt? Do I recompile the xmlsec
> > > > source? I looked at the ./configure --help output and it's not clear to
> > > > me how to. Should I add ' --with-openssl=path'? Should I also use '
> > > > --without-gcrypt'?
> > > >
> > > >
> > > > On Tue, Mar 4, 2014 at 6:09 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > > >
> > > > Sounds like you are using GCrypt and it doesn't support PEM key format.
> > > > Try to use OpenSSL instead.
> > > >
> > > > Aleksey
> > > >
> > > > On 3/1/14, 1:43 PM, Derek Nutile wrote:
> > > > > Hello Aleksey,
> > > > >
> > > > > Hopefully you can help me. I'm implementing Django SAML
> > > > > (https://bitbucket.org/lgs/djangosaml2) in a project which relies on
> > > > > your XMLSec library. The application works flawlessly on my local
> > > > > development environment (Mac), but returns errors on my staging server,
> > > > > an Amazon EC2 instance. I'm struggling to isolate the issue. The
> > > > > exception that is generated in my SAML application is as follows:
> > > > >
> > > > > Exception:
> > > > > func=xmlSecGCryptAppKeyLoadMemory:file=app.c:line=248:obj=unknown:subj=unknown:error=17:invalid format:format=7
> > > > > func=xmlSecGCryptAppKeyLoad:file=app.c:line=176:obj=unknown:subj=xmlSecGCryptAppKeyLoadMemory:error=1:xmlsec library function failed:filename=/tmp/tmpZIPa5a.pem
> > > > > func=xmlSecAppCryptoSimpleKeysMngrKeyAndCertsLoad:file=crypto.c:line=118:obj=unknown:subj=xmlSecCryptoAppKeyLoad:error=1:xmlsec library function failed:uri=/tmp/tmpZIPa5a.pem
> > > > > Error: failed to load public key from "/tmp/tmpZIPa5a.pem".
> > > > > Error: keys manager creation failed
> > > > >
> > > > > I've installed XMLSec on the Amazon EC2 instance. To do so, I had to
> > > > > install from source. The first note is that I receive failures when
> > > > > running a "make check" as I reported here:
> > > > > https://bugzilla.gnome.org/show_bug.cgi?id=725279. That bug post has an
> > > > > attachment of the output, but the two main failures are:
> > > > >
> > > > > transform "rsa-1_5" and "rsa-oaep-mgf1p" not found
> > > > >
> > > > > My question is this: does this sound like a library issue (missing
> > > > > library or version mismatch)?
> > > > >
> > > > > You ask that I supply the following for a question or bug report:
> > > > > XMLSec version number (or the snapshot date):
> > > > > xmlsec version: xmlsec1 1.2.19 (gcrypt)
> > > > >
> > > > > The platform/compiler you are using:
> > > > > Amazon Linux AMI release 2013.09
> > > > > Kernel: 3.4.76-65.111.amzn1.x86_64
> > > > > gcc (GCC) 4.6.3 20120306 (Red Hat 4.6.3-2)
> > > > >
> > > > > The exact xmlsec utility command line:
> > > > > /usr/local/bin/xmlsec1
> > > > >
> > > > > All the files mentioned in this command line:
> > > > > ** I'm not sure how to list these?
> > > > >
> > > > > The xmlsec utility output:
> > > > > ** I don't know how to run the xmlsec utility
> > > > >
> > > > > Additional library information from the Amazon EC2 instance that may be
> > > > > important:
> > > > > libxml2.x86_64 version: 2.9.1-1.1.28.amzn1
> > > > > libxml2-devel.x86_64 version: 2.9.1-1.1.28.amzn1
> > > > > libxslt.x86_64 version: 1.1.26-2.7.amzn1
> > > > > libxslt-devel.x86_64 version: 1.1.26-2.7.amzn1
> > > > > OpenSSL version: 1.0.1e-fips
> > > > >
> > > > > Thank you for your time and attention,
> > > > > Derek Nutile
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > xmlsec mailing list
> > > > > xmlsec at aleksey.com
> > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
>
>
>
> --
> SY, Dmitry Belyavsky
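
To see which state a build host is in with respect to the check quoted above, the following added example (not xmlsec's configure code) classifies an OpenSSL include tree. The function names `ecdsa_probe` and `make_tree` and the sample trees are constructed here, and the script scans header text rather than running the C preprocessor as `AC_EGREP_CPP` does.

```shell
#!/bin/sh
# ecdsa_probe INCLUDE_DIR -> prints one of: enabled | disabled | mismatch
ecdsa_probe() {
    inc=$1
    macro=no
    header=no
    # Some packagers split opensslconf.h into per-architecture files,
    # so scan every opensslconf*.h for a definition of the macro.
    for f in "$inc"/openssl/opensslconf*.h; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_ECDSA([[:space:]]|$)' "$f"; then
            macro=yes
        fi
    done
    if [ -f "$inc/openssl/ecdsa.h" ]; then
        header=yes
    fi
    if [ "$macro" = yes ]; then
        echo disabled   # the configure test would add -DXMLSEC_NO_ECDSA=1
    elif [ "$header" = yes ]; then
        echo enabled
    else
        echo mismatch   # macro test finds nothing, yet #include <openssl/ecdsa.h> fails
    fi
}

# make_tree DIR HAS_HEADER HAS_MACRO: build a constructed sample include tree
make_tree() {
    mkdir -p "$1/openssl"
    echo '/* constructed sample */' > "$1/openssl/opensslconf.h"
    if [ "$2" = yes ]; then
        : > "$1/openssl/ecdsa.h"
    fi
    if [ "$3" = yes ]; then
        echo '# define OPENSSL_NO_ECDSA' > "$1/openssl/opensslconf-x86_64.h"
    fi
}

# Demo on three constructed trees.
tmp=$(mktemp -d)
make_tree "$tmp/stock" yes no
make_tree "$tmp/flagged" no yes
make_tree "$tmp/stripped" no no
for t in stock flagged stripped; do
    printf '%s: %s\n' "$t" "$(ecdsa_probe "$tmp/$t")"
done
rm -rf "$tmp"
```

On a real host, point it at the directory the compiler searches for OpenSSL headers, for example `ecdsa_probe /usr/include`.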