[xmlsec] Sign verification problems after SLES 11.3 system security update
Aleksey Sanin
aleksey at aleksey.com
Mon Apr 27 10:08:23 PDT 2015
You might want to file a bug about SLES :) It's hard to say what
has changed.
Aleksey
On 4/27/15 10:05 AM, spam at intlt.ru wrote:
> Yes, I did. I even tried to rebuild it from your latest git sources. This error occurs only with DSA keys, with RSA everything is ok.
>
> 27.04.2015, 19:39, "Aleksey Sanin" <aleksey at aleksey.com>:
>> Did you rebuild xmlsec after the upgrade?
>>
>> Aleksey
>>
>> On 4/26/15 11:20 PM, Igor Sokolov wrote:
>>> Something weird happened after SLES 11.3 system update. There was a bunch of OpenSSL security updates.
>>> xmlsec1 sign verification just stopped working.
>>> On other systems (non-SLES: Mint, Windows) with the same key and file everything is ok.
>>> Output:
>>> xmlsec1 verify --print-debug --privkey-pem ibrsStubPublicKey.pem request.txt
>>> error : Unknown IO error
>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=889:obj=unknown:subj=unknown:error=45:key is not found:
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=581:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>> Error: signature failed
>>> ERROR
>>> SignedInfo References (ok/all): 1/1
>>> Manifests References (ok/all): 0/0
>>> = VERIFICATION CONTEXT
>>> == Status: unknown
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == Key Info Read Ctx:
>>> = KEY INFO READ CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: dsa
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0x00000002
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> == Key Info Write Ctx:
>>> = KEY INFO WRITE CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: NULL
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0xffffffff
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> == Signature Transform Ctx:
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> === Transform: c14n-with-comments (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
>>> === Transform: dsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#dsa-sha1)
>>> == Signature Method:
>>> === Transform: dsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#dsa-sha1)
>>> == SignedInfo References List:
>>> === list size: 1
>>> = REFERENCE VERIFICATION CONTEXT
>>> == Status: succeeded
>>> == URI: ""
>>> == Reference Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == Manifest References List:
>>> === list size: 0
>>> Error: failed to verify file "request.txt"
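Added example, not part of the original thread or of the xmlsec project: a small parser for the xmlsec1 error stack quoted above, which shows that this run failed at key lookup (error=45, "key is not found") while the SignedInfo reference digest checked out (1/1). The function names and stage labels are this example's own assumptions; the sample lines are copied from the report.

```python
import re

# One frame of the error stack, in the layout shown in the report:
# func=F:file=X.c:line=N:obj=O:subj=S:error=E:message:
FRAME_RE = re.compile(
    r"func=(?P<func>[^:]*):file=(?P<file>[^:]*):line=(?P<line>\d+):"
    r"obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<error>\d+):"
    r"(?P<msg>.*?):?\s*$"
)
REFS_RE = re.compile(r"SignedInfo References \(ok/all\):\s*(\d+)/(\d+)")
GENERIC = "xmlsec library function failed"  # wrapper text on the error=1 frames

# Lines copied from the quoted report (mail quoting left in place).
SAMPLE = """\
>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=889:obj=unknown:subj=unknown:error=45:key is not found:
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=581:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>> SignedInfo References (ok/all): 1/1
"""

def parse_frames(text):
    """Return the error-stack frames in printed order (innermost call first)."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.search(raw)
        if m:
            frame = m.groupdict()
            frame["line"], frame["error"] = int(frame["line"]), int(frame["error"])
            frames.append(frame)
    return frames

def triage(text):
    """Classify the failure stage; the stage labels are this example's own."""
    frames = parse_frames(text)
    specific = [f for f in frames if f["msg"] != GENERIC]
    refs = REFS_RE.search(text)
    ok, total = (int(refs.group(1)), int(refs.group(2))) if refs else (None, None)
    if any("key is not found" in f["msg"] for f in specific):
        stage = "key-lookup"          # no usable key was available to the verifier
    elif ok is not None and ok < total:
        stage = "reference-digest"    # signed content does not match its digest
    else:
        stage = "other"
    return {"stage": stage, "references": (ok, total),
            "innermost": frames[0]["func"] if frames else None,
            "specific": [(f["error"], f["msg"]) for f in specific]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "key-lookup" result with all references ok means the signed content matched its digest and the verifier stopped before checking the signature value, so the key file and the crypto backend that loads it are the place to look.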