[xmlsec] Inconsistent dsigCtx->status value
Aleksey Sanin
aleksey at aleksey.com
Fri May 13 13:46:46 PDT 2016
Yes, looks like it. Plus value 7219120 is very weird and not expected
for status. This is why I think there is a problem with either
compilation flags or library version.
Aleksey
On 5/13/16 1:44 PM, moore43132 at yahoo.com wrote:
>
> It is very strange.
> I did a new build and the run time is using exact same version.
>
> It is latest .22 version.
> Same result.
> Will try debug further.
>
> BTW, was the dump produced actually a valid verify (verify ok)?
>
> On Fri, 13 May, 2016 at 16:56, Aleksey Sanin
> <aleksey at aleksey.com> wrote:
>
> Hm... The only idea I have is that you compile with different
> flags or link against a different version of xmlsec library.
> It looks like dsigCtx->status points to a different place in
> memory.
>
> Aleksey
>
> On 5/13/16 2:16 AM, moore43132 at yahoo.com wrote:
> > Hello Aleksey & thank you for reply.
> > I cannot see obvious error in the dump.
> > Can you point it out if present?
> >
> > Also if indeed a digest is incorrect, would you expect the status to
> > be invalid? (rather than a garbage value)
> >
> > Attached is the dump.
> >
> > Also some code that I added as a result of ID related errors of FAQ 3.2.
> > This is the main difference to one of your verify examples.
> > Without this code, I get lots of errors.
> >
> > With it, the verification runs through, but with the contradictory result
> > in status.
> >
> > Appreciate your input.
> > Thank you.
> > On Friday, 13 May 2016, 2:56:22, Aleksey Sanin
> > <aleksey at aleksey.com> wrote:
> >
> >
> > Look through the whole dump. One of the digests is likely invalid.
> >
> > Aleksey
> >
> > On 5/12/16 2:37 PM, moore43132 at yahoo.com wrote:
> >>
> >> Hello
> >>
> >>
> >> Any thoughts on how the following can happen would be much
> >> appreciated.
> >>
> >>
> >> Have some code like this which is preceded by creating a verify
> >> context etc etc just like the examples:
> >>
> >> ...
> >> ...
> >> /* print verification result to stdout */
> >> if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
> >>     fprintf(stdout, "RESULT: Signature is OK %d\n", dsigCtx->status);
> >> } else {
> >>     fprintf(stdout, "RESULT: Signature is INVALID %d\n", dsigCtx->status);
> >> }
> >> fprintf(stdout, "---------------------------------------------------\n");
> >>
> >>
> >> xmlSecDSigCtxDebugDump(dsigCtx, stdout);
> >> ...
> >> ...
> >>
> >>
> >> And get the following output:
> >>
> >>
> >> RESULT: Signature is INVALID 7219120
> >> ---------------------------------------------------
> >> = VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == flags: 0x0000000e
> >> == flags2: 0x00000000
> >> == Key Info Read Ctx:
> >> = KEY INFO READ CONTEXT
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled key data: all
> >> == RetrievalMethod level (cur/max): 0/1
> >> == TRANSFORMS CTX (status=0)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> == EncryptedKey level (cur/max): 0/1
> >> === KeyReq:
> >> ==== keyId: rsa
> >> ==== keyType: 0x00000001
> >> ==== keyUsage: 0x00000002
> >> ==== keyBitsSize: 0
> >> === list size: 0
> >> == Key Info Write Ctx:
> >> = KEY INFO WRITE CONTEXT
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled key data: all
> >> == RetrievalMethod level (cur/max): 0/1
> >> == TRANSFORMS CTX (status=0)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> == EncryptedKey level (cur/max): 0/1
> >> === KeyReq:
> >> ==== keyId: NULL
> >> ==== keyType: 0x00000001
> >> ==== keyUsage: 0xffffffff
> >> ==== keyBitsSize: 0
> >> === list size: 0
> >> == Signature Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> >> === Transform: membuf-transform (href=NULL)
> >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Signature Method:
> >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> >> == Signature Key:
> >> == KEY
> >> === method: RSAKeyValue
> >> === key type: Public
> >> === key usage: -1
> >> === key not valid before: 1458586152
> >> === key not valid after: 1774118952
> >> === rsa key: size = 2048
> >> === list size: 1
> >> === X509 Data:
> >> ==== Key Certificate:
> >> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Certificate:
> >> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> == SignedInfo References List:
> >> === list size: 1
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#_c4e9522ba1289864766f54df6a04eae5b77fd7c70d"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri:
> >> === uri xpointer expr: #_c4e9522ba1289864766f54df6a04eae5b77fd7c70d
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> >> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> >> === Transform: membuf-transform (href=NULL)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> == PreDigest data - start buffer:
> >> ....
> >> ....
> >>
> >> ....
> >>
> >>
> >> Any ideas how this could happen?
> >>
> >> The dump prints the status as being successful.
> >> This as per the setting of the dsigCtx->status in
> >> xmlSecDSigCtxDebugDump() function in xmldsig.c
> >>
> >>
> >> But how is it printing some garbage value beforehand? (7219120)
> >> Why is it not initialized or set to unknown/invalid?
> >>
> >>
> >> Would appreciate any insight. No other logs/errors from xmlsec are
> >> evident.
> >>
> >> Are there any other logs I could refer to?
> >> Would appreciate any thoughts.
> >
> >> _______________________________________________
> >> xmlsec mailing list
> >> xmlsec at aleksey.com
> >> http://www.aleksey.com/mailman/listinfo/xmlsec
>
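Aleksey's hypothesis above (the caller's header and the linked library disagree on the layout of the verification context, so dsigCtx->status is read from the wrong bytes) modelled as an added C example. This is not code from the thread or from xmlsec; every demo_ name is hypothetical, and the real xmlSecCheckVersion() macro is only mentioned in a comment as the guard xmlsec itself ships.

```c
#include <stddef.h>
#include <string.h>
/* All demo_ names are hypothetical stand-ins for xmlsec's types; the status
 * values mirror xmlsec's xmlSecDSigStatus enum. */
enum demo_status { DEMO_STATUS_UNKNOWN = 0, DEMO_STATUS_SUCCEEDED = 1, DEMO_STATUS_INVALID = 2 };

/* Layout the library was actually compiled with: an extra member precedes
 * status (stand-in for a field whose presence depends on build options). */
struct demo_ctx_lib {
    unsigned int flags;
    unsigned int flags2;
    void *userData;           /* unknown to the caller's header below */
    enum demo_status status;
};

/* Layout the caller's stale header describes: same prefix, no userData. */
struct demo_ctx_caller {
    unsigned int flags;
    unsigned int flags2;
    enum demo_status status;  /* overlaps userData in the real layout */
};

/* Library side: fill the context and record a successful verification. */
static void demo_lib_verify(struct demo_ctx_lib *ctx) {
    memset(ctx, 0, sizeof *ctx);
    ctx->flags = 0x0e;
    ctx->userData = ctx;      /* any real address; stands in for a heap pointer */
    ctx->status = DEMO_STATUS_SUCCEEDED;
}

/* Accessor compiled inside the library, so it always uses the true layout;
 * this is effectively what the debug dump does when it prints "succeeded". */
static enum demo_status demo_lib_get_status(const struct demo_ctx_lib *ctx) {
    return ctx->status;
}

/* Caller side: reads "status" at the offset its own header names. memcpy keeps
 * the read well-defined; the result is whatever bytes happen to sit there. */
static int demo_caller_read_status(const void *ctx) {
    int raw;
    memcpy(&raw, (const char *)ctx + offsetof(struct demo_ctx_caller, status), sizeof raw);
    return raw;
}

/* Guard in the spirit of xmlSecCheckVersion(): refuse to proceed when the
 * caller's and the library's sizes of the context disagree. */
static int demo_abi_matches(size_t caller_size, size_t lib_size) {
    return caller_size == lib_size;
}
```

The caller-side read returns the low bytes of userData rather than the status, which is the kind of large, pointer-looking number the original poster saw next to a dump that says "succeeded".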