I'm not specifying any directories in the code, only two files in the CWD. Did something change in recent version that requires a cert directory for openssl?
erik

On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin <[email protected]> wrote:
> The dir might not exist?
>
> Aleksey
>
>
> On 10/13/10 10:56 AM, Erik Smith wrote:
>
>> I rebuilt libxml, xmlsec, and libxslt to the latest and I get an x509
>> error for some reason. Any ideas on this?
>>
>> libxml version: 2.7.7
>> xmlsec version: 1.2.16
>> libxslt version: 1.1.26
>>
>> func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto library function failed:
>>
>> func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec library function failed:
>>
>> func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec library function failed:xmlSecOpenSSLX509StoreId
>>
>> func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec library function failed:
>>
>>
>> 2010/10/13 Aleksey Sanin <[email protected]>
>>
>> Sounds like you are compiling your application with different flags
>> compared to xmlsec. Something like structure members alignment
>> or debug vs. release.
>>
>> Aleksey
>>
>>
>> On 10/13/10 7:32 AM, Erik Smith wrote:
>>
>> xmlsec output:
>>
>> OK
>> SignedInfo References (ok/all): 1/1
>> Manifests References (ok/all): 0/0
>> = VERIFICATION CONTEXT
>> == Status: succeeded
>> == flags: 0x00000006
>> == flags2: 0x00000000
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0x00000002
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Signature Method:
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> == Signature Key:
>> == KEY
>> === method: RSAKeyValue
>> === key type: Public
>> === key usage: -1
>> === rsa key: size = 1024
>> === list size: 1
>> === X509 Data:
>> ==== Certificate:
>> ==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>> ==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
>> ==== Issuer Serial: 4CAB2D3B
>> == SignedInfo References List:
>> === list size: 1
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1"
>> MinorVersion="1" Recipient="http://amgr.emdeon.com"
>> ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode
>> Value="samlp:Success"></StatusCode></Status><Assertion
>> xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
>> AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
>> IssueInstant="2010-10-06T16:15:38.906Z"
>> Issuer="http://access.emdeon.com" MajorVersion="1"
>> MinorVersion="1"><Conditions NotBefore="2010-10-06T21:15:38.905Z"
>> NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement
>> AuthenticationInstant="2010-10-06T16:15:38.906Z"
>> AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
>> == PreDigest data - end buffer
>> == Manifest References List:
>> === list size: 0
>>
>>
>> On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin <[email protected]> wrote:
>>
>> What is the output of the xmlsec1 command?
>>
>> Aleksey
>>
>>
>> On 10/12/10 11:36 PM, Erik Smith wrote:
>>
>> After I call xmlSecDSigCtxVerify, the status in the context is
>> corrupted with a large number. However xmlsec1 reports
>> validation as OK.
>>
>> xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references
>> --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response /saml.xml
>>
>> Also xmlSecDSigCtxDebugDump output is exactly the same for
>> xmlsec1 and my program.
>>
>> I've reduced the code down to what is below and I'm having trouble
>> seeing what could be wrong.
>>
>> libxml version: 2.6.27
>> xmlsec version: 1.2.11
>>
>> Thanks for any help.
>>
>> #include <iostream>
>> #include <cstdlib>          // exit()
>> #include <libxml/parser.h>  // xmlInitParser, xmlParseFile
>> #include <libxml/valid.h>   // xmlGetID, xmlAddID
>> #include <xmlsec/xmltree.h>
>> #include <xmlsec/xmldsig.h>
>> #include <xmlsec/crypto.h>
>> #include <xmlsec/errors.h>
>>
>> #ifndef XMLSEC_NO_XSLT
>> #include <libxslt/xslt.h>
>> #endif
>>
>> void error(const char *);
>> void set_id(xmlDocPtr);   // declared before its use in main()
>>
>> int main(int argc, char **argv) {
>>     using namespace std;
>>     int status(0);
>>
>>     xmlSecKeysMngrPtr mngr_;
>>     xmlSecDSigCtxPtr dsigCtx;
>>     xmlDocPtr doc_;
>>
>>     cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
>>     cout << "xmlsec version: " << XMLSEC_VERSION << endl;
>>
>>     xmlInitParser();
>>     LIBXML_TEST_VERSION;
>>     xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
>>     xmlSubstituteEntitiesDefault(1);
>>
>> #ifndef XMLSEC_NO_XSLT
>>     xmlIndentTreeOutput = 1;
>> #endif
>>     // Init xmlsec library
>>     if (xmlSecInit() < 0) error("xmlSecInit");
>>     if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");
>>
>> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
>>     if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
>>         error("xmlSecCryptoDLLoadLibrary");
>> #endif
>>
>>     if (xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto initialization failed.");
>>     if (xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto initialization failed.");
>>
>>     mngr_ = xmlSecKeysMngrCreate();
>>     if (!mngr_) error("bad");
>>
>>     if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad");
>>
>>     // Load the public key out of the PEM certificate and hand it to the keys manager
>>     xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
>>     xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, NULL, NULL);
>>     if (!key) error("key load error");
>>
>>     if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0)
>>         error("could not add key");
>>
>>     doc_ = xmlParseFile("saml.xml");
>>     if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");
>>
>>     // Register ResponseID as an ID attribute so the "#Response-guid-..." reference resolves
>>     set_id(doc_);
>>
>>     xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_),
>>                                      xmlSecNodeSignature, xmlSecDSigNs);
>>     if (!node) error("start node not found");
>>
>>     dsigCtx = xmlSecDSigCtxCreate(mngr_);
>>     if (!dsigCtx) error("failed to create signature context");
>>
>>     std::cout << "status before: " << dsigCtx->status << std::endl;
>>     if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) error("signature verify error");
>>     std::cout << "status: " << dsigCtx->status << std::endl;
>>     //xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>>
>>     return status;
>> }
>>
>> void set_id(xmlDocPtr doc) {
>>     using namespace std;
>>
>>     xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc),
>>                                      BAD_CAST "Response",
>>                                      BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
>>     if (!node) error("Response element not found");
>>
>>     cout << "element name: " << node->name << endl;
>>     xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
>>     if (!attr) error("attribute not found");
>>     cout << "attribute name: " << attr->name << endl;
>>
>>     xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
>>     if (!value) error("xmlNodeListGetString");
>>     cout << "value: " << value << endl;
>>
>>     xmlAttrPtr tmp(xmlGetID(node->doc, value));
>>     if (tmp) {
>>         cout << "id already registered" << endl;
>>     } else {
>>         xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST value, attr);
>>         if (!id) {
>>             xmlFree(value); // fix
>>             error("xmlAddID error");
>>         }
>>         cout << "id added" << endl;
>>     }
>>
>>     //xmlFree(value); // fix
>> }
>>
>> void error(const char *e) {
>>     std::cout << e << std::endl;
>>     std::cout << "exiting" << std::endl;
>>     exit(1); // non-zero, so a failed verification is not reported as success to the caller
>> }
>>
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
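An added example, not code from this thread: a POSIX sh wrapper around the xmlsec1 command Erik ran, which reports success only when xmlsec1 exits 0, prints an OK line, and shows every SignedInfo reference verified, so a FAIL or a partially verified document is never mistaken for a good signature. The sample outputs are constructed to match the shape of the output quoted above; the function names are mine.

```shell
#!/bin/sh
# Wrapper for "xmlsec1 --verify" as used in the thread. Not part of xmlsec.

# Constructed sample outputs, shaped like the xmlsec1 output quoted in the thread.
SAMPLE_OK='OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded'
SAMPLE_PARTIAL='OK
SignedInfo References (ok/all): 1/2
Manifests References (ok/all): 0/0'
SAMPLE_FAIL='FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0'

# verify_dump_ok <xmlsec1-output>: exit 0 only if the output has an OK line,
# no FAIL line, and every SignedInfo reference (at least one) verified.
verify_dump_ok() {
    dump=$1
    printf '%s\n' "$dump" | grep -qx 'FAIL' && return 1
    printf '%s\n' "$dump" | grep -qx 'OK' || return 1
    # Pull "ok" and "all" out of "SignedInfo References (ok/all): N/M".
    refs=$(printf '%s\n' "$dump" |
        sed -n 's/^SignedInfo References (ok\/all): \([0-9][0-9]*\)\/\([0-9][0-9]*\)$/\1 \2/p')
    [ -n "$refs" ] || return 1
    set -- $refs
    [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}

# run_verify <cert.pem> <signed.xml>: the command line from the thread, with
# both the exit status and the printed result checked. Needs xmlsec1 installed.
run_verify() {
    out=$(xmlsec1 --verify --pubkey-cert-pem "$1" --store-references \
        --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response \
        "$2" 2>&1) || { printf '%s\n' "$out"; return 1; }
    verify_dump_ok "$out"
}

# Stand-alone use: ./verify.sh cert.crt saml.xml
if [ $# -eq 2 ]; then
    run_verify "$1" "$2" && echo "signature verified" || { echo "verification FAILED"; exit 1; }
fi
```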
