Well, I have no idea how xmlsec was compiled.

Aleksey

On 10/13/10 2:31 PM, Erik Smith wrote:
It looks like the open SSL Dir issue was a bad library interaction.  So
I made sure all relevant libs were up-to-date and dynamically loaded.

libxml version: 2.7.7
xmlsec version: 1.2.16
libxslt version: 1.1.26

When I use xmlSecCryptoAppKeysMngrCertLoad, I do get a "key is not
found", which I think has to do with it looking for a cert as a key in
the document.  I had tried this to address the open SSL Dir issue which
appears to have been resolved as stated above.

Going back to
xmlSecCryptoAppKeyLoad / xmlSecCryptoAppDefaultKeysMngrAdoptKey as it is
seen originally in the code below gets me back to the same error with
the corrupted status:

status before xmlSecDSigCtxVerify: 0
status after xmlSecDSigCtxVerify: 5361840

compilation is simple:

export LD_LIBRARY_PATH=$NDTOOLS/lib:$LD_LIBRARY_PATH

g++ -c xs2.cpp -o xs2.o -g -fexceptions -Wall -Wno-sign-compare \
    -Wno-unused -m64 -g -D_REENTRANT -D_PTHREADS -DXMLSEC_CRYPTO_OPENSSL -I. \
    -I$NDTOOLS/include -I$NDTOOLS/include/libxml2 -I$NDTOOLS/include/xmlsec1

g++ -o xs2 xs2.o -lxml2 -lxslt -lssl -lcrypto -lz -ldl -lxmlsec1 \
    -lxmlsec1-openssl -m64

erik



On Wed, Oct 13, 2010 at 1:47 PM, Aleksey Sanin <[email protected]> wrote:

    It might be hard coded from OpenSSL during compilation


    On 10/13/10 12:11 PM, Erik Smith wrote:

        The same code run on the earlier library versions did not have this
        issue (see code below).  Do I need to specify a directory if I'm just
        loading a cert in a manager?

        erik

        On Wed, Oct 13, 2010 at 12:09 PM, Aleksey Sanin <[email protected]> wrote:

            No changes, it is a part of xmlsec-openssl init process.


            On 10/13/10 12:07 PM, Erik Smith wrote:

                I'm not specifying any directories in the code, only two files
                in the CWD.  Did something change in a recent version that
                requires a cert directory for openssl?

                erik

                On Wed, Oct 13, 2010 at 12:04 PM, Aleksey Sanin <[email protected]> wrote:

                    The dir might not exist?

                    Aleksey


                    On 10/13/10 10:56 AM, Erik Smith wrote:

                        I rebuilt libxml, xmlsec, and libxslt to the latest and
                        I get an x509 error for some reason.  Any ideas on this?

                        libxml version: 2.7.7
                        xmlsec version: 1.2.16
                        libxslt version: 1.1.26

                        func=xmlSecOpenSSLX509StoreInitialize:file=x509vfy.c:line=657:obj=x509-store:subj=X509_LOOKUP_add_dir:error=4:crypto library function failed:
                        func=xmlSecKeyDataStoreCreate:file=keysdata.c:line=1330:obj=x509-store:subj=id->initialize:error=1:xmlsec library function failed:
                        func=xmlSecOpenSSLKeysMngrInit:file=crypto.c:line=330:obj=unknown:subj=xmlSecKeyDataStoreCreate:error=1:xmlsec library function failed:xmlSecOpenSSLX509StoreId
                        func=xmlSecOpenSSLAppDefaultKeysMngrInit:file=app.c:line=1331:obj=unknown:subj=xmlSecOpenSSLKeysMngrInit:error=1:xmlsec library function failed:

                        2010/10/13 Aleksey Sanin <[email protected]>


                            Sounds like you are compiling your application with
                            different flags compared to xmlsec. Something like
                            structure members alignment or debug vs. release.

                            Aleksey


                            On 10/13/10 7:32 AM, Erik Smith wrote:

                                xmlsec output:

                                OK
                                SignedInfo References (ok/all): 1/1
                                Manifests References (ok/all): 0/0
                                = VERIFICATION CONTEXT
                                == Status: succeeded
                                == flags: 0x00000006
                                == flags2: 0x00000000
                                == Key Info Read Ctx:
                                = KEY INFO READ CONTEXT
                                == flags: 0x00000000
                                == flags2: 0x00000000
                                == enabled key data: all
                                == RetrievalMethod level (cur/max): 0/1
                                == TRANSFORMS CTX (status=0)
                                == flags: 0x00000000
                                == flags2: 0x00000000
                                == enabled transforms: all
                                === uri: NULL
                                === uri xpointer expr: NULL
                                == EncryptedKey level (cur/max): 0/1
                                === KeyReq:
                                ==== keyId: rsa
                                ==== keyType: 0x00000001
                                ==== keyUsage: 0x00000002
                                ==== keyBitsSize: 0
                                === list size: 0
                                == Key Info Write Ctx:
                                = KEY INFO WRITE CONTEXT
                                == flags: 0x00000000
                                == flags2: 0x00000000
                                == enabled key data: all
                                == RetrievalMethod level (cur/max): 0/1
                                == TRANSFORMS CTX (status=0)
                                == flags: 0x00000000
                                == flags2: 0x00000000
                                == enabled transforms: all
                                === uri: NULL
                                === uri xpointer expr: NULL
                                == EncryptedKey level (cur/max): 0/1
                                === KeyReq:
                                ==== keyId: NULL
                                ==== keyType: 0x00000001
                                ==== keyUsage: 0xffffffff
                                ==== keyBitsSize: 0
                                === list size: 0
                                == Signature Transform Ctx:
                                == TRANSFORMS CTX (status=2)
                                == flags: 0x00000000
                                == flags2: 0x00000000
                                == enabled transforms: all
                                === uri: NULL
                                === uri xpointer expr: NULL
                                === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
                                === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
                                === Transform: membuf-transform (href=NULL)
                                == Signature Method:
                                === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
                                == Signature Key:
                                == KEY
                                === method: RSAKeyValue
                                === key type: Public
                                === key usage: -1
                                === rsa key: size = 1024
                                === list size: 1
                                === X509 Data:
                                ==== Certificate:
                                ==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
                                ==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon
                                ==== Issuer Serial: 4CAB2D3B
                                == SignedInfo References List:
                                === list size: 1
                                = REFERENCE VERIFICATION CONTEXT
                                == Status: succeeded
                                == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"
                                == Reference Transform Ctx:
                                == TRANSFORMS CTX (status=2)
                                == flags: 0x00000000
                                == flags2: 0x00000000
                                == enabled transforms: all
                                === uri:
                                === uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404
                                === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
                                === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
                                === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
                                === Transform: membuf-transform (href=NULL)
                                === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
                                === Transform: membuf-transform (href=NULL)
                                == Digest Method:
                                === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
                                == PreDigest data - start buffer:
                                <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
                                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                                    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                    IssueInstant="2010-10-06T21:15:38.906Z"
                                    MajorVersion="1"
                                    MinorVersion="1"
                                    Recipient="http://amgr.emdeon.com"
                                    ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode
                                    Value="samlp:Success"></StatusCode></Status><Assertion
                                    xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                                    AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761"
                                    IssueInstant="2010-10-06T16:15:38.906Z"
                                    Issuer="http://access.emdeon.com"
                                    MajorVersion="1"
                                    MinorVersion="1"><Conditions
                                    NotBefore="2010-10-06T21:15:38.905Z"
                                    NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement
                                    AuthenticationInstant="2010-10-06T16:15:38.906Z"
                                    AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>
                                == PreDigest data - end buffer
                                == Manifest References List:
                                === list size: 0


                                On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin <[email protected]> wrote:

                                    What is the output of the xmlsec1 command?

                                    Aleksey


                                    On 10/12/10 11:36 PM, Erik Smith wrote:

                                        After I call xmlSecDSigCtxVerify, the status in the
                                        context is corrupted with a large number.  However
                                        xmlsec1 reports validation as OK.

                                        xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references \
                                            --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response \
                                            /saml.xml

                                        Also xmlSecDSigCtxDebugDump output is exactly the same for
                                        xmlsec1 and my program.

                                        I've reduced the code down to what is below and I'm having
                                        trouble seeing what could be wrong.

                                        libxml version: 2.6.27
                                        xmlsec version: 1.2.11

                                        Thanks for any help.



                                        #include <cstdlib>
                                        #include <iostream>
                                        #include <libxml/parser.h>
                                        #include <libxml/tree.h>
                                        #include <libxml/valid.h>
                                        #include <xmlsec/xmlsec.h>
                                        #include <xmlsec/xmltree.h>
                                        #include <xmlsec/xmldsig.h>
                                        #include <xmlsec/keys.h>
                                        #include <xmlsec/keysmngr.h>
                                        #include <xmlsec/crypto.h>
                                        #include <xmlsec/errors.h>

                                        #ifndef XMLSEC_NO_XSLT
                                        #include <libxslt/xslt.h>
                                        #endif

                                        // Forward declarations: set_id() is defined after main().
                                        void error(const char *);
                                        void set_id(xmlDocPtr doc);

                                        int main(int argc, char **argv) {
                                            using namespace std;
                                            int status(1); // exit code: 0 only when the signature verifies

                                            xmlSecKeysMngrPtr mngr_;
                                            xmlSecDSigCtxPtr dsigCtx;
                                            xmlDocPtr doc_;

                                            cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl;
                                            cout << "xmlsec version: " << XMLSEC_VERSION << endl;

                                            xmlInitParser();
                                            LIBXML_TEST_VERSION;
                                            xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
                                            xmlSubstituteEntitiesDefault(1);

                                        #ifndef XMLSEC_NO_XSLT
                                            xmlIndentTreeOutput = 1;
                                        #endif
                                            // Init xmlsec library
                                            if (xmlSecInit() < 0) error("xmlSecInit");
                                            if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion");

                                        #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
                                            if (xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0)
                                                error("xmlSecCryptoDLLoadLibrary");
                                        #endif

                                            if (xmlSecCryptoAppInit(NULL) < 0)
                                                error("Error: crypto initialization failed.");
                                            if (xmlSecCryptoInit() < 0)
                                                error("Error: xmlsec-crypto initialization failed.");

                                            mngr_ = xmlSecKeysMngrCreate();
                                            if (!mngr_) error("bad");

                                            if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad");

                                            // Load the public key out of the PEM certificate and hand it to the manager.
                                            xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem);
                                            xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, NULL, NULL);
                                            if (!key) error("key load error");

                                            if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0)
                                                error("could not add key");

                                            doc_ = xmlParseFile("saml.xml");
                                            if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad");

                                            // Register ResponseID as an ID attribute so the "#Response-..." reference resolves.
                                            set_id(doc_);

                                            xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_),
                                                                             xmlSecNodeSignature, xmlSecDSigNs);
                                            if (!node) error("start node not found");

                                            dsigCtx = xmlSecDSigCtxCreate(mngr_);
                                            if (!dsigCtx) error("failed to create signature context");

                                            std::cout << "status before: " << dsigCtx->status << std::endl;
                                            if (xmlSecDSigCtxVerify(dsigCtx, node) < 0)
                                                error("signature verify error");
                                            std::cout << "status: " << dsigCtx->status << std::endl;

                                            // A return of 0 from xmlSecDSigCtxVerify only means "no processing error";
                                            // the verdict is dsigCtx->status and must match the success value exactly.
                                            if (dsigCtx->status == xmlSecDSigStatusSucceeded) {
                                                std::cout << "signature is OK" << std::endl;
                                                status = 0;
                                            } else {
                                                std::cout << "signature is INVALID" << std::endl;
                                            }

                                            //xmlSecDSigCtxDebugDump(dsigCtx, stdout);

                                            xmlSecDSigCtxDestroy(dsigCtx);
                                            xmlFreeDoc(doc_);
                                            xmlSecKeysMngrDestroy(mngr_);
                                            return status;
                                        }

                                        void set_id(xmlDocPtr doc) {
                                            using namespace std;

                                            xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc),
                                                                             BAD_CAST "Response",
                                                                             BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol");
                                            if (!node) error("Response element not found");

                                            cout << "element name: " << node->name << endl;
                                            xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID");
                                            if (!attr) error("attribute not found");
                                            cout << "attribute name: " << attr->name << endl;

                                            xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1);
                                            if (!value) error("xmlNodeListGetString");
                                            cout << "value: " << value << endl;

                                            xmlAttrPtr tmp(xmlGetID(node->doc, value));
                                            if (tmp) {
                                                cout << "id already registered" << endl;
                                            } else {
                                                // xmlAddID stores its own copy of value, so value is freed below in all paths.
                                                xmlIDPtr id = xmlAddID(NULL, doc, value, attr);
                                                if (!id) {
                                                    xmlFree(value);
                                                    error("xmlAddID error");
                                                }
                                                cout << "id added" << endl;
                                            }

                                            xmlFree(value);
                                        }

                                        void error(const char *e) {
                                            std::cout << e << std::endl;
                                            std::cout << "exiting" << std::endl;
                                            exit(1); // non-zero: a failed verification must never look like success to the caller
                                        }

                                        _______________________________________________
                                        xmlsec mailing list
                                        [email protected]
                                        http://www.aleksey.com/mailman/listinfo/xmlsec
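Aleksey's diagnosis in the thread (application and library built with different struct-layout flags) can be reproduced without xmlsec at all. The C program below is an added example, not code from the thread or from xmlsec: it defines a constructed stand-in for a verification context, fills it using the "library" layout, and reads the status field back through a layout compiled with different packing, which yields a large garbage number instead of the verdict. The struct, its field names and the STATUS_* values are assumptions for illustration only, not xmlsec's real xmlSecDSigCtx.

```c
/* Added example (not from the thread): a struct-layout (ABI) mismatch between
 * an application and the library it links. The "library" side fills a context
 * using its layout; the "application" side reads the same bytes through a
 * layout built with different packing. The struct is a constructed stand-in,
 * not xmlsec's real xmlSecDSigCtx. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Library view: default member alignment (padding after the uint8_t members). */
struct lib_ctx {
    uint8_t  flag_a;
    uint32_t flags;
    uint8_t  flag_b;
    uint64_t reserved;
    uint32_t status;    /* the verdict the application wants to read */
};

/* Application view: same members, but built with packed structs
 * (what a stray -fpack-struct or #pragma pack in one build does). */
#pragma pack(push, 1)
struct app_ctx {
    uint8_t  flag_a;
    uint32_t flags;
    uint8_t  flag_b;
    uint64_t reserved;
    uint32_t status;
};
#pragma pack(pop)

/* Constructed status codes, modelled on "unknown / succeeded / invalid". */
enum { STATUS_UNKNOWN = 0, STATUS_SUCCEEDED = 1, STATUS_INVALID = 2 };

/* The library writes the context using its own layout. */
static void lib_fill(struct lib_ctx *c, uint32_t status) {
    memset(c, 0, sizeof *c);
    c->flag_a = 1;
    c->flags = 0x6;
    c->flag_b = 1;
    c->reserved = 0x4141414141414141ULL; /* arbitrary non-zero content */
    c->status = status;
}

/* Read "status" from raw context memory at the offset a given layout expects. */
static uint32_t read_status_at(const void *raw, size_t offset) {
    uint32_t s;
    memcpy(&s, (const char *)raw + offset, sizeof s); /* alignment-safe copy */
    return s;
}

/* 1 if both builds agree where status lives and how big the context is. */
int layouts_agree(void) {
    return offsetof(struct lib_ctx, status) == offsetof(struct app_ctx, status)
        && sizeof(struct lib_ctx) == sizeof(struct app_ctx);
}

/* What an application built with the library's layout sees: the verdict. */
uint32_t status_seen_by_matching_app(void) {
    struct lib_ctx c;
    lib_fill(&c, STATUS_SUCCEEDED);
    return read_status_at(&c, offsetof(struct lib_ctx, status));
}

/* What the mismatched build sees: a slice of padding and "reserved" bytes. */
uint32_t status_seen_by_mismatched_app(void) {
    struct lib_ctx c;
    lib_fill(&c, STATUS_SUCCEEDED);
    return read_status_at(&c, offsetof(struct app_ctx, status));
}

int main(void) {
    printf("lib offset of status: %zu, app offset: %zu\n",
           offsetof(struct lib_ctx, status), offsetof(struct app_ctx, status));
    printf("matching read: %u, mismatched read: %u\n",
           status_seen_by_matching_app(), status_seen_by_mismatched_app());
    return 0;
}
```

xmlSecCheckVersion() only compares version numbers, so it cannot catch this; the defence is to build the application with the same compiler flags and headers as the xmlsec it links, and to treat only an exact xmlSecDSigStatusSucceeded as a valid signature, never the return value of xmlSecDSigCtxVerify alone.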
