While it is not impossible, I would be highly surprised to find bugs in XML signature processing at this stage of life for XML Sec Library. It is actually pretty simple to create a syntactically valid signature that will NOT verify (hint: try to include the Signature node in the Reference digest).
Anyway, xmlsec tool usually prints pretty good and descriptive errors. You might want to start there. Best, Aleksey On 2/4/15 11:10 PM, Henri Salo wrote: > Hi, > > I have been doing some fuzzing with XML Security Library and I have found a > case > where signing a document works[0], but verifying it does not and generates > errors [1]. Do you consider this kind of case as a bug, which should be > reported to correct addresses etc or is this just normal functionality of the > tools? > > This works: > > xmlsec1 --sign --privkey rsakey.pem --output sign1.xml fuzzedinputfile > > This does not: > > xmlsec1 --verify sign1.xml rsapub.pem > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
