Hello Aleksey & thank you for the reply. I cannot see an obvious error in the dump. Can
you point it out if present?
Also, if indeed a digest is incorrect, would you expect the status to be invalid
(rather than a garbage value)?
Attached is the dump.
Also some code that I added as a result of ID-related errors of FAQ 3.2. This is the
main difference from one of your verify examples. Without this code, I get lots of
errors.
With it, the verification runs through, but with the contradictory result in
status.
Appreciate your input. Thank you.

On Friday, 13 May 2016, 2:56:22, Aleksey Sanin <[email protected]> wrote:
 

 Look through the whole dump. One of the digests is likely invalid.

Aleksey

On 5/12/16 2:37 PM, [email protected] wrote:
>  
> Hello
> 
> 
> Any thoughts on how the following can happen would be much appreciated.
> 
> 
> Have some code like this which is preceded by creating a verify context
> etc etc just like the examples:
> 
> ...
> ...
>        /* print verification result to stdout */
>        if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>                fprintf(stdout, "RESULT: Signature is OK  %d\n", dsigCtx->status);
>        } else {
>                fprintf(stdout, "RESULT: Signature is INVALID %d\n", dsigCtx->status);
>        }
>        fprintf(stdout, "---------------------------------------------------\n");
> 
> 
>        xmlSecDSigCtxDebugDump(dsigCtx, stdout);
> ...
> ...
> 
> 
> And get the following output:
> 
> 
> RESULT: Signature is INVALID 7219120
> ---------------------------------------------------
> = VERIFICATION CONTEXT
> == Status: succeeded
> == flags: 0x0000000e
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000001
> ==== keyUsage: 0x00000002
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key usage: -1
> === key not valid before: 1458586152
> === key not valid after: 1774118952
> === rsa key: size = 2048
> === list size: 1
> === X509 Data:
> ==== Key Certificate:
> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Certificate:
> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: succeeded
> == URI: "#_c4e9522ba1289864766f54df6a04eae5b77fd7c70d"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: 
> === uri xpointer expr: #_c4e9522ba1289864766f54df6a04eae5b77fd7c70d
> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> ....
> ....
> 
> ....
> 
> 
> Any ideas how this could happen?
> 
> The dump prints the status as being successful.
> This as per the setting of the dsigCtx->status in
> xmlSecDSigCtxDebugDump() function in xmldsig.c
> 
> 
> But how is it printing some garbage value beforehand? (7219120)
> Why is it not initialized or set to unknown/invalid?
> 
> 
> Would appreciate any insight. No other logs/errors from the xmlsec are
> evident.
> 
> Are there any other logs I could refer to?
> Would appreciate any thoughts.
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 


  
// code per FAQ 3.2: libxml2 only treats an attribute as an ID when a DTD/schema
// declares it, so the root element's "ID" attribute is registered by hand here;
// without it the "#_..." reference URI cannot be resolved by xmlsec
xmlNodePtr rnode = xmlDocGetRootElement(doc);
xmlAttrPtr attr;
xmlAttrPtr tmp;
xmlChar* name;
const xmlChar* id = BAD_CAST "ID";   /* string literal must be cast to xmlChar* */

if(rnode == NULL) {
        /* empty document: nothing to register, treat as an error */
        xmlSecError(XMLSEC_ERRORS_HERE, NULL, "xmlDocGetRootElement",
                    XMLSEC_ERRORS_R_XML_FAILED, XMLSEC_ERRORS_NO_MESSAGE);
        return(-1);   /* or the enclosing function's own error path */
}

/* note: only the root element's own attributes are walked, nothing deeper */
for(attr = rnode->properties; attr != NULL; attr = attr->next) {
        if(xmlStrEqual(attr->name, id)) {
                name = xmlNodeListGetString(doc, attr->children, 1);
                if(name != NULL) {
                        tmp = xmlGetID(doc, name);
                        if(tmp == NULL) {
                                /* first time this value is seen: register it */
                                xmlAddID(NULL, doc, name, attr);
                        } else if(tmp != attr) {
                                /* same value already bound to another attribute */
                                xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL,
                                            XMLSEC_ERRORS_R_INVALID_DATA,
                                            "id=%s already defined",
                                            xmlSecErrorsSafeString(name));
                        }
                        xmlFree(name);
                }
        }
}



There are 2 Sig nodes in the XML.
The doc root element has an ID attribute and the Signature node is a direct
child of the root,
with a reference URI to the ID attr in the doc root.

I was assuming I can just ignore the Sig element that exists deeper in the doc.
Or does some ordering come into play?



RESULT: Signature is INVALID -1006498752
---------------------------------------------------

= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: -1
=== key not valid before: 1458586152
=== key not valid after: 1774118952
=== rsa key: size = 2048
=== list size: 1
=== X509 Data:
==== Key Certificate:
==== Subject Name: /C=US/ST=New York/L=Melville/O=KEMP Technologies, Inc/OU=RABID TEAM/CN=saml-sp/[email protected]
==== Issuer Name: /C=US/ST=New York/L=Melville/O=KEMP Technologies, Inc/OU=RABID TEAM/CN=saml-sp/[email protected]
==== Issuer Serial: 9E2A9BFB723DC4D7
==== Certificate:
==== Subject Name: /C=US/ST=New York/L=Melville/O=KEMP Technologies, Inc/OU=RABID TEAM/CN=saml-sp/[email protected]
==== Issuer Name: /C=US/ST=New York/L=Melville/O=KEMP Technologies, Inc/OU=RABID TEAM/CN=saml-sp/[email protected]
==== Issuer Serial: 9E2A9BFB723DC4D7
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#_cd9f2da882db1145341bd06067816a00826eb28512"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: 
=== uri xpointer expr: #_cd9f2da882db1145341bd06067816a00826eb28512
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: -1
=== key not valid before: 1458586152
=== key not valid after: 1774118952
=== rsa key: size = 2048
=== list size: 1
=== X509 Data:
==== Key Certificate:
==== Subject Name: xxxxxxxxxxxxxxxx
==== Issuer Name: xxxxxxxxxxxxxxxx
==== Issuer Serial: 9E2A9BFB723DC4D7
==== Certificate:
==== Subject Name: xxxxxxxxxxxx
==== Issuer Name: xxxxxxxxxxxx
==== Issuer Serial: 9E2A9BFB723DC4D7
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#_cd9f2da882db1145341bd06067816a00826eb28512"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: 
=== uri xpointer expr: #_cd9f2da882db1145341bd06067816a00826eb28512
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
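Regarding the two Signature nodes above and which one to hand to the verifier: an added example, not code from this thread or from xmlsec, written as a stdlib-only Python pre-check to run before xmlSecDSigCtxVerify. It applies the FAQ 3.2 duplicate-ID rule to the whole document rather than only the root, then accepts just the Signature that is a direct child of the root and whose single Reference URI is the root's ID; the Response/Assertion element names and the ID values are constructed for the sample.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = "{%s}Signature" % DS_NS
REF_TAG = "{%s}Reference" % DS_NS

def collect_ids(root, id_attr="ID"):
    """Map each ID value to the elements carrying it (the FAQ 3.2 loop, whole tree)."""
    seen = {}
    for el in root.iter():
        value = el.get(id_attr)
        if value is not None:
            seen.setdefault(value, []).append(el)
    return seen

def reference_uris(sig):
    return [ref.get("URI") for ref in sig.iter(REF_TAG)]   # document order

def select_root_signature(root, id_attr="ID"):
    """Return the one Signature to hand to the verifier, or raise ValueError:
    duplicate ID values ('id=%s already defined', as in the FAQ code), several
    Signatures claiming the root, or one placed deeper in the tree are rejected."""
    root_id = root.get(id_attr)
    if root_id is None:
        raise ValueError("root element has no %s attribute" % id_attr)
    for value, elements in collect_ids(root, id_attr).items():
        if len(elements) > 1:
            raise ValueError("id=%s already defined" % value)
    # nested Signatures (e.g. an Assertion's own) are skipped unless they claim the root
    claims = [s for s in root.iter(SIG_TAG) if reference_uris(s) == ["#" + root_id]]
    if len(claims) != 1:
        raise ValueError("expected one Signature over #%s, found %d" % (root_id, len(claims)))
    if claims[0] not in list(root):
        raise ValueError("Signature over the root is not a direct child of the root")
    return claims[0]

# constructed sample: one Signature over the root, one nested inside an Assertion
SAMPLE = ('<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_root">'
          '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_root"/></ds:SignedInfo></ds:Signature>'
          '<Assertion ID="_a1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
          '</ds:SignedInfo></ds:Signature></Assertion></Response>')

def check(xml_text):
    """'OK <uri>' for the Signature to verify, or 'REJECT <reason>'."""
    try:
        return "OK " + reference_uris(select_root_signature(ET.fromstring(xml_text)))[0]
    except ValueError as exc:
        return "REJECT " + str(exc)
```

The cryptographic check itself still belongs to xmlsec; this only decides which node is handed to it and refuses documents where the ID lookup would be ambiguous.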
