Hm... The only idea I have is that you compile with different flags or link against a different version of the xmlsec library. It looks like dsigCtx->status points to a different place in memory.
Aleksey

On 5/13/16 2:16 AM, [email protected] wrote:
> Hello Aleksey & thank you for the reply.
> I cannot see an obvious error in the dump.
> Can you point it out if present?
>
> Also, if indeed a digest is incorrect, would you expect the status to
> be invalid? (rather than a garbage value)
>
> Attached is the dump.
>
> Also some code that I added as a result of ID related errors of FAQ 3.2.
> This is the main difference to one of your verify examples.
> Without this code, I get lots of errors.
>
> With it, the verification runs through, but with the contradictory result
> in status.
>
> Appreciate your input.
> Thank you.
>
> On Friday, 13 May 2016, 2:56:22, Aleksey Sanin <[email protected]> wrote:
>
> Look through the whole dump. One of the digests is likely invalid.
>
> Aleksey
>
> On 5/12/16 2:37 PM, [email protected] <mailto:[email protected]>
> wrote:
>>
>> Hello
>>
>> Any thoughts on how the following can happen would be much appreciated.
>>
>> Have some code like this which is preceded by creating a verify context
>> etc. etc., just like the examples:
>>
>> ...
>> ...
>> /* print verification result to stdout */
>> if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>>     fprintf(stdout, "RESULT: Signature is OK %d\n", dsigCtx->status);
>> } else {
>>     fprintf(stdout, "RESULT: Signature is INVALID %d\n", dsigCtx->status);
>> }
>> fprintf(stdout, "---------------------------------------------------\n");
>>
>> xmlSecDSigCtxDebugDump(dsigCtx, stdout);
>> ...
>> ...
>>
>> And get the following output:
>>
>> RESULT: Signature is INVALID 7219120
>> ---------------------------------------------------
>> = VERIFICATION CONTEXT
>> == Status: succeeded
>> == flags: 0x0000000e
>> == flags2: 0x00000000
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0x00000002
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Signature Method:
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> == Signature Key:
>> == KEY
>> === method: RSAKeyValue
>> === key type: Public
>> === key usage: -1
>> === key not valid before: 1458586152
>> === key not valid after: 1774118952
>> === rsa key: size = 2048
>> === list size: 1
>> === X509 Data:
>> ==== Key Certificate:
>> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Certificate:
>> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> == SignedInfo References List:
>> === list size: 1
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#_c4e9522ba1289864766f54df6a04eae5b77fd7c70d"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #_c4e9522ba1289864766f54df6a04eae5b77fd7c70d
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> ....
>> ....
>>
>> ....
>>
>> Any ideas how this could happen?
>>
>> The dump prints the status as being successful.
>> This is as per the setting of dsigCtx->status in the
>> xmlSecDSigCtxDebugDump() function in xmldsig.c.
>>
>> But how is it printing some garbage value beforehand? (7219120)
>> Why is it not initialized or set to unknown/invalid?
>>
>> Would appreciate any insight. No other logs/errors from xmlsec are
>> evident.
>>
>> Are there any other logs I could refer to?
>> Would appreciate any thoughts.
>>
>> _______________________________________________
>> xmlsec mailing list
>> [email protected] <mailto:[email protected]>
>> http://www.aleksey.com/mailman/listinfo/xmlsec
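An added illustration of the explanation in the reply above; this is constructed example code, not code from the thread or from xmlsec. It models a context struct that the library was built with under one set of flags and the application reads through a header with a different layout, so the application sees a stray pointer's bytes where it expects xmlSecDSigStatusSucceeded (value 1 in xmlsec's enum). The struct, field and function names are hypothetical; `lib_check_abi()` is modelled on xmlsec's real `xmlSecCheckVersion()` startup check, extended with a context-size comparison that also catches flag-induced layout changes.

```c
#include <stddef.h>
#include <string.h>

/* Status values as xmlsec's xmlSecDSigStatus enum numbers them. */
enum { DSIG_STATUS_UNKNOWN = 0, DSIG_STATUS_SUCCEEDED = 1, DSIG_STATUS_INVALID = 2 };
#define LIB_ABI_VERSION 2   /* constructed: version the "library" was built as */

/* Layout the library was built with: a hypothetical build flag adds a pointer
 * field ahead of status, pushing status to a later offset. */
struct lib_dsig_ctx {
    unsigned int flags, flags2;
    void *debug_hook;        /* present only in the library's build */
    int status;
};
/* Layout described by the headers the application was compiled against. */
struct app_dsig_ctx {
    unsigned int flags, flags2;
    int status;              /* sits at the offset where the library keeps debug_hook */
};
static void *hook_table[4];          /* constructed target for debug_hook */
static struct lib_dsig_ctx storage;  /* context memory owned by the library */

/* Library side: records a successful verification using its own layout. */
static void lib_verify(struct lib_dsig_ctx *c) {
    c->flags = 0x0e; c->flags2 = 0;
    c->debug_hook = hook_table;
    c->status = DSIG_STATUS_SUCCEEDED;
}
/* Application side: reads status at the offset its own header gives, so it gets
 * bytes of an aligned pointer (never 1 or 2) rather than the verdict. */
static int app_read_status(const void *ctx) {
    int s;
    memcpy(&s, (const char *)ctx + offsetof(struct app_dsig_ctx, status), sizeof s);
    return s;
}
/* Handshake modelled on xmlSecCheckVersion(): the caller passes the version and
 * context size its headers describe; the size check also catches flag-induced
 * layout changes, which a version number alone does not. */
static int lib_check_abi(int app_version, size_t app_ctx_size) {
    return app_version == LIB_ABI_VERSION && app_ctx_size == sizeof(struct lib_dsig_ctx);
}
/* Unchecked flow: the symptom from the thread. */
static int app_verify_unchecked(void) {
    lib_verify(&storage);
    return app_read_status(&storage);
}
/* Checked flow: refuses (-1) before any status value is trusted. */
static int app_verify(void) {
    if (!lib_check_abi(LIB_ABI_VERSION, sizeof(struct app_dsig_ctx))) return -1;
    lib_verify(&storage);
    return app_read_status(&storage);
}
```

In a real build the equivalent of the size check is compiling the application with the same `pkg-config --cflags xmlsec1` flags the installed library was built with, so that both sides agree on the layout before `dsigCtx->status` is compared to anything.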
