Yes, looks like it. Plus value 7219120 is very weird and not expected for status. This is why I think there is a problem with either compilation flags or library version.
Aleksey

On 5/13/16 1:44 PM, [email protected] wrote:
> It is very strange.
> I did a new build and the run time is using exact same version.
>
> It is latest .22 version.
> Same result.
> Will try debug further.
>
> BTW, was the dump produced actually a valid verify ( verify ok )?
>
> On Fri, 13 May, 2016 at 16:56, Aleksey Sanin <[email protected]> wrote:
>
> Hm... The only idea I have is that you compile with different
> flags or link against a different version of xmlsec library.
> It looks like dsigCtx->status points to a different place in
> memory.
>
> Aleksey
>
> On 5/13/16 2:16 AM, [email protected] wrote:
> > Hello Aleksey & thank you for reply.
> > I cannot see obvious error in the dump.
> > Can you point it out if present?
> >
> > Also if indeed a digest is incorrect, would you expect the status to
> > be invalid? (rather than garbage value)
> >
> > Attached is the dump.
> >
> > Also some code that I added as a result of ID related errors of faq 3.2
> > This is main difference to one of your verify examples
> > Without this code, I get lots of errors.
> >
> > With it, the verification runs thru, but with the contradictory result
> > in status.
> >
> > Appreciate your input.
> > Thank you.
> >
> > On Friday, 13 May 2016, 2:56:22, Aleksey Sanin <[email protected]> wrote:
> >
> > Look through the whole dump. One of the digests is likely invalid.
> >
> > Aleksey
> >
> > On 5/12/16 2:37 PM, [email protected] wrote:
> >>
> >> Hello
> >>
> >> Any thoughts on how the following can happen would be much appreciated.
> >>
> >> Have some code like this which is preceded by creating a verify context
> >> etc etc just like examples:
> >>
> >> ...
> >> ...
> >> /* print verification result to stdout */
> >> if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
> >>     fprintf(stdout, "RESULT: Signature is OK %d\n",
> >>             dsigCtx->status);
> >> } else {
> >>     fprintf(stdout, "RESULT: Signature is INVALID %d\n",
> >>             dsigCtx->status);
> >> }
> >> fprintf(stdout,
> >>         "---------------------------------------------------\n");
> >>
> >> xmlSecDSigCtxDebugDump(dsigCtx, stdout);
> >> ...
> >> ...
> >>
> >> And get the following output:
> >>
> >> RESULT: Signature is INVALID 7219120
> >> ---------------------------------------------------
> >> = VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == flags: 0x0000000e
> >> == flags2: 0x00000000
> >> == Key Info Read Ctx:
> >> = KEY INFO READ CONTEXT
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled key data: all
> >> == RetrievalMethod level (cur/max): 0/1
> >> == TRANSFORMS CTX (status=0)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> == EncryptedKey level (cur/max): 0/1
> >> === KeyReq:
> >> ==== keyId: rsa
> >> ==== keyType: 0x00000001
> >> ==== keyUsage: 0x00000002
> >> ==== keyBitsSize: 0
> >> === list size: 0
> >> == Key Info Write Ctx:
> >> = KEY INFO WRITE CONTEXT
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled key data: all
> >> == RetrievalMethod level (cur/max): 0/1
> >> == TRANSFORMS CTX (status=0)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> == EncryptedKey level (cur/max): 0/1
> >> === KeyReq:
> >> ==== keyId: NULL
> >> ==== keyType: 0x00000001
> >> ==== keyUsage: 0xffffffff
> >> ==== keyBitsSize: 0
> >> === list size: 0
> >> == Signature Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> >> === Transform: membuf-transform (href=NULL)
> >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Signature Method:
> >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> >> == Signature Key:
> >> == KEY
> >> === method: RSAKeyValue
> >> === key type: Public
> >> === key usage: -1
> >> === key not valid before: 1458586152
> >> === key not valid after: 1774118952
> >> === rsa key: size = 2048
> >> === list size: 1
> >> === X509 Data:
> >> ==== Key Certificate:
> >> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Certificate:
> >> ==== Subject Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Issuer Name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> ==== Issuer Serial: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> == SignedInfo References List:
> >> === list size: 1
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#_c4e9522ba1289864766f54df6a04eae5b77fd7c70d"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri:
> >> === uri xpointer expr: #_c4e9522ba1289864766f54df6a04eae5b77fd7c70d
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> >> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> >> === Transform: membuf-transform (href=NULL)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> == PreDigest data - start buffer:
> >> ....
> >> ....
> >>
> >> ....
> >>
> >> Any ideas how this could happen?
> >>
> >> The dump prints the status as being successful.
> >> This as per the setting of the dsigCtx->status in
> >> xmlSecDSigCtxDebugDump() function in xmldsig.c
> >>
> >> But how is it printing some garbage value before hand? (7219120)
> >> Why is it not initialized or set to unknown/invalid.
> >>
> >> Would appreciate any insight? No other logs/errors from the xmlsec are
> >> evident.
> >>
> >> Are there any other logs I could refer to?
> >> Would appreciate any thoughts.
> >>
> >> _______________________________________________
> >> xmlsec mailing list
> >> [email protected]
> >> http://www.aleksey.com/mailman/listinfo/xmlsec

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
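
The failure mode suggested in the thread (application and library compiled with different flags, so `status` is read from a different place in memory), as an added example that is not code from the thread or from xmlsec. The structs, the `ENABLE_EXTRA` flag and all `demo_`/`lib_`/`app_` names are hypothetical simplifications, not xmlsec's real `xmlSecDSigCtx` layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified structs: not xmlsec's real xmlSecDSigCtx. */
enum demo_status { DEMO_UNKNOWN = 0, DEMO_SUCCEEDED = 1, DEMO_INVALID = 2 };

/* Layout the "library" was built with (hypothetical ENABLE_EXTRA on). */
struct lib_ctx {
    void *user_data;
    unsigned int flags;
    unsigned char extra[16];  /* exists only with ENABLE_EXTRA */
    int status;
};

/* Layout the application's headers describe (ENABLE_EXTRA off). */
struct app_ctx {
    void *user_data;
    unsigned int flags;
    int status;
};

/* Library side: records the result using its own layout. */
static void lib_verify(struct lib_ctx *c) {
    memset(c->extra, 0x6e, sizeof c->extra);  /* unrelated internal state */
    c->status = DEMO_SUCCEEDED;
}

/* Library side: what a debug dump inside the library would report. */
static int lib_dump_status(const struct lib_ctx *c) { return c->status; }

/* Application side: reads status at the offset its headers claim. */
static int app_read_status(const void *ctx) {
    int s;
    memcpy(&s, (const unsigned char *)ctx + offsetof(struct app_ctx, status), sizeof s);
    return s;
}

/* Fail-closed handshake: caller reports the layout it was compiled with. */
static int demo_check_abi(size_t size, size_t status_off) {
    return size == sizeof(struct lib_ctx) && status_off == offsetof(struct lib_ctx, status);
}

int main(void) {
    struct lib_ctx ctx = {0};
    lib_verify(&ctx);
    printf("library view: %d, application view: %d\n", lib_dump_status(&ctx), app_read_status(&ctx));
    printf("ABI check: %s\n", demo_check_abi(sizeof(struct app_ctx), offsetof(struct app_ctx, status)) ? "ok" : "MISMATCH");
    return 0;
}
```

The library-side dump reports success while the application reads unrelated bytes, and because the application treats anything other than "succeeded" as invalid, a valid signature is rejected here rather than an invalid one accepted. xmlsec's own examples call `xmlSecCheckVersion()` after `xmlSecInit()`, which compares the header version with the loaded library's version.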
