Yes, I found in keyinfo.c (line 692) where to stop the process and return (see the following):

        tmpKey = xmlSecKeysMngrFindKey(keyInfoCtx->keysMngr, newName, keyInfoCtx);
        if(tmpKey != NULL) {

            XXXX

        } else if(keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_KEYNAME_STOP_ON_UNKNOWN) {
            xmlSecOtherError(XMLSEC_ERRORS_R_KEY_NOT_FOUND, xmlSecKeyDataKlassGetName(id), "Unknown key name");
            xmlFree(newName);
            return(-1);
        }


But then at some point I return from xmlSecKeyDataEncryptedKeyXmlRead() with a return value of 0, instead of -1, because the xmlSecEncCtxDecryptToBuffer(keyInfoCtx->encCtx, node) result is NULL at line 1354,

and I finally go back to function xmlSecKeysMngrGetKey(), where xmlSecKeyInfoNodeRead() returns 0 and without a valid key (which is expected), but there is no status saying that the key was not found due to the name. Then, as there is a key store set, we go for a new run in xmlSecKeysMngrFindKey(keyInfoCtx->keysMngr, NULL, keyInfoCtx) where, of course, we are going to find the key without a name.

Actually, in xmlSecKeysMngrGetKey(), when xmlSecKeyInfoNodeRead() is called and no key is found (in the key store), we search again for a key in the key store; isn't it doing the same job twice? And is there a way to return a status from xmlSecKeyInfoNodeRead(), saying that the key was not found due to the name, to avoid searching again?

Thanks,

Frank
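A small C model of the lookup flow under discussion, added here as an illustration and not taken from xmlsec: the StoreEntry/KeyStore types, the LookupStatus values, the STOP_ON_UNKNOWN_NAME flag and the function names are all assumptions, not xmlsec's API. It shows the design point raised above: when the KeyName read reports "not found by this name" as a distinct status, the manager can honour the stop-on-unknown flag and skip the nameless fallback search that would otherwise return the same key registered under another name.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flag, modelled after a "stop on unknown key name" option. */
#define STOP_ON_UNKNOWN_NAME 0x1u

/* Outcome of the KeyName read, reported back so the caller can decide
   whether a fallback search without a name is still allowed. */
typedef enum {
    KEY_FOUND = 0,
    KEY_NOT_FOUND_BY_NAME,   /* a name was given and no entry matched it */
    KEY_NO_NAME              /* KeyInfo carried no usable name at all */
} LookupStatus;

typedef struct {
    const char *name;
    const char *key_material;  /* constructed placeholder, not a real key */
} StoreEntry;

typedef struct {
    const StoreEntry *entries;
    size_t count;
    unsigned flags;
} KeyStore;

/* Search the store by name; a NULL name matches the first entry, which
   models the "any key will do" fallback lookup. */
static const StoreEntry *store_find(const KeyStore *ks, const char *name) {
    for (size_t i = 0; i < ks->count; i++) {
        if (name == NULL || strcmp(ks->entries[i].name, name) == 0)
            return &ks->entries[i];
    }
    return NULL;
}

/* Step 1: the KeyName read. Returns a status rather than only "no key". */
static LookupStatus keyinfo_read(const KeyStore *ks, const char *key_name,
                                 const StoreEntry **out) {
    *out = NULL;
    if (key_name == NULL)
        return KEY_NO_NAME;
    *out = store_find(ks, key_name);
    return (*out != NULL) ? KEY_FOUND : KEY_NOT_FOUND_BY_NAME;
}

/* Step 2: the manager-level lookup. The fallback search with a NULL name
   is skipped when a given name failed and the stop flag is set. */
const StoreEntry *keys_mngr_get_key(const KeyStore *ks, const char *key_name) {
    const StoreEntry *key;
    LookupStatus st = keyinfo_read(ks, key_name, &key);
    if (st == KEY_FOUND)
        return key;
    if (st == KEY_NOT_FOUND_BY_NAME && (ks->flags & STOP_ON_UNKNOWN_NAME))
        return NULL;              /* refuse to pick a key under another name */
    return store_find(ks, NULL);  /* fallback: any key in the store */
}

/* Constructed sample store: one key registered under the name "prod-key". */
static const StoreEntry SAMPLE_ENTRIES[] = {
    { "prod-key", "constructed-key-material" },
};

/* Returns 1 if a lookup for key_name under the given flags yields a key. */
int demo_lookup(unsigned flags, const char *key_name) {
    KeyStore ks = { SAMPLE_ENTRIES, 1, flags };
    return keys_mngr_get_key(&ks, key_name) != NULL;
}

int main(void) {
    printf("flag set, wrong name:   %d\n", demo_lookup(STOP_ON_UNKNOWN_NAME, "other-name")); /* 0 */
    printf("flag clear, wrong name: %d\n", demo_lookup(0, "other-name"));                    /* 1 */
    printf("flag set, right name:   %d\n", demo_lookup(STOP_ON_UNKNOWN_NAME, "prod-key"));   /* 1 */
    printf("flag set, no name:      %d\n", demo_lookup(STOP_ON_UNKNOWN_NAME, NULL));         /* 1 */
    return 0;
}
```

The only case that changes with the flag is a KeyName that names a key the store does not know under that name: with the flag the lookup fails, without it the fallback silently returns whatever key the store holds. A KeyInfo with no name at all still falls through to the fallback, since the flag is about unknown names, not missing ones.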


On 19/06/2019 at 18:40, Aleksey Sanin wrote:
Doesn't look like it was implemented :)

https://github.com/lsh123/xmlsec/search?q=XMLSEC_KEYINFO_FLAGS_KEYNAME_STOP_ON_UNKNOWN

https://github.com/lsh123/xmlsec/commit/914f5ba36b26682b1857caecd63145c141f98663

Should be a simple change around here:

https://github.com/lsh123/xmlsec/blob/a181a96b5f73a4ac27be2fc51644326c2b89fe4d/src/keyinfo.c#L663




Aleksey

On 6/19/19 3:50 AM, Frank Gross wrote:
Hi,

Can someone tell me how the flag XMLSEC_KEYINFO_FLAGS_KEYNAME_STOP_ON_UNKNOWN is supposed to work?

I was expecting xmlSecEncCtxDecrypt() to fail when that flag is set, because the KeyName in my encrypted document is not available in the key store, but it actually found the key because I registered that same key under a different name.

Thanks,

Frank


--
Frank GROSS
Software Engineer - Web Services
Four J's Development Tools - http://www.4js.com
