[Regression] Encrypting against multiple x.509 fails since 1.2.35 #437
Comments
Thanks for the report! It's very possible that this changed. I will investigate, but probably after Thanksgiving.
Thanks again for the bug report! The PR #438 contains a fix. It looks like it was working before "by mistake" because the enc context was not cleaned up. If you will be back-porting the change to 1.2.35, then you just need the changes in xmlenc.c (everything else is adding a test case, and it turned out to be larger than expected). I will include this fix in the next release.
FYI, I can confirm the fix works for me. Thank you!
Perfect, thank you for the confirmation!
The fix is included in the 1.2.37 release (#452) |
Hello,
encrypting against multiple x.509 fails now. It looks like only the first x.509 gets serialized into the output XML.
Should be reproducible like this:
xmlsec1 --encrypt --xml-data data.xml --output enc_two_cert.xml --pubkey-cert-pem:1 example.com.pem --pubkey-cert-pem:2 example2.com.pem --session-key aes-256 enc_two_cert_tmpl.xml
Template:
With whatever RSA keys and XML data. I just generate key material with something like
openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout example.com.key -days 730 -out example.com.pem
As far as I can tell, the check at https://github.com/lsh123/xmlsec/blob/master/src/keysdata.c#L2020 fails for the second x.509, and therefore that x.509 does not get written out. It looks like its type is not set to xmlSecKeyDataTypePublic. I'm using the OpenSSL backend. Relevant snippet from the result:
Works as expected in 1.2.34 and older.
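A self-contained way to exercise the reporter's procedure and check the outcome, as an added example that is neither the reporter's script nor part of the xmlsec project: it generates two self-signed certificates, encrypts against both with the same xmlsec1 options as above, and counts how many X509Certificate elements reach the output (two when both certificates are serialized, one when the regression is present). The encryption template, the KeyName values 1 and 2 (matching the --pubkey-cert-pem:1 / :2 key names), the element-counting check and the sample data are assumptions, since the reporter's template and output snippet are not on the page.

```shell
#!/bin/sh
# Added example (not the reporter's or the project's script): reproduce the
# two-certificate encryption and check how many certificates were serialized.
set -eu

# Count X509Certificate elements (any namespace prefix) in an XML file and
# print the count. An output carrying both certificates yields 2.
count_x509_certs() {
  grep -Eo '<([A-Za-z0-9_.-]+:)?X509Certificate>' "$1" | wc -l | tr -d ' '
}

# Return 0 when the file holds exactly the expected number of certificates.
check_cert_count() {
  [ "$(count_x509_certs "$1")" -eq "$2" ]
}

# Write an xmlenc template with one EncryptedKey per key name.
# ASSUMPTION: constructed for this example; the reporter's template is not shown.
write_template() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <KeyName>1</KeyName>
        <X509Data/>
      </KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <KeyName>2</KeyName>
        <X509Data/>
      </KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData><CipherValue/></CipherData>
</EncryptedData>
EOF
}

# Generate two self-signed RSA certificates (constructed test material),
# encrypt sample data against both, and verify both ended up in the output.
# Needs openssl and xmlsec1 on PATH; only runs when RUN_REPRO=1 is set.
reproduce() {
  dir=$(mktemp -d)
  for n in 1 2; do
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -subj "/CN=example$n.test" \
      -keyout "$dir/example$n.key" -days 1 -out "$dir/example$n.pem" 2>/dev/null
  done
  printf '<Root><Secret>hello</Secret></Root>\n' > "$dir/data.xml"
  write_template "$dir/enc_two_cert_tmpl.xml"
  xmlsec1 --encrypt --xml-data "$dir/data.xml" --output "$dir/enc_two_cert.xml" \
    --pubkey-cert-pem:1 "$dir/example1.pem" --pubkey-cert-pem:2 "$dir/example2.pem" \
    --session-key aes-256 "$dir/enc_two_cert_tmpl.xml"
  if check_cert_count "$dir/enc_two_cert.xml" 2; then
    echo "ok: both certificates serialized into $dir/enc_two_cert.xml"
  else
    echo "regression: $(count_x509_certs "$dir/enc_two_cert.xml") certificate(s) in output"
    return 1
  fi
}

if [ "${RUN_REPRO:-0}" = 1 ]; then reproduce; fi
```

Run it as `RUN_REPRO=1 sh repro.sh` on a machine with openssl and xmlsec1; a build carrying the regression prints the "regression" line with a count of 1, a fixed build prints the "ok" line. The count check is a coarse text match, which is deliberate: it verifies the serialized output itself rather than trusting the exit status of xmlsec1, which was zero in the reporter's case.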