
[Regression] Encrypting against multiple x.509 fails since 1.2.35 #437

Closed
hendrikdonner opened this issue Nov 22, 2022 · 5 comments

@hendrikdonner (Contributor)

Hello,

encrypting against multiple x.509 fails now. It looks like only the first x.509 gets serialized into the output XML.

Should be reproducible like this:

xmlsec1 --encrypt --xml-data data.xml --output enc_two_cert.xml --pubkey-cert-pem:1 example.com.pem --pubkey-cert-pem:2 example2.com.pem --session-key aes-256 enc_two_cert_tmpl.xml

Template:

<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"> </EncryptionMethod>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <KeyName>1</KeyName>
        <X509Data>
          <X509Certificate/>
        </X509Data>
      </KeyInfo>
      <CipherData>
        <CipherValue/>
      </CipherData>
    </EncryptedKey>
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"> </EncryptionMethod>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <KeyName>2</KeyName>
        <X509Data>
          <X509Certificate/>
        </X509Data>
      </KeyInfo>
      <CipherData>
        <CipherValue/>
      </CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData>
    <CipherValue/>
  </CipherData>
</EncryptedData>

With whatever RSA keys and XML data. I just generate key material with something like openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout example.com.key -days 730 -out example.com.pem.

As far as I can tell https://github.com/lsh123/xmlsec/blob/master/src/keysdata.c#L2020 this check fails for the second x.509 and therefore the x.509 does not get written out. Looks like it is not set to xmlSecKeyDataTypePublic. I'm using the OpenSSL backend.

Relevant snippet from the result:

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <KeyName>1</KeyName>
  <X509Data>
    <X509Certificate>MIIFlzCCA3+gAwIBAgIUAxTdQcNx/fjzoRhcrPWVpnAF0Z0wDQYJKoZIhvcNAQEL...

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <KeyName>2</KeyName>
  <X509Data>
    <X509Certificate/>
  </X509Data>

Works as expected in 1.2.34 and older.
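As an added example (not code from the xmlsec project or from the reporter), here is a stdlib-only Python check a practitioner can run over the file produced by the xmlsec1 command above to catch exactly this failure: every EncryptedKey must carry a non-empty X509Certificate that decodes to base64 DER and a non-empty CipherValue. The embedded sample document is constructed to mirror the reported result (key 2 with an empty certificate); the certificate and cipher bytes in it are placeholders, not real key material.

```python
"""Verify that an XML Encryption document carries a certificate and a wrapped
session key for every EncryptedKey.  Added example, not xmlsec project code;
the sample below is constructed to look like the output reported in the issue."""
import base64
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"
XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ENC = "{%s}" % XMLENC_NS
DS = "{%s}" % XMLDSIG_NS

# Constructed placeholders: a DER-looking blob (starts with a SEQUENCE tag 0x30)
# standing in for a certificate, and an opaque blob standing in for the wrapped key.
FAKE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 32).decode()
FAKE_WRAPPED_KEY = base64.b64encode(b"\x11" * 256).decode()

# Constructed sample modelled on the result snippet from the report:
# key 1 is complete, key 2 has an empty <X509Certificate/>.
SAMPLE_OUTPUT = f"""<EncryptedData xmlns="{XMLENC_NS}" Type="{XMLENC_NS}Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
  <KeyInfo xmlns="{XMLDSIG_NS}">
    <EncryptedKey xmlns="{XMLENC_NS}">
      <EncryptionMethod Algorithm="{XMLENC_NS}rsa-1_5"/>
      <KeyInfo xmlns="{XMLDSIG_NS}"><KeyName>1</KeyName>
        <X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo>
      <CipherData><CipherValue>{FAKE_WRAPPED_KEY}</CipherValue></CipherData>
    </EncryptedKey>
    <EncryptedKey xmlns="{XMLENC_NS}">
      <EncryptionMethod Algorithm="{XMLENC_NS}rsa-1_5"/>
      <KeyInfo xmlns="{XMLDSIG_NS}"><KeyName>2</KeyName>
        <X509Data><X509Certificate/></X509Data></KeyInfo>
      <CipherData><CipherValue>{FAKE_WRAPPED_KEY}</CipherValue></CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData><CipherValue>{FAKE_WRAPPED_KEY}</CipherValue></CipherData>
</EncryptedData>"""


def _looks_like_der(b64text):
    """True if the text is non-empty, valid base64 and decodes to bytes that
    begin with a DER SEQUENCE tag (what a DER certificate starts with)."""
    if not b64text or not b64text.strip():
        return False
    try:
        raw = base64.b64decode(b64text.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 2 and raw[0] == 0x30


def check_encrypted_keys(xml_text):
    """Map each EncryptedKey's KeyName to a list of problems found in it.
    An empty list means that recipient entry is complete."""
    root = ET.fromstring(xml_text)
    report = {}
    for idx, ek in enumerate(root.iter(ENC + "EncryptedKey"), start=1):
        name_el = ek.find(f"{DS}KeyInfo/{DS}KeyName")
        name = name_el.text.strip() if name_el is not None and name_el.text else f"#{idx}"
        problems = []
        cert = ek.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
        if cert is None:
            problems.append("no X509Certificate element")
        elif not _looks_like_der(cert.text):
            problems.append("X509Certificate is empty or not base64 DER")
        cv = ek.find(f"{ENC}CipherData/{ENC}CipherValue")
        if cv is None or not cv.text or not cv.text.strip():
            problems.append("CipherValue is empty (session key not wrapped)")
        report[name] = problems
    return report


def incomplete_keys(xml_text):
    """Sorted KeyNames of EncryptedKey entries with at least one problem."""
    return sorted(k for k, v in check_encrypted_keys(xml_text).items() if v)


if __name__ == "__main__":
    # On a real run: check_encrypted_keys(open("enc_two_cert.xml").read())
    for key_name, problems in check_encrypted_keys(SAMPLE_OUTPUT).items():
        print(key_name, "OK" if not problems else "; ".join(problems))
```

The check only proves that each EncryptedKey was populated; it does not prove the session key was wrapped under the right recipient certificate. For that, decrypt the output once per private key (xmlsec1 --decrypt with each key) and confirm every recipient recovers the plaintext.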

@lsh123 (Owner)

lsh123 commented Nov 22, 2022

Thanks for the report! It's very possible that this changed. I will investigate, but probably after Thanksgiving.

lsh123 added a commit that referenced this issue Nov 23, 2022
@lsh123 (Owner)

lsh123 commented Nov 23, 2022

Thanks again for the bug report! The PR #438 contains a fix. It looks like it was working before "by mistake" because the enc context was not cleaned up. If you will be back-porting the change to 1.2.35, then you just need the changes in xmlenc.c (everything else is adding a test case, and it turned out to be larger than expected). I will include this fix in the next release.

@hendrikdonner (Contributor, Author)

FYI I can confirm the fix works for me. Thank you!

@lsh123 (Owner)

lsh123 commented Nov 23, 2022

Perfect, thank you for confirmation!

@lsh123 (Owner)

lsh123 commented Nov 28, 2022

The fix is included in the 1.2.37 release (#452).

ychartsdeployer pushed a commit to ycharts/xmlsec that referenced this issue Jun 12, 2024
ychartsdeployer pushed a commit to ycharts/xmlsec that referenced this issue Jun 13, 2024
ychartsdeployer pushed a commit to ycharts/xmlsec that referenced this issue Jul 9, 2024
ychartsdeployer pushed a commit to ycharts/xmlsec that referenced this issue Jul 9, 2024
ychartsdeployer pushed a commit to ycharts/xmlsec that referenced this issue Aug 19, 2024
ychartsdeployer pushed a commit to ycharts/xmlsec that referenced this issue Aug 20, 2024
ychartsdeployer pushed a commit to ycharts/xmlsec that referenced this issue Aug 21, 2024