Closed Thomas-Barbier-1A closed 3 years ago
Probably API changes in OpenSSL 3.0.0 --- need to look and fix whatever they broke. I didn't try to compile against it yet; I usually wait for a stable release, however I love patches :)
Does the above command pass with an absolute name?
If I remember well, openssl master (future 3.0) switched utilities to use the STORE2 API for loads. Unfortunately the stable release supports only absolute paths. Dunno for master. This is the reason to ask to test with an absolute name.
I just tried with absolute path instead of relative path and I have the same error
```
xmlsec1 \
sign \
--crypto openssl \
--crypto-config /tmp/xmlsec-crypto-config \
--pkcs12:key2 ${PWD}/tests/keys/rsakey.p12 \
--pwd secret123 \
--url-map:http://www.w3.org/TR/xml-stylesheet \
${PWD}/tests/external-data/xml-stylesheet-2018 \
--output ${PWD}/testDSig.sh.20210108_164235-39076.tmp \
${PWD}/tests/aleksey-xmldsig-01/signature-two-keynames.tmpl
```
I also checked the commands run by the Unit Tests and they seem to all use absolute path as well.
Hello,

The error comes from the fact that OpenSSL v3 comes with the concept of "providers". In fact, old deprecated algorithms have been transferred into a module that is loaded at runtime. This module is called the "legacy" provider.
In this test case, rsakey.p12 uses RC2-40-CBC, which is no longer provided by default. So make sure your OpenSSL v3 configuration files enable the legacy provider. As mentioned at https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers, this can be done with the following openssl.cnf file:
```
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```
With this configured, the whole xmlsec test suite works. Regards
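A way to audit an openssl.cnf for the provider setup described in the comment above. This is an added example, not code from the thread, xmlsec or OpenSSL; the function names are hypothetical, the parser handles only the syntax subset shown above, and it assumes that only `activate = 1` (the form used in the thread) counts as enabled.

```python
# Added example, not from the thread: which providers does an openssl.cnf activate?
import re

def parse_cnf(text):
    """Parse the openssl.cnf subset shown above into {section: {key: value}}."""
    sections, current = {"": {}}, ""          # "" holds keys before any [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def activated_providers(text):
    """Follow openssl_conf -> providers -> per-provider section -> activate."""
    cnf = parse_cnf(text)
    def section(name):
        return cnf.get(name, {}) if name else {}
    init = section(cnf[""].get("openssl_conf"))
    providers = section(init.get("providers"))
    # Assumption: only "activate = 1", the form used in the thread, counts as on.
    return {name for name, sect in providers.items()
            if section(sect).get("activate") == "1"}

def check(text):
    """Return a list of problems for loading RC2-40-CBC PKCS#12 files."""
    active, problems = activated_providers(text), []
    if "legacy" not in active:
        problems.append("legacy provider inactive: RC2-40-CBC is unavailable")
    # With no provider activated, OpenSSL falls back to default on its own.
    if active and "default" not in active:
        problems.append("default provider inactive: not auto-loaded once "
                        "another provider is activated")
    return problems

# Constructed inputs: the file from the comment above, and a variant whose
# legacy_sect has its activate line commented out.
HEAD = ("openssl_conf = openssl_init\n[openssl_init]\nproviders = provider_sect\n"
        "[provider_sect]\ndefault = default_sect\nlegacy = legacy_sect\n"
        "[default_sect]\nactivate = 1\n")
FROM_THREAD = HEAD + "[legacy_sect]\nactivate = 1\n"
LEGACY_OFF = HEAD + "[legacy_sect]\n# activate = 1\n"

if __name__ == "__main__":
    for label, cnf in (("from thread", FROM_THREAD), ("legacy off", LEGACY_OFF)):
        print(label, "->", check(cnf) or "ok")
```

The second check covers the case where legacy is switched on but `default_sect` is left without `activate = 1`, which makes the default provider's algorithms unavailable as well.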
Thank you for the detailed explanation!
Hello,
I am trying to compile xmlsec 1.2.31 with openssl 3.0.0 alpha10 and I have openssl-related tests failing:
```
Makefile:1184: recipe for target 'check-crypto-openssl' failed
```
It seems that all openssl tests fail at "Create new signature" or "Verify existing signature".
Here is an example of an error during a unit test:
```
/remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/apps/xmlsec1 sign --crypto openssl --crypto-config /tmp/xmlsec-crypto-config --pkcs12:key2 /remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/keys/rsakey.p12 --pwd secret123 --url-map:http://www.w3.org/TR/xml-stylesheet /remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/external-data/xml-stylesheet-2018 --output /tmp/testDSig.sh.20210108_164235-39076.tmp /remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/aleksey-xmldsig-01/signature-two-keynames.tmpl
func=xmlSecOpenSSLEvpKeyAdopt:file=evp.c:line=351:obj=unknown:subj=pKey != NULL:error=100:assertion:
func=xmlSecOpenSSLAppPkcs12LoadBIO:file=app.c:line=639:obj=unknown:subj=xmlSecOpenSSLEvpKeyAdopt:error=1:xmlsec library function failed:
func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=314:obj=unknown:subj=xmlSecOpenSSLAppPkcs12LoadBIO:error=1:xmlsec library function failed:
func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=175:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/keys/rsakey.p12
Error: xmlSecCryptoAppKeyLoad failed: filename=/remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/keys/rsakey.p12
Error: failed to load pkcs12 key from "/remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/keys/rsakey.p12".
Error: keys manager creation failed
```
It is unclear to me if the command generated by the test is bogus or if it is an internal error due to OpenSSL API changes
Here is a reproducer (simplified command taken from unit tests):
```
tar -xzvf reproducer.tar.gz
xmlsec1 \
sign \
--crypto openssl \
--crypto-config /tmp/xmlsec-crypto-config \
--pkcs12:key2 ./tests/keys/rsakey.p12 \
--pwd secret123 \
--url-map:http://www.w3.org/TR/xml-stylesheet \
./tests/external-data/xml-stylesheet-2018 \
--output ./testDSig.sh.20210108_164235-39076.tmp \
./tests/aleksey-xmldsig-01/signature-two-keynames.tmpl

func=xmlSecOpenSSLEvpKeyAdopt:file=evp.c:line=351:obj=unknown:subj=pKey != NULL:error=100:assertion:
func=xmlSecOpenSSLAppPkcs12LoadBIO:file=app.c:line=639:obj=unknown:subj=xmlSecOpenSSLEvpKeyAdopt:error=1:xmlsec library function failed:
func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=314:obj=unknown:subj=xmlSecOpenSSLAppPkcs12LoadBIO:error=1:xmlsec library function failed:
func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=175:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=./tests/keys/rsakey.p12 [] []
Error: xmlSecCryptoAppKeyLoad failed: filename=./tests/keys/rsakey.p12
Error: failed to load pkcs12 key from "./tests/keys/rsakey.p12".
Error: keys manager creation failed
Unknown command
Usage: xmlsec
```
Do you have any hint of what the issue could be?
Cheers
Thomas

reproducer.tar.gz