lsh123 / xmlsec

XML Security Library

Ubuntu 23.03 xmlsec1's fails to sign (worked on 22.04) (vanilla 1.3.1 has same problem) #708

Closed polesapart closed 8 months ago

polesapart commented 8 months ago

When running:

xmlsec1 --sign --output "signed/12853990.xml" --pwd 0000 --privkey-pem /x/p.pem,x/cert.pem --id-attr:id nfse "12853990.xml"

I get the following error:

func=xmlSecOpenSSLEvpSignatureExecute:file=evp_signatures.c:line=546:obj=rsa-sha1:subj=EVP_PKEY_size:error=4:crypto library function failed:openssl error: error:00000000:lib(0)::reason(0)
func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1934:obj=rsa-sha1:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:final=1
func=xmlSecTransformIOBufferClose:file=transforms.c:line=2563:obj=rsa-sha1:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed: 
func=xmlSecTransformC14NPushXml:file=c14n.c:line=243:obj=c14n:subj=xmlOutputBufferClose:error=5:libxml2 library function failed:xml error: 0: NULL
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1052:obj=c14n:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=561:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxSign:file=xmldsig.c:line=296:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed: 
Error: signature failed

The xmlsec version:

xmlsec1 1.2.37 (openssl)

It used to work on older xmlsec (1.2.27 IIRC)

BTW, I compiled both 1.2.38 and 1.3.1 from source, using the same openssl libs on Ubuntu (3.0.8-1ubuntu1.2), to no avail.

The example file content is below:

<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?><nfse id="nota"><identificador>redacted</identificador><nf><valor_total>48,67</valor_total><valor_desconto>0,00</valor_desconto><valor_ir>0,00</valor_ir><valor_contribuicao_social>0,00</valor_contribuicao_social><valor_rps>0,00</valor_rps><valor_pis>0,00</valor_pis><valor_cofins>0,00</valor_cofins><observacao/></nf><prestador><cpfcnpj>39782877000117</cpfcnpj><cidade>8291</cidade></prestador><tomador><tipo>F</tipo><cpfcnpj>redacted</cpfcnpj><ie/><nome_razao_social>Fulano</nome_razao_social><sobrenome_nome_fantasia/><logradouro>Rs 239</logradouro><email>fulano@yahoo.com.bX</email><numero_residencia>13225</numero_residencia><complemento/><ponto_referencia/><bairro>Alto Rolante</bairro><cidade>7353</cidade><cep>95695000</cep><ddd_fone_comercial>51</ddd_fone_comercial><fone_comercial>redacted</fone_comercial><ddd_fone_residencial/><fone_residencial/></tomador><itens><lista><codigo_local_prestacao_servico>8291</codigo_local_prestacao_servico><codigo_item_lista_servico>802</codigo_item_lista_servico><descritivo>Example</descritivo><aliquota_item_lista_servico>2,00</aliquota_item_lista_servico><situacao_tributaria>0</situacao_tributaria><valor_tributavel>48,67</valor_tributavel><valor_deducao>0,00</valor_deducao><valor_issrf>0,00</valor_issrf><tributa_municipio_prestador>S</tributa_municipio_prestador><unidade_codigo/><unidade_quantidade/><unidade_valor_unitario/></lista></itens>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#nota">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
                    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                        <ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue/>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                </ds:X509Certificate>
            </ds:X509Data>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus>
                    </ds:Modulus>
                    <ds:Exponent/>
                </ds:RSAKeyValue>
            </ds:KeyValue>
        </ds:KeyInfo>
    </ds:Signature>
</nfse>
lsh123 commented 8 months ago

I think you will find that older xmlsec libraries likely don't work on Ubuntu 23.03 either. Let me take a look; it seems like Ubuntu patched openssl in some interesting way to break things.

lsh123 commented 8 months ago

The root cause of the problem is that recent Ubuntu versions removed access to the "raw" OpenSSL key. So you will need to remove <ds:KeyValue> and switch to using pkcs12 files instead, so you can include the certificate in the output. For xmlsec 1.3.0 or greater you will also need to add the --lax-key-search option:

$ xmlsec1  --sign  --output /tmp/test.out  --pkcs12 tests/keys/largersakey.p12 --pwd secret123   --id-attr:id nfse --lax-key-search ./test.xml 
Signature status: OK
$ cat ./test.xml 
<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?><nfse id="nota"><identificador>redacted</identificador><nf><valor_total>48,67</valor_total><valor_desconto>0,00</valor_desconto><valor_ir>0,00</valor_ir><valor_contribuicao_social>0,00</valor_contribuicao_social><valor_rps>0,00</valor_rps><valor_pis>0,00</valor_pis><valor_cofins>0,00</valor_cofins><observacao/></nf><prestador><cpfcnpj>39782877000117</cpfcnpj><cidade>8291</cidade></prestador><tomador><tipo>F</tipo><cpfcnpj>redacted</cpfcnpj><ie/><nome_razao_social>Fulano</nome_razao_social><sobrenome_nome_fantasia/><logradouro>Rs 239</logradouro><email>fulano@yahoo.com.bX</email><numero_residencia>13225</numero_residencia><complemento/><ponto_referencia/><bairro>Alto Rolante</bairro><cidade>7353</cidade><cep>95695000</cep><ddd_fone_comercial>51</ddd_fone_comercial><fone_comercial>redacted</fone_comercial><ddd_fone_residencial/><fone_residencial/></tomador><itens><lista><codigo_local_prestacao_servico>8291</codigo_local_prestacao_servico><codigo_item_lista_servico>802</codigo_item_lista_servico><descritivo>Example</descritivo><aliquota_item_lista_servico>2,00</aliquota_item_lista_servico><situacao_tributaria>0</situacao_tributaria><valor_tributavel>48,67</valor_tributavel><valor_deducao>0,00</valor_deducao><valor_issrf>0,00</valor_issrf><tributa_municipio_prestador>S</tributa_municipio_prestador><unidade_codigo/><unidade_quantidade/><unidade_valor_unitario/></lista></itens>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#nota">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
                    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                        <ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue/>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
</nfse>
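As an added example (not code from the issue or from the xmlsec project), the Python helper below applies the template change described above before xmlsec1 is invoked: it drops ds:KeyValue, keeps an X509Certificate placeholder for --pkcs12 to fill in, and verifies that every same-document Reference URI resolves to an element carrying the id attribute. The function name and the cut-down template are constructed for this example.

```python
"""Prepare an xmlsec1 template for the --pkcs12 workflow (constructed example)."""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS_NS}
ET.register_namespace("ds", DS_NS)  # keep the ds: prefix on output

# Constructed, cut-down version of the template posted in the issue.
TEMPLATE = b"""<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<nfse id="nota"><identificador>redacted</identificador>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#nota">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue/>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate/></ds:X509Data>
<ds:KeyValue><ds:RSAKeyValue><ds:Modulus/><ds:Exponent/></ds:RSAKeyValue></ds:KeyValue>
</ds:KeyInfo></ds:Signature></nfse>"""


def prepare_template(xml_bytes: bytes, id_attr: str = "id") -> bytes:
    """Return the template rewritten so only X509Data remains in KeyInfo."""
    root = ET.fromstring(xml_bytes)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("no ds:Signature template found")
    key_info = sig.find("ds:KeyInfo", NS)
    if key_info is None:
        raise ValueError("template has no ds:KeyInfo")
    # Filling <ds:KeyValue> needs the raw RSA key, which is exactly what fails.
    for kv in key_info.findall("ds:KeyValue", NS):
        key_info.remove(kv)
    # Keep a certificate placeholder so --pkcs12 can embed the cert instead.
    if key_info.find("ds:X509Data/ds:X509Certificate", NS) is None:
        x509 = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate")
    # Every "#..." Reference must match an element carrying the id attribute
    # (the same attribute passed via --id-attr:id), or signing cannot locate it.
    ids = {el.get(id_attr) for el in root.iter() if el.get(id_attr)}
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] not in ids:
            raise ValueError(f"Reference {uri} matches no {id_attr!r} attribute")
    return ET.tostring(root, encoding="ISO-8859-1", xml_declaration=True)
```

The returned bytes can be written to the file passed to xmlsec1 together with --pkcs12, --pwd, --id-attr:id nfse and, on 1.3.0 or later, --lax-key-search.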
lsh123 commented 8 months ago

Closing, please re-open if you still have problems