Xmlsec1 fails to sign with rsa-sha1

[FCarterV]

on a fresh install with updates of

OS - Rocky Linux release 9.3 (Blue Onyx)

I have: xmlsec1-1.2.29-9.el9.x86_64 xmlsec1-openssl-1.2.29-9.el9.x86_64 openssl-libs-3.0.7-25.el9_3.x86_64 openssl-3.0.7-25.el9_3.x86_64

when I execute xmlsig1, I get the following error:

$ xmlsec1 sign --output signed.xml --privkey-pem my_key.pem file2sign.xml

func=xmlSecTransformNodeRead:file=transforms.c:line=1314:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=http://www.w3.org/2000/09/xmldsig#rsa-sha1
func=xmlSecTransformCtxNodeRead:file=transforms.c:line=595:obj=SignatureMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=661:obj=SignatureMethod:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=497:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed: 
Error: signature failed 

file2sign.xml content:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [
<!ATTLIST Content ID ID #IMPLIED>
]>
<DOC version="1.0">
<Content ID="3201">
<Tmst>2010-09-28T10:23:48</Tmst>
</Content>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#3201">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<DigestValue/>
</Reference>
</SignedInfo>
<SignatureValue/>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus/>
<Exponent/>
</RSAKeyValue>
</KeyValue>
<X509Data/>
</KeyInfo>
</Signature>
</DOC>

Works OK with sha256 but I need to use sha1 with rsa or dsa

Is it possible to use sha1 with rsa ?

with Regards Fernando Carter

[petrovr]

На 11.05.24 г. в 1:07 ч., FCarterV написа:

on a fresh install with updates of

OS - Rocky Linux release 9.3 (Blue Onyx) Dunno about this OS.

I have: xmlsec1-1.2.29-9.el9.x86_64 xmlsec1-openssl-1.2.29-9.el9.x86_64 openssl-libs-3.0.7-25.el9_3.x86_64 openssl-3.0.7-25.el9_3.x86_64

I guess el9 like RHEL9.

when I execute xmlsig1, I get the following error:

$ xmlsec1 sign --output signed.xml --privkey-pem my_key.pem file2sign.xml

func=xmlSecTransformNodeRead:file=transforms.c:line=1314:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=http://www.w3.org/2000/09/xmldsig#rsa-sha1
func=xmlSecTransformCtxNodeRead:file=transforms.c:line=595:obj=SignatureMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=661:obj=SignatureMethod:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=497:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
Error: signature failed

[SNIP] Works OK with sha256 but I need to use sha1 with rsa or dsa

[SNIP]

RedHat activates system security policy that disables SHA1 and etc. DSA is also in list.

Please, consult vendor documentation how to change system policies. Usually regression tests has some setting that deactivate system restrictions but this is not suitable for production.

Regards, Roumen

[lsh123]

For more details:

https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/9/html/security_hardening/proc_re-enabling-sha-1_using-the-system-wide-cryptographic-policies

[FCarterV]

thanks, but does not seems to work.

i tried with

update-crypto-policies --set DEFAULT:SHA1
update-crypto-policies --set LEGACY

even i make sure that :

[ crypto_policy ]
.include = /etc/crypto-policies/back-ends/opensslcnf.config

was on : /etc/pki/tls/openssl.cnf

and opensslcnf.config:

CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
TLS.MinProtocol = TLSv1.2
TLS.MaxProtocol = TLSv1.3
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192

[openssl_init]
alg_section = evp_properties

[evp_properties]
rh-allow-sha1-signatures = yes

with regards Fernando Carter

[lsh123]

Can you share the options for ./configure script on how XMLSec library was compiled?

[FCarterV]

I m not compiling, im just using what cames with the system.

if I compile, I would not know exactly what to use :-(

[lsh123]

Can you run:

xmlsec1 check-transforms rsa-sha1 sha1

and paste output here?

[lsh123]

This is what I get on my system for example:

$ xmlsec1 check-transforms rsa-sha1 sha1
Transforms "rsa-sha1" found
Transforms "sha1" found

[FCarterV]

xmlsec1 check-transforms rsa-sha1 sha1 Error: transform "rsa-sha1" not found

[lsh123]

Unfortunately this means that rsa-sha1 was disabled during compilation. You can download source code and build xmlsec yourself, or try to use another linux distribution.

[FCarterV]

Ok, thank you very much :+1:

any sugestion on configure options?

regards Fernando Carter

[lsh123]

There is nothing special, ./configure --help will give you a complete list of options. The only algorithm which is disabled by default is MD5 (add --enable-md5 to re-enable it).

[FCarterV]

Thank you for your time. I recompiled it, but it still isn't available. Therefore, I'm opting for a different operating system.

With regards, Fernando Carter

[lsh123]

Did you compile using sources from XMLSec website or github? Can you post configure output?

[FCarterV]

sure: download from https://www.aleksey.com/xmlsec/download/older-releases/xmlsec1-1.2.29.tar.gz

$./configure config.out.txt config.log

with regards Fernando Carter

[lsh123]

Thanks, logs say that all is enabled:

checking for MD5 support... yes
checking for RIPEMD-160 support... yes
checking for SHA1 support... yes
checking for SHA224 support... yes
checking for SHA256 support... yes
checking for SHA384 support... yes
checking for SHA512 support... yes
checking for HMAC support... yes
checking for DSA support... yes
checking for RSA support... yes
checking for x509 support... yes
checking for DES support... yes
checking for AES support... yes
checking for GOST support... disabled
checking for EXPERMIENTAL GOST2012 support... disabled
checking for XMLDSig support... yes
checking for XMLEnc support... yes

So I wonder if you are still picking up the system libraries with support disabled. Can you try compiling statically?

make clean
./configure --enable-static-linking --without-libltdl
make 
./apps/xmlsec1 check-transforms rsa-sha1 sha1

[FCarterV]

Exelent!!

./apps/xmlsec1 check-transforms rsa-sha1 sha1
Transforms "rsa-sha1" found
Transforms "sha1" found

shoud do make install

or still is it possible to use dynamic linking?

Regards Fernando Carter

[lsh123]

Yes you can use dynamic linking. Specify --prefix <path> for ./configure and then make sure to add <path>/lib or <path>/lib64 depending on your OS to both LD_LIBRARY_PATH and LTDL_LIBRARY_PATH environment variables.