Closed FCarterV closed 1 month ago
On 11.05.24 at 1:07, FCarterV wrote:
on a fresh install with updates of
OS - Rocky Linux release 9.3 (Blue Onyx)
Dunno about this OS.
I have: xmlsec1-1.2.29-9.el9.x86_64 xmlsec1-openssl-1.2.29-9.el9.x86_64 openssl-libs-3.0.7-25.el9_3.x86_64 openssl-3.0.7-25.el9_3.x86_64
I guess el9 is like RHEL9.
when I execute xmlsec1, I get the following error:
$ xmlsec1 sign --output signed.xml --privkey-pem my_key.pem file2sign.xml
func=xmlSecTransformNodeRead:file=transforms.c:line=1314:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=http://www.w3.org/2000/09/xmldsig#rsa-sha1
func=xmlSecTransformCtxNodeRead:file=transforms.c:line=595:obj=SignatureMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=661:obj=SignatureMethod:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=497:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
Error: signature failed
[SNIP] Works OK with sha256 but I need to use sha1 with rsa or dsa
[SNIP]
Red Hat activates a system security policy that disables SHA1 etc. DSA is also in the list.
Please consult the vendor documentation on how to change system policies. Usually regression tests have some setting that deactivates system restrictions, but this is not suitable for production.
Regards, Roumen
Thanks, but it does not seem to work.
I tried with
update-crypto-policies --set DEFAULT:SHA1
update-crypto-policies --set LEGACY
I even made sure that:
[ crypto_policy ]
.include = /etc/crypto-policies/back-ends/opensslcnf.config
was in /etc/pki/tls/openssl.cnf
and opensslcnf.config:
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
TLS.MinProtocol = TLSv1.2
TLS.MaxProtocol = TLSv1.3
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = yes
with regards Fernando Carter
Can you share the options for ./configure script on how XMLSec library was compiled?
I'm not compiling, I'm just using what comes with the system.
If I compile, I would not know exactly what to use :-(
Can you run:
xmlsec1 check-transforms rsa-sha1 sha1
and paste output here?
This is what I get on my system for example:
$ xmlsec1 check-transforms rsa-sha1 sha1
Transforms "rsa-sha1" found
Transforms "sha1" found
xmlsec1 check-transforms rsa-sha1 sha1
Error: transform "rsa-sha1" not found
Unfortunately this means that rsa-sha1 was disabled during compilation. You can download source code and build xmlsec yourself, or try to use another linux distribution.
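To read a trace like the one quoted at the top of this thread and the check-transforms result above without guessing, here is a small added Python helper (not part of xmlsec or of this issue): it parses the `func=...:subj=...:href=...` frames, returns the transform name the innermost frame failed to look up, and turns `xmlsec1 check-transforms` output into a found/not-found map. The sample trace is constructed from the lines quoted in this issue.

```python
import re

# Constructed sample: the frames xmlsec1 printed in this issue when the
# SignatureMethod algorithm (rsa-sha1) was missing from the crypto backend.
SAMPLE_TRACE = """\
func=xmlSecTransformNodeRead:file=transforms.c:line=1314:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=http://www.w3.org/2000/09/xmldsig#rsa-sha1
func=xmlSecTransformCtxNodeRead:file=transforms.c:line=595:obj=SignatureMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
Error: signature failed
"""

# One trace frame: the innermost failure comes first, its callers follow.
FRAME_RE = re.compile(
    r"^func=(?P<func>[^:]+):file=(?P<file>[^:]+):line=(?P<line>\d+)"
    r":obj=(?P<obj>[^:]+):subj=(?P<subj>[^:]+):error=(?P<error>\d+):(?P<msg>.*)$"
)

def parse_trace(text):
    """Parse xmlsec1 error output into frame dicts; non-frame lines are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frame = m.groupdict()
        frame["line"] = int(frame["line"])
        # Extra key=value details such as href=... trail the message text.
        h = re.search(r"href=(\S+)", frame["msg"])
        frame["href"] = h.group(1) if h else None
        frames.append(frame)
    return frames

def missing_transform(frames):
    """Name (URI fragment) of the transform the href lookup failed on, or None."""
    for f in frames:
        if f["subj"] == "xmlSecTransformIdListFindByHref" and f["href"]:
            return f["href"].rsplit("#", 1)[-1]
    return None

def parse_check_transforms(output):
    """Map names in `xmlsec1 check-transforms` output to True (found) / False."""
    result = {}
    for line in output.splitlines():
        m = re.match(r'(?:Transforms "([^"]+)" found|Error: transform "([^"]+)" not found)', line)
        if m:
            result[m.group(1) or m.group(2)] = m.group(1) is not None
    return result
```

The name returned by missing_transform is the argument to pass to `xmlsec1 check-transforms` to confirm whether the installed build registers that algorithm.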
Ok, thank you very much :+1:
Any suggestion on configure options?
regards Fernando Carter
There is nothing special, ./configure --help will give you a complete list of options. The only algorithm which is disabled by default is MD5 (add --enable-md5 to re-enable it).
Thank you for your time. I recompiled it, but it still isn't available. Therefore, I'm opting for a different operating system.
With regards, Fernando Carter
Did you compile using sources from XMLSec website or github? Can you post configure output?
sure:
download from
https://www.aleksey.com/xmlsec/download/older-releases/xmlsec1-1.2.29.tar.gz
$ ./configure
config.out.txt
config.log
with regards Fernando Carter
Thanks, logs say that all is enabled:
checking for MD5 support... yes
checking for RIPEMD-160 support... yes
checking for SHA1 support... yes
checking for SHA224 support... yes
checking for SHA256 support... yes
checking for SHA384 support... yes
checking for SHA512 support... yes
checking for HMAC support... yes
checking for DSA support... yes
checking for RSA support... yes
checking for x509 support... yes
checking for DES support... yes
checking for AES support... yes
checking for GOST support... disabled
checking for EXPERMIENTAL GOST2012 support... disabled
checking for XMLDSig support... yes
checking for XMLEnc support... yes
So I wonder if you are still picking up the system libraries with support disabled. Can you try compiling statically?
make clean
./configure --enable-static-linking --without-libltdl
make
./apps/xmlsec1 check-transforms rsa-sha1 sha1
Excellent!!
./apps/xmlsec1 check-transforms rsa-sha1 sha1
Transforms "rsa-sha1" found
Transforms "sha1" found
Should I do
make install
or is it still possible to use dynamic linking?
Regards Fernando Carter
Yes you can use dynamic linking. Specify --prefix <path> for ./configure and then make sure to add <path>/lib or <path>/lib64 depending on your OS to both LD_LIBRARY_PATH and LTDL_LIBRARY_PATH environment variables.
on a fresh install with updates of
OS - Rocky Linux release 9.3 (Blue Onyx)
I have: xmlsec1-1.2.29-9.el9.x86_64 xmlsec1-openssl-1.2.29-9.el9.x86_64 openssl-libs-3.0.7-25.el9_3.x86_64 openssl-3.0.7-25.el9_3.x86_64
when I execute xmlsec1, I get the following error:
file2sign.xml content:
Works OK with sha256 but I need to use sha1 with rsa or dsa
Is it possible to use sha1 with rsa?
with Regards Fernando Carter