Re: [xmlsec] xmlsec failing validation tests

2002-05-29 Thread Aleksey Sanin

It's fine for me. Personally I don't think that you really want to show
any detailed error message to the user. Signatures and encryption
are backend stuff. Most errors are total failures and you could not
recover from them. For example, in the situation you mentioned
the error case is an application bug since it gave a template with a DSA
signature and an RSA key. The user should not see this error message
at all and this is a bug in application logic. If you have any non-failure
problems (like signature validation failed) the function returns a success code
and the actual problem is described in the xmlSec*Result object
(where * is DSig or Enc).
However, I understand your concerns and I think there are a few ways
to solve this problem:
1) Return *negative* error codes from functions (similar to your
suggestion). I kept this solution in mind when I did checks ret < 0
everywhere :)
2) Some kind of "per-thread" error number (like _errno in C libraries).
3) Per-thread "error context" that holds information about error code,
error severity, location (function, line number), message, etc.
If you really want to have detailed errors then I would vote for option 3)
as the most general solution. However, I suggest evaluating the cost and
real requirements to have detailed error codes.

BTW, I would suggest to continue this discussion in the xmlsec library
mailing list so other guys can join us.


Aleksey.





dheitmueller wrote:

>Hello Aleksey,
>
>I have put aside the static linking issue for the moment, because it is an acceptable 
>workaround for now to just dynamic link my binaries.  I compiled the dsig2 example, 
>but I used an RSA key instead of a DSA key.  Naturally this failed, as the dsig2.c is 
>hard-coded for a DSA private key.  
>
>However, it may be worthwhile to rethink how the xmlsec library's return status codes 
>work.  
>
>It looks like a large number of the functions simply return zero or -1, which makes 
>it quite difficult to do proper exception handling in conditions where there are 
>multiple exit points for the function call (unless you have a debug binary, of 
>course).  Either way, the exception cannot be handled programmatically (such as 
>showing more user-friendly failure messages).
>
>Would you be willing to accept a patch that provides more detailed status codes as 
>return values?  We would substitute all the "-1" return values with more detailed 
>error codes (which would be #defined and centralized into a single file).  We would 
>also need to modify any example code which checks for (return < 0) to check for 
>nonzero returns instead.  
>
>Of course, there are still functions in which the return value is not a status code.  
>For the time being these will stay the same.  However in the long term, perhaps it 
>would be more uniform for all the library calls to use the same calling convention 
>(returning a status code), which would require us to move the context presently used 
>as the return value into an argument for all the relevant functions.
>
>Does this make any sense?
>
>Thanks,
>
>Devin
>
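Added example, not part of the original thread and not xmlsec code: a C sketch of the per-thread "error context" from option 3 in the reply above, combined with the negative return codes of option 1 and with validation failure reported through a result object instead of an error. Every name here (`demo_verify`, `demo_last_error`, `DEMO_FAIL`, the enums) is hypothetical, and C11 `_Thread_local` is assumed for the per-thread storage.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; none of this is xmlsec API. */
enum demo_err { DEMO_OK = 0, DEMO_ERR_KEY_MISMATCH = 1 };
enum demo_alg { DEMO_ALG_DSA, DEMO_ALG_RSA };
enum demo_severity { DEMO_SEV_NONE = 0, DEMO_SEV_FATAL = 2 };

struct demo_err_ctx {
    enum demo_err code;
    enum demo_severity severity;
    const char *func;   /* location: function and line that failed */
    int line;
    char msg[96];
};
struct demo_result { int signature_valid; };
/* Option 3: one error context per thread (C11 thread-local storage). */
static _Thread_local struct demo_err_ctx demo_last_error;

static int demo_fail(enum demo_err code, const char *func, int line, const char *text) {
    demo_last_error.code = code;
    demo_last_error.severity = DEMO_SEV_FATAL;
    demo_last_error.func = func;
    demo_last_error.line = line;
    snprintf(demo_last_error.msg, sizeof demo_last_error.msg, "%s", text);
    return -(int)code;  /* option 1: negative code, so `ret < 0` checks keep working */
}
#define DEMO_FAIL(code, text) demo_fail((code), __func__, __LINE__, (text))

/* < 0: total failure (details in demo_last_error).
 * 0: processing ran; an invalid signature is reported in *res, not as an error. */
static int demo_verify(enum demo_alg tmpl, enum demo_alg key, int digest_ok,
                       struct demo_result *res) {
    memset(&demo_last_error, 0, sizeof demo_last_error);
    if (tmpl != key)
        return DEMO_FAIL(DEMO_ERR_KEY_MISMATCH, "template algorithm does not match key type");
    res->signature_valid = digest_ok;
    return 0;
}

int main(void) {
    struct demo_result res = {0};
    if (demo_verify(DEMO_ALG_DSA, DEMO_ALG_RSA, 1, &res) < 0)
        fprintf(stderr, "%s:%d: error %d: %s\n", demo_last_error.func,
                demo_last_error.line, (int)demo_last_error.code, demo_last_error.msg);
    if (demo_verify(DEMO_ALG_DSA, DEMO_ALG_DSA, 0, &res) == 0 && !res.signature_valid)
        puts("processing succeeded, signature invalid");
    return 0;
}
```

The caller can log the location and message for the developer while showing the end user nothing more than a generic failure, which matches the point made in the reply that a template/key mismatch is an application bug.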






Re: [xmlsec] xmlsec failing validation tests

2002-05-24 Thread Aleksey Sanin

To link libraries dynamically, comment out the following line in apps/Makefile.am:
xmlsec_LDFLAGS = -static
(and do not forget to run ./autoconf.sh; ./configure after this)
The xmlsec library already has two packages: RPM and RPMS. Personally, I do not
see advantages of having xmlsec and xmlsec-devel. The library w/o header and library
files is useless. I don't think that my primitive apps/xmlsec application should be
distributed separately :)


Aleksey.

dheitmueller wrote:

>No luck.  I uninstalled the original libxml (v1) rpm that was on the system, and it 
>produced the same result.
>
>I pulled down the Mandrake version of libxml2 1.0.17 RPM, as well as compiled it from 
>xmlsoft.org, with the same result.
>
>I downloaded and compiled the latest CVS snapshot of OpenSSL 0.9.7 with still no luck.
>
>Can I get the xmlsec binary to dynamic link the libxml2 and libxslt libraries?  Then 
>perhaps I could track down where it is pulling libraries from.
>
>Any additional thoughts?
>
>On a separate note, this experience is prompting me to consider breaking xmlsec into 
>three different RPMS, instead of just the one.  This way we would have a source RPM 
>for those who want to modify xmlsec itself, a xmlsec-devel RPM for those who want to 
>develop solutions that use xmlsec, and a xmlsec binary RPM that is to be used for 
>production systems.  It would also eliminate the dependency on libxml2-devel and 
>libxslt-devel for production environments that don't have the toolchain installed.
>
>Thanks for all your help,
>
>-Devin
>
>Quoting Aleksey Sanin <[EMAIL PROTECTED]>:
>
>>Looks like there is a problem on LibXML level. One of possible reasons is
>>library mismatch (xmlsec loads old/wrong version of LibXML2 libraries
>>when you are compiling it). I would suggest to do following:
>>1) ungzip/untar xmlsec-*.tar.gz into new folder
>>2) run the following commands and note the installation prefixes for both
>>packages:
>>rpm -ql libxml2-devel
>>rpm -ql libxslt-devel
>>3) ./configure --with-libxml= --with-libxslt=
>>make
>>make check
>>
>>Also I would strongly recommend to switch to OpenSSL 0.9.7. The 0.9.6 support
>>will be dropped as soon as 0.9.7 will be officially released (probably next month).
>>
>>
>>Aleksey.
>>   
>>
>>
>>
>>dheitmueller wrote:
>>
>>>I have installed the xmlsec-0.0.5 source tree on my Mandrake 8.1 system.   It appears
>>>to compile fine, but it fails all the tests in the test suite with errors such as the
>>>following:
>>>
>>>validity warning: or: Error: failed to read XML file
>>>"./merlin-xmldsig-twenty-three/signature-enveloped-dsa.xml"
>>>
>>>I added some debug code, and found that the call to xmlCreateFileParserCtxt() in the
>>>xmlSecParseFile() in xmltree.c fails.
>>>
>>>I installed the xmlsec binary RPM, which appears to work fine.  It passes the tests
>>>found in the source tree.
>>>
>>>I had to install the following RPMS to get the xmlsec library installed:
>>>
>>>libopenssl0-devel-0.9.6c-2mdk
>>>openssl-0.9.6b-1mdk
>>>libopenssl0-0.9.6c-2mdk
>>>libxml2-2.4.21-1mdk
>>>libxml2-devel-2.4.21-1mdk
>>>libxslt-devel-1.0.17-2
>>>libxslt-1.0.17-2
>>>
>>>Has anyone seen this behavior before?  Any idea why the binary version of xmlsec
>>>0.0.5 would work, but the version compiled from source would fail?
>>>
>>>Thanks in advance,
>>>
>>>Devin Heitmueller
>>>Senior Software Engineer
>>>Netilla Networks Inc
>>>
>>>___
>>>xmlsec mailing list
>>>[EMAIL PROTECTED]
>>>http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>>
>>
>
>
>
>Devin Heitmueller
>Senior Software Engineer
>Netilla Networks Inc.
>






Re: [xmlsec] xmlsec failing validation tests

2002-05-24 Thread dheitmueller

No luck.  I uninstalled the original libxml (v1) rpm that was on the system, and it 
produced the same result.

I pulled down the Mandrake version of libxml2 1.0.17 RPM, as well as compiled it from 
xmlsoft.org, with the same result.

I downloaded and compiled the latest CVS snapshot of OpenSSL 0.9.7 with still no luck.

Can I get the xmlsec binary to dynamic link the libxml2 and libxslt libraries?  Then 
perhaps I could track down where it is pulling libraries from.

Any additional thoughts?

On a separate note, this experience is prompting me to consider breaking xmlsec into 
three different RPMS, instead of just the one.  This way we would have a source RPM 
for those who want to modify xmlsec itself, a xmlsec-devel RPM for those who want to 
develop solutions that use xmlsec, and a xmlsec binary RPM that is to be used for 
production systems.  It would also eliminate the dependency on libxml2-devel and 
libxslt-devel for production environments that don't have the toolchain installed.

Thanks for all your help,

-Devin

Quoting Aleksey Sanin <[EMAIL PROTECTED]>:

> Looks like there is a problem on LibXML level. One of possible reasons is
> library mismatch (xmlsec loads old/wrong version of LibXML2 libraries
> when you are compiling it). I would suggest to do following:
> 1) ungzip/untar xmlsec-*.tar.gz into new folder
> 2) run the following commands and note the installation prefixes for both
> packages:
> rpm -ql libxml2-devel
> rpm -ql libxslt-devel
> 3) ./configure --with-libxml= --with-libxslt=
> make
> make check
> 
> Also I would strongly recommend to switch to OpenSSL 0.9.7. The 0.9.6 support
> will be dropped as soon as 0.9.7 will be officially released (probably next month).
> 
> 
> Aleksey.
>
> 
> 
> 
> dheitmueller wrote:
> 
> >I have installed the xmlsec-0.0.5 source tree on my Mandrake 8.1 system.   It appears
> >to compile fine, but it fails all the tests in the test suite with errors such as the
> >following:
> >
> >validity warning: or: Error: failed to read XML file
> >"./merlin-xmldsig-twenty-three/signature-enveloped-dsa.xml"
> >
> >I added some debug code, and found that the call to xmlCreateFileParserCtxt() in the
> >xmlSecParseFile() in xmltree.c fails.
> >
> >I installed the xmlsec binary RPM, which appears to work fine.  It passes the tests
> >found in the source tree.
> >
> >I had to install the following RPMS to get the xmlsec library installed:
> >
> >libopenssl0-devel-0.9.6c-2mdk
> >openssl-0.9.6b-1mdk
> >libopenssl0-0.9.6c-2mdk
> >libxml2-2.4.21-1mdk
> >libxml2-devel-2.4.21-1mdk
> >libxslt-devel-1.0.17-2
> >libxslt-1.0.17-2
> >
> >Has anyone seen this behavior before?  Any idea why the binary version of xmlsec
> >0.0.5 would work, but the version compiled from source would fail?
> >
> >Thanks in advance,
> >
> >Devin Heitmueller
> >Senior Software Engineer
> >Netilla Networks Inc
> >
> >___
> >xmlsec mailing list
> >[EMAIL PROTECTED]
> >http://www.aleksey.com/mailman/listinfo/xmlsec
> >
> 
> 
> 



Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc.




Re: [xmlsec] xmlsec failing validation tests

2002-05-24 Thread Aleksey Sanin

Looks like there is a problem on LibXML level. One of possible reasons is
library mismatch (xmlsec loads old/wrong version of LibXML2 libraries
when you are compiling it). I would suggest to do following:
1) ungzip/untar xmlsec-*.tar.gz into new folder
2) run the following commands and note the installation prefixes for both
packages:
rpm -ql libxml2-devel
rpm -ql libxslt-devel
3) ./configure --with-libxml= --with-libxslt=
make
make check

Also I would strongly recommend to switch to OpenSSL 0.9.7. The 0.9.6 support
will be dropped as soon as 0.9.7 will be officially released (probably next month).


Aleksey.
   



dheitmueller wrote:

>I have installed the xmlsec-0.0.5 source tree on my Mandrake 8.1 system.   It appears 
>to compile fine, but it fails all the tests in the test suite with errors such as the 
>following:
>
>validity warning: or: Error: failed to read XML file 
>"./merlin-xmldsig-twenty-three/signature-enveloped-dsa.xml"
>
>I added some debug code, and found that the call to xmlCreateFileParserCtxt() in the 
>xmlSecParseFile() in xmltree.c fails.
>
>I installed the xmlsec binary RPM, which appears to work fine.  It passes the tests 
>found in the source tree.
>
>I had to install the following RPMS to get the xmlsec library installed:
>
>libopenssl0-devel-0.9.6c-2mdk
>openssl-0.9.6b-1mdk
>libopenssl0-0.9.6c-2mdk
>libxml2-2.4.21-1mdk
>libxml2-devel-2.4.21-1mdk
>libxslt-devel-1.0.17-2
>libxslt-1.0.17-2
>
>Has anyone seen this behavior before?  Any idea why the binary version of xmlsec 
>0.0.5 would work, but the version compiled from source would fail?
>
>Thanks in advance,
>
>Devin Heitmueller
>Senior Software Engineer
>Netilla Networks Inc
>
>___
>xmlsec mailing list
>[EMAIL PROTECTED]
>http://www.aleksey.com/mailman/listinfo/xmlsec
>






[xmlsec] xmlsec failing validation tests

2002-05-24 Thread dheitmueller

I have installed the xmlsec-0.0.5 source tree on my Mandrake 8.1 system.   It appears 
to compile fine, but it fails all the tests in the test suite with errors such as the 
following:

validity warning: or: Error: failed to read XML file 
"./merlin-xmldsig-twenty-three/signature-enveloped-dsa.xml"

I added some debug code, and found that the call to xmlCreateFileParserCtxt() in the 
xmlSecParseFile() in xmltree.c fails.

I installed the xmlsec binary RPM, which appears to work fine.  It passes the tests 
found in the source tree.

I had to install the following RPMS to get the xmlsec library installed:

libopenssl0-devel-0.9.6c-2mdk
openssl-0.9.6b-1mdk
libopenssl0-0.9.6c-2mdk
libxml2-2.4.21-1mdk
libxml2-devel-2.4.21-1mdk
libxslt-devel-1.0.17-2
libxslt-1.0.17-2

Has anyone seen this behavior before?  Any idea why the binary version of xmlsec 0.0.5 
would work, but the version compiled from source would fail?

Thanks in advance,

Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc