Merge pull request #20 from bgaifullin/master

Fixed memory corruption in _KeyData

Author: bgaifullin

src/xmlsec.h

@@ -1,7 +1,9 @@
-#include <xmlsec/xmltree.h>
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/errors.h>
+#include <xmlsec/templates.h>
 #include <xmlsec/xmldsig.h>
 #include <xmlsec/xmlenc.h>
-#include <xmlsec/templates.h>
-#include <xmlsec/errors.h>
+#include <xmlsec/xmltree.h>
 #include <xmlsec/openssl/app.h>
 #include <xmlsec/openssl/crypto.h>
+#include <xmlsec/openssl/x509.h>

src/xmlsec/key.pxd

@@ -98,6 +98,8 @@ cdef extern from "xmlsec.h":  # xmlsec/keys.h
 
     int xmlSecOpenSSLAppDefaultKeysMngrInit(xmlSecKeysMngrPtr) nogil
 
+    int xmlSecOpenSSLKeysMngrInit(xmlSecKeysMngrPtr) nogil
+
     int xmlSecOpenSSLAppDefaultKeysMngrAdoptKey(xmlSecKeysMngrPtr, xmlSecKeyPtr) nogil
 
     int xmlSecOpenSSLAppKeysMngrCertLoad(

src/xmlsec/key.pyx

@@ -238,10 +238,11 @@ cdef class KeysManager(object):
         handle = xmlSecKeysMngrCreate()
         if handle == NULL:
             raise InternalError("failed to create keys manager", -1)
-
         rv = xmlSecOpenSSLAppDefaultKeysMngrInit(handle)
         if rv < 0:
-            raise InternalError("failed to initialize keys manager", rv)
+            xmlSecKeysMngrDestroy(handle)
+            raise InternalError("failed to init manager", rv)
+
         self._handle = handle
 
     def __dealloc__(self):

src/xmlsec/utils.pyx

@@ -16,16 +16,16 @@ def init():
     This is called upon library import and does not need to be called
     again (unless @ref _shutdown is called explicitly).
     """
-    r = xmlSecInit()
-    if r != 0:
+    if xmlSecInit() < 0:
         return False
 
-    r = xmlSecOpenSSLInit()
-    if r != 0:
+    if xmlSecOpenSSLAppInit(NULL) < 0:
+        xmlSecShutdown()
         return False
 
-    r = xmlSecOpenSSLAppInit(NULL)
-    if r != 0:
+    if xmlSecOpenSSLInit() < 0:
+        xmlSecOpenSSLAppShutdown()
+        xmlSecShutdown()
         return False
 
     return True
@@ -37,17 +37,17 @@ def shutdown():
     This is called automatically upon interpreter termination and
     should not need to be called explicitly.
     """
-    r = xmlSecOpenSSLAppShutdown()
-    if r != 0:
+    if xmlSecOpenSSLShutdown() < 0:
         return False
 
-    r = xmlSecOpenSSLShutdown()
-    if r != 0:
+    if xmlSecOpenSSLAppShutdown() < 0:
         return False
 
-    r = xmlSecShutdown()
-    return r == 0
+    if xmlSecShutdown() < 0:
+        return False
+
+    return True
 
 
 def enable_debug_trace(flag):
-    xmlSecErrorsDefaultCallbackEnableOutput(<int>flag)
+    xmlSecErrorsDefaultCallbackEnableOutput(1 if flag else 0)

tests/examples/base.py

@@ -18,4 +18,3 @@ def compare(name, result):
 
     # Compare the results.
     assert expected_text == result_text
-

tests/examples/sign4-doc.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+XML Security Library example: Original XML doc file for sign3 example. 
+-->
+<Envelope xmlns="urn:envelope" ID="ef115a20-cf73-11e5-aed1-3c15c2c2cc88">
+  <Data>
+	Hello, World!
+  </Data>
+</Envelope>

tests/examples/sign4-res.xml

@@ -0,0 +1,55 @@
+<Envelope xmlns="urn:envelope" ID="ef115a20-cf73-11e5-aed1-3c15c2c2cc88">
+  <Data>
+	Hello, World!
+  </Data>
+<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:SignedInfo>
+<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+<ds:Reference URI="#ef115a20-cf73-11e5-aed1-3c15c2c2cc88">
+<ds:Transforms>
+<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</ds:Transforms>
+<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+<ds:DigestValue>ERS7F/ifxZoyTe0mhco+HeAEKGo=</ds:DigestValue>
+</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>G+mZNFqh9w0wIkDSbuYwvVDu7CMP8PEsw7jfwiZBC8nyF3loAtYKKAkdi6Zy3dJs
+tU8qKfhzvabmCjdIrGkFTdtlCNCVKDMzwogFtxEX4Oh77X6jjx4b22XNJx4AbnUG
+JV/EcsD+po8s5qVEXw62lRRd8cMDafbzOA/rBH96CMNgZhzxyaF9VRLa/vbt1ht2
+hE1KkdZCB4Y0Lv3QyeDL2jax3NFks9FUv8IqoWYQSvywdMLY2ZMiQ9UpPeVfMizi
+trd5zDUSD/s3hyIEs4gD5NJF3HZPD/Fe2Zw1PBPj9eLADdEzcdueyCdPJ2YioFIi
+1sMW/qPDhR/DoOJwGpUxwQ==</ds:SignatureValue>
+<ds:KeyInfo>
+<ds:X509Data>
+<ds:X509Certificate>MIIE3zCCBEigAwIBAgIBBTANBgkqhkiG9w0BAQQFADCByzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTE9MDsGA1UE
+ChM0WE1MIFNlY3VyaXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20v
+eG1sc2VjKTEZMBcGA1UECxMQUm9vdCBDZXJ0aWZpY2F0ZTEWMBQGA1UEAxMNQWxl
+a3NleSBTYW5pbjEhMB8GCSqGSIb3DQEJARYSeG1sc2VjQGFsZWtzZXkuY29tMB4X
+DTAzMDMzMTA0MDIyMloXDTEzMDMyODA0MDIyMlowgb8xCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIEwpDYWxpZm9ybmlhMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGlicmFy
+eSAoaHR0cDovL3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMSEwHwYDVQQLExhFeGFt
+cGxlcyBSU0EgQ2VydGlmaWNhdGUxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAf
+BgkqhkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAJe4/rQ/gzV4FokE7CthjL/EXwCBSkXm2c3p4jyXO0Wt
+quaNC3dxBwFPfPl94hmq3ZFZ9PHPPbp4RpYRnLZbRjlzVSOq954AXOXpSew7nD+E
+mTqQrd9+ZIbGJnLOMQh5fhMVuOW/1lYCjWAhTCcYZPv7VXD2M70vVXDVXn6ZrqTg
+qkVHE6gw1aCKncwg7OSOUclUxX8+Zi10v6N6+PPslFc5tKwAdWJhVLTQ4FKG+F53
+7FBDnNK6p4xiWryy/vPMYn4jYGvHUUk3eH4lFTCr+rSuJY8i/KNIf/IKim7g/o3w
+Ae3GM8xrof2mgO8GjK/2QDqOQhQgYRIf4/wFsQXVZcMCAwEAAaOCAVcwggFTMAkG
+A1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBQkhCzy1FkgYosuXIaQo6owuicanDCB+AYDVR0jBIHw
+MIHtgBS0ue+a5pcOaGUemM76VQ2JBttMfKGB0aSBzjCByzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTE9MDsGA1UE
+ChM0WE1MIFNlY3VyaXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20v
+eG1sc2VjKTEZMBcGA1UECxMQUm9vdCBDZXJ0aWZpY2F0ZTEWMBQGA1UEAxMNQWxl
+a3NleSBTYW5pbjEhMB8GCSqGSIb3DQEJARYSeG1sc2VjQGFsZWtzZXkuY29tggEA
+MA0GCSqGSIb3DQEBBAUAA4GBALU/mzIxSv8vhDuomxFcplzwdlLZbvSQrfoNkMGY
+1UoS3YJrN+jZLWKSyWE3mIaPpElqXiXQGGkwD5iPQ1iJMbI7BeLvx6ZxX/f+c8Wn
+ss0uc1NxfahMaBoyG15IL4+beqO182fosaKJTrJNG3mc//ANGU9OsQM9mfBEt4oL
+NJ2D</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</ds:Signature></Envelope>

tests/examples/test_sign.py

@@ -158,6 +158,70 @@ def test_sign_generated_template_pem_with_x509():
     compare('sign3-res.xml', template)
 
 
+def test_sign_generated_template_pem_with_x509_with_custom_ns():
+    """
+    Should sign a file using a dynamicaly created template, key from PEM
+    file and an X509 certificate with custom ns.
+    """
+
+    # Load document file.
+    template = parse_xml('sign4-doc.xml')
+    xmlsec.tree.add_ids(template, ["ID"])
+    elem_id = template.get('ID', None)
+    if elem_id:
+        elem_id = '#' + elem_id
+    # Create a signature template for RSA-SHA1 enveloped signature.
+    signature_node = xmlsec.template.create(
+        template,
+        xmlsec.Transform.EXCL_C14N,
+        xmlsec.Transform.RSA_SHA1, ns='ds')
+
+    assert signature_node is not None
+
+    # Add the <ds:Signature/> node to the document.
+    template.append(signature_node)
+
+    # Add the <ds:Reference/> node to the signature template.
+    ref = xmlsec.template.add_reference(signature_node, xmlsec.Transform.SHA1, uri=elem_id)
+
+    # Add the enveloped transform descriptor.
+    xmlsec.template.add_transform(ref, xmlsec.Transform.ENVELOPED)
+    # Add the excl_c14n transform descriptor.
+    xmlsec.template.add_transform(ref, xmlsec.Transform.EXCL_C14N)
+
+    # Add the <ds:KeyInfo/> and <ds:KeyName/> nodes.
+    key_info = xmlsec.template.ensure_key_info(signature_node)
+    xmlsec.template.add_x509_data(key_info)
+
+    # Create a digital signature context (no key manager is needed).
+    ctx = xmlsec.SignatureContext()
+
+    # Load private key (assuming that there is no password).
+    filename = path.join(BASE_DIR, 'rsakey.pem')
+    key = xmlsec.Key.from_file(filename, xmlsec.KeyFormat.PEM)
+
+    assert key is not None
+
+    # Load the certificate and add it to the key.
+    filename = path.join(BASE_DIR, 'rsacert.pem')
+    key.load_cert_from_file(filename, xmlsec.KeyFormat.PEM)
+
+    # Set key name to the file name (note: this is just a test).
+    key.name = path.basename(filename)
+
+    # Set the key on the context.
+    ctx.key = key
+
+    assert ctx.key is not None
+    assert ctx.key.name == path.basename(filename)
+
+    # Sign the template.
+    ctx.sign(signature_node)
+
+    # Assert the contents of the XML document against the expected result.
+    compare('sign4-res.xml', template)
+
+
 def test_sign_binary():
     ctx = xmlsec.SignatureContext()
     filename = path.join(BASE_DIR, 'rsakey.pem')

tests/examples/test_verify.py

@@ -4,14 +4,14 @@
 from .base import parse_xml, BASE_DIR
 
 
-@mark.parametrize('index', range(1, 4))
+@mark.parametrize('index', range(1, 5))
 def test_verify_with_pem_file(index):
     """Should verify a signed file using a key from a PEM file.
     """
 
     # Load the XML document.
     template = parse_xml('sign%d-res.xml' % index)
-
+    xmlsec.tree.add_ids(template, ["ID"])
     # Find the <Signature/> node.
     signature_node = xmlsec.tree.find_node(template, xmlsec.Node.SIGNATURE)