GNOME Bugzilla – Bug 666748
xmlsec1 sign and verify don't report HTTP 404 errors for external References
Last modified: 2021-07-05 13:27:06 UTC
Created attachment 204128
Template for xmlsec sign command

Running the xmlsec1 "sign" command (or "verify") on an xml file with an external http Reference does not complain if retrieving the referenced URI reports an error such as "404 Not Found".

This happened to me on xmlsec1 1.2.14 (openssl), on Ubuntu 10.10. The full command line was

$ xmlsec1 sign --privkey rsakey.pem --output EML505-example.xml EML505-example-tmpl.xml

It produced no output, even though there are two URIs to non-existent resources in the file. Adding the "--store-references" option makes it clear that 404 error input was returned, and running wget on the URI returns a 404 return code.

Here is the command line and output from a "verify" of the resulting signed xml file:

$ xmlsec1 verify --pubkey rsapub.pem EML505-example.xml
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 2/2

Attached is the input file. (Note that the URIs for this file may show up soon, so just change them to something that doesn't exist....)

Instead, an error should be raised, like what happens if a URI with a bad protocol scheme like "httpzz://example.com/file.pdf" is used.

I don't see a way to add more than one file as an attachment, but can do so if desired. The key (rsakey.pem) used here is the public example provided by xmlsec itself.
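A pre-flight check for the behaviour reported above, as an added example (not part of the original report and not xmlsec code): it lists every external http(s) Reference in a signature template or signed file and reports any that does not answer with a 2xx status, so it can gate `xmlsec1 sign` or `verify`. The function names and the constructed sample template are assumptions for illustration.

```python
"""Gate xmlsec1 sign/verify on every external Reference being retrievable."""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def constructed_template(signed_uris, manifest_uris=()):
    """Constructed minimal ds:Signature skeleton (sample input, not the attachment)."""
    ref = '<Reference URI="%s"/>'
    return ('<Signature xmlns="%s"><SignedInfo>%s</SignedInfo>'
            '<Object><Manifest>%s</Manifest></Object></Signature>') % (
        DSIG_NS, "".join(ref % u for u in signed_uris),
        "".join(ref % u for u in manifest_uris))


def external_reference_uris(xml_data):
    """Return the http(s) URIs of every ds:Reference (SignedInfo and Manifest)."""
    uris = []
    for ref in ET.fromstring(xml_data).iter("{%s}Reference" % DSIG_NS):
        uri = ref.get("URI", "")
        # Same-document ("#id") and empty URIs have no scheme and are skipped.
        if urllib.parse.urlsplit(uri).scheme.lower() in ("http", "https"):
            uris.append(uri)
    return uris


def check_references(xml_data, timeout=10):
    """Fetch each external Reference; return {uri: problem} for failures only."""
    problems = {}
    for uri in external_reference_uris(xml_data):
        try:
            with urllib.request.urlopen(uri, timeout=timeout):
                pass  # urlopen only returns normally for a 2xx final response
        except urllib.error.HTTPError as exc:  # 4xx / 5xx, e.g. "404 Not Found"
            problems[uri] = "HTTP %d" % exc.code
        except (urllib.error.URLError, OSError) as exc:  # DNS, refused, timeout
            problems[uri] = "unreachable: %s" % exc
    return problems


if __name__ == "__main__":
    import sys
    bad = check_references(open(sys.argv[1], "rb").read())
    for uri, why in bad.items():
        print("%s: %s" % (uri, why), file=sys.stderr)
    sys.exit(1 if bad else 0)
```

The check and xmlsec1's own retrieval are separate requests, so a resource can still change between them; treat a pass as a gate, not as proof of what was digested.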
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/libxml2/-/issues/ Thank you for your understanding and your help.