XMLSec 1.3.0-rc2

[lsh123]

Soruce tar file:

Changes from 1.3.0-RC1

• Added missed include/xmlsec/x509.h (thanks @vmiklos for bug report)
• Updated README file to new version LibGnuTLS

XMLSec 1.3.0-RC1

The XMLSec 1.3.0 release includes a large number of changes including several API / ABI breaking changes (hence version bump). Please test the release candidate and let me know if you run into any issues! I plan to have at least one more release candidate in 2-3 weeks before the release mid-April.

core xmlsec and all xmlsec-crypto libraries:

• (ABI breaking change) Added support for the KeyInfoReference Element.
• (ABI breaking change) Switched xmlSecSize to use size_t by default. Use "--enable-size-t=no" configure option ("size_t=no" on Windows) to restore the old behaviour (note that support for xmlSecSize being different from size_t will be removed in the future).
• (API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode, set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility.
• (API breaking change) The KeyName element content is now trimmed before key search is performed.
• (API breaking change) Disabled FTP support by default. Use "--enable-ftp" configure option to restore it. Also added "--enable-http" and "--enable-files" configure options to control support for loading files over HTTP or locally.
• (API/ABI breaking change) Disabled MD5 digest method by default. Use "--enable-md5" configure options ("legacy-crypto" option on Windows) to re-enable MD5.
• (ABI breaking change) Removed deprecated functions.
• Added support for loading keys through ossl-store interface (e.g. for using keys from an HSM). Also see '--privkey-openssl-store' and '--pubkey-openssl-store ' command line options for XMLSec utility.
• Added ability to control transforms binary chunk size to improve performance (see '--transform-binary-chunk-size' command line option for XMLSec utility).
• Fixed all potentially unsafe integer conversions and all the other warnings.
• Added XML Signature 1.1 interop (2012) and XML Encryption 1.1 interop (2012) tests.

xmlsec-openssl library:

• Added support for SHA3 digests.
• Added support for ECDSA-SHA3 signatures.
• Added support for RSA PSS signatures (withtout parameters).
• Added support for ConcatKDF key and PBKDF2 derivation algorithms.
• (ABI breaking change) Added support for ECDH-ES Key Agreement algorithm.
• (ABI breaking change) Added support for DH-ES Key Agreement algorithm with explicit KDF.
• Added support for MGF1 algorithm to RSA OAEP key transport.
• Added support for X509Digest element and ability to lookup keys using other X509Data elements.
• Added support for DEREncodedKeyValue element.
• Automatically set key name from PKCS12 key name.
• Removed support for OpenSSL 1.0.0 and LibreSSL before 2.7.0.

xmlsec-nss library:

• Added support for RSA PSS signatures (withtout parameters).
• Added support for RSA OAEP key transport including MGF1 algorithms.
• Added support for AES GCM ciphers.
• Added support for PBKDF2 derivation algorithms.
• Added support for X509Digest element and ability to lookup keys using other X509Data elements.
• Added support for DEREncodedKeyValue element.
• Automatically set key name from PKCS12 key name.

xmlsec-gnutls library:

• (API/ABI breaking change) Removed dependency on xmlsec-gcrypt and libgcrypt libraries (including API functions) to enable support for different GnuTLS backends.
• Bumped minimal GnuTLS version to 3.6.13.
• Added support for SHA3 digests.
• Added support for ECDSA signatures.
• Added support for DSA-SHA256 signatures.
• Added support for RSA PSS signatures (withtout parameters).
• Added support for RSA PKCS 1.5 key transport.
• Added support for AES GCM ciphers.
• Added support for PBKDF2 derivation algorithms.
• Added support for X509Digest element and ability to lookup keys using other X509Data elements.
• Added support for DEREncodedKeyValue element.
• Automatically set key name from PKCS12 key name.

xmlsec-mscng library:

• Added support for RSA PSS signatures (withtout parameters).
• Added support for MGF1 algorithm to RSA OAEP key transport.
• (ABI breaking change) Added support for ECDH-ES Key Agreement algorithm.
• Added support for ConcatKDF key and PBKDF2 derivation algorithms.
• Added support for X509Digest element for keys and certificates lookup from the system stores (only SHA1 is supported).
• Added support for DEREncodedKeyValue element.
• Automatically set key name from PKCS12 key name.

xmlsec-mscrypto library:

• In maintenance mode starting from this release.
• Disabled by default support for NT4. Use "nt4=yes" configure option on Windows to re-enable it.

xmlsec-gcrypt library:

• In maintenance mode starting from this release.
• Added support for SHA3 digests.
• Added support for ECDSA signatures.
• Added support for RSA PSS signatures (withtout parameters).
• Added support for RSA PKCS 1.5 key transport.
• Added support for RSA OAEP key transport including MGF1 algorithms.

xmlsec command line utility:

• (API breaking change) The XMLSec command line utility is using 'strict' key search mode by default. To restore the old 'lax' key search mode, use the new '--lax-key-search' option.
• Added '--transform-binary-chunk-size' option to control transforms binary chunk size (increasing the chunk size should improve performance at the expense of memory usage.
• Added support for loading keys through ossl-store interface (e.g. for using keys from an HSM). Also see '--privkey-openssl-store' and '--pubkey-openssl-store ' command line options for XMLSec utility.
• Added '--enabled-key-info-reference-uris' option to control processing of the the KeyInfoReference Element.
• Added '--pbkdf2-key' option for loading PBKDF2 keys.
• Added '--concatkdf-key' option for loading ConcatKDF keys.
• Added '--hmac-min-out-len' option to control the min accepted HMAC Output length.
• Added '--pubkey-openssl-engine' option to load public keys from OpenSSL engine.
• Added '--crl-pem' and '--crl-der' options to load CRLs.
• Added '--verify-keys' option to verify key's certificate before loading into Keys Manager (only supported for OpenSSL currently).
• Enabled templatized output filenames to facilitate batch operations on multiple input files.

---

This discussion was created from the release 1.3.0-rc2.

[vmiklos]

This builds. :-)

When running the libreoffice tests, I hit a case where we insert some certificates and a signing certificate from code, try to sign a template and that works with 1.2.37 but not with 1.3.0-rc2. I'm not sure if the problem is on your end or on our end. Let me describe what we try to do and perhaps you can guess; if not, then I'll try to write some standalone reproducer (if you want).

First, here is the xmlDocDump(() output for the template we try to sign:

<?xml version="1.0"?>
<root>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="ID_00d000f40039008300990004004f001b008b00f4006e00f400af00cd00b90074">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="Thumbnails/thumbnail.png">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="settings.xml">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="manifest.rdf">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="content.xml">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="meta.xml">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="Configurations2/accelerator/current.xml">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="META-INF/manifest.xml">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="styles.xml">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="mimetype">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="#ID_00c700e300650058002200b2004400be00aa004600190063000c009000bb00a0">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="#idSignedProperties_ID_00d000f40039008300990004004f001b008b00f4006e00f400af00cd00b90074" Type="http://uri.etsi.org/01903#SignedProperties">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue> </DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue> </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509IssuerSerial>
          <X509IssuerName>CN=Xmlsecurity Intermediate Root CA,O=Xmlsecurity RSA Test,ST=England,C=UK</X509IssuerName>
          <X509SerialNumber>4096</X509SerialNumber>
        </X509IssuerSerial>
        <X509Certificate>MIIFGDCCAwCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaTELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSkwJwYDVQQDDCBYbWxzZWN1cml0eSBJbnRlcm1lZGlhdGUgUm9vdCBDQTAgFw0xODEwMDYxOTQyNThaGA8yMTE4MDkxMjE5NDI1OFowazELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSswKQYDVQQDDCJYbWxzZWN1cml0eSBSU0EgVGVzdCBleGFtcGxlIEFsaWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00dJeduvg67xONvWDWdmypspZKzorkuWiYvFtLZ/WUQG5+CExovOOMX5xNwxFFwgfH5goJtW/+Jz2CIu9P7EVaPAWWCL554WUsu0plY9hXmJcgkkK52iUde/IcsdlovRervJNbjtZZX+NTwKhIB1PdMRbWFlYz8h65/ysK3xal9NfnkcUnvjoUX6ANL5auSAnTteMJJJgpEh2lyVE3+v9ydRrGTfdjSikum2GP3OD9AMQKRSNcUiVZ9P6sUO31UAK555JLC27KI6a48k4gLDa1AqXUPaX9kxen9FKk1aClzgl+fQ/RQEShjC3LUNczOCyY+j0ou6d+0XXpib0QoUYQIDAQABo4HFMIHCMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAY/LzoPqu7RihAD7zIAUiddVAkkMB8GA1UdIwQYMBaAFB5MARhhq/go7y+tqaL9J1uXDrj1MA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggIBABt5pNVN+hx+ZKRMlxRVlcgNGIeGZDE574GKoizHhL2LzAnEorG1OzRMyppH/FUhV6JETciaQ2lqDZTa7wRe4L3pKYx1NXiyLniu2uRyLPy5yRXWof4DBw4E/WGuPKuRTioSHS5aeJ/V1oVO0S0bXRF9DQasZtMrzF5RsAeJjKlrUvEg8/6buHIXzsa8077BGzUb8F2uIUCcfZZowf66EgRoSSRp3N2wU6tYgz4uqyQZR/OaOzhxBxAnElBInVwQyyGz66Nm6jmZbkRylPyyDUslIto+2riT37RhQLkFAOt8THqFc4JBtvolowLg4N5rtxz5Xgr0rD+h7VVf7FLEEeK4ckAmMOImBaKAavvMoSei8N9BfcwE7z9rJNcNYbIdUGwgc6wh8IuQel+hFb3wjuGzhH7QlJBsjC90ZqzJEJAv/vzm60nd/hg6tCFqQ5QnbzZaTXLB6S8P6cBOf3q9jStLxGd8VhoQxDUC08rVJd6cEvaYLMOeYrkp6DqtG8zLqeuflsmchSsGtqCxiVxSNO3pKOSfLlVmy5hnJccUtG95AiRSVCbg5bA8t/o7GHGw0JaC28yuptyVhomtt7qTm3esnpf7CkxIT1OlcUAfVt0ab4cIPLwnyD/UL5VWK9QEiqQLHgrlxahPw372fZBeXyJc/SWz2uMk0HhsMQwq+WZB</X509Certificate>
      </X509Data>
    </KeyInfo>
    <Object>
      <SignatureProperties>
        <SignatureProperty Id="ID_00c700e300650058002200b2004400be00aa004600190063000c009000bb00a0" Target="#ID_00d000f40039008300990004004f001b008b00f4006e00f400af00cd00b90074">
          <dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2023-03-08T14:50:48.675273727</dc:date>
        </SignatureProperty>
      </SignatureProperties>
    </Object>
    <Object xmlns:xd="http://uri.etsi.org/01903/v1.3.2#">
      <xd:QualifyingProperties Target="#ID_00d000f40039008300990004004f001b008b00f4006e00f400af00cd00b90074">
        <xd:SignedProperties Id="idSignedProperties_ID_00d000f40039008300990004004f001b008b00f4006e00f400af00cd00b90074">
          <xd:SignedSignatureProperties>
            <xd:SigningTime>2023-03-08T14:50:48.675273727</xd:SigningTime>
            <xd:SigningCertificate>
              <xd:Cert>
                <xd:CertDigest>
                  <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <DigestValue>ufzDPbCPFziJ+9J/nUKkcF7ZFySwxXA8Q+bQMvXDHtg=</DigestValue>
                </xd:CertDigest>
                <xd:IssuerSerial>
                  <X509IssuerName>CN=Xmlsecurity Intermediate Root CA,O=Xmlsecurity RSA Test,ST=England,C=UK</X509IssuerName>
                  <X509SerialNumber>4096</X509SerialNumber>
                </xd:IssuerSerial>
              </xd:Cert>
            </xd:SigningCertificate>
            <xd:SignaturePolicyIdentifier>
              <xd:SignaturePolicyImplied/>
            </xd:SignaturePolicyIdentifier>
          </xd:SignedSignatureProperties>
        </xd:SignedProperties>
        <xd:UnsignedProperties Id="idUnsignedProperties_ID_00d000f40039008300990004004f001b008b00f4006e00f400af00cd00b90074">
          <xd:UnsignedSignatureProperties>
            <xd:CertificateValues>
              <xd:EncapsulatedX509Certificate>MIIFGDCCAwCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaTELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSkwJwYDVQQDDCBYbWxzZWN1cml0eSBJbnRlcm1lZGlhdGUgUm9vdCBDQTAgFw0xODEwMDYxOTQyNThaGA8yMTE4MDkxMjE5NDI1OFowazELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSswKQYDVQQDDCJYbWxzZWN1cml0eSBSU0EgVGVzdCBleGFtcGxlIEFsaWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00dJeduvg67xONvWDWdmypspZKzorkuWiYvFtLZ/WUQG5+CExovOOMX5xNwxFFwgfH5goJtW/+Jz2CIu9P7EVaPAWWCL554WUsu0plY9hXmJcgkkK52iUde/IcsdlovRervJNbjtZZX+NTwKhIB1PdMRbWFlYz8h65/ysK3xal9NfnkcUnvjoUX6ANL5auSAnTteMJJJgpEh2lyVE3+v9ydRrGTfdjSikum2GP3OD9AMQKRSNcUiVZ9P6sUO31UAK555JLC27KI6a48k4gLDa1AqXUPaX9kxen9FKk1aClzgl+fQ/RQEShjC3LUNczOCyY+j0ou6d+0XXpib0QoUYQIDAQABo4HFMIHCMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAY/LzoPqu7RihAD7zIAUiddVAkkMB8GA1UdIwQYMBaAFB5MARhhq/go7y+tqaL9J1uXDrj1MA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggIBABt5pNVN+hx+ZKRMlxRVlcgNGIeGZDE574GKoizHhL2LzAnEorG1OzRMyppH/FUhV6JETciaQ2lqDZTa7wRe4L3pKYx1NXiyLniu2uRyLPy5yRXWof4DBw4E/WGuPKuRTioSHS5aeJ/V1oVO0S0bXRF9DQasZtMrzF5RsAeJjKlrUvEg8/6buHIXzsa8077BGzUb8F2uIUCcfZZowf66EgRoSSRp3N2wU6tYgz4uqyQZR/OaOzhxBxAnElBInVwQyyGz66Nm6jmZbkRylPyyDUslIto+2riT37RhQLkFAOt8THqFc4JBtvolowLg4N5rtxz5Xgr0rD+h7VVf7FLEEeK4ckAmMOImBaKAavvMoSei8N9BfcwE7z9rJNcNYbIdUGwgc6wh8IuQel+hFb3wjuGzhH7QlJBsjC90ZqzJEJAv/vzm60nd/hg6tCFqQ5QnbzZaTXLB6S8P6cBOf3q9jStLxGd8VhoQxDUC08rVJd6cEvaYLMOeYrkp6DqtG8zLqeuflsmchSsGtqCxiVxSNO3pKOSfLlVmy5hnJccUtG95AiRSVCbg5bA8t/o7GHGw0JaC28yuptyVhomtt7qTm3esnpf7CkxIT1OlcUAfVt0ab4cIPLwnyD/UL5VWK9QEiqQLHgrlxahPw372fZBeXyJc/SWz2uMk0HhsMQwq+WZB</xd:EncapsulatedX509Certificate>
              <xd:EncapsulatedX509Certificate>MIIFsjCCA5qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSUwIwYDVQQDDBxYbWxzZWN1cml0eSBSU0EgVGVzdCBSb290IENBMCAXDTE4MTAwNjE5NDI1OFoYDzIxMTgwOTEyMTk0MjU4WjBpMQswCQYDVQQGEwJVSzEQMA4GA1UECAwHRW5nbGFuZDEdMBsGA1UECgwUWG1sc2VjdXJpdHkgUlNBIFRlc3QxKTAnBgNVBAMMIFhtbHNlY3VyaXR5IEludGVybWVkaWF0ZSBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAucO6ddHjhnHrjGskcCjdiG78H8gpjVkNw6dqGuQjy3a8WzlovjgSw3s+0brK9QtclqSZJS1RtTZqpgLsEnSE6fbuNlRQMlSOWpM3MR0zF7wDitwzgrHPqPEtQGKXwZzDwzm+RvxeIp9SW5lDTJJ+38eFBnEVj6BrctQsGAEMsMCAfgAIw3a5h0WbQCrmQRy2kEeRY+JXm1HaJk3bKTCzUVtQxqrA7wweMq0l0Urahvf0J218QMUN5mAFKG5wUmG+yJih9sjn/HXGbkAfivzlf7/DUYMJmBb95fmBJQh+l2UfmRVnn8lOFL4YG2VnJsZc5Q3WwkVmo2lyLS2mR3N/j1aNkHuO0NbYd1zGqPwhT0US14vVhwKsaTSSV0xTxxFIkHc//Wp9KVOEAVHUXZ509FWbhsyGIDVdYyTTs7/7Bp6uql9IUcIazSa8JJXTy8zV38Ps/NHthHHgNdYnU0XPk/qkV6mLb9O3S5n3M01JvnhyC/ZVY42Eoy160L9plu/+ZFyHEDesXIQbSLBxcrbzV4J2iJGFuIsm2pyrULcFcl30F9wOC9kkckVrVJBnmO3qZIG6MWlcA+ANJJKwcQA00bnh9oDI5ytTVXrftzIDF+4hpVntmHzb2hDSzk1t8rVH44jNYSTC5SI3g5b/RodGihrqyjSb4OVYWa0xI/sco2sCAwEAAaNmMGQwHQYDVR0OBBYEFB5MARhhq/go7y+tqaL9J1uXDrj1MB8GA1UdIwQYMBaAFFsP4qL6k7Rl1I/1o2ikkkiwETzMMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQCZNKPnL0YfkXtJRG21C53zR4sSAzsv6SjgGtyimAYgA0zgVMsdQqdENFACnx5BFUxAa1AA5NDPexNtCjJ3KVZhLAKaW1jqlrBZ3vIdp8BdSvHm14Ldydzs7a3JjJ7uJrdXCJKoB4YdW9QB2umvzSJ4ZkquQndWs0HW68a7/C3LSI6etMtotwDFUfnnxo+WDquImaQZtgaHtHg3bWa7NxZjTnodPKi4lNzMXVww/jMd/pxIEax2zOLLypk5oURemVk2tQgqYGF84YQ/O8Gc6qz0woLDhDA9h+5uEIMWpK2pN4yGkbxckCVa24NQkF3aBcPOe4/+x4M7ihHeG6bnb0uZPy+uHsPh3xSG+RLVneiSbXqK8OtB7gTo9ZpnrB2DuGaIl8UM+Xiaztt6cD1iELmypwm2bhcS+I88baqfdh50XV+vSGK54EawSlKAcxPV/kekrkI6IwVETIXauZY0XroPhMxIPcew+XCHVE9sSebiJLUINvZM8rYVb74s7UgpDpqh6E+HC2YQ11VsxDj6myKdzScFjExawmbWcNzCfaa3+ipo6YBFmEDp18U0NtgJ/d6KCVX/5kkKoC9bObw+FbSxyj5zKH9u1bwJ/FEj90GjC4DYS2hITg3Opfdv4dZNXC2pcVhkuhfLgR7Ln5nuXD8r3EcTwHMXUJmfLttUuy2t2A==</xd:EncapsulatedX509Certificate>
              <xd:EncapsulatedX509Certificate>MIIFsjCCA5qgAwIBAgIJAPJADUvpvkgVMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIDAdFbmdsYW5kMR0wGwYDVQQKDBRYbWxzZWN1cml0eSBSU0EgVGVzdDElMCMGA1UEAwwcWG1sc2VjdXJpdHkgUlNBIFRlc3QgUm9vdCBDQTAgFw0xODEwMDYxOTQyNTdaGA8yMTE4MDkxMjE5NDI1N1owZTELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSUwIwYDVQQDDBxYbWxzZWN1cml0eSBSU0EgVGVzdCBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyBdQk8Rgdo2QuRS/c9wndqe9RmpxexqctOWJMTS/OstsYMsiCngh9t7jY3nDylnW+GZdEqELHC5RpU+eO/VvWar5+QSt1E8wVSOOoD430+EdRuDZCXKzBz1s2ByQgh0FhR15EWk67IO7U9u/i9Simoevt3fqYtzZfGy+mlpuuq6UVCIR/aIxO3/3lhzz1BIrNerShBbvGuCPJ7EPcoPzJSsRxkyY6M5+yJcqcQtG6CTyQSPuaXAXZIv89Ax31zOEcA7UxI4iS6Q6ppEhCTbs/J5rB/xdjKUsB1HI2VL2cXA8UKRoRQgc5wPzhv9aViEjQRvx7jvo7oUa1hZaUt6ypMUVaST3OolJDGUjqy8OkyDlgWIc4IFOdpzJzfn+43k4J2pL0cRNjadhh4mlkzQV4HGYIi3xctcOdmsojpOHNVVf1GxDDFmbKk/rP9AvIA0+rFLKBSrxososweSZ0FM4jFwNDB/p+Pv2AKRhRL9Eg44v1dysEVtvZaXjACD/uZT0I5pOFdERRjRZJhlchWK3SAFvUg8JNraw/Ze667j1kPTTjaMuM7loUNpAdk0Erda0LW+mgu9LtmS13KbydLCczVcVx1Djeq99qB5vwfzuNdiVsTUA+G05lQJXKZWUmPjVKNa97EfSAVR+WW5R3EmQPhk1LLdqS/wERuEzKjj+NRMCAwEAAaNjMGEwHQYDVR0OBBYEFFsP4qL6k7Rl1I/1o2ikkkiwETzMMB8GA1UdIwQYMBaAFFsP4qL6k7Rl1I/1o2ikkkiwETzMMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQCkBpjUgsrUJ7ElcI73N7/H+8pk6XqGf2HiockrxhCQtqllhrQ2FH4qWBD4yk8tT1Mq6osWWUHstLRElhmdLl/+B8hsQDwYRm3OTiWE5XBN//vkacI8d8t6dyYCCTh4XCLyfmefPtji0fzdG32sRWIvj5BHZmYb2lTj/6ch8xIrp6EV63kK+A9RrF8zyqDzMZKa0+CSiE/dOOZ2iGRzfhXXw+nROQfAm7xBeLSqMvAKDJrrbn7eX6iGZHU2aYyEzzB95vXBeuxyut/P3AmhlsjgvvJnV5CCTKQyJD6s4LbKGF+liS1NtbrnbWpcKXNP3j4qLDZRL8bgckQYn33onIpS6kdYADw3Mb5gWgpEGq65zRE5gfMQhQjgefTGfIGOSt+3bsPW/TYSBy2JnfLwsNvRS626TV9l+x3kZ9MYPUjc29TZ39Odu9bceclblyaOVD2lauUtaqHWuwsEbrnmuVVGwUe9YCOHnAlbXvLid17+SE5J0Qx8RU/2stwEaYGSsohUAUkEcWUldWQH0PkXuTyQGf+Qr4S0ePbgF9u5NovfLGtsqh4BZD2JrHDHprFA6IGi6zTrtwKztb4B1U20wGzU5jQXQ8Af5cSizeA2yi2DNmKBZKQJbekwNJ+jhjQlbnBjx6XrGKxd5294D+spXUHmsGZsRdnl5R3JeVXviNXYQg==</xd:EncapsulatedX509Certificate>
            </xd:CertificateValues>
          </xd:UnsignedSignatureProperties>
        </xd:UnsignedProperties>
      </xd:QualifyingProperties>
    </Object>
  </Signature>
</root>

(In the unlikely case you would be interested in building the libreoffice code, the local change is:

diff --git a/download.lst b/download.lst
index a73e7be7dc30..d1ce43713e5b 100644
--- a/download.lst
+++ b/download.lst
@@ -335,7 +335,7 @@ LIBWEBP_TARBALL := libwebp-1.3.0-rc1.tar.gz
 # so that git cherry-pick
 # will not run into conflicts
 XMLSEC_SHA256SUM := 5f8dfbcb6d1e56bddd0b5ec2e00a3d0ca5342a9f57c24dffde5c796b2be2871c
-XMLSEC_TARBALL := xmlsec1-1.2.37.tar.gz
+XMLSEC_TARBALL := xmlsec1-1.3.0-rc2.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/xmlsecurity/inc/xmlsec-wrapper.h b/xmlsecurity/inc/xmlsec-wrapper.h
index e4048de94bf2..7c6d267e8b73 100644
--- a/xmlsecurity/inc/xmlsec-wrapper.h
+++ b/xmlsecurity/inc/xmlsec-wrapper.h
@@ -23,11 +23,6 @@
 
 #include <sal/types.h>
 
-// Cf. xmlsec's configure.in:
-#if SAL_TYPES_SIZEOFPOINTER != 4 && !defined SYSTEM_XMLSEC
-#define XMLSEC_NO_SIZE_T
-#endif
-
 #include <xmlsec/base64.h>
 #include <xmlsec/bn.h>
 #include <xmlsec/errors.h>

and to run the problematic testcase from the problematic suite:

make -C desktop -sr CppunitTest_desktop_lib CPPUNIT_TEST_NAME="DesktopLOKTest::testInsertCertificate_DER_ODT"

But I guess you want to avoid building that codebase. :-) )

Anyhow, when we use the NSS backend on Linux, we call xmlSecDSigCtxSign(), the output we get is:

warn:xmlsecurity.xmlsec:29638:29638:xmlsecurity/source/xmlsec/errorcallback.cxx:53: x509vfy.c:226: xmlSecNssX509StoreFindCertByValue() '' 'ctx->certsList != NULL' 100 ' '
warn:xmlsecurity.xmlsec:29638:29638:xmlsecurity/source/xmlsec/errorcallback.cxx:53: keys.c:1347: xmlSecKeysMngrGetKey() '' '' 45 'details=NULL'
warn:xmlsecurity.xmlsec:29638:29638:xmlsecurity/source/xmlsec/errorcallback.cxx:53: xmldsig.c:800: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL'
warn:xmlsecurity.xmlsec:29638:29638:xmlsecurity/source/xmlsec/errorcallback.cxx:53: xmldsig.c:514: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' '
warn:xmlsecurity.xmlsec:29638:29638:xmlsecurity/source/xmlsec/errorcallback.cxx:53: xmldsig.c:296: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxProcessSignatureNode' 1 ' '

So far I only investigating that NULL certsList. It seems 1.2.x had no assert for that, at least in 1.2.x I guess the equivalent NSS function was xmlSecNssX509StoreFindCert_ex(), and there I see in gdb that also ctx->certsList is NULL, but no error is emitted.

Perhaps the first question would be if I'm OK to ignore that assertion failure for now (because it's not relevant for why the whole signing fails) or not.

If it helps, here is the testcase:

https://github.com/libreoffice/core/blob/503b14eee1f05e987fb415d25da1086defe8c772/desktop/qa/desktop_lib/test_desktop_lib.cxx#L2712-L2765

I.e. we load the certs & signing key from DER files, try to sign and for some reason now this stopped working.

Do you have a hint where to start debugging this? It's also possible that our test .der files are in some strange format and that needs changing. I also thought about trying to bisect this, if I can find out how to generate a release tarball from a given commit.

Thanks.

[vmiklos]

@vmiklos could you please try PR #597 -- I replaced assert with just returning null?

Yes, that eliminated the warning, thanks.

So the new output when callingxmlSecDSigCtxSign() is:

warn:xmlsecurity.xmlsec:9102:9102:xmlsecurity/source/xmlsec/errorcallback.cxx:53: keys.c:1347: xmlSecKeysMngrGetKey() '' '' 45 'details=NULL'
warn:xmlsecurity.xmlsec:9102:9102:xmlsecurity/source/xmlsec/errorcallback.cxx:53: xmldsig.c:800: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL'
warn:xmlsecurity.xmlsec:9102:9102:xmlsecurity/source/xmlsec/errorcallback.cxx:53: xmldsig.c:514: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' '
warn:xmlsecurity.xmlsec:9102:9102:xmlsecurity/source/xmlsec/errorcallback.cxx:53: xmldsig.c:296: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxProcessSignatureNode' 1 ' '

You can quickly fix the unit tests by setting XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH

Hmm, there is a single place where we already set XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS. If I add:

        pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH;

there, the output is still the same.

I can't find how is the key loaded in the key store in the unit tests.

When we add certificates, we use NSS functions to add them. CERT_DecodeCertFromPackage() creates a CERTCertificate*, then PK11_ImportCert() does the actual work. See the code here:

https://github.com/libreoffice/core/blob/503b14eee1f05e987fb415d25da1086defe8c772/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx#L390-L437

When we import a signing certificate (certificate + private key), then we import the private key to have a SECKEYPrivateKey*, see the code here:

https://github.com/libreoffice/core/blob/503b14eee1f05e987fb415d25da1086defe8c772/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx#L828-L850

and the above code also imports the matching certificate.

Anyhow, thanks for the clarification on the cert list warning, at least I now know that was not the root cause, I'll try to investigate how xmlSecKeysMngrGetKey() used to work in 1.2 and not in 1.3 for this use-case.

[lsh123]

Ah that makes sense, I was looking for XMLsec key loading functions and didn't find any :)

Anyway, I understand why 1.3.0 doesn't work and there is an improvement I am going to make to improve the situation (namely, ensure to search NSS keys db using X509Data as well). However, I don't understand how it is working with xmlsec 1.2.x. In order to search the key in NSS database, one needs to have a key name (and this code was there forever):

https://github.com/lsh123/xmlsec/blame/686026bde263c85f65dbf146ce6cd9d9d2f5df3a/src/nss/keysstore.c#L220

Until xmlsec 1.3.0, then X509Data was not used to search the key so I am really puzzled to understand how it worked before.

Would it be possible to put a breakpoint or print a debug statement in xmlSecNssKeysStoreFindKey (for xmlsec 1.2.x) and see what is the key name value when it;s called? I believe in this test it should be called once and key name to search for should be NULL.

[lsh123]

@vmiklos could you please try PR #598 -- it should fix the test (and key search) for 1.3.0. I am still very much puzzled by how 1.2.x finds the key in this test.

[lsh123]

Any chance you can run tests with 1.2.x and put a breakpoint in xmlSecNssPKIKeyDataAdoptKey() here:

https://github.com/lsh123/xmlsec/blob/xmlsec-1_2_x/src/nss/pkikeys.c#L153

And share the stack trace? it will give us a hint where the private key for the signature is coming from.

[lsh123]

BTW, by setting XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS you are completely disabling all verifications for certs which is not a good thing to do unless you are doing post-verification yourself

[vmiklos]

BTW, by setting XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS you are completely disabling all verifications for certs which is not a good thing to do unless you are doing post-verification yourself

Yes, that's the case here, we ask NSS / mscrypto to do the verification separately so we can inform the user if the failure is around the certificates or something else (digest mismatch, etc). It was done like this before my time (in openoffice), but given that the verification does happen, I think it's reasonable.

For everything else: thanks, will try out and report back. :-)

[lsh123]

Ah cool, that makes sense. Alternatively, I am going to add a more detailed reason to xmlSecDsigCtx and xmlSecEncCtx (likely after 1.3.0) -- see issue #600

[vmiklos]

Would it be possible to put a breakpoint or print a debug statement in xmlSecNssKeysStoreFindKey (for xmlsec 1.2.x)

Thread 1 "cppunittester" hit Breakpoint 1, xmlSecNssKeysStoreFindKey (store=0x4938540, name=0x0, keyInfoCtx=0x496fe40) at keysstore.c:191
191         xmlSecKeyPtr key = NULL;
(gdb) bt
#0  xmlSecNssKeysStoreFindKey (store=0x4938540, name=0x0, keyInfoCtx=0x496fe40) at keysstore.c:191
#1  0x00007fffd298f95c in xmlSecKeyStoreFindKey (store=0x4938540, name=0x0, keyInfoCtx=0x496fe40) at keysmngr.c:298
#2  0x00007fffd298f7a6 in xmlSecKeysMngrFindKey (mngr=0x4943be0, name=0x0, keyInfoCtx=0x496fe40) at keysmngr.c:119
#3  0x00007fffd298404d in xmlSecKeysMngrGetKey (keyInfoNode=0x4942910, keyInfoCtx=0x496fe40) at keys.c:1254
#4  0x00007fffd29a5777 in xmlSecDSigCtxProcessKeyInfoNode (dsigCtx=0x496fe30, node=0x4942910) at xmldsig.c:795
#5  0x00007fffd29a1f52 in xmlSecDSigCtxProcessSignatureNode (dsigCtx=0x496fe30, node=0x492a490) at xmldsig.c:512
#6  0x00007fffd29a1410 in xmlSecDSigCtxSign (dsigCtx=0x496fe30, tmpl=0x492a490) at xmldsig.c:294

@vmiklos could you please try PR #598

Thanks, this indeed fixes all reported errors from xmlsec (all of them were during xmlSecDSigCtxSign() previously). The test still fails, but now it's some assert on our side, so I need to investigate:

warn:xmlsecurity.comp:23359:23359:xmlsecurity/source/helper/xmlsignaturehelper.cxx:604: X509Data do not form a chain: certificate has no issuer but already have start of chain: CN=Xmlsecurity RSA Test example Alice,O=Xmlsecurity RSA Test,ST=England,C=UK
cppunittester: /home/vmiklos/git/libreoffice/master/xmlsecurity/source/helper/xsecctl.cxx:765: static void XSecController::exportSignature(const com::sun::star::uno::Reference<com::sun::star::xml::sax::XDocumentHandler>&, const SignatureInformation&, bool): Assertion `signatureInfo.GetSigningCertificate()' failed.

I'll check what is the output from the template we give to xmlSecDSigCtxSign(), if that's unchanged then the root cause will be on our side, I guess.

Any chance you can run tests with 1.2.x and put a breakpoint in xmlSecNssPKIKeyDataAdoptKey() here:
https://github.com/lsh123/xmlsec/blob/xmlsec-1_2_x/src/nss/pkikeys.c#L153

First hit:

#0  xmlSecNssPKIKeyDataAdoptKey (data=0x4945980, privkey=0x496ddb0, pubkey=0x0) at pkikeys.c:153
#1  0x00007fffd29d1883 in xmlSecNssPKIAdoptKey (privkey=0x496ddb0, pubkey=0x0) at pkikeys.c:258
#2  0x00007fffd295d78b in SecurityEnvironment_NssImpl::createKeysManager() (this=0x49615d0) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:806

Next hit:

#0  xmlSecNssPKIKeyDataAdoptKey (data=0x49728b0, privkey=0x0, pubkey=0x4970cd0) at pkikeys.c:153
#1  0x00007fffd29d1883 in xmlSecNssPKIAdoptKey (privkey=0x0, pubkey=0x4970cd0) at pkikeys.c:258
#2  0x00007fffd29dd4e9 in xmlSecNssX509CertGetKey (cert=0x4954970) at x509.c:1056
#3  0x00007fffd29e0128 in xmlSecNssKeyDataX509VerifyAndExtractKey (data=0x4943d90, key=0x49473f0, keyInfoCtx=0x4970520) at x509.c:965
#4  0x00007fffd29de732 in xmlSecNssKeyDataX509XmlRead (id=0x7fffd2a48250 <xmlSecNssKeyDataX509Klass>, key=0x49473f0, node=0x4942c70, keyInfoCtx=0x4970520) at x509.c:585
#5  0x00007fffd2984d4a in xmlSecKeyDataXmlRead (id=0x7fffd2a48250 <xmlSecNssKeyDataX509Klass>, key=0x49473f0, node=0x4942c70, keyInfoCtx=0x4970520) at keysdata.c:278
#6  0x00007fffd29b665a in xmlSecKeyInfoNodeRead (keyInfoNode=0x4942fa0, key=0x49473f0, keyInfoCtx=0x4970520) at keyinfo.c:120
#7  0x00007fffd2983f01 in xmlSecKeysMngrGetKey (keyInfoNode=0x4942fa0, keyInfoCtx=0x4970520) at keys.c:1235
#8  0x00007fffd29a5777 in xmlSecDSigCtxProcessKeyInfoNode (dsigCtx=0x4970510, node=0x4942fa0) at xmldsig.c:795
#9  0x00007fffd29a1f52 in xmlSecDSigCtxProcessSignatureNode (dsigCtx=0x4970510, node=0x492aad0) at xmldsig.c:512
#10 0x00007fffd29a1410 in xmlSecDSigCtxSign (dsigCtx=0x4970510, tmpl=0x492aad0) at xmldsig.c:294

Next hit:

#0  xmlSecNssPKIKeyDataAdoptKey (data=0x4a00dd0, privkey=0x4a02480, pubkey=0x0) at pkikeys.c:153
#1  0x00007fffd29d1883 in xmlSecNssPKIAdoptKey (privkey=0x4a02480, pubkey=0x0) at pkikeys.c:258
#2  0x00007fffd295d78b in SecurityEnvironment_NssImpl::createKeysManager() (this=0x49615d0) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:806

Next hit:

#0  xmlSecNssPKIKeyDataAdoptKey (data=0x4a03790, privkey=0x0, pubkey=0x49c7300) at pkikeys.c:153
#1  0x00007fffd29d1883 in xmlSecNssPKIAdoptKey (privkey=0x0, pubkey=0x49c7300) at pkikeys.c:258
#2  0x00007fffd29dd4e9 in xmlSecNssX509CertGetKey (cert=0x4954970) at x509.c:1056
#3  0x00007fffd29e0128 in xmlSecNssKeyDataX509VerifyAndExtractKey (data=0x4a03740, key=0x4967290, keyInfoCtx=0x4a01840) at x509.c:965
#4  0x00007fffd29de732 in xmlSecNssKeyDataX509XmlRead (id=0x7fffd2a48250 <xmlSecNssKeyDataX509Klass>, key=0x4967290, node=0x494a080, keyInfoCtx=0x4a01840) at x509.c:585
#5  0x00007fffd2984d4a in xmlSecKeyDataXmlRead (id=0x7fffd2a48250 <xmlSecNssKeyDataX509Klass>, key=0x4967290, node=0x494a080, keyInfoCtx=0x4a01840) at keysdata.c:278
#6  0x00007fffd29b665a in xmlSecKeyInfoNodeRead (keyInfoNode=0x4949f70, key=0x4967290, keyInfoCtx=0x4a01840) at keyinfo.c:120
#7  0x00007fffd2983f01 in xmlSecKeysMngrGetKey (keyInfoNode=0x4949f70, keyInfoCtx=0x4a01840) at keys.c:1235
#8  0x00007fffd29a5777 in xmlSecDSigCtxProcessKeyInfoNode (dsigCtx=0x4a01830, node=0x4949f70) at xmldsig.c:795
#9  0x00007fffd29a1f52 in xmlSecDSigCtxProcessSignatureNode (dsigCtx=0x4a01830, node=0x494a7e0) at xmldsig.c:512
#10 0x00007fffd29a240c in xmlSecDSigCtxVerify (dsigCtx=0x4a01830, node=0x494a7e0) at xmldsig.c:350

Next hit:

#0  xmlSecNssPKIKeyDataAdoptKey (data=0x49675b0, privkey=0x0, pubkey=0x49342f0) at pkikeys.c:153
#1  0x00007fffd29d1883 in xmlSecNssPKIAdoptKey (privkey=0x0, pubkey=0x49342f0) at pkikeys.c:258
#2  0x00007fffd29dd4e9 in xmlSecNssX509CertGetKey (cert=0x4954970) at x509.c:1056
#3  0x00007fffd29e0128 in xmlSecNssKeyDataX509VerifyAndExtractKey (data=0x495d4a0, key=0x4921d40, keyInfoCtx=0x4933cb0) at x509.c:965
#4  0x00007fffd29de732 in xmlSecNssKeyDataX509XmlRead (id=0x7fffd2a48250 <xmlSecNssKeyDataX509Klass>, key=0x4921d40, node=0x4921c30, keyInfoCtx=0x4933cb0) at x509.c:585
#5  0x00007fffd2984d4a in xmlSecKeyDataXmlRead (id=0x7fffd2a48250 <xmlSecNssKeyDataX509Klass>, key=0x4921d40, node=0x4921c30, keyInfoCtx=0x4933cb0) at keysdata.c:278
#6  0x00007fffd29b665a in xmlSecKeyInfoNodeRead (keyInfoNode=0x4923850, key=0x4921d40, keyInfoCtx=0x4933cb0) at keyinfo.c:120
#7  0x00007fffd2983f01 in xmlSecKeysMngrGetKey (keyInfoNode=0x4923850, keyInfoCtx=0x4933cb0) at keys.c:1235
#8  0x00007fffd29a5777 in xmlSecDSigCtxProcessKeyInfoNode (dsigCtx=0x4933ca0, node=0x4923850) at xmldsig.c:795
#9  0x00007fffd29a1f52 in xmlSecDSigCtxProcessSignatureNode (dsigCtx=0x4933ca0, node=0x4484d30) at xmldsig.c:512
#10 0x00007fffd29a240c in xmlSecDSigCtxVerify (dsigCtx=0x4933ca0, node=0x4484d30) at xmldsig.c:350

Last hit:

#0  xmlSecNssPKIKeyDataAdoptKey (data=0x4524b90, privkey=0x0, pubkey=0x49c6790) at pkikeys.c:153
#1  0x00007fffd29d1883 in xmlSecNssPKIAdoptKey (privkey=0x0, pubkey=0x49c6790) at pkikeys.c:258
#2  0x00007fffd29dd4e9 in xmlSecNssX509CertGetKey (cert=0x4954970) at x509.c:1056
#3  0x00007fffd29e0128 in xmlSecNssKeyDataX509VerifyAndExtractKey (data=0x4967840, key=0x495ff20, keyInfoCtx=0x4960e00) at x509.c:965
#4  0x00007fffd29de732 in xmlSecNssKeyDataX509XmlRead (id=0x7fffd2a48250 <xmlSecNssKeyDataX509Klass>, key=0x495ff20, node=0x4935c20, keyInfoCtx=0x4960e00) at x509.c:585
#5  0x00007fffd2984d4a in xmlSecKeyDataXmlRead (id=0x7fffd2a48250 <xmlSecNssKeyDataX509Klass>, key=0x495ff20, node=0x4935c20, keyInfoCtx=0x4960e00) at keysdata.c:278
#6  0x00007fffd29b665a in xmlSecKeyInfoNodeRead (keyInfoNode=0x4a009f0, key=0x495ff20, keyInfoCtx=0x4960e00) at keyinfo.c:120
#7  0x00007fffd2983f01 in xmlSecKeysMngrGetKey (keyInfoNode=0x4a009f0, keyInfoCtx=0x4960e00) at keys.c:1235
#8  0x00007fffd29a5777 in xmlSecDSigCtxProcessKeyInfoNode (dsigCtx=0x4960df0, node=0x4a009f0) at xmldsig.c:795
#9  0x00007fffd29a1f52 in xmlSecDSigCtxProcessSignatureNode (dsigCtx=0x4960df0, node=0x4936380) at xmldsig.c:512
#10 0x00007fffd29a240c in xmlSecDSigCtxVerify (dsigCtx=0x4960df0, node=0x4936380) at xmldsig.c:350

[vmiklos]

I'll check what is the output from the template we give to xmlSecDSigCtxSign(), if that's unchanged then the root cause will be on our side, I guess.

The 1.2 output is like this:
t.xml.txt

The 1.3 output is like this:
t.xml.txt

The diff is:

--- t.xml	2023-03-10 08:54:19.530832266 +0100
+++ t.xml	2023-03-10 08:52:45.142773541 +0100
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <root>
-  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="ID_00c4002f00f4007d00e500d8004800920089004800af002e009800c100370090">
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="ID_0033003700b000b800e700ef0040000b00a6009100030039005800bc00890016">
     <SignedInfo>
       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
       <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
@@ -13,7 +13,7 @@
           <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-        <DigestValue>Y1GBM1C7gZil/UlrI3/LJ0sKiLrdIB8jLpPVM8d+IaY=</DigestValue>
+        <DigestValue>vOXQ+SBkFAIj6lf30NRysjWFrmp03sw7jTYBXEnI+9w=</DigestValue>
       </Reference>
       <Reference URI="manifest.rdf">
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
@@ -31,7 +31,7 @@
           <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-        <DigestValue>ZqTT6AaPMTPnzyTLUPZNKj9asfURhsTBSHyVWjEVyis=</DigestValue>
+        <DigestValue>5sfDn+yQAn8MPSMYjQTwyljxh6nKWvMKhKfVNbZHwYY=</DigestValue>
       </Reference>
       <Reference URI="Configurations2/accelerator/current.xml">
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
@@ -55,42 +55,108 @@
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
         <DigestValue>cU2+NwsKcGNmkhfZGyh1Zv6Lq7yFmbYpskR2/4G4NZM=</DigestValue>
       </Reference>
-      <Reference URI="#ID_00e300d700ce000e00cc000f0046003d00b400bc001f0067004f000d005400da">
+      <Reference URI="#ID_00ac005800ac00f3004900e6004500d5009c0009001900f500e200ad009700eb">
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-        <DigestValue>YsXTxE/vLbYy/IC4T1wGi53NRZB8sYiLfZg8y4jfwfE=</DigestValue>
+        <DigestValue>I9tIJ+1i8J1TFzJTt9Z7/YDSR7coBpvd2KwMFTDj0dU=</DigestValue>
       </Reference>
-      <Reference URI="#idSignedProperties_ID_00c4002f00f4007d00e500d8004800920089004800af002e009800c100370090" Type="http://uri.etsi.org/01903#SignedProperties">
+      <Reference URI="#idSignedProperties_ID_0033003700b000b800e700ef0040000b00a6009100030039005800bc00890016" Type="http://uri.etsi.org/01903#SignedProperties">
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-        <DigestValue>0K1YQgjQ39swvNuM2cR1yFojTxxFOv3PNAIRrzbbnCA=</DigestValue>
+        <DigestValue>p9ydEE51X4Yt5Z9SudArMDfwpwv0NRE7ko6bInnlSzo=</DigestValue>
       </Reference>
     </SignedInfo>
-    <SignatureValue>sV/Uskpx04M93oLcg/UhJX4VvEax16wX4RjwXnS4CGlc4ACoHw0yQOQJ/1f1CDbZ
-QazJcs2KX1EDpNHImvXVAAICM9wFLA4qfM3vQZTtq02QDjq4G5/FPh0NWoPhJnKg
-RVli24XDT+r8owsEHuUX2F0Gdw8Yu5T5FSuSNRJWQTurCqpFdVSjG2FZCFWBwoGL
-kyUjAgZMMqi2H2qLn4azUrkOH9KrlGeeca18R6ZXFD/ZeHZpw1CjjZhtFIAmnMxq
-XZgd8NOpLFCyBrOlxN8yzq48kKeRwaTsTE2y0O4dagUjw9jGalp+KRUx3hbRx5e1
-aDbOqK4iwlslr4e8ucILyw==</SignatureValue>
+    <SignatureValue>kdfV6XpEvTRYtzpVn6OG5j6h1mBbOe9rVk+Vr0P5LB/W7Z9qwbgZn/DDRZB80Y4g
++ZrwGXuf9mz5neXi8cPoCc4bx8ToGVcReGsBJai9Ovfngqc8VLTwOV5s6agvUFYf
+zFrVT3BkMTrypucZ5RkYdKBsIvAdzlkymL6R93FfpF/r0EiZZtfujnR1e0nIsn+x
+j6AqtLb+1rUin/vPdgdN3Qb40nwTzlsmjjCEtaOgEfkvan9vOoyt7yrvM0FaJFnw
+MG0ww1Cnn4ujWufh6sSZb3d/Gq+bPe4SgGjCCL9hxFByVrEyrvbxY9nYjXCxouM5
+JM5OnD2EHGbhe+fVXrLPdw==</SignatureValue>
     <KeyInfo>
       <X509Data>
         <X509IssuerSerial>
           <X509IssuerName>CN=Xmlsecurity Intermediate Root CA,O=Xmlsecurity RSA Test,ST=England,C=UK</X509IssuerName>
           <X509SerialNumber>4096</X509SerialNumber>
         </X509IssuerSerial>
+        <X509IssuerSerial>
+          <X509IssuerName>CN=Xmlsecurity Intermediate Root CA,O=Xmlsecurity RSA Test,ST=England,C=UK</X509IssuerName>
+          <X509SerialNumber>4096</X509SerialNumber>
+        </X509IssuerSerial>
+        <X509IssuerSerial>
+          <X509IssuerName>CN=Xmlsecurity Intermediate Root CA,O=Xmlsecurity RSA Test,ST=England,C=UK</X509IssuerName>
+          <X509SerialNumber>4096</X509SerialNumber>
+        </X509IssuerSerial>
         <X509Certificate>MIIFGDCCAwCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaTELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSkwJwYDVQQDDCBYbWxzZWN1cml0eSBJbnRlcm1lZGlhdGUgUm9vdCBDQTAgFw0xODEwMDYxOTQyNThaGA8yMTE4MDkxMjE5NDI1OFowazELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSswKQYDVQQDDCJYbWxzZWN1cml0eSBSU0EgVGVzdCBleGFtcGxlIEFsaWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00dJeduvg67xONvWDWdmypspZKzorkuWiYvFtLZ/WUQG5+CExovOOMX5xNwxFFwgfH5goJtW/+Jz2CIu9P7EVaPAWWCL554WUsu0plY9hXmJcgkkK52iUde/IcsdlovRervJNbjtZZX+NTwKhIB1PdMRbWFlYz8h65/ysK3xal9NfnkcUnvjoUX6ANL5auSAnTteMJJJgpEh2lyVE3+v9ydRrGTfdjSikum2GP3OD9AMQKRSNcUiVZ9P6sUO31UAK555JLC27KI6a48k4gLDa1AqXUPaX9kxen9FKk1aClzgl+fQ/RQEShjC3LUNczOCyY+j0ou6d+0XXpib0QoUYQIDAQABo4HFMIHCMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAY/LzoPqu7RihAD7zIAUiddVAkkMB8GA1UdIwQYMBaAFB5MARhhq/go7y+tqaL9J1uXDrj1MA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggIBABt5pNVN+hx+ZKRMlxRVlcgNGIeGZDE574GKoizHhL2LzAnEorG1OzRMyppH/FUhV6JETciaQ2lqDZTa7wRe4L3pKYx1NXiyLniu2uRyLPy5yRXWof4DBw4E/WGuPKuRTioSHS5aeJ/V1oVO0S0bXRF9DQasZtMrzF5RsAeJjKlrUvEg8/6buHIXzsa8077BGzUb8F2uIUCcfZZowf66EgRoSSRp3N2wU6tYgz4uqyQZR/OaOzhxBxAnElBInVwQyyGz66Nm6jmZbkRylPyyDUslIto+2riT37RhQLkFAOt8THqFc4JBtvolowLg4N5rtxz5Xgr0rD+h7VVf7FLEEeK4ckAmMOImBaKAavvMoSei8N9BfcwE7z9rJNcNYbIdUGwgc6wh8IuQel+hFb3wjuGzhH7QlJBsjC90ZqzJEJAv/vzm60nd/hg6tCFqQ5QnbzZaTXLB6S8P6cBOf3q9jStLxGd8VhoQxDUC08rVJd6cEvaYLMOeYrkp6DqtG8zLqeuflsmchSsGtqCxiVxSNO3pKOSfLlVmy5hnJccUtG95AiRSVCbg5bA8t/o7GHGw0JaC28yuptyVhomtt7qTm3esnpf7CkxIT1OlcUAfVt0ab4cIPLwnyD/UL5VWK9QEiqQLHgrlxahPw372fZBeXyJc/SWz2uMk0HhsMQwq+WZB</X509Certificate>
+        <X509Certificate>MIIFGDCCAwCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaTELMAkGA1UEBhMCVUsx
+EDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0
+MSkwJwYDVQQDDCBYbWxzZWN1cml0eSBJbnRlcm1lZGlhdGUgUm9vdCBDQTAgFw0x
+ODEwMDYxOTQyNThaGA8yMTE4MDkxMjE5NDI1OFowazELMAkGA1UEBhMCVUsxEDAO
+BgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSsw
+KQYDVQQDDCJYbWxzZWN1cml0eSBSU0EgVGVzdCBleGFtcGxlIEFsaWNlMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00dJeduvg67xONvWDWdmypspZKzo
+rkuWiYvFtLZ/WUQG5+CExovOOMX5xNwxFFwgfH5goJtW/+Jz2CIu9P7EVaPAWWCL
+554WUsu0plY9hXmJcgkkK52iUde/IcsdlovRervJNbjtZZX+NTwKhIB1PdMRbWFl
+Yz8h65/ysK3xal9NfnkcUnvjoUX6ANL5auSAnTteMJJJgpEh2lyVE3+v9ydRrGTf
+djSikum2GP3OD9AMQKRSNcUiVZ9P6sUO31UAK555JLC27KI6a48k4gLDa1AqXUPa
+X9kxen9FKk1aClzgl+fQ/RQEShjC3LUNczOCyY+j0ou6d+0XXpib0QoUYQIDAQAB
+o4HFMIHCMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMDMGCWCGSAGG+EIB
+DQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFAY/LzoPqu7RihAD7zIAUiddVAkkMB8GA1UdIwQYMBaAFB5MARhhq/go7y+t
+qaL9J1uXDrj1MA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
+KwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggIBABt5pNVN+hx+ZKRMlxRVlcgNGIeG
+ZDE574GKoizHhL2LzAnEorG1OzRMyppH/FUhV6JETciaQ2lqDZTa7wRe4L3pKYx1
+NXiyLniu2uRyLPy5yRXWof4DBw4E/WGuPKuRTioSHS5aeJ/V1oVO0S0bXRF9DQas
+ZtMrzF5RsAeJjKlrUvEg8/6buHIXzsa8077BGzUb8F2uIUCcfZZowf66EgRoSSRp
+3N2wU6tYgz4uqyQZR/OaOzhxBxAnElBInVwQyyGz66Nm6jmZbkRylPyyDUslIto+
+2riT37RhQLkFAOt8THqFc4JBtvolowLg4N5rtxz5Xgr0rD+h7VVf7FLEEeK4ckAm
+MOImBaKAavvMoSei8N9BfcwE7z9rJNcNYbIdUGwgc6wh8IuQel+hFb3wjuGzhH7Q
+lJBsjC90ZqzJEJAv/vzm60nd/hg6tCFqQ5QnbzZaTXLB6S8P6cBOf3q9jStLxGd8
+VhoQxDUC08rVJd6cEvaYLMOeYrkp6DqtG8zLqeuflsmchSsGtqCxiVxSNO3pKOSf
+LlVmy5hnJccUtG95AiRSVCbg5bA8t/o7GHGw0JaC28yuptyVhomtt7qTm3esnpf7
+CkxIT1OlcUAfVt0ab4cIPLwnyD/UL5VWK9QEiqQLHgrlxahPw372fZBeXyJc/SWz
+2uMk0HhsMQwq+WZB
+</X509Certificate>
+        <X509Certificate>MIIFGDCCAwCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaTELMAkGA1UEBhMCVUsx
+EDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0
+MSkwJwYDVQQDDCBYbWxzZWN1cml0eSBJbnRlcm1lZGlhdGUgUm9vdCBDQTAgFw0x
+ODEwMDYxOTQyNThaGA8yMTE4MDkxMjE5NDI1OFowazELMAkGA1UEBhMCVUsxEDAO
+BgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSsw
+KQYDVQQDDCJYbWxzZWN1cml0eSBSU0EgVGVzdCBleGFtcGxlIEFsaWNlMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00dJeduvg67xONvWDWdmypspZKzo
+rkuWiYvFtLZ/WUQG5+CExovOOMX5xNwxFFwgfH5goJtW/+Jz2CIu9P7EVaPAWWCL
+554WUsu0plY9hXmJcgkkK52iUde/IcsdlovRervJNbjtZZX+NTwKhIB1PdMRbWFl
+Yz8h65/ysK3xal9NfnkcUnvjoUX6ANL5auSAnTteMJJJgpEh2lyVE3+v9ydRrGTf
+djSikum2GP3OD9AMQKRSNcUiVZ9P6sUO31UAK555JLC27KI6a48k4gLDa1AqXUPa
+X9kxen9FKk1aClzgl+fQ/RQEShjC3LUNczOCyY+j0ou6d+0XXpib0QoUYQIDAQAB
+o4HFMIHCMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMDMGCWCGSAGG+EIB
+DQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFAY/LzoPqu7RihAD7zIAUiddVAkkMB8GA1UdIwQYMBaAFB5MARhhq/go7y+t
+qaL9J1uXDrj1MA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
+KwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggIBABt5pNVN+hx+ZKRMlxRVlcgNGIeG
+ZDE574GKoizHhL2LzAnEorG1OzRMyppH/FUhV6JETciaQ2lqDZTa7wRe4L3pKYx1
+NXiyLniu2uRyLPy5yRXWof4DBw4E/WGuPKuRTioSHS5aeJ/V1oVO0S0bXRF9DQas
+ZtMrzF5RsAeJjKlrUvEg8/6buHIXzsa8077BGzUb8F2uIUCcfZZowf66EgRoSSRp
+3N2wU6tYgz4uqyQZR/OaOzhxBxAnElBInVwQyyGz66Nm6jmZbkRylPyyDUslIto+
+2riT37RhQLkFAOt8THqFc4JBtvolowLg4N5rtxz5Xgr0rD+h7VVf7FLEEeK4ckAm
+MOImBaKAavvMoSei8N9BfcwE7z9rJNcNYbIdUGwgc6wh8IuQel+hFb3wjuGzhH7Q
+lJBsjC90ZqzJEJAv/vzm60nd/hg6tCFqQ5QnbzZaTXLB6S8P6cBOf3q9jStLxGd8
+VhoQxDUC08rVJd6cEvaYLMOeYrkp6DqtG8zLqeuflsmchSsGtqCxiVxSNO3pKOSf
+LlVmy5hnJccUtG95AiRSVCbg5bA8t/o7GHGw0JaC28yuptyVhomtt7qTm3esnpf7
+CkxIT1OlcUAfVt0ab4cIPLwnyD/UL5VWK9QEiqQLHgrlxahPw372fZBeXyJc/SWz
+2uMk0HhsMQwq+WZB
+</X509Certificate>
       </X509Data>
     </KeyInfo>
     <Object>
       <SignatureProperties>
-        <SignatureProperty Id="ID_00e300d700ce000e00cc000f0046003d00b400bc001f0067004f000d005400da" Target="#ID_00c4002f00f4007d00e500d8004800920089004800af002e009800c100370090">
-          <dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2023-03-10T08:53:51.566819829</dc:date>
+        <SignatureProperty Id="ID_00ac005800ac00f3004900e6004500d5009c0009001900f500e200ad009700eb" Target="#ID_0033003700b000b800e700ef0040000b00a6009100030039005800bc00890016">
+          <dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2023-03-10T08:51:53.929277801</dc:date>
         </SignatureProperty>
       </SignatureProperties>
     </Object>
     <Object xmlns:xd="http://uri.etsi.org/01903/v1.3.2#">
-      <xd:QualifyingProperties Target="#ID_00c4002f00f4007d00e500d8004800920089004800af002e009800c100370090">
-        <xd:SignedProperties Id="idSignedProperties_ID_00c4002f00f4007d00e500d8004800920089004800af002e009800c100370090">
+      <xd:QualifyingProperties Target="#ID_0033003700b000b800e700ef0040000b00a6009100030039005800bc00890016">
+        <xd:SignedProperties Id="idSignedProperties_ID_0033003700b000b800e700ef0040000b00a6009100030039005800bc00890016">
           <xd:SignedSignatureProperties>
-            <xd:SigningTime>2023-03-10T08:53:51.566819829</xd:SigningTime>
+            <xd:SigningTime>2023-03-10T08:51:53.929277801</xd:SigningTime>
             <xd:SigningCertificate>
               <xd:Cert>
                 <xd:CertDigest>
@@ -108,7 +174,7 @@
             </xd:SignaturePolicyIdentifier>
           </xd:SignedSignatureProperties>
         </xd:SignedProperties>
-        <xd:UnsignedProperties Id="idUnsignedProperties_ID_00c4002f00f4007d00e500d8004800920089004800af002e009800c100370090">
+        <xd:UnsignedProperties Id="idUnsignedProperties_ID_0033003700b000b800e700ef0040000b00a6009100030039005800bc00890016">
           <xd:UnsignedSignatureProperties>
             <xd:CertificateValues>
               <xd:EncapsulatedX509Certificate>MIIFGDCCAwCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaTELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSkwJwYDVQQDDCBYbWxzZWN1cml0eSBJbnRlcm1lZGlhdGUgUm9vdCBDQTAgFw0xODEwMDYxOTQyNThaGA8yMTE4MDkxMjE5NDI1OFowazELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSswKQYDVQQDDCJYbWxzZWN1cml0eSBSU0EgVGVzdCBleGFtcGxlIEFsaWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00dJeduvg67xONvWDWdmypspZKzorkuWiYvFtLZ/WUQG5+CExovOOMX5xNwxFFwgfH5goJtW/+Jz2CIu9P7EVaPAWWCL554WUsu0plY9hXmJcgkkK52iUde/IcsdlovRervJNbjtZZX+NTwKhIB1PdMRbWFlYz8h65/ysK3xal9NfnkcUnvjoUX6ANL5auSAnTteMJJJgpEh2lyVE3+v9ydRrGTfdjSikum2GP3OD9AMQKRSNcUiVZ9P6sUO31UAK555JLC27KI6a48k4gLDa1AqXUPaX9kxen9FKk1aClzgl+fQ/RQEShjC3LUNczOCyY+j0ou6d+0XXpib0QoUYQIDAQABo4HFMIHCMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAY/LzoPqu7RihAD7zIAUiddVAkkMB8GA1UdIwQYMBaAFB5MARhhq/go7y+tqaL9J1uXDrj1MA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggIBABt5pNVN+hx+ZKRMlxRVlcgNGIeGZDE574GKoizHhL2LzAnEorG1OzRMyppH/FUhV6JETciaQ2lqDZTa7wRe4L3pKYx1NXiyLniu2uRyLPy5yRXWof4DBw4E/WGuPKuRTioSHS5aeJ/V1oVO0S0bXRF9DQasZtMrzF5RsAeJjKlrUvEg8/6buHIXzsa8077BGzUb8F2uIUCcfZZowf66EgRoSSRp3N2wU6tYgz4uqyQZR/OaOzhxBxAnElBInVwQyyGz66Nm6jmZbkRylPyyDUslIto+2riT37RhQLkFAOt8THqFc4JBtvolowLg4N5rtxz5Xgr0rD+h7VVf7FLEEeK4ckAmMOImBaKAavvMoSei8N9BfcwE7z9rJNcNYbIdUGwgc6wh8IuQel+hFb3wjuGzhH7QlJBsjC90ZqzJEJAv/vzm60nd/hg6tCFqQ5QnbzZaTXLB6S8P6cBOf3q9jStLxGd8VhoQxDUC08rVJd6cEvaYLMOeYrkp6DqtG8zLqeuflsmchSsGtqCxiVxSNO3pKOSfLlVmy5hnJccUtG95AiRSVCbg5bA8t/o7GHGw0JaC28yuptyVhomtt7qTm3esnpf7CkxIT1OlcUAfVt0ab4cIPLwnyD/UL5VWK9QEiqQLHgrlxahPw372fZBeXyJc/SWz2uMk0HhsMQwq+WZB</xd:EncapsulatedX509Certificate>

Looks like one cert used to be listed only once with 1.2 but is listed 3 times with 1.3. Should I tweak things on our side to deduplicate the cert list or is this unintentional in xmlsec and would be rather better to fix it there? Thanks.

[lsh123]

First, thanks a lot for the tests!

• It looks like the private key is only coming from SecurityEnvironment_NssImpl::createKeysManager() and that was the key that 1.2.x was using for signatures. Not sure if this is the same key as the one you have in the X509Data node in the template and this was exactly the reason why implemented "strict" key search mode. I would be interesting to understand why 1.3.0 doesn't pickup the same key, but it was likely wrong thing to do. I wonder if you ever tried to verify the file that was signed with 1.2.0 in this test :)

• Duplicate certs in the 1.3.0 output. Let me file an issue and look into it. I can see how it can have one additional cert printed out but not two. Issue xmlsec-1.3.0-rc2 prints extra certificates in the output #603

• The assert cppunittester: /home/vmiklos/git/libreoffice/master/xmlsecurity/source/helper/xsecctl.cxx:765: static void XSecController::exportSignature(const com::sun::star::uno::Reference<com::sun::star::xml::sax::XDocumentHandler>&, const SignatureInformation&, bool): Assertion `signatureInfo.GetSigningCertificate()' failed.

I wonder if this is caused by multiple certs :)

[lsh123]

Thanks, error was telling :) PR #609 should make it work for you. Sorry I usually don't test without certs verification like you are using and this is why we run into all these issues. I added a high level failure reasons here:

2cfeca7

I would recommend to consider switching to use xmlsec certs verification over time. I can work with you to get the information propagated for error messages as needed. Honestly using XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS scares me a lot :)

[vmiklos]

PR #609 should make it work for you.

Indeed, great. :-) I'll go back to a full 'make check' to see if I find anything else, but hopefully it'll be now all fine.

I would recommend to consider switching to use xmlsec certs verification over time.

I'm not against that at all, though probably separate from the 1.2 -> 1.3 upgrade. My understanding is that the openoffice dsig code had its own cert verify code so that the UI can tell if the dsig verification failed in general, or there was a problem with the cert verification specifically. (And we inherited this in libreoffice, unchanged.) If we can keep telling the users about this difference, replacing own code with library code sound great.

I'm a bit confused about xmlSecDSigFailureReason, though: which one of these would be "the digests & signature OK, but we don't trust this certificate" (which is what the unwanted XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS provides for us)? Thanks.

[lsh123]

Well currently xmlsec wouldn't even check signature if cert verification failed :) But as I said, I would love to work with you to figure out how to make it work for your use case. And I argee, 1.2 -> 1.3 is big enough on its own :)

[vmiklos]

Well currently xmlsec wouldn't even check signature if cert verification failed :) But as I said, I would love to work with you to figure out how to make it work for your use case.

OK, I'll start a separate discussion/thread post 1.3; possibly we can even accept that way (do cert verify first, and only then sig verify), as long as we change documentation on our side.

Anyhow, as a data point, there was a last libreoffice testcase that failed with xmlsec 1.3, but it was a PDF signing one, so really just worked by accident before (I would say), and other than that, at least Linux/nss 'make check' now passes for me locally with xmlsec 1.3.

If that's interesting for you, I can do similar integration testing for mscng with a next xmlsec 1.3 RC.

And thanks again for your fixes that help our use-case.

[lsh123]

great, thank you! and yes more tests is good! :)