From d63aef1df8a6d463d639c7c6142611e8bb661176 Mon Sep 17 00:00:00 2001
From: lsh123
Date: Tue, 22 Nov 2022 21:28:06 -0500
Subject: [PATCH 01/15] fix enc context reset (issue #437) (#438)

---
 src/xmlenc.c | 18 +++-
 tests/aleksey-xmlenc-01/enc-two-enc-keys.data | 7 ++
 tests/aleksey-xmlenc-01/enc-two-enc-keys.tmpl | 32 +++++++
 tests/aleksey-xmlenc-01/enc-two-enc-keys.xml | 82 ++++++++++++++++++
 tests/keys/README.md | 8 ++
 tests/keys/ca2key.p12 | Bin 0 -> 1910 bytes
 tests/keys/cakey.p12 | Bin 0 -> 2244 bytes
 tests/testEnc.sh | 16 ++++
 8 files changed, 159 insertions(+), 4 deletions(-)
 create mode 100644 tests/aleksey-xmlenc-01/enc-two-enc-keys.data
 create mode 100644 tests/aleksey-xmlenc-01/enc-two-enc-keys.tmpl
 create mode 100644 tests/aleksey-xmlenc-01/enc-two-enc-keys.xml
 create mode 100644 tests/keys/ca2key.p12
 create mode 100644 tests/keys/cakey.p12

diff --git a/src/xmlenc.c b/src/xmlenc.c
index c21a1a149..4312d3739 100644
--- a/src/xmlenc.c
+++ b/src/xmlenc.c
@@ -95,6 +95,17 @@ xmlSecEncCtxDestroy(xmlSecEncCtxPtr encCtx) {
     xmlFree(encCtx);
 }
 
+static void
+xmlSecEncCtxSetDefaults(xmlSecEncCtxPtr encCtx) {
+    xmlSecAssert(encCtx != NULL);
+
+    encCtx->keyInfoReadCtx.mode = xmlSecKeyInfoModeRead;
+
+    /* it's not wise to write private key :) */
+    encCtx->keyInfoWriteCtx.mode = xmlSecKeyInfoModeWrite;
+    encCtx->keyInfoWriteCtx.keyReq.keyType = xmlSecKeyDataTypePublic;
+}
+
 /**
  * xmlSecEncCtxInitialize:
  * @encCtx: the pointer to processing context.
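Review bot: The new xmlSecEncCtxSetDefaults() helper carries no header comment explaining why it exists next to xmlSecEncCtxInitialize(), and the only hint left is the inherited `/* it's not wise to write private key :) */`. Since this helper is what re-establishes the public-key-only constraint on the KeyInfo write context, I would put above `static void`: `/* (Re)applies the key-info defaults; called from both Initialize() and Reset() so a reused context never loses the keyType=Public restriction on the write side (issue #437). */`. The Reset() call site lives in a later hunk of this file, not in this one.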
@@ -120,16 +131,12 @@ xmlSecEncCtxInitialize(xmlSecEncCtxPtr encCtx, xmlSecKeysMngrPtr keysMngr) {
         xmlSecInternalError("xmlSecKeyInfoCtxInitialize", NULL);
         return(-1);
     }
-    encCtx->keyInfoReadCtx.mode = xmlSecKeyInfoModeRead;
 
     ret = xmlSecKeyInfoCtxInitialize(&(encCtx->keyInfoWriteCtx), keysMngr);
     if(ret < 0) {
         xmlSecInternalError("xmlSecKeyInfoCtxInitialize", NULL);
         return(-1);
     }
-    encCtx->keyInfoWriteCtx.mode = xmlSecKeyInfoModeWrite;
-    /* it's not wise to write private key :) */
-    encCtx->keyInfoWriteCtx.keyReq.keyType = xmlSecKeyDataTypePublic;
 
     /* initializes transforms encCtx */
     ret = xmlSecTransformCtxInitialize(&(encCtx->transformCtx));
@@ -138,6 +145,7 @@ xmlSecEncCtxInitialize(xmlSecEncCtxPtr encCtx, xmlSecKeysMngrPtr keysMngr) {
         return(-1);
     }
 
+    xmlSecEncCtxSetDefaults(encCtx);
     return(0);
 }
 
@@ -222,6 +230,8 @@ xmlSecEncCtxReset(xmlSecEncCtxPtr encCtx) {
 
     encCtx->encDataNode = encCtx->encMethodNode = encCtx->keyInfoNode =
         encCtx->cipherValueNode = NULL;
+
+    xmlSecEncCtxSetDefaults(encCtx);
 }
 
 /**
diff --git a/tests/aleksey-xmlenc-01/enc-two-enc-keys.data b/tests/aleksey-xmlenc-01/enc-two-enc-keys.data
new file mode 100644
index 000000000..0532dec5e
--- /dev/null
+++ b/tests/aleksey-xmlenc-01/enc-two-enc-keys.data
@@ -0,0 +1,7 @@
+ + +]> + +test +
diff --git a/tests/aleksey-xmlenc-01/enc-two-enc-keys.tmpl b/tests/aleksey-xmlenc-01/enc-two-enc-keys.tmpl
new file mode 100644
index 000000000..80e4c7514
--- /dev/null
+++ b/tests/aleksey-xmlenc-01/enc-two-enc-keys.tmpl
@@ -0,0 +1,32 @@
+ + + + + + +key1 + + + + + + + + + + + +key2 + + + + + + + + + + + + +
diff --git a/tests/aleksey-xmlenc-01/enc-two-enc-keys.xml b/tests/aleksey-xmlenc-01/enc-two-enc-keys.xml
new file mode 100644
index 000000000..62ac11b9b
--- /dev/null
+++ b/tests/aleksey-xmlenc-01/enc-two-enc-keys.xml
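Review bot: In xmlSecEncCtxReset() the new xmlSecEncCtxSetDefaults() call is only correct if it runs after the xmlSecKeyInfoCtxReset() calls for keyInfoReadCtx and keyInfoWriteCtx, which are presumably earlier in the function and outside this hunk; if the order is ever flipped, the reset would wipe the defaults again and the write context could go back to emitting whatever key type the caller loaded. I would pin that ordering with a comment on the call: `/* must stay after the xmlSecKeyInfoCtxReset() calls: they clear keyReq, and the write ctx has to be restored to keyType=Public (issue #437) */`. The start of xmlSecEncCtxReset() and the beginning of xmlSecEncCtxInitialize() are outside the hunks shown.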
@@ -0,0 +1,82 @@ + + +]> + + + + + + +key1 + +MIID9zCCA2CgAwIBAgIJAK+ii7kzrdqsMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1MIFNlY3Vy +aXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjKTEQMA4G +A1UECxMHUm9vdCBDQTEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEhMB8GCSqGSIb3 +DQEJARYSeG1sc2VjQGFsZWtzZXkuY29tMCAXDTE0MDUyMzE3NTA1OVoYDzIxMTQw +NDI5MTc1MDU5WjCBrjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx +PTA7BgNVBAoTNFhNTCBTZWN1cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtz +ZXkuY29tL3htbHNlYykxEDAOBgNVBAsTB1Jvb3QgQ0ExFjAUBgNVBAMTDUFsZWtz +ZXkgU2FuaW4xITAfBgkqhkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTCBnzAN +BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtY4MCNj/qrOzVuex1BD/PuCYTDDOLLVj +tpKXQteQPqy0kgMwuQgRwdNnICIHQbnFKL40XoyACJVWKM7b0LkvWJNeyVzXPqEE +9ZPmNxWGUjVcr7powT7v8V7S2QflUnr8ZvR4XWwkZJ9EYKNhenijgJ5yYDrXCWdv +C+fnjBjv2LcCAwEAAaOCARcwggETMB0GA1UdDgQWBBQGtaSsp6p1ROoVnE/fBYNP +ah7+CzCB4wYDVR0jBIHbMIHYgBQGtaSsp6p1ROoVnE/fBYNPah7+C6GBtKSBsTCB +rjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExPTA7BgNVBAoTNFhN +TCBTZWN1cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtzZXkuY29tL3htbHNl +YykxEDAOBgNVBAsTB1Jvb3QgQ0ExFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAf +BgkqhkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbYIJAK+ii7kzrdqsMAwGA1Ud +EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEARpb86RP/ck55X+NunXeIX81i763b +j7Z1VJwFbA/QfupzxnqJ2IP/lxC8YxJ3Bp2IJMI7rC9r0poa41ZxI5rGHip97Dpg +sxPF9lkRUmKBBQjkICOq1w/4d2DRInBoqXttD+0WsqDfNDVK+7kSE07ytn3RzHCj +j0gv0PdxmuCsR/E= + + + + +OWIZitDwtQp3dvJ2NP2bgQaaiW+Z0vwyh8ajaw7nuwlqQugrbugy9upogbKMpOrz +XFLfdzfQ5EfRBr2MaPvMkft2wBWfYOS437RNrKdd/MZxZjSPoFRAMBz4F6cVjDx5 +L3/I/3usuqoyYLNtjQTxcIt+sdtNMZnAyVxz/08vEGg= + + + + + +key2 + +MIIDzzCCAzigAwIBAgIJAK+ii7kzrdqtMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1MIFNlY3Vy +aXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjKTEQMA4G +A1UECxMHUm9vdCBDQTEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEhMB8GCSqGSIb3 +DQEJARYSeG1sc2VjQGFsZWtzZXkuY29tMCAXDTE0MDUyMzE3NTIzOFoYDzIxMTQw 
+NDI5MTc1MjM4WjCBnDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx +PTA7BgNVBAoTNFhNTCBTZWN1cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtz +ZXkuY29tL3htbHNlYykxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAfBgkqhkiG +9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC +QQCyuvKJ2CuUPD33ghPt4Q8MilesHxVbbpyKfmabrYVpDGVDmOKKp337qJUZZ95K +fwlXbR2j0zyKWJmvRxUx+PsTAgMBAAGjggFFMIIBQTAMBgNVHRMEBTADAQH/MCwG +CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV +HQ4EFgQU/uTsUyTwlZXHELXhRLVdOWVa434wgeMGA1UdIwSB2zCB2IAUBrWkrKeq +dUTqFZxP3wWDT2oe/guhgbSkgbEwga4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD +YWxpZm9ybmlhMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGlicmFyeSAoaHR0cDov +L3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMRAwDgYDVQQLEwdSb290IENBMRYwFAYD +VQQDEw1BbGVrc2V5IFNhbmluMSEwHwYJKoZIhvcNAQkBFhJ4bWxzZWNAYWxla3Nl +eS5jb22CCQCvoou5M63arDANBgkqhkiG9w0BAQUFAAOBgQBuTAW63AgWqqUDPGi8 +BiXbdKHhFP4J8qgkdv5WMa6SpSWVgNgOYXkK/BSg1aSmQtGv8/8UvBRPoJnO4y0N +jWUFf1ubOgUNmedYNLq7YbTp8yTGWeogCyM2xdWELMP8BMgQL0sP+MDAFMKO3itY +mEWnCEsP15HKSTms54RNj7oJ+A== + + + + +fDxlxg+iGPUl78ourojHao8/BcxY+A2IQXVghY/OqeQUUD9eT55jrGxgw5UEADoq +ZD8I/KolksaZ1414NyOIIw== + + + + +ORyr/Fi6TMsMMfEWeDy9iPGl43zoKJLbTTukFwOqtfBi0nSdsMkGkmpQAs3a1PsG + + diff --git a/tests/keys/README.md b/tests/keys/README.md index 02b0efd50..9e5fffce4 100644 --- a/tests/keys/README.md +++ b/tests/keys/README.md @@ -226,6 +226,14 @@ keys into PKCS12 form that is suitable for not only NSS but all crypto engines ( password is `secret123`): ``` +cat cakey.pem cacert.pem > allcakey.pem +openssl pkcs12 -export -in allcakey.pem -name CARsaKey -out cakey.p12 +rm allcakey.pem + +cat ca2key.pem ca2cert.pem cacert.pem > allca2key.pem +openssl pkcs12 -export -in allca2key.pem -name CA2RsaKey -out ca2key.p12 +rm allca2key.pem + cat dsakey.pem dsacert.pem ca2cert.pem cacert.pem > alldsa.pem openssl pkcs12 -export -in alldsa.pem -name TestDsaKey -out dsakey.p12 
diff --git a/tests/keys/ca2key.p12 b/tests/keys/ca2key.p12 new file mode 100644 index 0000000000000000000000000000000000000000..54f6bb16b9db90d06778c8d69e5c387978d047ab GIT binary patch literal 1910 zcmai#X*8P&7ssC`5{VIgX{4%z)SlQLOSSr1>b1mD)rO+zpe-`B)G}(UsUXH$Qd>>Y zmMMd#q-tMMZ3wlDYGN;5OFOkx(XrQ<^S-D3I3Mo0=l=iqocrP4^SclY84LpjAR1Cd zP>4vkq;H6TNbo)lDG8?`u?MmkM1#NnW(nS>!CxFmZ7>ixNcG1W3!?rv4JL#DAe^9(2i+3%5`cq5xM&LHhsudLMs>FGaN4k& zn%ylL{QSR$7Q~JAyz6NbrBGSpVE9_tus$kru%V)TayvUA;r?j`J4{EUNzXuFvJsSJ z_&0kqc9UyhtItX4^7Qr^c|FOug}-?EVEx$_!Woh((cP}LFe$RQNNMZV3?t5=)BE+H z*n|Dr#lAl-*hd*IJt8Hwc!4Q~zY(1D9;2nLGW&@$Reqi;W`Q>|U+-F{JerJH^D=*788-)nkFZa|{HLq-r& zSUa;)TsYM#6=ihCrzc&#dX3wU`=hER-G!P^+udjvzN5QRyzA_jZDcXw^1PmaJ6sr{ zkE|2D{j9X*IuNY>6g+pX1vUSPvtA-FnkJ{#V<8&TP%o@!VoWH0^K%>1J;2kE?eREo zq-k}S&h7p0@gZNub-&#V+u%2+%zGGKKOHSEnXwqGos4O##R+Q3rc1gOEp}TbwX)Dk zsG8cvivza|?AiBhB2ckc4n?;eCg0i)1iXS9H1+&)_qI1Q;Gvs)XU>-EnTV=6IxUwt zn)GLlosC~2x-O|$b8V9N2Ezp@?j}KEsn=Ld4r{J2hl)m(8U|9V9_rF2qXjukyQE_u z&bL@6Rmn9xqAHm)9d)$fNj7F6AvfU^Q{~k}?~jp%5Ixr)8p-MA+Yb|nA%PuK+2bzw zuwkFJ%iz#7GLtvi#z=!UgUay&Q}NCli+$8Ht`r0Ul5O4H8b4Ev6)cnEUJ8l;j#)0$ zU2Q1JhD{GCyC044o>B<71ddH~NgA!+dp~xyR_g|H=}v-Ys8!L*W%eo3Mp$#|`wVk; z6&;y|n0QBl%#Z$odsa^QS2Pni6&M&nwC40?PQLS8<5QkiPD;01AAnCc(v?sa@RAYq z^B4`MWhY?;=q-l1ACzQ%w!G)hB$_mOMyhgn7`GwcbTKJoMJmy!v-FE3r6uvIHWQ4J zOKlfNX7Ac{-;PG8h_f-jbXCi$2|sYD+LbmPUcZtTjt>ksT|J*D?|{ce597!6?D<=S zVw0z~LHlAs18O&NZEs2|D)Ai0t!GiHIX?{y7_*)=L*z4CNdedf(lMqJFUaGdAY z+-xw9NV}a}u^o&QY2RN#^=SLHR~Y{N{*Q3@RIE{>eSL%btV{|0aUoV?R+@jRj{Hz5 zAO^=PV*x4pr59g62+^{5H@yYD+-8YA+2+r9yjX$WQ6yrJ$u-#P?GLS# zMdM>O{uJw}FgyIQw+{2&V6?>vuAu-2gPk%Bmx4(vc8=j=^=(k*_zqzgO0JQxt-L%n zW!`rSt@9h2mD)>RcrUCyo6SN$tp0sk(zSn*D(dRPS6Kfy{|R<22PoTQJ54;O$h~z4 zOuZYb;Af!0&hO_yG}y_neEJ)BFcmlrrf?wR4?!L~O!l$Yr!H@U8KXI3 z;w*2>QSRN@w=Ns~6PTBAr5v|u?>gMbk&#wn>7jM78@(nLyp^XS9@jka^&M2PB)X;G5UeJ(tTkd zGw0H%5M_A;eTVlk_M z6y%Kt$pw5U|JA;F94Sg5>tD1<+42pw^uVx)5}&;sB(l~?V}54lhi*>f<;CH+HslLo z%-f+tE4+ofbx4~*(v7MK{rcsO=Nmf-gz3;Kb75D$s(q`Fal4e|uY0?_TqlE2mlN+= 
z4Jwb_;Z0?@S9`p$S%NncPKs06Zu+~C<(#Z3yh7gbL05oLJF~XoQ*Asy%kJxx?%(Kc zGjTa7FBgzMrPKUFvX&)u{OiJn#I?j_4g;ou37`#-fe^qGumQY)a7g}J3s&n0T$~>z zLRsL%L?KW{ov0LuhecuqzzpvvjPTW!K literal 0 HcmV?d00001 
diff --git a/tests/keys/cakey.p12 b/tests/keys/cakey.p12 new file mode 100644 index 0000000000000000000000000000000000000000..b3ea9c8b9a5207ebbdf721b3e5a249359fb76153 GIT binary patch literal 2244 zcmai#c{me}AIE2AHrw3y87g6zTSVrLoH;62u4%52`${WUBiCAv+=gW3YOWk%(&3De zrBFGlDTK)J?fd+GPyPA*2)1QF_fig$Q{vF{cQ4qu{@EA<9 z>~IhWgaA-*Fyw#NfKV0yN(>CWlx)W2!wh1Q194th#-fLXPYS>TKPz^o>|9R7ff6mm zs2#zpjg#_hM=q;WzxDIkX=?G6lTf-#QZ`yo8W(H01Na=;_UY4H81eO>QoO#l3V3uu z2bkk181@}CSV{JWZlo3tPc9U}VMS(ese`J>>CEWBAkW%iUQIYj&M2&lo?WKlO|{W) zo|xh@A5mLo;=%SYQT zP~nMQ$K!}bUAJT%3&p)Ue;vNPdBzZ2mPO3HeYHmdYKcI14nxH+B7T^w^rqj6J8hmK zSzIcD-Fst_E#xjppoQHFDG<%X>qkuM!%rL$Xjg4$VXkajIsvvkMdptA2A0&ivUsks z3X0ubgGY|HMUpx$Nk@3!si&=E3Z2h7G-8;8B{d9WDwWzyS2Ef~%3kZ4hM)*@z)@D} z#S(Qd4$n91#L!I+`T>%(V%T|du<0f=&{W&#;g7kwa;`#O&gnF1wy{0cPhm5g7FykX zmwmhvPcHKK$1$_p)}=|&s^g++qLdeYQ0S6U!ckvxuiM;yB&IdxD>};^;V zDMrMUx-lEoRo=)+{ z(%W*6l`Bb+PEU7m9x(ws5;S0|;xL*4I8i3ofl-rHk$q@(ocoj4qT4~iNY*xBL^a*4 z+z?6D;Q|?l@BTW^F?41OAU4YFr7*p5vT0{KcFA7)0YJ0cT0MDvC@HF&uqkXQ5~SzU zq2jHwAEH~Ht*U%9%P?Kd^qWHBMw4WK3Vu`~`VE%f9r=b+Y+=N|E1z%yUv4Cj$oN9Y z7a1wyB~txi*UZ+b?p z!ZM=T)l91>s-qN-kBQp+nbNR#`7urX*U0x>L)@?MEdh+`T?Sk4&##C!gdme9bEuBx zi*}U;1<-n7n)IfYua_cJ(OVK>8 zozmcf{@`1)maIRO6=7^^q9`s>F<|oP)>RagpE@jVJ!sQ3LXpK&O z&7k6rb#sU$7xeTfsYGfgrzh>XQjReW5ut75$_)D4-=lTW6c%^t1&*{^=^+OGCvLc4|f z4ZDi&cU5;-@RaJeM_{?*h`Q_Qp*06o`v;XzXKvuT`x$|fTJn?eT^ziu~r3{`Tz`_M<^>)Z!SMC^Rjs%cjBbo^qBc*6Cd3vKSrCN0_(`jr~l zG0iSeg&1dZ+JY5FfG9h^K4|}*d<6UyKEGVh+W=%)djIlAOwGVkwfJEDgmv*Et77Xx zkw{_QCpAw>?t`!q-q`T-g{GQYZ+Wm%gHwtWE}cP0lNx=v%`HuDEFnJ}y_VV>U|*G+ zQHffd4o8t)sIL9J&h3SjFn0<++O;dT#qeUD>g(NSH|BnY5COKJWjCz1TwNv Date: Mon, 28 Nov 2022 16:09:51 -0500 Subject: [PATCH 02/15] fix missing returns and full audit for all errors (issue #449) (#450) --- scripts/check-return.pl | 23 +++++++++++++++++++++++ src/dl.c | 3 +++ src/gcrypt/signatures.c | 10 +++++----- src/gnutls/x509vfy.c | 6 +++--- src/keyinfo.c | 5 +++-- src/mscng/certkeys.c | 2 ++ src/mscng/x509.c | 4 ++++ src/mscng/x509vfy.c | 6 
+++++-
 src/mscrypto/signatures.c | 2 +-
 src/nss/signatures.c | 2 +-
 src/openssl/evp_signatures.c | 2 +-
 src/openssl/kt_rsa.c | 2 ++
 src/openssl/signatures.c | 2 +-
 src/openssl/x509vfy.c | 13 ++++++++-----
 src/xmldsig.c | 1 +
 src/xmlsec.c | 11 +++++++++--
 src/xmltree.c | 1 +
 17 files changed, 73 insertions(+), 22 deletions(-)
 create mode 100644 scripts/check-return.pl

diff --git a/scripts/check-return.pl b/scripts/check-return.pl
new file mode 100644
index 000000000..fdd1bcf56
--- /dev/null
+++ b/scripts/check-return.pl
@@ -0,0 +1,23 @@
+#!/bin/perl
+#
+# Usage:
+# egrep -r -A8 -n 'xmlSec.*Error[0-9]?\(' ./src/ | sed 's/ //g' | perl ./scripts/check-return.pl
+#
+
+my $has_return = 0;
+my $where = "";
+foreach my $line ( ) {
+    chomp( $line );
+    if($line eq "--" || $line eq '}' || $line eq 'continue' || $line eq 'break') {
+        if(not $has_return) {
+            print("FOUND MISSING RETURN: $where\n");
+        }
+        $has_return = 0;
+        $where = "";
+    } elsif($line =~ /.*Error.*/ && $where eq "") {
+        # print("Found error: $line\n");
+        $where = $line
+    } elsif($line =~ /.*goto.*/ || $line =~ /.*return.*/ || $line =~ /.*ignoreerror.*/) {
+        $has_return = 1;
+    }
+}
\ No newline at end of file
diff --git a/src/dl.c b/src/dl.c
index 03aa9f2e6..ea81d2b8f 100644
--- a/src/dl.c
+++ b/src/dl.c
@@ -223,6 +223,7 @@ xmlSecCryptoDLLibraryDestroy(xmlSecCryptoDLLibraryPtr lib) {
         ret = lt_dlclose(lib->handle);
         if(ret != 0) {
             xmlSecIOError("lt_dlclose", NULL, NULL);
+            /* ignore error */
         }
     }
 #endif /* XMLSEC_DL_LIBLTDL */
@@ -234,6 +235,7 @@ xmlSecCryptoDLLibraryDestroy(xmlSecCryptoDLLibraryPtr lib) {
         res = FreeLibrary(lib->handle);
         if(!res) {
             xmlSecIOError("FreeLibrary", NULL, NULL);
+            /* ignore error */
         }
     }
 #endif /* defined(XMLSEC_WINDOWS) && defined(XMLSEC_DL_WIN32)*/
@@ -395,6 +397,7 @@ xmlSecCryptoDLShutdown(void) {
     ret = lt_dlexit ();
     if(ret != 0) {
         xmlSecIOError("lt_dlexit", NULL, NULL);
+        /* ignore error */
     }
 #else /* XMLSEC_DL_LIBLTDL */
     UNREFERENCED_PARAMETER(ret);
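Review bot: `#!/bin/perl` in scripts/check-return.pl is not a portable interpreter path (perl normally lives in /usr/bin or is found via PATH); use `#!/usr/bin/env perl`. The header comment should also say that the check is a coarse heuristic: any line within the 8-line egrep window that contains `return`, `goto` or `ignoreerror` marks the preceding error as handled, even when that line belongs to a different branch, so a clean run does not prove every error path bails out and reported hits still need a human look. `foreach my $line ( )` appears to have lost its `<STDIN>`/`<>` operand in this copy of the patch; as written it would loop zero times, so verify against the repository.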
diff --git a/src/gcrypt/signatures.c b/src/gcrypt/signatures.c
index 5a4e4e4da..338ec8f1e 100644
--- a/src/gcrypt/signatures.c
+++ b/src/gcrypt/signatures.c
@@ -388,16 +388,16 @@ xmlSecGCryptPkSignatureVerify(xmlSecTransformPtr transform,
     }
 
     /* check result */
-    if(ret == 1) {
-        transform->status = xmlSecTransformStatusOk;
-    } else {
+    if(ret != 1) {
         xmlSecOtherError(XMLSEC_ERRORS_R_DATA_NOT_MATCH, xmlSecTransformGetName(transform),
-            "ctx->verify: signature does not verify");
+            "ctx->verify: signature verification failed");
         transform->status = xmlSecTransformStatusFail;
+        return(0);
     }
 
-    /* done */
+    /* success */
+    transform->status = xmlSecTransformStatusOk;
     return(0);
 }
 
diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c
index b0cbb6b81..b557b0960 100644
--- a/src/gnutls/x509vfy.c
+++ b/src/gnutls/x509vfy.c
@@ -406,12 +406,12 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
         }
         if(err != GNUTLS_E_SUCCESS) {
             xmlSecGnuTLSError("gnutls_x509_crt_list_verify", err, NULL);
-            /* don't stop, continue! */
+            /* ignore error, don't stop, continue! */
             continue;
         } else if(verify != 0) {
             xmlSecOtherError2(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED, NULL, "gnutls_x509_crt_list_verify: verification failed: status=%u", verify);
-            /* don't stop, continue! */
+            /* ignore error, don't stop, continue! */
             continue;
         }
 
@@ -420,7 +420,7 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
         ret = xmlSecGnuTLSX509CheckTime(cert_list, cert_list_cur_size, verification_time);
         if(ret != 1) {
             xmlSecInternalError("xmlSecGnuTLSX509CheckTime", NULL);
-            /* don't stop, continue! */
+            /* ignore error, don't stop, continue! */
             continue;
         }
 
diff --git a/src/keyinfo.c b/src/keyinfo.c
index 18c48cd83..dd17673f2 100644
--- a/src/keyinfo.c
+++ b/src/keyinfo.c
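Review bot: The failure branch in xmlSecGCryptPkSignatureVerify() now sets `transform->status = xmlSecTransformStatusFail` and then `return(0)`, the same return value as the success path, which is easy to misread as the mismatch being swallowed; a one-line comment at that return would prevent a future "fix" that turns it into -1: `/* a mismatch is not an error: it is reported to the caller via transform->status */`. Whether ctx->verify can also yield a negative error code that the earlier, out-of-hunk check already handles is not visible here; if it cannot, folding every non-1 result into XMLSEC_ERRORS_R_DATA_NOT_MATCH is the right shape. The beginning of the function is outside the hunk.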
@@ -1053,9 +1053,10 @@ xmlSecKeyDataRetrievalMethodXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlNod
         if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_RETRMETHOD_STOP_ON_UNKNOWN_HREF) != 0) {
             xmlSecInvalidNodeAttributeError(node, xmlSecAttrType, xmlSecKeyDataKlassGetName(id), "retrieval type is unknown");
-        } else {
-            res = 0;
+            goto done;
         }
+
+        res = 0;
         goto done;
     }
 
diff --git a/src/mscng/certkeys.c b/src/mscng/certkeys.c
index c0053d355..14659607e 100644
--- a/src/mscng/certkeys.c
+++ b/src/mscng/certkeys.c
@@ -304,6 +304,7 @@ xmlSecMSCngKeyDataFinalize(xmlSecKeyDataPtr data) {
         status = NCryptFreeObject(ctx->privkey);
         if(status != STATUS_SUCCESS) {
             xmlSecMSCngNtError("BCryptDestroyKey", NULL, status);
+            /* ignore error */
         }
     }
 
@@ -311,6 +312,7 @@ xmlSecMSCngKeyDataFinalize(xmlSecKeyDataPtr data) {
         status = BCryptDestroyKey(ctx->pubkey);
         if(status != STATUS_SUCCESS) {
             xmlSecMSCngNtError("BCryptDestroyKey", NULL, status);
+            /* ignore error */
         }
     }
 
diff --git a/src/mscng/x509.c b/src/mscng/x509.c
index 30ed19a76..36e9bc46c 100644
--- a/src/mscng/x509.c
+++ b/src/mscng/x509.c
@@ -134,12 +134,14 @@ xmlSecMSCngKeyDataX509Finalize(xmlSecKeyDataPtr data) {
     if(ctx->cert != NULL) {
         if(!CertFreeCertificateContext(ctx->cert)) {
             xmlSecMSCngLastError("CertFreeCertificateContext", NULL);
+            /* ignore error */
         }
     }
 
     if(ctx->hMemStore != 0) {
         if(!CertCloseStore(ctx->hMemStore, 0)) {
             xmlSecMSCngLastError("CertCloseStore", NULL);
+            /* ignore error */
         }
     }
 
@@ -820,6 +822,7 @@ xmlSecMSCngKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(output != NULL);
 
     xmlSecNotImplementedError(NULL);
+    /* ignore error */
 }
 
 static void
@@ -828,6 +831,7 @@ xmlSecMSCngKeyDataX509DebugXmlDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(output != NULL);
 
     xmlSecNotImplementedError(NULL);
+    /* ignore error */
 }
 
 static xmlSecKeyDataKlass xmlSecMSCngKeyDataX509Klass = {
diff --git a/src/mscng/x509vfy.c b/src/mscng/x509vfy.c
index 95e7807b4..87da7110e 100644
--- a/src/mscng/x509vfy.c
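Review bot: After the restructure in xmlSecKeyDataRetrievalMethodXmlRead(), the strict branch (XMLSEC_KEYINFO_FLAGS_RETRMETHOD_STOP_ON_UNKNOWN_HREF set) jumps to `done` without touching `res`, so rejecting an unknown retrieval type depends on `res` having been initialised to -1 at the top of the function, which is outside the hunk; please confirm that, and consider making the intent explicit with `res = -1;` directly before that `goto done;` so a later change to the initialiser cannot quietly turn the strict mode into an accept. The lenient branch correctly keeps returning 0 (unknown type skipped), and the old code had the same dependency, so this is hardening rather than a regression.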
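Review bot: The error reported right above the first added comment in xmlSecMSCngKeyDataFinalize() names the wrong API: after `status = NCryptFreeObject(ctx->privkey);` the line reads `xmlSecMSCngNtError("BCryptDestroyKey", NULL, status);`, so a failed private-key release is logged as if the public-key destroy had failed, which makes the error hard to trace. It should be `xmlSecMSCngNtError("NCryptFreeObject", NULL, status);`. The copy-paste predates this commit, but the hunk touches the line immediately below it; the second hunk (BCryptDestroyKey on ctx->pubkey) is correct as is.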
+++ b/src/mscng/x509vfy.c
@@ -65,6 +65,7 @@ xmlSecMSCngX509StoreFinalize(xmlSecKeyDataStorePtr store) {
         ret = CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_CHECK_FLAG);
         if(ret == FALSE) {
             xmlSecMSCngLastError("CertCloseStore", xmlSecKeyDataStoreGetName(store));
+            /* ignore error */
         }
     }
 
@@ -72,6 +73,7 @@ xmlSecMSCngX509StoreFinalize(xmlSecKeyDataStorePtr store) {
         ret = CertCloseStore(ctx->trustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
         if(ret == FALSE) {
             xmlSecMSCngLastError("CertCloseStore", xmlSecKeyDataStoreGetName(store));
+            /* ignore error */
         }
     }
 
@@ -79,6 +81,7 @@ xmlSecMSCngX509StoreFinalize(xmlSecKeyDataStorePtr store) {
         ret = CertCloseStore(ctx->untrusted, CERT_CLOSE_STORE_CHECK_FLAG);
         if(ret == FALSE) {
             xmlSecMSCngLastError("CertCloseStore", xmlSecKeyDataStoreGetName(store));
+            /* ignore error */
         }
     }
 
@@ -86,7 +89,8 @@ xmlSecMSCngX509StoreFinalize(xmlSecKeyDataStorePtr store) {
         ret = CertCloseStore(ctx->untrustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
         if(ret == FALSE) {
             xmlSecMSCngLastError("CertCloseStore", xmlSecKeyDataStoreGetName(store));
-        }
+            /* ignore error */
+        }
     }
 
     memset(ctx, 0, sizeof(xmlSecMSCngX509StoreCtx));
diff --git a/src/mscrypto/signatures.c b/src/mscrypto/signatures.c
index cbcc286fa..64ad383ee 100644
--- a/src/mscrypto/signatures.c
+++ b/src/mscrypto/signatures.c
@@ -408,7 +408,7 @@ static int xmlSecMSCryptoSignatureVerify(xmlSecTransformPtr transform,
         dwError = GetLastError();
         if (NTE_BAD_SIGNATURE == HRESULT_FROM_WIN32(dwError)) {
             xmlSecOtherError(XMLSEC_ERRORS_R_DATA_NOT_MATCH, xmlSecTransformGetName(transform),
-                "CryptVerifySignature: signature does not verify");
+                "CryptVerifySignature: signature verification failed");
             transform->status = xmlSecTransformStatusFail;
             goto done;
         } else {
diff --git a/src/nss/signatures.c b/src/nss/signatures.c
index a13c77d5d..9c39d372c 100644
--- a/src/nss/signatures.c
+++ b/src/nss/signatures.c
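Review bot: The four `/* ignore error */` comments in xmlSecMSCngX509StoreFinalize() would be more useful if they said what is being ignored: with CERT_CLOSE_STORE_CHECK_FLAG, a FALSE from CertCloseStore() (per the Win32 docs, CRYPT_E_PENDING_CLOSE) means certificate contexts from that store are still referenced somewhere, i.e. a leak to investigate, not a store that failed to close. I would write, at least on the first occurrence, `/* ignore error: FALSE under CERT_CLOSE_STORE_CHECK_FLAG means cert contexts are still referenced (leak), the store is released anyway */`. The last hunk also straightens the indentation of a closing brace, which is fine.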
@@ -459,7 +459,7 @@ xmlSecNssSignatureVerify(xmlSecTransformPtr transform,
         if (PORT_GetError() == SEC_ERROR_PKCS7_BAD_SIGNATURE) {
             xmlSecOtherError(XMLSEC_ERRORS_R_DATA_NOT_MATCH, xmlSecTransformGetName(transform),
-                "VFY_EndWithSignature: signature does not verify");
+                "VFY_EndWithSignature: signature verification failed");
             transform->status = xmlSecTransformStatusFail;
         } else {
             xmlSecNssError("VFY_EndWithSignature",
diff --git a/src/openssl/evp_signatures.c b/src/openssl/evp_signatures.c
index e1ce02b68..7e1605e2b 100644
--- a/src/openssl/evp_signatures.c
+++ b/src/openssl/evp_signatures.c
@@ -452,7 +452,7 @@ xmlSecOpenSSLEvpSignatureVerify(xmlSecTransformPtr transform,
     } else if(ret != 1) {
         xmlSecOtherError(XMLSEC_ERRORS_R_DATA_NOT_MATCH, xmlSecTransformGetName(transform),
-            "EVP_VerifyFinal: signature does not verify");
+            "EVP_VerifyFinal: signature verification failed");
         transform->status = xmlSecTransformStatusFail;
         return(0);
     }
diff --git a/src/openssl/kt_rsa.c b/src/openssl/kt_rsa.c
index 6a86bace4..5431084ed 100644
--- a/src/openssl/kt_rsa.c
+++ b/src/openssl/kt_rsa.c
@@ -526,6 +526,7 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform) {
     if(ret < 0) {
         xmlSecInternalError("xmlSecOpenSSLRsaPkcs1ProcessImpl", xmlSecTransformGetName(transform));
+        return(-1);
     }
 
     ret = xmlSecBufferSetSize(out, outSize);
@@ -811,6 +812,7 @@ xmlSecOpenSSLRsaOaepSetKeyImpl(xmlSecOpenSSLRsaOaepCtxPtr ctx, EVP_PKEY* pKey,
     ctx->pKeyCtx = EVP_PKEY_CTX_new_from_pkey(xmlSecOpenSSLGetLibCtx(), pKey, NULL);
     if (ctx->pKeyCtx == NULL) {
         xmlSecOpenSSLError("EVP_PKEY_CTX_new_from_pkey", NULL);
+        return (-1);
     }
 
     if (encrypt != 0) {
diff --git a/src/openssl/signatures.c b/src/openssl/signatures.c
index 307726321..9e40a099e 100644
--- a/src/openssl/signatures.c
+++ b/src/openssl/signatures.c
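Review bot: The `return(-1);` added after the xmlSecOpenSSLRsaPkcs1ProcessImpl() failure in xmlSecOpenSSLRsaPkcs1Process() deserves a why-comment, because without it control reached `xmlSecBufferSetSize(out, outSize)` with an `outSize` the failed call may never have set (its declaration and the failure semantics of the Impl are outside the hunk, so this is inferred): `/* never size the output buffer from a failed RSA operation */`. Style nit in the second hunk: `return (-1);` in xmlSecOpenSSLRsaOaepSetKeyImpl() should be `return(-1);` to match the file's convention and the other line this commit adds. Both enclosing functions start outside the hunks.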
@@ -501,7 +501,7 @@ xmlSecOpenSSLSignatureVerify(xmlSecTransformPtr transform,
     } else {
         xmlSecOtherError(XMLSEC_ERRORS_R_DATA_NOT_MATCH, xmlSecTransformGetName(transform),
-            "ctx->verifyCallback: signature does not verify");
+            "ctx->verifyCallback: signature verification failed");
         transform->status = xmlSecTransformStatusFail;
     }
 
diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c
index e168517e1..5f6e4dd1c 100644
--- a/src/openssl/x509vfy.c
+++ b/src/openssl/x509vfy.c
@@ -250,7 +250,6 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
     xmlSecAssert2(ctx != NULL, NULL);
     xmlSecAssert2(ctx->xst != NULL, NULL);
 
-    /* dup certs */
     certs2 = sk_X509_dup(certs);
     if(certs2 == NULL) {
         xmlSecOpenSSLError("sk_X509_dup",
@@ -391,6 +390,7 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
                     xmlSecKeyDataStoreGetName(store),
                     "X509_verify_cert: subject=%s; issuer=%s; err=%d; msg=%s",
                     subject, issuer, err, xmlSecErrorsSafeString(err_msg));
+                /* ignore error */
             }
         }
     }
@@ -410,27 +410,30 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
                 xmlSecKeyDataStoreGetName(store),
                 "subject=%s; issuer=%s; err=%d; msg=%s",
                 subject, issuer, err, xmlSecErrorsSafeString(err_msg));
-            break;
+            goto done;
+
         case X509_V_ERR_CERT_NOT_YET_VALID:
         case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
             xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_NOT_YET_VALID,
                 xmlSecKeyDataStoreGetName(store),
                 "subject=%s; issuer=%s; err=%d; msg=%s",
                 subject, issuer, err, xmlSecErrorsSafeString(err_msg));
-            break;
+            goto done;
+
         case X509_V_ERR_CERT_HAS_EXPIRED:
         case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
             xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
                 xmlSecKeyDataStoreGetName(store),
                 "subject=%s; issuer=%s; err=%d; msg=%s",
                 subject, issuer, err, xmlSecErrorsSafeString(err_msg));
-            break;
+            goto done;
+
         default:
             xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
                 xmlSecKeyDataStoreGetName(store),
                 "subject=%s; issuer=%s; err=%d; msg=%s",
                 subject, issuer, err, xmlSecErrorsSafeString(err_msg));
-            break;
+            goto done;
         }
     }
 
diff --git a/src/xmldsig.c b/src/xmldsig.c
index e7a8b44c8..668ea2382 100644
--- a/src/xmldsig.c
+++ b/src/xmldsig.c
@@ -655,6 +655,7 @@ xmlSecDSigCtxProcessSignedInfoNode(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr node, xm
         if(dsigCtx->preSignMemBufMethod == NULL) {
             xmlSecInternalError("xmlSecTransformCtxCreateAndAppend", xmlSecTransformKlassGetName(xmlSecTransformMemBufId));
+            return(-1);
         }
     }
 
diff --git a/src/xmlsec.c b/src/xmlsec.c
index c36dc7f2a..6da57caa9 100644
--- a/src/xmlsec.c
+++ b/src/xmlsec.c
@@ -130,7 +130,7 @@ xmlSecInit(void) {
  */
 int
 xmlSecShutdown(void) {
-    int res = 0;
+    int res = -1;
 
     xmlSecTransformIdsShutdown();
     xmlSecKeyDataIdsShutdown();
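Review bot: Replacing `break` with `goto done` in every case of the verify-error switch in xmlSecOpenSSLX509StoreVerify() changes control flow, not just reporting: the error path now leaves the function, so whatever `res` holds at `done` (the label, the `res` initialiser and the opening of the switch are all outside the hunk) decides whether a certificate that failed X509_verify_cert() can still be handed back as trusted. Please confirm `res` is still NULL on that path, and state the intent next to the switch with `/* any verification error: report it and bail out, never return a cert from here */` so the invariant survives the next refactor. The xmldsig.c and xmlsec.c hunks on this line are straightforward missing-return fixes.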
@@ -138,10 +138,17 @@ xmlSecShutdown(void) {
 #ifndef XMLSEC_NO_CRYPTO_DYNAMIC_LOADING
     if(xmlSecCryptoDLShutdown() < 0) {
         xmlSecInternalError("xmlSecCryptoDLShutdown", NULL);
-        res = -1;
+        goto done;
     }
 #endif /* XMLSEC_NO_CRYPTO_DYNAMIC_LOADING */
 
+    /* success */
+    res = 0;
+
+#ifndef XMLSEC_NO_CRYPTO_DYNAMIC_LOADING
+done:
+#endif /* XMLSEC_NO_CRYPTO_DYNAMIC_LOADING */
+
     xmlSecIOShutdown();
     xmlSecErrorsShutdown();
     return(res);
diff --git a/src/xmltree.c b/src/xmltree.c
index 13e0a6d97..b2ef6e734 100644
--- a/src/xmltree.c
+++ b/src/xmltree.c
@@ -768,6 +768,7 @@ xmlSecAddIDs(xmlDocPtr doc, xmlNodePtr cur, const xmlChar** ids) {
                 xmlAddID(NULL, doc, name, attr);
             } else if(tmp != attr) {
                 xmlSecInvalidStringDataError("id", name, "unique id (id already defined)", NULL);
+                /* ignore error */
             }
             xmlFree(name);
         }

From 7a874b4533a67375591eb71f0dba0e653f2f36d1 Mon Sep 17 00:00:00 2001
From: Aleksey Sanin
Date: Mon, 28 Nov 2022 16:17:53 -0500
Subject: [PATCH 03/15] update docs

---
 configure.ac | 4 ++--
 docs/download.html | 2 +-
 docs/index.html | 8 ++++++++
 docs/news.html | 8 ++++++++
 4 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index a308425b9..e28819d97 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,10 +1,10 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT([xmlsec1],[1.2.36],[http://www.aleksey.com/xmlsec])
+AC_INIT([xmlsec1],[1.2.37],[http://www.aleksey.com/xmlsec])
 XMLSEC_PACKAGE=xmlsec1
 
 XMLSEC_VERSION_MAJOR=1
 XMLSEC_VERSION_MINOR=2
-XMLSEC_VERSION_SUBMINOR=36
+XMLSEC_VERSION_SUBMINOR=37
 XMLSEC_VERSION="$XMLSEC_VERSION_MAJOR.$XMLSEC_VERSION_MINOR.$XMLSEC_VERSION_SUBMINOR"
 XMLSEC_VERSION_INFO=`echo $XMLSEC_VERSION | awk -F. '{ printf "%d:%d:%d", $1+$2, $3, $2 }'`
 XMLSEC_VERSION_SAFE=`echo $XMLSEC_VERSION | sed 's/\./_/g'`
diff --git a/docs/download.html b/docs/download.html
index 67af4b292..8b86df4a1 100644
--- a/docs/download.html
+++ b/docs/download.html
@@ -48,7 +48,7 @@
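Review bot: The `/* ignore error */` added after xmlSecInvalidStringDataError("id", ...) in xmlSecAddIDs() labels a security-relevant decision and should say what it means: the hunk shows that when a second element carries an already-registered ID value, xmlAddID() is not called again, so the first definition wins and `#id` references keep resolving to the earlier element. Duplicate IDs are a classic ingredient of XML signature wrapping, so continuing silently is a policy choice worth stating in place: `/* ignore error: the first registration wins and the duplicate is not added; duplicate ids are a known XML signature wrapping vector, so this is logged but not fatal */`. Making it fatal behind a flag would be a separate change; the enclosing loop and the start of the function are outside the hunk.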

Download

Stable releases.

-

The latest stable XML Security Library version is 1.2.36:

+

The latest stable XML Security Library version is 1.2.37:

  • Sources for latest version.
  • diff --git a/docs/index.html b/docs/index.html index 2c2f2bbf6..0589ebf48 100644 --- a/docs/index.html +++ b/docs/index.html @@ -67,6 +67,14 @@

    XML Security Library

    see the Copyright file in the distribution for details.

    News

      +
    • November 30 2022
      + The XML Security Library 1.2.37 release includes the following changes: + +
    • +
    • October 31 2022
      The XML Security Library 1.2.36 release includes the following changes:
        diff --git a/docs/news.html b/docs/news.html index b732a0e15..5f555a093 100644 --- a/docs/news.html +++ b/docs/news.html @@ -48,6 +48,14 @@

        XML Security Library News

          +
        • November 30 2022
          + The XML Security Library 1.2.37 release includes the following changes: + +
        • +
        • October 31 2022
          The XML Security Library 1.2.36 release includes the following changes:
            From 9cf095c732a8bf735e75e3db448a63e2d28317f3 Mon Sep 17 00:00:00 2001 From: Aleksey Sanin Date: Mon, 28 Nov 2022 16:21:25 -0500 Subject: [PATCH 04/15] update docs for 1.2.37 release --- docs/api/xmlsec-version.html | 6 +++--- man/xmlsec1-config.1 | 2 +- man/xmlsec1.1 | 2 +- scripts/build_docs.sh | 18 ++++++++++++++++++ 4 files changed, 23 insertions(+), 5 deletions(-) create mode 100644 scripts/build_docs.sh diff --git a/docs/api/xmlsec-version.html b/docs/api/xmlsec-version.html index 2f6a6c314..8705de0f9 100644 --- a/docs/api/xmlsec-version.html +++ b/docs/api/xmlsec-version.html @@ -78,7 +78,7 @@

            version

            Types and Values

            XMLSEC_VERSION

            -
            #define XMLSEC_VERSION            "1.2.36"
            +
            #define XMLSEC_VERSION            "1.2.37"
             

            The library version string in the format "$major_number.$minor_number.$sub_minor_number".

            @@ -100,14 +100,14 @@

            version

            XMLSEC_VERSION_SUBMINOR

            -
            #define XMLSEC_VERSION_SUBMINOR        36
            +
            #define XMLSEC_VERSION_SUBMINOR        37
             

            The library sub-minor version number.


            XMLSEC_VERSION_INFO

            -
            #define XMLSEC_VERSION_INFO        "3:36:2"
            +
            #define XMLSEC_VERSION_INFO        "3:37:2"
             

            The library version info string in the format "$major_number+$minor_number:$sub_minor_number:$minor_number".

diff --git a/man/xmlsec1-config.1 b/man/xmlsec1-config.1
index aa2c56ce8..b39d30f11 100644
--- a/man/xmlsec1-config.1
+++ b/man/xmlsec1-config.1
@@ -1,5 +1,5 @@
 .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.49.1.
-.TH XMLSEC1-CONFIG "1" "October 2022" "xmlsec1-config 1.2.36" "User Commands"
+.TH XMLSEC1-CONFIG "1" "November 2022" "xmlsec1-config 1.2.37" "User Commands"
 .SH NAME
 xmlsec1-config \- detail installed version of xmlsec library
 .SH SYNOPSIS
diff --git a/man/xmlsec1.1 b/man/xmlsec1.1
index c9aa528ee..b4f3a82f9 100644
--- a/man/xmlsec1.1
+++ b/man/xmlsec1.1
@@ -1,5 +1,5 @@
 .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.49.1.
-.TH XMLSEC1 "1" "October 2022" "xmlsec1 1.2.36 (openssl)" "User Commands"
+.TH XMLSEC1 "1" "November 2022" "xmlsec1 1.2.37 (openssl)" "User Commands"
 .SH NAME
 xmlsec1 \- sign, verify, encrypt and decrypt XML documents
 .SH SYNOPSIS
diff --git a/scripts/build_docs.sh b/scripts/build_docs.sh
new file mode 100644
index 000000000..362a077f0
--- /dev/null
+++ b/scripts/build_docs.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# config
+configure_options=""
+configure_options="$configure_options --enable-static-linking --enable-crypto-dl=no"
+configure_options="$configure_options --enable-manpages-build --enable-docs-build"
+configure_options="$configure_options --enable-md5 --enable-ripemd160"
+cur_pwd=`pwd`
+today=`date +%F-%H-%M-%S`
+
+echo "============= Building xmlsec"
+make distclean
+./autogen.sh $configure_options
+make
+
+echo "============== Cleanup"
+cd "$cur_pwd"
+

From 68f1e089deaa0cb3b20f47ac6c9a440e66fd99bb Mon Sep 17 00:00:00 2001
From: Aleksey Sanin
Date: Mon, 28 Nov 2022 16:24:11 -0500
Subject: [PATCH 05/15] update build script

---
 scripts/build_release.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/build_release.sh b/scripts/build_release.sh
index e1e164ebf..de46de33e 100755
--- a/scripts/build_release.sh
+++ b/scripts/build_release.sh
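Review bot: scripts/build_docs.sh has no `set -e`, so a failing `./autogen.sh $configure_options` still runs `make` and the script exits 0 on a half-configured tree; add `set -e` after the shebang, or `|| exit 1` on the autogen and make lines. Leaving `$configure_options` unquoted is intentional here (it must word-split into separate flags) and is fine for these fixed values, but `today` is assigned and never used. The configure line also switches on `--enable-md5 --enable-ripemd160`; presumably that is only so the generated docs cover those algorithms, and a comment saying so would stop someone copying these flags into a production build.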
@@ -17,6 +17,7 @@ tar_file="xmlsec1-$version.tar.gz" sig_file="xmlsec1-$version.sig" rc_tar_file="xmlsec1-$version-$rc.tar.gz" rc_sig_file="xmlsec1-$version-$rc.sig" +git_1_2_x_branch="xmlsec-1_2_x" git_release_branch=`echo "xmlsec-$version" | sed 's/\./_/g'` git_version_tag=`echo $version | sed 's/\./_/g'` @@ -36,6 +37,9 @@ cd xmlsec if [ x"$rc" != x ]; then echo "============== Switching to release branch '$git_release_branch' for RC build '$rc'" git checkout $git_release_branch +else + echo "============== Switching to 1.2.x branch '$git_1_2_x_branch'" + git checkout $git_1_2_x_branch fi find . -name ".git" | xargs rm -r From a8b36a5f9cef3769c69f531b3e7b388d6c379db0 Mon Sep 17 00:00:00 2001 From: Aleksey Sanin Date: Mon, 28 Nov 2022 21:33:29 +0000 Subject: [PATCH 06/15] fix download version --- docs/download.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/download.html b/docs/download.html index 8b86df4a1..2e291ca43 100644 --- a/docs/download.html +++ b/docs/download.html @@ -51,7 +51,7 @@
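Review bot: The new else branch runs `git checkout $git_1_2_x_branch` without checking the result, so if the checkout fails (misnamed branch, dirty tree) the script continues to the `find . -name ".git" | xargs rm -r` step and packages whatever tree happened to be checked out, which for a release build is the wrong source. The pre-existing rc-branch checkout in the same hunk has the same gap; unless the script enables `set -e` above the hunk (not visible here), both should fail fast, e.g. `git checkout "$git_1_2_x_branch" || exit 1`. Quoting the variable also guards against an empty or whitespace-containing branch name being split into separate arguments.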

            Stable releases.

            The latest stable XML Security Library version is 1.2.37:

            • -Sources for latest version.
            • +Sources for latest version.
            • Windows binaries for XMLSec Library (as well as LibXML2, LibXSLT and OpenSSL) from Igor Zlatkovic.
            • From a18532d2908345a8eef378892df5171338e5fe9b Mon Sep 17 00:00:00 2001 From: Aleksey Sanin Date: Mon, 28 Nov 2022 16:41:29 -0500 Subject: [PATCH 07/15] add xmlsec-1_2_x branch to github workflows --- .github/workflows/make-check.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/make-check.yml b/.github/workflows/make-check.yml index 042fbd398..99943c698 100755 --- a/.github/workflows/make-check.yml +++ b/.github/workflows/make-check.yml @@ -2,9 +2,13 @@ name: Make Check on: push: - branches: [ master ] + branches: + - master + - xmlsec-1_2_x pull_request: - branches: [ master ] + branches: + - master + - xmlsec-1_2_x jobs: check-ubuntu-openssl300: From c11cecbdbbf58dec5d6a9b9b0dc19c6f31a85069 Mon Sep 17 00:00:00 2001 From: Aleksey Sanin Date: Mon, 28 Nov 2022 16:47:43 -0500 Subject: [PATCH 08/15] add xmlsec-1_2_x branch to github workflows --- .github/workflows/make-check.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/make-check.yml b/.github/workflows/make-check.yml index 99943c698..b2b044ddd 100755 --- a/.github/workflows/make-check.yml +++ b/.github/workflows/make-check.yml @@ -3,12 +3,12 @@ name: Make Check on: push: branches: - - master - - xmlsec-1_2_x + - master + - xmlsec-1_2_x pull_request: branches: - - master - - xmlsec-1_2_x + - master + - xmlsec-1_2_x jobs: check-ubuntu-openssl300: From 60674591e760a5e2ea31c51dda2c07392a216e0f Mon Sep 17 00:00:00 2001 From: lsh123 Date: Mon, 28 Nov 2022 17:36:35 -0500 Subject: [PATCH 09/15] update docs (#453) --- docs/bugs.html | 2 -- docs/download.html | 4 ++-- docs/xmldsig.html | 2 -- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/bugs.html b/docs/bugs.html index d062d071d..0b8672305 100644 --- a/docs/bugs.html +++ b/docs/bugs.html @@ -81,7 +81,6 @@ by any information distribution using XMLSec GitHub issues tracker, discussions, source code, or any other XMLSec related tools.

              -

              Ask google
              @@ -89,7 +88,6 @@ able to ask permissions to publish it. If you are the author or know the author then I would appreciate if you send me a message on GitHub so I can ask permissions and put author's name here. -

              diff --git a/docs/download.html b/docs/download.html index 2e291ca43..f3c6d57cb 100644 --- a/docs/download.html +++ b/docs/download.html @@ -90,10 +90,10 @@

              GIT

              XML Security Library is available from the GitHub.

              Other languages

              -

              diff --git a/docs/xmldsig.html b/docs/xmldsig.html index 4dfddb1b6..917266a52 100644 --- a/docs/xmldsig.html +++ b/docs/xmldsig.html @@ -681,7 +681,6 @@

              Other algorithms

              N Y(2) N - GOST2001 signatures @@ -691,7 +690,6 @@

              Other algorithms

              N Y(2) N -

              (1) Defining DSA key From 4fa8730f84c49676ae096fbef4ff0fc3d0fec631 Mon Sep 17 00:00:00 2001 From: lsh123 Date: Thu, 23 Feb 2023 17:43:01 -0500 Subject: [PATCH 10/15] Fix x509data->keyCert when loading a key from a cert (#546) --- src/gnutls/app.c | 73 +++++++++++++++++++++----- src/mscng/app.c | 70 +++++++++++++++---------- src/mscrypto/app.c | 22 +++++++- src/nss/app.c | 113 +++++++++++++++++++++++++++++----------- src/openssl/app.c | 126 +++++++++++++++++++++++++++++++-------------- 5 files changed, 293 insertions(+), 111 deletions(-) diff --git a/src/gnutls/app.c b/src/gnutls/app.c index 317b8626d..2c2c354cd 100644 --- a/src/gnutls/app.c +++ b/src/gnutls/app.c 
@@ -226,38 +226,64 @@ xmlSecGnuTLSAppKeyCertLoad(xmlSecKeyPtr key, const char* filename, */ int xmlSecGnuTLSAppKeyCertLoadMemory(xmlSecKeyPtr key, - const xmlSecByte* data, - xmlSecSize dataSize, - xmlSecKeyDataFormat format) { - gnutls_x509_crt_t cert; + const xmlSecByte* data, xmlSecSize dataSize, xmlSecKeyDataFormat format) +{ + gnutls_x509_crt_t cert = NULL; + gnutls_x509_crt_t keyCert = NULL; xmlSecKeyDataPtr keyData; int ret; + int res = -1; xmlSecAssert2(key != NULL, -1); xmlSecAssert2(data != NULL, -1); xmlSecAssert2(dataSize > 0, -1); xmlSecAssert2(format != xmlSecKeyDataFormatUnknown, -1); + /* read cert and make a copy for the keyCert */ + cert = xmlSecGnuTLSX509CertRead(data, dataSize, format); + if(cert == NULL) { + xmlSecInternalError("xmlSecGnuTLSX509CertRead", NULL); + goto done; + } + + keyCert = xmlSecGnuTLSX509CertDup(cert); + if(keyCert == NULL) { + xmlSecInternalError("xmlSecGnuTLSX509CertDup", NULL); + goto done; + } + + /* add both cert and keyCert to the keyData */ keyData = xmlSecKeyEnsureData(key, xmlSecGnuTLSKeyDataX509Id); if(keyData == NULL) { xmlSecInternalError("xmlSecKeyEnsureData", NULL); - return(-1); + goto done; } - cert = xmlSecGnuTLSX509CertRead(data, dataSize, format); - if(cert == NULL) { - xmlSecInternalError("xmlSecGnuTLSX509CertRead", NULL); - return(-1); + ret = xmlSecGnuTLSKeyDataX509AdoptKeyCert(keyData, keyCert); + if(ret < 0) { + xmlSecInternalError("xmlSecGnuTLSKeyDataX509AdoptKeyCert", NULL); + goto done; } + keyCert = NULL; /* owned by keyData now */ ret = xmlSecGnuTLSKeyDataX509AdoptCert(keyData, cert); if(ret < 0) { xmlSecInternalError("xmlSecGnuTLSKeyDataX509AdoptCert", NULL); - gnutls_x509_crt_deinit(cert); - return(-1); + goto done; } + cert = NULL; /* owned by key data now */ - return(0); + /* success */ + res = 0; + +done: + if(cert != NULL) { + gnutls_x509_crt_deinit(cert); + } + if(keyCert != NULL) { + gnutls_x509_crt_deinit(keyCert); + } + return(res); } /** 
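Review bot: xmlSecGnuTLSAppKeyCertLoadMemory now installs the loaded certificate as the key's keyCert (via the xmlSecGnuTLSX509CertDup copy) in addition to adding it to the cert list, but nothing in the hunk says what happens when the key already carries a keyCert — whether xmlSecGnuTLSKeyDataX509AdoptKeyCert replaces it or fails is not visible here — and the doc comment that closes just above the signature is outside the hunk and untouched. A comment above the `keyData = xmlSecKeyEnsureData(...)` line such as `/* the loaded cert becomes the key's keyCert (replace-vs-fail policy is AdoptKeyCert's); a second copy goes into the cert list */` would record the new contract. The same documentation gap is in the openssl, nss, mscrypto and mscng loaders rewritten in this patch. This gnutls version also adopts keyCert before cert while the nss, openssl and mscrypto versions adopt cert first; harmless as far as the visible code shows, but worth aligning.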
@@ -503,6 +529,7 @@ xmlSecGnuTLSAppKeyFromCertLoadMemory(const xmlSecByte* data, xmlSecKeyDataPtr keyData = NULL; xmlSecKeyDataPtr x509Data = NULL; gnutls_x509_crt_t cert = NULL; + gnutls_x509_crt_t keyCert = NULL; xmlSecKeyPtr res = NULL; int ret; @@ -510,13 +537,19 @@ xmlSecGnuTLSAppKeyFromCertLoadMemory(const xmlSecByte* data, xmlSecAssert2(dataSize > 0, NULL); xmlSecAssert2(format != xmlSecKeyDataFormatUnknown, NULL); - /* read cert */ + /* read cert and make a copy for keyCert */ cert = xmlSecGnuTLSX509CertRead(data, dataSize, format); if(cert == NULL) { xmlSecInternalError("xmlSecGnuTLSX509CertRead", NULL); goto done; } + keyCert = xmlSecGnuTLSX509CertDup(cert); + if(keyCert == NULL) { + xmlSecInternalError("xmlSecGnuTLSX509CertDup", NULL); + goto done; + } + /* create key */ key = xmlSecKeyCreate(); if(key == NULL) { @@ -545,11 +578,20 @@ xmlSecGnuTLSAppKeyFromCertLoadMemory(const xmlSecByte* data, xmlSecInternalError("xmlSecKeyEnsureData", NULL); goto done; } - ret = xmlSecGnuTLSKeyDataX509AdoptKeyCert(x509Data, cert); + + /* add cert and key cert */ + ret = xmlSecGnuTLSKeyDataX509AdoptKeyCert(x509Data, keyCert); if(ret < 0) { xmlSecInternalError("xmlSecGnuTLSKeyDataX509AdoptKeyCert", NULL); goto done; } + keyCert = NULL; /* owned by x509Data now */ + + ret = xmlSecGnuTLSKeyDataX509AdoptCert(x509Data, cert); + if(ret < 0) { + xmlSecInternalError("xmlSecGnuTLSKeyDataX509AdoptCert", NULL); + goto done; + } cert = NULL; /* owned by x509Data now */ /* success */ @@ -560,6 +602,9 @@ xmlSecGnuTLSAppKeyFromCertLoadMemory(const xmlSecByte* data, if(cert != NULL) { gnutls_x509_crt_deinit(cert); } + if(keyCert != NULL) { + gnutls_x509_crt_deinit(keyCert); + } if(keyData != NULL) { xmlSecKeyDataDestroy(keyData); } diff --git a/src/mscng/app.c b/src/mscng/app.c index 778ca5b27..f23fa649d 100644 --- a/src/mscng/app.c +++ b/src/mscng/app.c 
@@ -190,7 +190,8 @@ xmlSecKeyPtr xmlSecMSCngAppKeyLoadMemory(const xmlSecByte* data, xmlSecSize dataSize, xmlSecKeyDataFormat format, const char *pwd, void* pwdCallback, void* pwdCallbackCtx) { PCCERT_CONTEXT pCert = NULL; - PCCERT_CONTEXT tmpcert = NULL; + PCCERT_CONTEXT pCertChain = NULL; + PCCERT_CONTEXT pKeyCert = NULL; xmlSecKeyDataPtr x509Data = NULL; xmlSecKeyDataPtr keyData = NULL; xmlSecKeyPtr key = NULL; @@ -205,6 +206,7 @@ xmlSecMSCngAppKeyLoadMemory(const xmlSecByte* data, xmlSecSize dataSize, xmlSecK UNREFERENCED_PARAMETER(pwdCallback); UNREFERENCED_PARAMETER(pwdCallbackCtx); + /* read cert and make a copy for cert chain and keyCert */ XMLSEC_SAFE_CAST_SIZE_TO_ULONG(dataSize, dwDataSize, goto done, NULL); pCert = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, data, dwDataSize); if(pCert == NULL) { 
@@ -212,54 +214,64 @@ xmlSecMSCngAppKeyLoadMemory(const xmlSecByte* data, xmlSecSize dataSize, xmlSecK goto done; } - x509Data = xmlSecKeyDataCreate(xmlSecMSCngKeyDataX509Id); - if(x509Data == NULL) { - xmlSecInternalError("xmlSecKeyDataCreate", NULL); + pCertChain = CertDuplicateCertificateContext(pCert); + if(pCertChain == NULL) { + xmlSecMSCngLastError("CertDuplicateCertificateContext", NULL); goto done; } - tmpcert = CertDuplicateCertificateContext(pCert); - if(tmpcert == NULL) { - xmlSecMSCngLastError("CertDuplicateCertificateContext", - xmlSecKeyDataGetName(x509Data)); + pKeyCert = CertDuplicateCertificateContext(pCert); + if(pKeyCert == NULL) { + xmlSecMSCngLastError("CertDuplicateCertificateContext", NULL); goto done; } - ret = xmlSecMSCngKeyDataX509AdoptKeyCert(x509Data, tmpcert); - if(ret < 0) { - xmlSecInternalError("xmlSecMSCngKeyDataX509AdoptKeyCert", + /* create key */ + key = xmlSecKeyCreate(); + if(key == NULL) { + xmlSecInternalError("xmlSecKeyCreate", xmlSecKeyDataGetName(x509Data)); goto done; } - tmpcert = NULL; keyData = xmlSecMSCngCertAdopt(pCert, xmlSecKeyDataTypePublic); if(keyData == NULL) { - xmlSecInternalError("xmlSecMSCngCertAdopt", - xmlSecKeyDataGetName(x509Data)); + xmlSecInternalError("xmlSecMSCngCertAdopt", NULL); goto done; } - pCert = NULL; + pCert = NULL; /* owned by keyData now */ - key = xmlSecKeyCreate(); - if(key == NULL) { - xmlSecInternalError("xmlSecKeyCreate", - xmlSecKeyDataGetName(x509Data)); + ret = xmlSecKeySetValue(key, keyData); + if(ret < 0) { + xmlSecInternalError("xmlSecKeySetValue", NULL); + goto done; + } + keyData = NULL; + + /* add cert and keyCert to x509 data and add it to the key */ + x509Data = xmlSecKeyDataCreate(xmlSecMSCngKeyDataX509Id); + if(x509Data == NULL) { + xmlSecInternalError("xmlSecKeyDataCreate", NULL); goto done; } - ret = xmlSecKeySetValue(key, keyData); + ret = xmlSecMSCngKeyDataX509AdoptKeyCert(x509Data, pKeyCert); if(ret < 0) { - xmlSecInternalError("xmlSecKeySetValue", - 
xmlSecKeyDataGetName(x509Data)); + xmlSecInternalError("xmlSecMSCngKeyDataX509AdoptKeyCert", NULL); goto done; } - keyData = NULL; + pKeyCert = NULL; /* owned by x509Data data now */ + + ret = xmlSecMSCngKeyDataX509AdoptCert(x509Data, pCertChain); + if(ret < 0) { + xmlSecInternalError("xmlSecMSCngKeyDataX509AdoptCert", NULL); + goto done; + } + pCertChain = NULL; /* owned by x509Data data now */ ret = xmlSecKeyAdoptData(key, x509Data); if(ret < 0) { - xmlSecInternalError("xmlSecKeyAdoptData", - xmlSecKeyDataGetName(x509Data)); + xmlSecInternalError("xmlSecKeyAdoptData", NULL); goto done; } x509Data = NULL; @@ -267,12 +279,16 @@ xmlSecMSCngAppKeyLoadMemory(const xmlSecByte* data, xmlSecSize dataSize, xmlSecK /* success */ res = key; key = NULL; + done: if(pCert != NULL) { CertFreeCertificateContext(pCert); } - if(tmpcert != NULL) { - CertFreeCertificateContext(tmpcert); + if(pCertChain != NULL) { + CertFreeCertificateContext(pCertChain); + } + if(pKeyCert != NULL) { + CertFreeCertificateContext(pKeyCert); } if(x509Data != NULL) { xmlSecKeyDataDestroy(x509Data); diff --git a/src/mscrypto/app.c b/src/mscrypto/app.c index e669fc83d..ae654a104 100644 --- a/src/mscrypto/app.c +++ b/src/mscrypto/app.c @@ -367,7 +367,7 @@ xmlSecMSCryptoAppKeyCertLoad(xmlSecKeyPtr key, const char* filename, int xmlSecMSCryptoAppKeyCertLoadMemory(xmlSecKeyPtr key, const xmlSecByte* data, xmlSecSize dataSize, xmlSecKeyDataFormat format) { - PCCERT_CONTEXT pCert; + PCCERT_CONTEXT pCert, pKeyCert; xmlSecKeyDataPtr kdata; DWORD dwDataSize; int ret; 
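Review bot: In xmlSecMSCngAppKeyLoadMemory the failure branch of the moved `xmlSecKeyCreate()` call still passes `xmlSecKeyDataGetName(x509Data)` to xmlSecInternalError, but after this reorder x509Data is not created until later in the function and is still NULL at that point, so the name argument is meaningless and relies on xmlSecKeyDataGetName tolerating NULL, which I cannot confirm from here. Every other error site in the rewritten body was changed to pass NULL, so this one should match: `xmlSecInternalError("xmlSecKeyCreate", NULL);`. The function's declarations are in the preceding hunk and part of its `done:` cleanup is in the following one, so both lie outside this hunk.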
@@ -388,19 +388,39 @@ xmlSecMSCryptoAppKeyCertLoadMemory(xmlSecKeyPtr key, const xmlSecByte* data, xml case xmlSecKeyDataFormatDer: case xmlSecKeyDataFormatCertDer: XMLSEC_SAFE_CAST_SIZE_TO_ULONG(dataSize, dwDataSize, return(-1), NULL); + + /* read cert and make a copy for key cert */ pCert = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, data, dwDataSize); if (NULL == pCert) { xmlSecInternalError2("CertCreateCertificateContext", xmlSecKeyDataGetName(kdata), "format=" XMLSEC_ENUM_FMT, XMLSEC_ENUM_CAST(format)); return(-1); } + pKeyCert = CertDuplicateCertificateContext(pCert); + if(pKeyCert == NULL) { + xmlSecMSCryptoError("CertDuplicateCertificateContext", xmlSecKeyDataGetName(kdata)); + CertFreeCertificateContext(pCert); + return(-1); + } + /* add cert and key cert */ ret = xmlSecMSCryptoKeyDataX509AdoptCert(kdata, pCert); if(ret < 0) { xmlSecInternalError("xmlSecMSCryptoKeyDataX509AdoptCert", xmlSecKeyDataGetName(kdata)); CertFreeCertificateContext(pCert); + CertFreeCertificateContext(pKeyCert); return(-1); } + pCert = NULL; /* owned by kdata */ + + ret = xmlSecMSCryptoKeyDataX509AdoptKeyCert(kdata, pKeyCert); + if(ret < 0) { + xmlSecInternalError("xmlSecMSCryptoKeyDataX509AdoptKeyCert", xmlSecKeyDataGetName(kdata)); + CertFreeCertificateContext(pKeyCert); + return(-1); + } + pKeyCert = NULL; /* owned by kdata */ + break; default: xmlSecOtherError2(XMLSEC_ERRORS_R_INVALID_FORMAT, xmlSecKeyDataGetName(kdata), diff --git a/src/nss/app.c b/src/nss/app.c index 5be6ae562..87874ca9e 100644 --- a/src/nss/app.c +++ b/src/nss/app.c @@ -572,9 +572,11 @@ xmlSecNssAppKeyCertLoadMemory(xmlSecKeyPtr key, const xmlSecByte* data, xmlSecSi */ int xmlSecNssAppKeyCertLoadSECItem(xmlSecKeyPtr key, SECItem* secItem, xmlSecKeyDataFormat format) { - CERTCertificate *cert=NULL; + CERTCertificate *cert = NULL; + CERTCertificate *keyCert = NULL; xmlSecKeyDataPtr data; int ret; + int res = -1; xmlSecAssert2(key != NULL, -1); xmlSecAssert2(secItem != NULL, -1); 
@@ -583,9 +585,10 @@ xmlSecNssAppKeyCertLoadSECItem(xmlSecKeyPtr key, SECItem* secItem, xmlSecKeyData data = xmlSecKeyEnsureData(key, xmlSecNssKeyDataX509Id); if(data == NULL) { xmlSecInternalError("xmlSecKeyEnsureData(xmlSecNssKeyDataX509Id)", NULL); - return(-1); + goto done; } + /* read cert */ switch(format) { case xmlSecKeyDataFormatPkcs8Der: case xmlSecKeyDataFormatDer: @@ -594,24 +597,49 @@ xmlSecNssAppKeyCertLoadSECItem(xmlSecKeyPtr key, SECItem* secItem, xmlSecKeyData if(cert == NULL) { xmlSecNssError2("__CERT_NewTempCertificate", xmlSecKeyDataGetName(data), "format=" XMLSEC_ENUM_FMT, XMLSEC_ENUM_CAST(format)); - return(-1); + goto done; } break; default: xmlSecOtherError2(XMLSEC_ERRORS_R_INVALID_FORMAT, xmlSecKeyDataGetName(data), "format=" XMLSEC_ENUM_FMT, XMLSEC_ENUM_CAST(format)); - return(-1); + goto done; } - xmlSecAssert2(cert != NULL, -1); + + /* make a copy for key cert */ + keyCert = CERT_DupCertificate(cert); + if(keyCert == NULL) { + xmlSecNssError("CERT_DupCertificate", xmlSecKeyDataGetName(data)); + goto done; + } + + /* add both cert and key cert in the data */ ret = xmlSecNssKeyDataX509AdoptCert(data, cert); if(ret < 0) { xmlSecInternalError("xmlSecNssKeyDataX509AdoptCert", xmlSecKeyDataGetName(data)); - CERT_DestroyCertificate(cert); - return(-1); + goto done; } + cert = NULL; /* owned by data now */ - return(0); + ret = xmlSecNssKeyDataX509AdoptKeyCert(data, keyCert); + if(ret < 0) { + xmlSecInternalError("xmlSecNssKeyDataX509AdoptKeyCert", xmlSecKeyDataGetName(data)); + goto done; + } + keyCert = NULL; /* owned by data now */ + + /* success */ + res = 0; + +done: + if(cert != NULL) { + CERT_DestroyCertificate(cert); + } + if(keyCert != NULL) { + CERT_DestroyCertificate(keyCert); + } + return(res); } /** 
@@ -941,11 +969,13 @@ xmlSecNssAppPkcs12LoadSECItem(SECItem* secItem, const char *pwd, */ xmlSecKeyPtr xmlSecNssAppKeyFromCertLoadSECItem(SECItem* secItem, xmlSecKeyDataFormat format) { - xmlSecKeyPtr key; - xmlSecKeyDataPtr keyData; + xmlSecKeyPtr key = NULL; + xmlSecKeyDataPtr keyData = NULL; xmlSecKeyDataPtr certData; - CERTCertificate *cert=NULL; + CERTCertificate *cert = NULL; + CERTCertificate *keyCert = NULL; int ret; + xmlSecKeyPtr res = NULL; xmlSecAssert2(secItem != NULL, NULL); xmlSecAssert2(format != xmlSecKeyDataFormatUnknown, NULL); 
@@ -954,65 +984,90 @@ xmlSecNssAppKeyFromCertLoadSECItem(SECItem* secItem, xmlSecKeyDataFormat format) switch(format) { case xmlSecKeyDataFormatCertDer: cert = __CERT_NewTempCertificate(CERT_GetDefaultCertDB(), - secItem, NULL, PR_FALSE, PR_TRUE); + secItem, NULL, PR_FALSE, PR_TRUE); if(cert == NULL) { xmlSecNssError2("__CERT_NewTempCertificate", NULL, "format=" XMLSEC_ENUM_FMT, XMLSEC_ENUM_CAST(format)); - return(NULL); + goto done; } break; default: xmlSecOtherError2(XMLSEC_ERRORS_R_INVALID_FORMAT, NULL, "format=" XMLSEC_ENUM_FMT, XMLSEC_ENUM_CAST(format)); - return(NULL); + goto done; } /* get key value */ keyData = xmlSecNssX509CertGetKey(cert); if(keyData == NULL) { xmlSecInternalError("xmlSecNssX509CertGetKey", NULL); - CERT_DestroyCertificate(cert); - return(NULL); + goto done; } /* create key */ key = xmlSecKeyCreate(); if(key == NULL) { xmlSecInternalError("xmlSecKeyCreate", NULL); - xmlSecKeyDataDestroy(keyData); - CERT_DestroyCertificate(cert); - return(NULL); + goto done; + } + + /* make a copy for key cert */ + keyCert = CERT_DupCertificate(cert); + if(keyCert == NULL) { + xmlSecNssError("CERT_DupCertificate", NULL); + goto done; } /* set key value */ ret = xmlSecKeySetValue(key, keyData); if(ret < 0) { xmlSecInternalError("xmlSecKeySetValue", NULL); - xmlSecKeyDestroy(key); - xmlSecKeyDataDestroy(keyData); - CERT_DestroyCertificate(cert); - return(NULL); + goto done; } + keyData = NULL; /* owned by key now */ /* create cert data */ certData = xmlSecKeyEnsureData(key, xmlSecNssKeyDataX509Id); if(certData == NULL) { xmlSecInternalError("xmlSecKeyEnsureData", NULL); - xmlSecKeyDestroy(key); - CERT_DestroyCertificate(cert); - return(NULL); + goto done; } - /* put cert in the cert data */ + /* put cert and key cert in the cert data */ ret = xmlSecNssKeyDataX509AdoptCert(certData, cert); if(ret < 0) { xmlSecInternalError("xmlSecNssKeyDataX509AdoptCert", NULL); + goto done; + } + cert = NULL; /* owned by data now */ + + ret = 
xmlSecNssKeyDataX509AdoptKeyCert(certData, keyCert); + if(ret < 0) { + xmlSecInternalError("xmlSecNssKeyDataX509AdoptKeyCert", NULL); + goto done; + } + keyCert = NULL; /* owned by data now */ + + /* success */ + res = key; + key = NULL; + + +done: + if(key != NULL) { xmlSecKeyDestroy(key); + } + if(keyData != NULL) { + xmlSecKeyDataDestroy(keyData); + } + if(cert != NULL) { CERT_DestroyCertificate(cert); - return(NULL); + } + if(keyCert != NULL) { + CERT_DestroyCertificate(keyCert); } - return(key); + return(res); } diff --git a/src/openssl/app.c b/src/openssl/app.c index f3bd3e26d..269b32c66 100644 --- a/src/openssl/app.c +++ b/src/openssl/app.c @@ -658,22 +658,17 @@ int xmlSecOpenSSLAppKeyCertLoadBIO(xmlSecKeyPtr key, BIO* bio, xmlSecKeyDataFormat format) { xmlSecKeyDataFormat certFormat; - xmlSecKeyDataPtr data; - X509 *cert; + xmlSecKeyDataPtr data = NULL; + X509 *cert = NULL; + X509 *keyCert = NULL; int ret; + int res = -1; xmlSecAssert2(key != NULL, -1); xmlSecAssert2(bio != NULL, -1); xmlSecAssert2(format != xmlSecKeyDataFormatUnknown, -1); - data = xmlSecKeyEnsureData(key, xmlSecOpenSSLKeyDataX509Id); - if(data == NULL) { - xmlSecInternalError("xmlSecKeyEnsureData", - xmlSecTransformKlassGetName(xmlSecOpenSSLKeyDataX509Id)); - return(-1); - } - - /* adjust cert format */ + /* adjust cert format if needed */ switch(format) { case xmlSecKeyDataFormatPkcs8Pem: certFormat = xmlSecKeyDataFormatPem; 
@@ -685,22 +680,50 @@ xmlSecOpenSSLAppKeyCertLoadBIO(xmlSecKeyPtr key, BIO* bio, xmlSecKeyDataFormat f certFormat = format; } + /* read cert and make a copy for key cert */ cert = xmlSecOpenSSLAppCertLoadBIO(bio, certFormat); if(cert == NULL) { - xmlSecInternalError("xmlSecOpenSSLAppCertLoad", - xmlSecKeyDataGetName(data)); - return(-1); + xmlSecInternalError("xmlSecOpenSSLAppCertLoad", NULL); + goto done; + } + keyCert = X509_dup(cert); + if(keyCert == NULL) { + xmlSecOpenSSLError("X509_dup", NULL); + goto done; + } + + /* add both cert and key cert to the key */ + data = xmlSecKeyEnsureData(key, xmlSecOpenSSLKeyDataX509Id); + if(data == NULL) { + xmlSecInternalError("xmlSecKeyEnsureData", NULL); + goto done; } ret = xmlSecOpenSSLKeyDataX509AdoptCert(data, cert); if(ret < 0) { - xmlSecInternalError("xmlSecOpenSSLKeyDataX509AdoptCert", - xmlSecKeyDataGetName(data)); - X509_free(cert); - return(-1); + xmlSecInternalError("xmlSecOpenSSLKeyDataX509AdoptCert", NULL); + goto done; } + cert = NULL; /* owned by data now */ - return(0); + ret = xmlSecOpenSSLKeyDataX509AdoptKeyCert(data, keyCert); + if(ret < 0) { + xmlSecInternalError("xmlSecOpenSSLKeyDataX509AdoptKeyCert", NULL); + goto done; + } + keyCert = NULL; /* owned by data now */ + + /* success */ + res = 0; + +done: + if(cert != NULL) { + X509_free(cert); + } + if(keyCert != NULL) { + X509_free(keyCert); + } + return(res); } /** 
@@ -999,68 +1022,91 @@ xmlSecOpenSSLAppPkcs12LoadBIO(BIO* bio, const char *pwd, */ xmlSecKeyPtr xmlSecOpenSSLAppKeyFromCertLoadBIO(BIO* bio, xmlSecKeyDataFormat format) { - xmlSecKeyPtr key; - xmlSecKeyDataPtr keyData; + xmlSecKeyPtr key = NULL; + xmlSecKeyDataPtr keyData = NULL; xmlSecKeyDataPtr certData; - X509 *cert; + X509 * cert = NULL; + X509 * keyCert = NULL; int ret; + xmlSecKeyPtr res = NULL; xmlSecAssert2(bio != NULL, NULL); xmlSecAssert2(format != xmlSecKeyDataFormatUnknown, NULL); - /* load cert */ + /* load cert and make a copy for keyCert */ cert = xmlSecOpenSSLAppCertLoadBIO(bio, format); if(cert == NULL) { xmlSecInternalError("xmlSecOpenSSLAppCertLoadBIO", NULL); - return(NULL); + goto done; + } + keyCert = X509_dup(cert); + if(keyCert == NULL) { + xmlSecOpenSSLError("X509_dup", NULL); + goto done; } /* get key value */ keyData = xmlSecOpenSSLX509CertGetKey(cert); if(keyData == NULL) { xmlSecInternalError("xmlSecOpenSSLX509CertGetKey", NULL); - X509_free(cert); - return(NULL); + goto done; } /* create key */ key = xmlSecKeyCreate(); if(key == NULL) { xmlSecInternalError("xmlSecKeyCreate", NULL); - xmlSecKeyDataDestroy(keyData); - X509_free(cert); - return(NULL); + goto done; } /* set key value */ ret = xmlSecKeySetValue(key, keyData); if(ret < 0) { xmlSecInternalError("xmlSecKeySetValue", NULL); - xmlSecKeyDestroy(key); - xmlSecKeyDataDestroy(keyData); - X509_free(cert); - return(NULL); + goto done; } + keyData = NULL; /* owned by key now */ /* create cert data */ certData = xmlSecKeyEnsureData(key, xmlSecOpenSSLKeyDataX509Id); if(certData == NULL) { xmlSecInternalError("xmlSecKeyEnsureData", NULL); - xmlSecKeyDestroy(key); - X509_free(cert); - return(NULL); + goto done; } - /* put cert in the cert data */ + /* put cert and key cert in the cert data */ ret = xmlSecOpenSSLKeyDataX509AdoptCert(certData, cert); if(ret < 0) { xmlSecInternalError("xmlSecOpenSSLKeyDataX509AdoptCert", NULL); - xmlSecKeyDestroy(key); - X509_free(cert); - return(NULL); + 
goto done; } + cert = NULL; /* owned by certData now */ - return(key); + ret = xmlSecOpenSSLKeyDataX509AdoptKeyCert(certData, keyCert); + if(ret < 0) { + xmlSecInternalError("xmlSecOpenSSLKeyDataX509AdoptKeyCert", NULL); + goto done; + } + keyCert = NULL; /* owned by certData now */ + + /* success */ + res = key; + key = NULL; + +done: + if(key != NULL) { + xmlSecKeyDestroy(key); + } + if(keyData != NULL) { + xmlSecKeyDataDestroy(keyData); + } + if(cert != NULL) { + X509_free(cert); + } + if(keyCert != NULL) { + X509_free(keyCert); + } + return(res); } From eb99bbb43589d555b2075a8931d72cb3c0b6ee2c Mon Sep 17 00:00:00 2001 From: lsh123 Date: Thu, 2 Mar 2023 15:52:59 -0800 Subject: [PATCH 11/15] xmlsec-mscng: fix block ciphers key size (issue #555) (#571) --- src/mscng/ciphers.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/mscng/ciphers.c b/src/mscng/ciphers.c index 1c3f2dd0a..dec755856 100644 --- a/src/mscng/ciphers.c +++ b/src/mscng/ciphers.c @@ -290,6 +290,7 @@ xmlSecMSCngBlockCipherSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { xmlSecInvalidKeyDataSizeError(bufDataSize, ctx->keySize, xmlSecTransformGetName(transform)); goto done; } + bufDataSize = ctx->keySize; /* allocate the key object */ dwKeyObjectLength = dwBytesWritten = 0; From 7ca423e2415b375e42cb960d1b3d5470dc96d965 Mon Sep 17 00:00:00 2001 From: lsh123 Date: Mon, 30 Jan 2023 11:19:12 -0500 Subject: [PATCH 12/15] Re-encode the p12 keys with new algorithms to make it work with newer versions of openssl (#469) --- tests/01-phaos-xmlenc-3/rsa-priv-key.p12 | Bin 2454 -> 2604 bytes tests/merlin-xmlenc-five/rsapriv.p12 | Bin 2140 -> 2274 bytes 2 files changed, 0 insertions(+), 0 deletions(-) 
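Review bot: The new declarations in xmlSecOpenSSLAppKeyFromCertLoadBIO are written `X509 * cert = NULL;` and `X509 * keyCert = NULL;`, with the star detached from the name, whereas the removed line `X509 *cert;` and the sibling hunk in xmlSecOpenSSLAppKeyCertLoadBIO (`X509 *keyCert = NULL;`) bind the declarator to the variable. For consistency with the rest of the file these should read `X509 *cert = NULL;` and `X509 *keyCert = NULL;`. The two blank lines before the `done:` label in the nss counterpart of this function (xmlSecNssAppKeyFromCertLoadSECItem) are a similar cosmetic slip.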
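Review bot: The new `bufDataSize = ctx->keySize;` in xmlSecMSCngBlockCipherSetKey silently narrows the amount of key material handed on to the key-object setup, but the comparison that guards it sits above the hunk, so a reader cannot tell from the code whether this clamps a larger buffer or merely restates an equality. A one-line comment would settle that: `/* only the first ctx->keySize bytes of the key buffer are used (issue #555) */`. If the guard above is a `<` check rather than `!=`, the function documentation should also say that surplus key bytes are ignored rather than rejected, since silently truncating key material is something callers need to know about.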
diff --git a/tests/01-phaos-xmlenc-3/rsa-priv-key.p12 b/tests/01-phaos-xmlenc-3/rsa-priv-key.p12 index f17e6ecce37df464aed780de17fd00789042e210..b5360aade70e1f86a400e293866784aed7878b52 100644 GIT binary patch literal 2604 zcmai$c{J1w7st(*!PtrHOGUEfhe@_*M3(GZ7_yb6!pqnS8Dk$~2_ri()>pD*Y){CV zeGeHz%9gQ2Bf{f3?|bUc=Z|~txu5SJ_pkdo7r@Y80fVRk3~ZhTCK06*MPUNbg7Pu2 zVF(7+e};Pi4CLaUh$bHcId_Iwz#yu#M)xNH0e627P$obR5dSkW0{jp<)PfEtbY;06 z45p(37-{JKw+#$~QUL-qFo!4|&;x1+NCLvz%t6Y1Oq{A40;v=r!Zzg580vf@Vjh1< z6gsHHh?$@XF{@jvkl66$yYn;^5#wGrs$&&x8`xDT?k2eHAMisBuVRvk%Oo1oOhZGT zb^X$tG5nTtQ`Pgqj%8m*)*QtO$`)Mdh!sCcSni&ne61_1uoA~_eWo|D!IeFKKRh)* zZFX$YQ#LZQ*kJHcc_VMOEqRUCD|ornJE`$U zlyHA8Qm6{S8e&BnR#!GyOYoMa-M?R{7LhaAA}=Bs6tb&iumg?r3JkgJhO@_y5m4z{ zA(RvFtOYzcF%|h2+8ju_w3~vgOt?eZFrbN1Pirm4=4x%d1vepWZg$5TJHXPfYHK8cHsgNPiEvKkOB5$j#zlWF*0|oFH*VpNQMO-AVH129M%7Q@t`dB9 zG)U~a>~cwH8R3i;8&p*Fw2%u@3OP~g+6rB)njS6o(u(y*KrAECPsE- zlFXjbu_%Msqb0d=YN3i&QwgSTV$`Lq523hd=sSB4i@IjBd-&cca`pApd!o}^8vGqS zZ{B+F@V(&?`?MDhlsOCK<#oSo%M7SiN}?dRPS34eU%z1?E-v2A>wdA$B)S9P>L8+y ziJVfi{n~2TSR9wFZO%CNMR&m#5Y~h(VP^I3GHVgCE50cTmk>@TDvp}$X??Euh=b_@ z-&X6eX;7ysFdJ0$GY&@aD`s!;`LmlBsJ3%`Uh7`9%el?Inw~9O@hwPq`satdT=yg= z?~pWqGMF&aj9k=^`sRsn!KLzGcxVVcx zMFG5qS~E$iROYBF_D$#4yAKP-@3tOUtwIG;oXfl4Kjn<+BCWt(1-@nuXT?)%Jyuz% z=S7Jl`Kp+ZxQc$}&A_!*8IQKUAbtj|m4+8vgwrcM|QpfzGBK{&C6{oW{f?o>x5MZ4qy>hkM%6Ee?bL`006^?}EOpt!6Wqj`L~y{ySUgB2by61}b! zs)ZfJHInschGyygkUcN_(H;?g@z3t`{GN1c=!si&3i7aS6 zT;HMSHTR$zFh{->>UHdIJ;fAjCf4~ zaP%;34%=saD>GhwXQJ)^>5E;$H^7=Cqoghe-Ey(i(!R!jZGFQM>TzyaU|}9YEKr{J zj++~IwO-`zV7N7#mE)B;g!nnXt(+{mN|qIGr?k1G$%E0L_c?aXVc$3N4|kOY!)xDs zHJ{(QZ<#_occJDZqJUw&26=;=ZQKH?4Op0ZVCcZGW?V&P_5} zs)T4>`jFX5l4o#}=6dAguCnP2Cns0O-d=FZHOP3a-v^IGg2|OC7aksC>jB?qq5_t* zh29OpE7oY4U!)FZAFUlwwgH${CzN+EM5Tjr8onMNN;&l}7Qn?ENdxr9+PUsbS8=jJ zb-NamvR!zQ&!VMdC+EkE1ma9ldWI&9fuig7DkkIBAKcs`qU>Ig@#vR* z+e;s(i{H{6DBW}$BAj1k0K=_MnkxL{Zx?BIe=<`x0e6b}18b>Xyr5pFRf6^-Ux$3? z=XpE)HvfCHe?5TijV0;UbMcH#VhdS&+t54?ZJ+Eec-m8%EqgDm52e$=#)-%XeTSb? 
z$jAXM>jhXnr(^lriQ&A5)Zl~kEj>H0mnC#Jo1L-Z0wpZwth6~vJf{r|QLd=$9k^-Q ze!QGe(dOOS$m%TTi#4N^UMYj zXlpm+mMm~TbVPo#)`RKUnlSfd3cYyQ9@?VwL*SNExIcUfKlG}g)g&VKAV@NSwD3kb%&E649nUo0>XYqd1g(bfkgD8yep#d5L(*wGOyoNh2zrcqzJ zf<7(L_qLe^yb82hUU?pOKemuI!fY$ ztW61Pyjnu!97CvAeF+@7nAo0F(2j=>wk>d3VU1+LY*u_>BXS=_fnQH_o8pgy#&G8A z6FHYj3l86TzooczuT&&dXnb1tNx%zT-`w9Mz9`D)-SXRB;<}?+jtio)yaRsh<(X_9 z?Lt{HLZgE-8q(9buXTnJL^w=@&1i}fJvUM<41_1-#<^efeQ*q&99prBP#p{a3jLqk z*oEatt*og{m)IWo+$;xQ*GIlLx@i^{3KN$XoJXRhXA?Zu85vEhi@+sM)@&o*q<+j8vH3)sEq5 zv?v`tZmrh_3G90poLv8*On6cwVy=EiQy&EHk>zaqBC7^){T3{YLzZ5Uj>?zn0TqhM z7r68%;FLWN;pi;$Z5bKk#(u8F_l>33l!VWY+yD@OEWq^p&jN#>R1jeo%)Qz;i`X#a oyTkisQX3foZ#Sc~A2kq6;#9jzMcrZ`bT1@O4yaQ`&3_#HH)n&#*#H0l delta 2417 zcmV-%36A!x6qXZzFoFq^0s#Xsf(cj#2`Yw2hW8Bt2LYgh2}uNk2}Ll12|+M|1K$P- zDuzgg_YDCD2B3li&@h4n%mM)bFoFZc1_>&LNQU0k8?x8|o_pF$S3mMca~eyeH;k&@R+@Q)W$ zK>%ClXIl+_XjFoE)@phd^LVXuRv5J(PZtr zd`mVcUBP_*AfhJtf_GIrIkwI|bp64btJ@d9p|MPZzJ{uWM8*&`Pmf zG*~9;OmNwaaN&0LlP+9ZR2Us0no!G$Gjl_-5@3&iv$3PDIXHIJMU_6{zRv{^dP&|A zo+PfAyfJ_1MrKtrY)|zV8`X5<7cfeDgxl7hud4e+G&Nm4wBHMvWk24;KU+0cyf#$= z>HNUNntCD;KtPnX1NaG=FC+-1>&!R@MM)&~tYF}sfUvEvb0VgvjhD2E3X+6_; zr|3O@YlKQNj9c|;g~77zal1~tQ;>xMANzNk#$`v)>ZndyQqqG3)ypU=ES7-k($mVE zAiwTX|B>u{zKge|y+lwc?zax#`>p%2SL)q2N^9WpKLqmcAiNzK=+@?_>r#~9{M1F$ zZl6QC!rX}j;bTXw-dnnH)^!?RJ7l|4T^i zoBXpM=e|4Nn6z&fTD7FUc}ST$gO~~#Mb%ylhDI3JO~tx@ns;Tp^2uRxVs3>f)Hc=v#DnU6Yu z^3>Re&chKn`9#;0rTZXWp(PY*MMNa*7(ENqhz zxN)dgQ^v-+Nt@6FFZdxh(nJ;9FcnWY3xc1z-$@gyE*7`Vv#)TPxVo7-<6If~L=Ga!b!tWNMP7G_?5!8V;rM}dpVN!clmekA!UEfg3qcJd|`j(%u_ zq}O^!y)|S(ek{YKy7$t$(ybrY+;*FtzT91Kw=Qp#D#)%821W$KF&1BFne2a=0|jms za(9!@b1_S_TO!hDe6@4FLxMpn?TU1cC)eFoFd`FoFd?1`8^NNQUM$Gz3Mz(3hW8Bt3;_c$4g?79hdqvP!U$pl0tf&Ef&|F(_ZL=aay?w; z7z*X0&x&*tZFYW$ibWAcPdsLSXuRAt#tw{1V3G|vaa+dVtM=Pm&)VP$w!EBw{2vr#GiCjB z`TH!AvA&4ajIMVa5t|^VeO``F#UTj*Q7Ii9rCXnm<>3m=3X4_gdB{#Lj>`>%!qCj| zs<90~B6y;wYP+rCE+7402x%H?4+a(8?1hO5TN@0H=b2%as$yI8&wb$<$Ddvqd8BiI z5#b;xLgto8nu51Uc?9);`bB^YBwS_|zZYR)c6N%ZeE}*<9)EdV=KUX=SzYbBuhbWj 
zAgnwe0};c)V`7r@H1n)lc|ilmf&>dox{DDTetJD8RFWdh=I`OiCL_kCA%j2-Sc+>@ zCcK@eo1z2V+5`4%BUSN{J*CI@oD>NmCeFtw1GjR7psO9H29xc7F48A_5`jG9hWG#( zu}Z1rgRqJ30vv27hMfBpo)b3z)rH1S5wAvZ?MWNc5SElgJWor8#d;z89QFCjJl&A@ zG({ef3jB0cw3G)+D$4N|{{Bpu3|6FOhNJSqu@<}YLEn%H0HOy4Yz1!0`V8ajXrB4} zf7a8IT{OprXpFn#piTfcB!m`^f))$ z1~d-B^4=O(HBlw9QHvmZHOAvIIV$FkQi}vdhI!Nr6NmyYFe=BY2Rx|zMgn6WojF*0 zQxP|TRa(WJH<<8k@jFfz4_fo4v@CaZ05##~Xv4sOH*6w)qC3)^@vtD+@cWNShxrkAxHMY z&4+z}aRdNh@p5+xMX&6*M#MHYxm_N)FY<0uh z^VrOPnD5zU+e>Bn2&@&XzHq?*G5XA$fz!*+UF2Oo4l#juO%o@7M-*ZBfN>Scv>MV+ zxQX*Q^>cYiT<#m9y*YMGS^HtYU@pihDHq8X>$Ys^aJ)2l{?Y~vDN?v=ss8i3*5mh5 z_={0Tfd1d@tFf!+dIrV_5dZksKQ4z}1;1z&Q3{RnjtD|zNJkw;61$yNGZ zp3^|3Zl+YHv1CfJq;VP9MzV~GZax3|)XV$gJm)#z?~C*1oXaZ99 zM(3~Xvk7{RwCz~M>t~hbd7qPV!v`LGc%5ze^j5tj_a+^h`ly*co}VR~Mh#`TU;@cz zv%$;I|BZxeMkbz$H=aXAPTMsN_f`UPR6j{)dWD95sJ?mEhuzgx6n)s^O8a`|r&u$a z_w$+B_G1p$u0;;n0Zp}sy;f+BlEo6zOjD|3ef;QGrtNagdgB-&ZKf!Wj|}cwFAO(? zdgS)JTp0US5jd2iIPX`w&PTT#J701jBjHqC2&%)BU3)=gzvAtf8Mf?IpH?ay9Vw0& zIGRW2`Y-i21}vTlDxX7wqSZ?hr{`_ttJGK`;@o|Ps@_E@x}>X-rv*i1 zr5O%~HYE-}!X3(V;lYUlCj5XoG$62neRLmQhdIm{H#8!%g%we>HUzNYUGSTUq)33H$Ng{=oz}i>mruAlow8Coe&e@cK!y3>N;-WwpE8kccKJj z@v0Av$vgKhwA);bAD~`YRZemcz}3cEAg#iw3b$CCmob{1*=XKjN{8s28*{Q6Zw!{H z^pB}mH||Yt_~w({f$z^OiAfC!>#6c;!SM9G&NU{?Rx}+o$$srhCOs7!6+IK`cI-Kh zRzhN^NemL#R8$@7LPo%j3COJSi<595ovN=g-uZjmUBk6*_Wu3;(zC^(Uk#o)Q^v)>nIsi;&wadv4R~O*98YZHp!%wjvlpowQIUDH5|EQO> zu8hW9z@3cq2HVMe6d>*ntS8`elW$nV=a~B|uRRGpzcgoEOQwMTnoURLKX9&8Ol*J$ z(d5MJF<-KZ-t3fAj5+#9!{MF{wIbjPN_n_rFnsww0f0LF;@wYxLakr`)a-{${1N+v z#r|chxF{Gx2Ou8^0A%dHfN4APEFsvid*(lZxhjEOoCbg2u^3Nr(Wa~Q!2n1M^I%?S z_q3Lvy}j1mEt2$xE8vH8AuT6 zOV2Zo7*P=!mz%e8bZS`Vv|exEsZV8qHLKfx4#IZ1k(=bPuebi9U+X@Q7HmW8oik)L zFR2lY~&3mkyaIQBxlNL z!K8q%!n)G4agD|gCbX^kg{$10d!lu)u;=o3-Ki2rAk|bM|AqrB-(^-o-pCo}^L_>u zJ|#IAa_?rOcW;i&-Gmjzl$Xi)PXmO{dNxMx-ooH7f)6lJR&%*;# zcscljx$^YD9fHGN4yH1s78WEDLi>W*G?KFyLN!jh-JryV#>O^yAJ$wP$_^UOZEZJMQh(7QOdBoN zO`Nw#DG0Os&_{cuLE*(La3ZQsekChoV^B$3@2Wp; 
z#y)6c@6hN!$s=w4(d(kqamD<4k|TP(&D!LR$qDnJXqgK-lDxT|07*s_Byyu5Cc$pIQTAxWdPqpOP-= zW~)bb9)zUy_wB)s3wDE?xh76eu-3?QnOE{-_v8)tW9-Xbk%cTiHu=1Gpy9RAX-mM>=WIfYSl<>Raeh>@7?$Q`p)@%=X`&C=Qk@j4kx3iFeeZYd=#glTnY(h3EO-? zPGA8QCIF$rc#be9iVFGqPX#TYLPn0zAP5LJitc|JAW9s{{qF@{AQZ(9fyn@zM*6xQ zCW1gP0EG%ENJl)AX6ik9_i}ILNsLOGvPCSpmW#PTgCE>_p`enn;@#_?vQ7L$zv|4^ zQ|Zlmx2J29!U=4SP~>O=Q6x3Y4&7=Vn-rxrEFSO7r}}=WeG>k#6ldqz*dk(zdhMhYbVt)TY{fSM8w_mn) z2{g)>Q4crm*^Ps$}b+FY&yWz)5rIuNn zW4J}X5D0w0w7xI6Bu-c=bhZe(Wyd^EI56bU0+)s89LgU9=EF z*IieQUWgI38Jevbt)NUW1B08+ce`S}9g73b<|A*4CIogqS1QfAoL(Ea-V;P%!ZT5S zm?(9tRs(^)R$2uChKRUna&n4-S>EtAAv8|WoT*M=SE~BL;hr*Y^qpUJcDuoE%_0GZ z7d})-u&Cixy6WjGIPsR66t>1<*j~x2v6mDmIHg>cyHwx=s4+RdhUC+ilr&w9Z{$X3 zLH^bDG|4dV%2m^QLxYaP2D5lqiz{hN(=(2JW(B)Y=OF%={g8h0pSy|;{&Ds!r3{3s=dVF%R5m!YW=)*6a-4=l;}AD4qm zm#tA$u;~A&t$+&Vf>6O6M;M5rf)1cO{}CNG5L7?~JwAek|K~sOFaIgHHY^j457B=4 z4?+b|wB`15`!}At9*P4fnLJ_{)_!C&Z1H0IafGM*igkc0faZY&&# zc-U*=ox@!#?BNOeOPs$^YA00em^?!<$TY#qRsQ18!v>9tYL4>l_-`t7Ir}qW33`0; z?~*##v9Z~1smnWYZ{**R4Ox9f-)zmH!#LZM#cZEQ4_`2~kFL@Ez=6GwekXbJu}b}Ns#40jq|W$Amai$1 z^l~Bttra1_srI%qZ9-TAy?-_Def$2-!q}cZ@|_=ss7IRPZ5W`iTfi{`T6eIxu2x9uJZ|z*;2+(cQ`2VL z=fjsSt%e4MTvrPqkBvI4B`1TNh8pH>M{@{D%=XXPW|O|vhQ+>$Nw1LV!R+J{Q#w!K zqSHi+t}8Y~|Q@05dT zubL2B4=r7X&B3^N*)j{PcPK#V473sI)PJv?;SJNqpiz=2E+~g0KNxh90{{{6wfl=1 ghxR91>7B+viknmGV*E%D*dPEU^(@AS@7J0C2G*D1#{d8T From c4529d3661278aa1b4657d03406871bae3aa9f12 Mon Sep 17 00:00:00 2001 From: Aleksey Sanin Date: Thu, 23 Mar 2023 11:31:32 -0400 Subject: [PATCH 13/15] Ensure that all cert data is written out --- src/keysdata.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/keysdata.c b/src/keysdata.c index 305ec1656..66d28d648 100644 --- a/src/keysdata.c +++ b/src/keysdata.c 
@@ -2403,7 +2403,8 @@ xmlSecKeyValueX509XmlWrite(xmlSecKeyValueX509Ptr x509Value, xmlNodePtr node,
             xmlSecInternalError("xmlSecKeyValueX509XmlWriteBase64Blob(cert)", NULL);
             return(-1);
         }
-    } else if(xmlSecBufferGetSize(&(x509Value->crl)) > 0) {
+    }
+    if(xmlSecBufferGetSize(&(x509Value->crl)) > 0) {
         ret = xmlSecKeyValueX509XmlWriteBase64Blob(&(x509Value->crl), node,
             xmlSecNodeX509CRL, xmlSecDSigNs,
             base64LineSize, addLineBreaks);
@@ -2411,7 +2412,8 @@ xmlSecKeyValueX509XmlWrite(xmlSecKeyValueX509Ptr x509Value, xmlNodePtr node,
             xmlSecInternalError("xmlSecKeyValueX509XmlWriteBase64Blob(cert)", NULL);
             return(-1);
         }
-    } else if(xmlSecBufferGetSize(&(x509Value->ski)) > 0) {
+    }
+    if(xmlSecBufferGetSize(&(x509Value->ski)) > 0) {
         ret = xmlSecKeyValueX509XmlWriteBase64Blob(&(x509Value->ski), node,
             xmlSecNodeX509SKI, xmlSecDSigNs,
             base64LineSize, addLineBreaks);
@@ -2419,7 +2421,8 @@ xmlSecKeyValueX509XmlWrite(xmlSecKeyValueX509Ptr x509Value, xmlNodePtr node,
             xmlSecInternalError("xmlSecKeyValueX509XmlWriteBase64Blob(ski)", NULL);
             return(-1);
         }
-    } else if(x509Value->subject != NULL) {
+    }
+    if(x509Value->subject != NULL) {
         ret = xmlSecKeyValueX509XmlWriteString(x509Value->subject, node,
             xmlSecNodeX509SubjectName, xmlSecDSigNs);
         if(ret < 0) {
@@ -2427,7 +2430,8 @@ xmlSecKeyValueX509XmlWrite(xmlSecKeyValueX509Ptr x509Value, xmlNodePtr node,
                 "subject=%s", xmlSecErrorsSafeString(x509Value->subject));
             return(-1);
         }
-    } else if((x509Value->issuerName != NULL) && (x509Value->issuerSerial != NULL)) {
+    }
+    if((x509Value->issuerName != NULL) && (x509Value->issuerSerial != NULL)) {
         xmlNodePtr issuerSerial;
 
         issuerSerial = xmlSecEnsureEmptyChild(node, xmlSecNodeX509IssuerSerial, xmlSecDSigNs);
@@ -2807,4 +2811,3 @@ void xmlSecImportSetPersistKey(void) {
 int xmlSecImportGetPersistKey(void) {
     return xmlSecImportPersistKey;
 }
-
From d871faf0f92dc7dbeedb40d2076132b894055292 Mon Sep 17 00:00:00 2001
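Review bot: The error path that now follows the X509CRL write (the context at the top of the second hunk, old line 2411) still reports `xmlSecKeyValueX509XmlWriteBase64Blob(cert)`, so a failure while emitting the CRL blob is logged as a certificate failure; the ski branch below already carries its own label, so this one should read `xmlSecInternalError("xmlSecKeyValueX509XmlWriteBase64Blob(crl)", NULL);`. Turning the else-if chain into independent ifs means every populated field is now written into the same X509Data node, which appears to be the intent of the commit; a one-line comment above the first rewritten if, `/* write every populated field, not only the first one found */`, would keep a later reader from restoring the chain. xmlSecKeyValueX509XmlWrite starts before the first hunk and ends after the fifth; the last hunk is a trailing-blank-line removal.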
From: lsh123
Date: Tue, 11 Apr 2023 11:14:56 -0400
Subject: [PATCH 14/15] Enable MD5 for OpenSSL cert verification (#620)

---
 tests/testrun.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tests/testrun.sh b/tests/testrun.sh
index 05ed22974..65620684b 100755
--- a/tests/testrun.sh
+++ b/tests/testrun.sh
@@ -86,6 +86,12 @@ if [ "z$crypto" = "zopenssl" -a "z$XMLSEC_OPENSSL_TEST_CONFIG" != "z" ] ; then
     export OPENSSL_CONF="$opensslconf"
 fi
 
+if [ "z$crypto" = "zopenssl" ] ; then
+    # phaos certs use RSA-MD5 which might be disabled
+    extra_vars="$extra_vars OPENSSL_ENABLE_MD5_VERIFY=1"
+    export OPENSSL_ENABLE_MD5_VERIFY=1
+fi
+
 #
 # Setup keys config
 #
From 6403818687eb3e10808fe60af694e509a2a2279c Mon Sep 17 00:00:00 2001
From: Aleksey Sanin
Date: Sun, 25 Jun 2023 11:50:06 -0400
Subject: [PATCH 15/15] Force static linking for libraries when --enable-static-linking is specified on Windows (MinGW/Cygwin)

---
 configure.ac             | 3 +++
 include/xmlsec/exports.h | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index e28819d97..6bd018699 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2224,6 +2224,9 @@ AC_MSG_CHECKING(for static linking)
 AC_ARG_ENABLE([static_linking], [AS_HELP_STRING([--enable-static-linking],[enable static linking (no)])])
 if test "z$enable_static_linking" = "zyes" -o "z$enable_static_linking" = "ztrue" ; then
     XMLSEC_STATIC_BINARIES="-static"
+    if test "z$build_on_windows" = "zyes" ; then
+        XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_STATIC=1"
+    fi
     XMLSEC_APP_DEFINES="$XMLSEC_APP_DEFINES -DXMLSEC_STATIC=1"
     enable_crypto_dl="no"
     AC_MSG_RESULT([yes])
diff --git a/include/xmlsec/exports.h b/include/xmlsec/exports.h
index 893a012a1..a94b1a5ea 100644
--- a/include/xmlsec/exports.h
+++ b/include/xmlsec/exports.h
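Review bot: The new block exports OPENSSL_ENABLE_MD5_VERIFY=1 for every OpenSSL test in the run, not only for the phaos cases the comment names, so a test whose purpose is to confirm that an MD5-signed certificate is rejected would pass for the wrong reason. If only the phaos suite needs it, limiting the variable to those invocations keeps the rest of the run on the default policy; if that is impractical, the comment should at least say so: `# phaos certs use RSA-MD5 which might be disabled; NOTE: this relaxes MD5 verification for the whole run`. The block both appends to extra_vars and exports the variable; I cannot see how extra_vars is consumed, so one of the two may be redundant.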
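Review bot: The library-side define is added only when build_on_windows is yes, while XMLSEC_APP_DEFINES receives -DXMLSEC_STATIC=1 unconditionally, and nothing in the hunk records why the two differ; a comment such as `# on Windows XMLSEC_STATIC also switches exports.h away from __declspec(dllimport)` would capture the reason. I cannot see where build_on_windows is set, so whether it covers the Cygwin case named in the subject is worth confirming before relying on it.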
@@ -47,7 +47,7 @@ extern "C" {
 # if !defined(XMLSEC_STATIC)
 # define XMLSEC_EXPORT __declspec(dllimport)
 # else
-# define XMLSEC_EXPORT
+# define XMLSEC_EXPORT extern
 # endif
 # endif /* defined(IN_XMLSEC) */
 /* This holds on all other platforms/compilers, which are easier to
@@ -71,7 +71,7 @@ extern "C" {
 # if !defined(XMLSEC_STATIC)
 # define XMLSEC_CRYPTO_EXPORT __declspec(dllimport)
 # else
-# define XMLSEC_CRYPTO_EXPORT
+# define XMLSEC_CRYPTO_EXPORT extern
 # endif
 # endif /* defined(IN_XMLSEC_CRYPTO) */
 /* This holds on all other platforms/compilers, which are easier to
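Review bot: Defining XMLSEC_EXPORT as `extern` is harmless on function prototypes, but if the macro is also placed on a variable definition that carries an initializer, GCC emits "initialized and declared 'extern'"; I cannot see the macro's uses from here, so a grep for XMLSEC_EXPORT on definitions is worth doing before merging. The same change is made to XMLSEC_CRYPTO_EXPORT in the second hunk. A short comment on the else branch, `/* static build: no dllimport, plain external linkage */`, would explain why the macro is no longer empty.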