fix enc context reset (issue lsh123#437) (lsh123#438)

ycharts · Aug 19, 2024 · 76e1e61 · 76e1e61
1 parent e8a46b9
commit 76e1e61
Show file tree

Hide file tree

Showing 8 changed files with 159 additions and 4 deletions.
diff --git a/src/xmlenc.c b/src/xmlenc.c
@@ -95,6 +95,17 @@ xmlSecEncCtxDestroy(xmlSecEncCtxPtr encCtx) {
     xmlFree(encCtx);
 }
 
+static void
+xmlSecEncCtxSetDefaults(xmlSecEncCtxPtr encCtx) {
+    xmlSecAssert(encCtx != NULL);
+
+    encCtx->keyInfoReadCtx.mode = xmlSecKeyInfoModeRead;
+
+    /* it's not wise to write private key :) */
+    encCtx->keyInfoWriteCtx.mode = xmlSecKeyInfoModeWrite;
+    encCtx->keyInfoWriteCtx.keyReq.keyType = xmlSecKeyDataTypePublic;
+}
+
 /**
  * xmlSecEncCtxInitialize:
  * @encCtx:             the pointer to <enc:EncryptedData/> processing context.
@@ -120,16 +131,12 @@ xmlSecEncCtxInitialize(xmlSecEncCtxPtr encCtx, xmlSecKeysMngrPtr keysMngr) {
         xmlSecInternalError("xmlSecKeyInfoCtxInitialize", NULL);
         return(-1);
     }
-    encCtx->keyInfoReadCtx.mode = xmlSecKeyInfoModeRead;
 
     ret = xmlSecKeyInfoCtxInitialize(&(encCtx->keyInfoWriteCtx), keysMngr);
     if(ret < 0) {
         xmlSecInternalError("xmlSecKeyInfoCtxInitialize", NULL);
         return(-1);
     }
-    encCtx->keyInfoWriteCtx.mode = xmlSecKeyInfoModeWrite;
-    /* it's not wise to write private key :) */
-    encCtx->keyInfoWriteCtx.keyReq.keyType = xmlSecKeyDataTypePublic;
 
     /* initializes transforms encCtx */
     ret = xmlSecTransformCtxInitialize(&(encCtx->transformCtx));
@@ -138,6 +145,7 @@ xmlSecEncCtxInitialize(xmlSecEncCtxPtr encCtx, xmlSecKeysMngrPtr keysMngr) {
         return(-1);
     }
 
+    xmlSecEncCtxSetDefaults(encCtx);
     return(0);
 }
 
@@ -222,6 +230,8 @@ xmlSecEncCtxReset(xmlSecEncCtxPtr encCtx) {
 
     encCtx->encDataNode = encCtx->encMethodNode =
         encCtx->keyInfoNode = encCtx->cipherValueNode = NULL;
+
+    xmlSecEncCtxSetDefaults(encCtx);
 }
 
 /**

diff --git a/tests/aleksey-xmlenc-01/enc-two-enc-keys.data b/tests/aleksey-xmlenc-01/enc-two-enc-keys.data
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE test [
+<!ATTLIST Test Id ID #IMPLIED>
+]>
+<Test Id="Test">
+test
+</Test>
diff --git a/tests/aleksey-xmlenc-01/enc-two-enc-keys.tmpl b/tests/aleksey-xmlenc-01/enc-two-enc-keys.tmpl
@@ -0,0 +1,32 @@
+<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
+<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
+<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"> </EncryptionMethod>
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<KeyName>key1</KeyName>
+<X509Data>
+<X509Certificate/>
+</X509Data>
+</KeyInfo>
+<CipherData>
+<CipherValue/>
+</CipherData>
+</EncryptedKey>
+<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
+<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"> </EncryptionMethod>
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<KeyName>key2</KeyName>
+<X509Data>
+<X509Certificate/>
+</X509Data>
+</KeyInfo>
+<CipherData>
+<CipherValue/>
+</CipherData>
+</EncryptedKey>
+</KeyInfo>
+<CipherData>
+<CipherValue/>
+</CipherData>
+</EncryptedData>
diff --git a/tests/aleksey-xmlenc-01/enc-two-enc-keys.xml b/tests/aleksey-xmlenc-01/enc-two-enc-keys.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE test [
+<!ATTLIST Test Id ID #IMPLIED>
+]>
+<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
+<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
+<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"> </EncryptionMethod>
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<KeyName>key1</KeyName>
+<X509Data>
+<X509Certificate>MIID9zCCA2CgAwIBAgIJAK+ii7kzrdqsMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD
+VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1MIFNlY3Vy
+aXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjKTEQMA4G
+A1UECxMHUm9vdCBDQTEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEhMB8GCSqGSIb3
+DQEJARYSeG1sc2VjQGFsZWtzZXkuY29tMCAXDTE0MDUyMzE3NTA1OVoYDzIxMTQw
+NDI5MTc1MDU5WjCBrjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
+PTA7BgNVBAoTNFhNTCBTZWN1cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtz
+ZXkuY29tL3htbHNlYykxEDAOBgNVBAsTB1Jvb3QgQ0ExFjAUBgNVBAMTDUFsZWtz
+ZXkgU2FuaW4xITAfBgkqhkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtY4MCNj/qrOzVuex1BD/PuCYTDDOLLVj
+tpKXQteQPqy0kgMwuQgRwdNnICIHQbnFKL40XoyACJVWKM7b0LkvWJNeyVzXPqEE
+9ZPmNxWGUjVcr7powT7v8V7S2QflUnr8ZvR4XWwkZJ9EYKNhenijgJ5yYDrXCWdv
+C+fnjBjv2LcCAwEAAaOCARcwggETMB0GA1UdDgQWBBQGtaSsp6p1ROoVnE/fBYNP
+ah7+CzCB4wYDVR0jBIHbMIHYgBQGtaSsp6p1ROoVnE/fBYNPah7+C6GBtKSBsTCB
+rjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExPTA7BgNVBAoTNFhN
+TCBTZWN1cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtzZXkuY29tL3htbHNl
+YykxEDAOBgNVBAsTB1Jvb3QgQ0ExFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAf
+BgkqhkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbYIJAK+ii7kzrdqsMAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEARpb86RP/ck55X+NunXeIX81i763b
+j7Z1VJwFbA/QfupzxnqJ2IP/lxC8YxJ3Bp2IJMI7rC9r0poa41ZxI5rGHip97Dpg
+sxPF9lkRUmKBBQjkICOq1w/4d2DRInBoqXttD+0WsqDfNDVK+7kSE07ytn3RzHCj
+j0gv0PdxmuCsR/E=
+</X509Certificate>
+</X509Data>
+</KeyInfo>
+<CipherData>
+<CipherValue>OWIZitDwtQp3dvJ2NP2bgQaaiW+Z0vwyh8ajaw7nuwlqQugrbugy9upogbKMpOrz
+XFLfdzfQ5EfRBr2MaPvMkft2wBWfYOS437RNrKdd/MZxZjSPoFRAMBz4F6cVjDx5
+L3/I/3usuqoyYLNtjQTxcIt+sdtNMZnAyVxz/08vEGg=</CipherValue>
+</CipherData>
+</EncryptedKey>
+<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
+<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"> </EncryptionMethod>
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<KeyName>key2</KeyName>
+<X509Data>
+<X509Certificate>MIIDzzCCAzigAwIBAgIJAK+ii7kzrdqtMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD
+VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1MIFNlY3Vy
+aXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjKTEQMA4G
+A1UECxMHUm9vdCBDQTEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEhMB8GCSqGSIb3
+DQEJARYSeG1sc2VjQGFsZWtzZXkuY29tMCAXDTE0MDUyMzE3NTIzOFoYDzIxMTQw
+NDI5MTc1MjM4WjCBnDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
+PTA7BgNVBAoTNFhNTCBTZWN1cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtz
+ZXkuY29tL3htbHNlYykxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAfBgkqhkiG
+9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
+QQCyuvKJ2CuUPD33ghPt4Q8MilesHxVbbpyKfmabrYVpDGVDmOKKp337qJUZZ95K
+fwlXbR2j0zyKWJmvRxUx+PsTAgMBAAGjggFFMIIBQTAMBgNVHRMEBTADAQH/MCwG
+CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
+HQ4EFgQU/uTsUyTwlZXHELXhRLVdOWVa434wgeMGA1UdIwSB2zCB2IAUBrWkrKeq
+dUTqFZxP3wWDT2oe/guhgbSkgbEwga4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
+YWxpZm9ybmlhMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGlicmFyeSAoaHR0cDov
+L3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMRAwDgYDVQQLEwdSb290IENBMRYwFAYD
+VQQDEw1BbGVrc2V5IFNhbmluMSEwHwYJKoZIhvcNAQkBFhJ4bWxzZWNAYWxla3Nl
+eS5jb22CCQCvoou5M63arDANBgkqhkiG9w0BAQUFAAOBgQBuTAW63AgWqqUDPGi8
+BiXbdKHhFP4J8qgkdv5WMa6SpSWVgNgOYXkK/BSg1aSmQtGv8/8UvBRPoJnO4y0N
+jWUFf1ubOgUNmedYNLq7YbTp8yTGWeogCyM2xdWELMP8BMgQL0sP+MDAFMKO3itY
+mEWnCEsP15HKSTms54RNj7oJ+A==
+</X509Certificate>
+</X509Data>
+</KeyInfo>
+<CipherData>
+<CipherValue>fDxlxg+iGPUl78ourojHao8/BcxY+A2IQXVghY/OqeQUUD9eT55jrGxgw5UEADoq
+ZD8I/KolksaZ1414NyOIIw==</CipherValue>
+</CipherData>
+</EncryptedKey>
+</KeyInfo>
+<CipherData>
+<CipherValue>ORyr/Fi6TMsMMfEWeDy9iPGl43zoKJLbTTukFwOqtfBi0nSdsMkGkmpQAs3a1PsG</CipherValue>
+</CipherData>
+</EncryptedData>
diff --git a/tests/keys/README.md b/tests/keys/README.md
@@ -226,6 +226,14 @@ keys into PKCS12 form that is suitable for not only NSS but all crypto engines (
 password is `secret123`):
 
 ```
+cat cakey.pem cacert.pem  > allcakey.pem
+openssl pkcs12 -export -in allcakey.pem -name CARsaKey -out cakey.p12
+rm allcakey.pem
+
+cat ca2key.pem ca2cert.pem cacert.pem  > allca2key.pem
+openssl pkcs12 -export -in allca2key.pem -name CA2RsaKey -out ca2key.p12
+rm allca2key.pem
+
 cat dsakey.pem dsacert.pem ca2cert.pem cacert.pem > alldsa.pem
 openssl pkcs12 -export -in alldsa.pem -name TestDsaKey -out dsakey.p12
 

diff --git a/tests/keys/ca2key.p12 b/tests/keys/ca2key.p12
diff --git a/tests/keys/cakey.p12 b/tests/keys/cakey.p12
diff --git a/tests/testEnc.sh b/tests/testEnc.sh
@@ -29,6 +29,22 @@ echo "--------- Positive Testing ----------"
 #
 ##########################################################################
 
+# same file is encrypted with two keys, test both
+execEncTest $res_success \
+    "" \
+    "aleksey-xmlenc-01/enc-two-enc-keys" \
+    "aes256-cbc rsa-1_5" \
+    "$priv_key_option:key1 $topfolder/keys/cakey.$priv_key_format --pwd secret123" \
+    "--session-key aes-256 --xml-data $topfolder/aleksey-xmlenc-01/enc-two-enc-keys.data --pubkey-cert-$cert_format:key1 $topfolder/keys/cacert.$cert_format --pubkey-cert-$cert_format:key2 $topfolder/keys/ca2cert.$cert_format" \
+    "$priv_key_option:key1 $topfolder/keys/cakey.$priv_key_format --pwd secret123"
+
+execEncTest $res_success \
+    "" \
+    "aleksey-xmlenc-01/enc-two-enc-keys" \
+    "aes256-cbc rsa-1_5" \
+    "$priv_key_option:key2 $topfolder/keys/ca2key.$priv_key_format --pwd secret123" \
+    "--session-key aes-256 --xml-data $topfolder/aleksey-xmlenc-01/enc-two-enc-keys.data --pubkey-cert-$cert_format:key1 $topfolder/keys/cacert.$cert_format --pubkey-cert-$cert_format:key2 $topfolder/keys/ca2cert.$cert_format" \
+    "$priv_key_option:key2 $topfolder/keys/ca2key.$priv_key_format --pwd secret123"
 
 execEncTest $res_success \
     "" \