github.com/russellhaering/goxmldsig v1.4.0
github.com/russellhaering/goxmldsig v1.5.0
When upgrading goxmldsig from v1.4.0 to v1.5.0 the following two tests fail:
```
service_provider_test.go:1436: assertion failed:
expected error "cannot validate signature on Assertion: Signature could not be verified",
got "cannot validate signature on Assertion: crypto/rsa: verification error"
--- FAIL: TestXswPermutationSevenIsRejected (0.00s)
service_provider_test.go:1467: assertion failed:
expected error "cannot validate signature on Assertion: Signature could not be verified",
got "cannot validate signature on Assertion: crypto/rsa: verification error"
--- FAIL: TestXswPermutationEightIsRejected (0.00s)
```
This also happens in the automated dependabot pull request here: #607
Any idea what is causing this or how to fix it?
Differences between the two versions can be seen here:
https://github.com/russellhaering/goxmldsig/compare/v1.4.0...v1.5.0?diff=split&w
I tried some debugging, but the stack trace where the errors happen is completely different in v1.4.0 and v1.5.0.
v1.4.0:
github.com/russellhaering/goxmldsig@v1.4.0/validate.go:L265
```go
	if !bytes.Equal(digest, decodedDigestValue) {
		return nil, errors.New("Signature could not be verified")
	}
```
v1.5.0:
crypto/internal/fips140/rsa/pkcs1v15.go:L125
```go
	if !bytes.Equal(em, expected) {
		return ErrVerification
	}
```
The data for em and expected looks like this, it's not even the same length:
Line 265 in v1.4.0 is moved to line 356 in v1.5.0:
https://github.com/russellhaering/goxmldsig/compare/v1.4.0...v1.5.0?diff=split&w#diff-bbf4d9531c9f596bdac5b426ac47babf2ad4d4b0a2196e8f013de35ab8515886R356
But it never gets to line 356 in v1.5.0 because the new code in line 288 returns the rsa error:
```go
	err = cert.CheckSignature(algo, canonicalSignedInfoBytes, decodedSignature)
	if err != nil {
		return nil, err
	}
```
This is going too deep for me, so I'm giving up and hope someone can use the information to find a fix.
I'm not exactly sure what permutations are and what the purpose of the test is.
But I would guess it should fail at the same place, not be cut off earlier by something else?
- maybe the rsa key is not good enough and needs an update
- might be we just need to change the expected error string
- something completely different
good luck! 😄
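
A simplified model of the check-order change described in this issue, as an added example (not code from goxmldsig or from this repository): a document whose content and signature are both wrong is rejected under either order, but the reported error depends on which check is reported first. The names `doc`, `verify`, `demo` and `errDigest` are hypothetical, and the sample assertion strings are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var errDigest = errors.New("Signature could not be verified") // v1.4.0 text
// doc is a constructed stand-in: info = digest of content, sig signs info.
type doc struct{ content, info, sig []byte }

// verify runs both checks; sigFirst decides which failure is reported first.
func verify(pub *rsa.PublicKey, d doc, sigFirst bool) error {
	h, sum := sha256.Sum256(d.info), sha256.Sum256(d.content)
	sigErr := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], d.sig)
	if sigFirst && sigErr != nil {
		return sigErr
	}
	if !bytes.Equal(sum[:], d.info) {
		return errDigest
	}
	return sigErr
}

// demo signs a document, then swaps its content and damages the signature.
func demo() (digestFirst, sigFirst, intact error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	info := sha256.Sum256([]byte("<Assertion>alice</Assertion>"))
	h := sha256.Sum256(info[:])
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return err, err, err
	}
	good := doc{[]byte("<Assertion>alice</Assertion>"), info[:], sig}
	bad := doc{[]byte("<Assertion>bob</Assertion>"), info[:], bytes.Clone(sig)}
	bad.sig[0] ^= 0xff
	pub := &key.PublicKey
	return verify(pub, bad, false), verify(pub, bad, true), verify(pub, good, true)
}

func main() { fmt.Println(demo()) }
```

Both orders reject the tampered document and accept the intact one; only the error text differs, so an assertion on the exact string is sensitive to the order of the checks.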