Test DS/signed/all.sh failing when using xmlsec1 1.3.7-1

[dodys]

Currently for Ubuntu 25.10, xmlsec1 is updated from 1.2.41-1 to 1.3.7-1.
For openscap this is causing one test to fail:

test 15
      Start 15: DS/signed/all.sh

15: Test command: /home/ubuntu/openscap-1.4.2+dfsg/tests/DS/signed/all.sh
15: Working Directory: /home/ubuntu/openscap-1.4.2+dfsg/build-py3.13/tests/DS/signed
15: Environment variables: 
15:  srcdir=/home/ubuntu/openscap-1.4.2+dfsg/tests/DS/signed
15:  top_srcdir=/home/ubuntu/openscap-1.4.2+dfsg
15:  builddir=/home/ubuntu/openscap-1.4.2+dfsg/build-py3.13
15: Test timeout computed to be: 10000000
15: Test a signed SCAP source data stream with a valid signature
15/36 Test #15: DS/signed/all.sh ................................***Failed    0.11 sec
...
The following tests FAILED:
	 15 - DS/signed/all.sh (Failed)

When manually executing the built oscap test, I get:

$ bash /home/ubuntu/openscap-1.4.2+dfsg/build-py3.13/run /home/ubuntu/openscap-1.4.2+dfsg/build-py3.13/utils/oscap xccdf eval --verbose DEVEL --verbose-log-file /tmp/tmp.t9w6eF4Hch --results-arf /tmp/tmp.lsJDvJ8oTM /home/ubuntu/openscap-1.4.2+dfsg/tests/DS/signed/simple_ds_valid_sign.xml
func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=135:obj=unknown:subj=unknown:error=27:unexpected node:node=KeyValue
func=xmlSecKeysMngrGetKey:file=keys.c:line=1344:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=537:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=357:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed: 
OpenSCAP Error: Signature verification failed [./src/source/signature.c:199]
Invalid signature in SCAP Source Datastream (1.3) content in /home/ubuntu/openscap-1.4.2+dfsg/tests/DS/signed/simple_ds_valid_sign.xml [./src/XCCDF/xccdf_session.c:888]

Any ideas on this? It is a big jump in xmlsec1 version and there are plenty incompatibilities.

[dodys]

@evgenyz fyi

[evgenyz]

This could be related: lsh123/xmlsec#708

[evgenyz]

Or this: lsh123/xmlsec#724

[evgenyz]

Can you please check what xmlsec1 --verify --id-attr component --id-attr data-stream simple_ds_valid_sign.xml does?

[evgenyz]

Also worth trying: xmlsec1 --verify --enabled-key-data rsa --enabled-key-data key-value --id-attr component --id-attr data-stream simple_ds_valid_sign.xml

[dodys]

Can you please check what xmlsec1 --verify --id-attr component --id-attr data-stream simple_ds_valid_sign.xml does?

$ xmlsec1 --verify --id-attr component --id-attr data-stream tests/DS/signed/simple_ds_valid_sign.xml 
Verification status: FAILED
Failure reason: KEY-NOT-FOUND
Error: failed to verify file "tests/DS/signed/simple_ds_valid_sign.xml"

[dodys]

Also worth trying: xmlsec1 --verify --enabled-key-data rsa --enabled-key-data key-value --id-attr component --id-attr data-stream simple_ds_valid_sign.xml

$ xmlsec1 --verify --enabled-key-data rsa --enabled-key-data key-value --id-attr component --id-attr data-stream tests/DS/signed/simple_ds_valid_sign.xml
Verification status: OK

[evgenyz]

Aha, so it is lsh123/xmlsec#724. Thanks!

[evgenyz]

Note to myself: we need to use keyInfoCtx->enabledKeyData in order to enable this feature.

[evgenyz]

Also note to myself: https://groups.google.com/a/list.nist.gov/g/scap-dev/c/XugR6yvBws8