Upstream commit aaf82cc broke xmlSecKeyInfoNodeRead(), at least for the openssl crypto provider. Here is the problem: In xmlSecOpenSSLX509DataNodeRead (src/openssl/x509.c:910) there is a loop that iterates over the child nodes. Before the commit there was an error check INSIDE THE LOOP. Here is what it used to be: if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), xmlSecErrorsSafeString(xmlSecNodeGetName(cur)), XMLSEC_ERRORS_R_XMLSEC_FAILED, "read node failed"); return(-1); } Now with the commit each of the calls in the loop has it own error reporting code, for example: if(ret < 0) { xmlSecInternalError2("xmlSecOpenSSLX509CertificateNodeRead", xmlSecKeyDataGetName(data), "node=%s", xmlSecErrorsSafeString(xmlSecNodeGetName(cur))); } However there are NO return(-1); statements inside any of the error checks, nor does the `xmlSecInternalError2` macro execute a return. The consequence is the loop terminates despite errors and executes return(0); just prior to exiting the function. The net result is that errors are no longer reported, the function always returns success. I have not reviewed the rest of the commit to see if a similar mistake was made in any of the other crypto providers.
fixed in this upstream commit: https://github.com/lsh123/xmlsec/commit/b16512bab8c2e006036b7ec5a1fbbff35fe67e94
xmlsec1-1.2.25-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e26d7e7396
xmlsec1-1.2.25-4.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e26d7e7396
xmlsec1-1.2.25-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.