[xmlsec] Ouch -- xpath again -- a bug this time, I think

Moultrie, Ferrell (ISSAtlanta) FMoultrie@iss.net
Thu, 29 Aug 2002 00:12:05 -0400


Aleksey:
  I've validated a bunch of signatures with 0.0.8 and that's working
well. However, I've found one signature that won't validate -- it
appears to be an xpath failure -- xpath is selecting the wrong data. I
can make a 1-character change *outside* of the data being signed (as
verified by the buffer output from xmlsec) and make it work/fail -- and
it makes no sense whatsoever.
  The attached files differ by only one character -- a newline at the
end of the node being signed (but *after* the closing tag). If the
newline is present, the xpath transform fails with:
(d:\projects\thirdparty\xmlsoft-org-build-trees\xmlsec-0.0.8\src\xmldsig.c:1441): error 34: invalid reference :
If the newline is absent, the xpath transform works (as do all the
others I've tried).
  Running a very simple xmlsec command will show the good and bad
results:
   xmlsec verify --print-all dereg1.xml  <<bad>>
   xmlsec verify --print-all dereg2.xml  <<good>>
I've stepped through a bunch of the code looking for what's going on but
I obviously don't understand the code well enough yet to know more than
that the transform is returning the wrong data (an xml subset of the
correct data). If you can figure out what's going on here it would
greatly improve my life -- this has been a wild ride today!
Thanks!
  Ferrell

=====================================
Ferrell Moultrie (ferrell@iss.net)
Software Engineer

Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328
Phone:  404-236-2600
Direct: 404-236-2849
Fax:    404-236-2632
http://www.iss.net

Internet Security Systems -- The Power to Protect
=====================================
