[xmlsec] Problem with ver 0.0.11
Matthias Jung
matthias.jung@xtradyne.com
Wed, 04 Dec 2002 17:34:32 +0100
Sorry, I can't agree to this.
Signatures, passing validation using the command line tool of xmlsec
0.0.10, will fail when they are verified with version 0.0.11.
I receive the following error message:
F:\dev\dbc\Tests\XML\DSig>xmlsec verify --trusted CACert.pem sig_xpointer_child_sequence_xmlsec.xml
(..\src\transforms.c:1181): error 4: xml operation failed : xmlXPtrEval(/1/2)
(..\src\transforms.c:881): error 2: xmlsec operation failed : xmlSecTransformStateParseUri(#/1/2
(..\src\xmldsig.c:1602): error 2: xmlsec operation failed : xmlSecTransformStateCreate
(..\src\xmldsig.c:1476): error 2: xmlsec operation failed : xmlSecReferenceRead - -1
(..\src\xmldsig.c:1175): error 2: xmlsec operation failed : xmlSecSignedInfoRead - -1
(..\src\xmldsig.c:733): error 2: xmlsec operation failed : xmlSecSignatureRead - -1
ERROR
Verification of all of my tests using xpointer expressions in xmlsec
0.0.11 fails; something seems to be wrong with xpointer evaluation
(strange because this is done by libxml).
I am quite sure that compiler flags are exactly the same as in the old
version. This should not be the problem.
I have attached to this mail a signed xml-file from my testsuite and the
certificate file needed to verify the signature (hope they will be
posted too).
To see if this is an xmlsec problem or not, please check if the
signature is valid on your (Windows) xmlsec environment.
Cheers Matthias
Aleksey Sanin wrote:
> It is a known problem with Windows builds. Please make sure that
> you compile your application with *exactly* the same compiler/linker
> flags as ones used for libxml and xmlsec libraries compilation.
>
> Otherwise it just does not work because external variables declared
> in the xmlsec library have NULL values for some reasons known
> only to Igor and the creators of MS VC.
>
> Another possible way is to try to link xmlsec/libxml/openssl libraries
> statically. At least this works on my Windows box :)
>
> Aleksey.
>
>
> kltsai wrote:
>
>> Hi Aleksey Sanin:
>>
>> I sign an XML signature with the following template with the
>> default dsakey.pem: (testApp sign --privkey dsakey.pem sample1.xml > kltsai6.xml)
>>
>> ==========================================================================
>>
>> <?xml version="1.0"?>
>> <IFX>
>> <Data1 Id="anchor1">
>> <Name>May</Name>
>> </Data1>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="kenny@a.b.c">
>> <SignedInfo>
>> <CanonicalizationMethod
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
>> <SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
>> <Reference URI="#xpointer(/)">
>> <Transforms>
>> <Transform
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
>> />
>> </Transforms>
>> <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>> <DigestValue></DigestValue>
>> </Reference>
>> </SignedInfo>
>> <SignatureValue/>
>> <KeyInfo>
>> <KeyValue/>
>> </KeyInfo>
>> </Signature></IFX>
>> ==========================================================================
>>
>>
>>
>>
>> And then I got the following result signature:
>>
>>
>>
>>
>> ==========================================================================
>>
>> <?xml version="1.0"?>
>> <IFX>
>> <Data1 Id="anchor1">
>> <Name>May</Name>
>> </Data1>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="kenny@a.b.c">
>> <SignedInfo>
>> <CanonicalizationMethod
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>> <SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
>> <Reference URI="#xpointer(/)">
>> <Transforms>
>> <Transform
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>>
>> </Transforms>
>> <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <DigestValue>4x8bEd1KuMZOF4Yvyt9Eh3Y/9hs=</DigestValue>
>> </Reference>
>> </SignedInfo>
>>
>> <SignatureValue>jpbFT2G7aKr5WnZ3zoIXC8eAtwgn6lSqkDYgbuhdT8NguZb6tZKmxA==</SignatureValue>
>>
>> <KeyInfo>
>> <KeyValue>
>> <DSAKeyValue>
>> <P>
>> imW6KYBPYXAf6itSAuYs1aLPfs8/vBEiusv/pl1XMiuMvB7vyiJgSj8/NTkRci/U
>> X/rVXv8rbCRjvYFX3x5/53f4hc6HKz7JQI4qqB7Fl5N86zp+BsQxNQ4tzous9S2H
>> Td2/zdTwVsvO+H9l3FahmVp/m2IHE4W27JYoF49qP10=
>> </P>
>> <Q>
>> v/xzWqjRviekk2rMW3wpYspT9Us=
>> </Q>
>> <G>
>> UIyzUDlLe6uCCgF4Rh98fiKZvg64UJ4FM5L+WbCSMmVsFN06fTwxy3naPPOCzzou
>> fsHv/Bve2gvrDvd078oXWJJf9A44pIZnJkdjEhm2RsDFpXNq0tPKZFcjVsdmqg4M
>> X6YNuwpvZuTwSoDG5u1QMN0mmH9gmbIT3j9x4MO+7EY=
>> </G>
>> <Y>
>> On+KBJE3q1TRhG9RspNX01VI5C0VzSy4N/QyC4YzEENoq3GJkKHIYq+grq9ZqV9x
>> g2Geo/3mqhdcENOtYRmWEfOZJj18oukD6TNceYRZ4HjHjK3WY3wK2OV6QOly+k3f
>> xgEQpP/7IlCka5YICLuHXrbqjn5b0XcK9L2GDtWOyjs=
>> </Y>
>> </DSAKeyValue>
>> </KeyValue>
>> </KeyInfo>
>> </Signature></IFX>
>> ==========================================================================
>>
>>
>> The signing procedure signed silently and successfully. However, the
>> signature seemed wrong because I use "testApp verify kltsai6.xml",
>> and it shows some errors:
>>
>> C:\temp\xmlsec-0.0.11\TestApp\Release>testapp verify kltsai6.xml
>> (C:\temp\xmlsec-0.0.11\src\xmldsig.c:1493): error 51: invalid
>> reference :
>> ==========================================================================
>> = Status:
>> == Signatures ok: 0
>> == Signatures fail: 1
>> == SignedInfo Ref ok: 0
>> == SignedInfo Ref fail: 1
>> == Manifest Ref ok: 0
>> == Manifest Ref fail: 0
>> FAIL
>> Error: operation failed
>> ==========================================================================
>>
>>
>> I really had no idea, could anyone tell me what happened? Thanks a
>> million~~
>>
>>
>>
>> kltsai
>>
>>
>>
Attachment: sig_xpointer_child_sequence_xmlsec.xml
<?xml version="1.0"?>
<soap-env:Envelope xmlns="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
<soap-env:Header>
<wsse:Security>
<sci:SamlToken xmlns:sci="http://www.xtradyne.com/sci"/>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#/1/2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>STQ9G1ynPwjTt+ARCYo9MoHX1+s=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#/1/1/1/1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>To2Zw32ZPh+izDAq1R9VVwZ8IZQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>1/NrtteA13uuuIIKHkbtssXy2wNybxjkI03Ap0XGBXemsJWepSEGHDwKxfRull+N/RvfPiXfy1U4YnW6Z7MiHLtglUdk2M1YGzwG/lYphGmXILVHA6AIV6Ft45AxJES0JbkpwHIXKy6e9Bz9yWj0TqB2Nc9ssaWdR2urVajiZew=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap-env:Header>
<soap-env:Body>
<ns1:employNewMessenger xmlns:ns1="urn:CityCycle" soap-env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<id>Smith</id>
<name>Smith</name>
<firstName>John</firstName>
<address>Hudtwalker Strasse 10,20000 Hamburg</address>
</ns1:employNewMessenger>
</soap-env:Body>
</soap-env:Envelope>
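What the two references in the attached file, `#/1/2` and `#/1/1/1/1`, are expected to select, shown as an added example that is not part of the original mail or of xmlsec: a small Python resolver for bare child-sequence fragments, run over a constructed, trimmed copy of the attachment's element layout. The function names, the trimmed sample and the extra dangling `#/1/3` reference are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: same element layout as the attached SOAP message, with
# digests, signature value and certificate left out. "#/1/3" is added here to
# show a reference that selects nothing.
SAMPLE = """<soap-env:Envelope
    xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
  <!-- comments and text nodes are not counted by a child sequence -->
  <soap-env:Header><wsse:Security>
    <sci:SamlToken xmlns:sci="http://www.xtradyne.com/sci"/>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#/1/2"/>
      <ds:Reference URI="#/1/1/1/1"/>
      <ds:Reference URI="#/1/3"/>
    </ds:SignedInfo></ds:Signature>
  </wsse:Security></soap-env:Header>
  <soap-env:Body><id>Smith</id></soap-env:Body>
</soap-env:Envelope>"""


def resolve_child_sequence(root, uri):
    """Return the element selected by a URI such as '#/1/2', or None."""
    if not uri.startswith("#/"):
        raise ValueError("not a bare child sequence: %r" % uri)
    steps = uri[2:].split("/")
    if not all(s.isdecimal() and int(s) >= 1 for s in steps):
        raise ValueError("malformed child sequence: %r" % uri)
    # The first step counts element children of the document node,
    # and a document has exactly one: the root element.
    if int(steps[0]) != 1:
        return None
    node = root
    for step in steps[1:]:
        children = list(node)  # element children only, in document order
        if int(step) > len(children):
            return None
        node = children[int(step) - 1]
    return node


def signed_targets(xml_text):
    """Map each ds:Reference URI to the tag it selects (None if nothing)."""
    root = ET.fromstring(xml_text)
    targets = {}
    for ref in root.iter("{%s}Reference" % DS_NS):
        node = resolve_child_sequence(root, ref.get("URI", ""))
        targets[ref.get("URI")] = None if node is None else node.tag
    return targets
```

On this layout `#/1/2` selects the SOAP Body and `#/1/1/1/1` selects the SamlToken element, so a verifier that evaluates the child sequences correctly should digest exactly those two subtrees.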