[xmlsec] Problem with ver 0.0.11
Aleksey Sanin
aleksey@aleksey.com
Wed, 04 Dec 2002 09:09:33 -0800
Matthias,
I believe you have a different issue. In your case there is a problem here:
<ds:Reference URI="#/1/2">
....
</ds:Reference>
According to the spec [1] you have two possible options for the URI
attribute:
- use '#id' syntax where 'id' is an ID attribute of an element;
- use '#xpointer(expr)' syntax where 'expr' is any valid xpointer
expression.
As far as I can understand the spec you are *not* allowed to use xpointer
expressions in the '#id' syntax (there is a really simple reason for this:
if this were allowed then XPointer could not decide what '#1234' means - is
it a number or an ID attribute).
The change in xmlsec library behavior was caused by the fix I put in [2],
and I believe that the current way of processing the Reference URI attribute
is correct. You can get the same results as before by slightly changing your
signature to:
<ds:Reference URI="#xpointer(/1/2)">
....
</ds:Reference>
And explicitly adding a C14N transform to exclude comments (if you wish to
do so), because the '#xpointer()' syntax *includes* all selected comments
and '#id' does not (see [1] for details).
I am sorry for the inconvenience caused by this bug fix, but I want to make
the xmlsec library as standards compliant as I can.
With best regards,
Aleksey
[1] http://www.w3.org/TR/xmldsig-core/#sec-URI
[2] http://www.aleksey.com/pipermail/xmlsec/2002/000368.html
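The distinction Aleksey draws above, as an added example that is not part of the original mail or of the xmlsec code: a small Python checker that accepts only the two Reference URI forms the spec allows ('#id' and '#xpointer(expr)'), rejects a bare '#/1/2' (and '#1234', which is not a name), and dereferences the selected element so that the comment handling of the two forms can be compared. The sample document, the 'Id' attribute name and the tiny XPointer subset (id('x') and child sequences such as /1/2) are assumptions of the example; xmlsec itself hands evaluation to libxml2's xmlXPtrEval.

```python
"""Constructed example: classify and dereference same-document XMLDSig Reference URIs.

Only a tiny XPointer subset is evaluated here (child sequences such as /1/2 and
id('x')); xmlsec delegates real evaluation to libxml2's xmlXPtrEval. The 'Id'
attribute name is an assumption, since ElementTree has no DTD to learn ID types from.
"""
import copy
import re
import xml.etree.ElementTree as ET

XPOINTER_RE = re.compile(r"^#xpointer\((.+)\)$", re.DOTALL)
# '#id' form: the fragment must be a name, so '#1234' and '#/1/2' are rejected.
ID_RE = re.compile(r"^#([A-Za-z_][\w.\-]*)$")
ID_ATTR = "Id"  # assumed attribute name carrying the ID


def classify_reference_uri(uri):
    """Return ('document', None), ('id', name) or ('xpointer', expr); raise on anything else."""
    if uri == "":
        return ("document", None)
    m = XPOINTER_RE.match(uri)
    if m:
        return ("xpointer", m.group(1))
    m = ID_RE.match(uri)
    if m:
        return ("id", m.group(1))
    raise ValueError("Reference URI is neither '#id' nor '#xpointer(expr)': %r" % uri)


def _parse_with_comments(xml_text):
    # TreeBuilder(insert_comments=True) keeps comments as elements whose tag is ET.Comment.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _find_by_id(root, name):
    for elem in root.iter():
        if elem.tag is not ET.Comment and elem.get(ID_ATTR) == name:
            return elem
    raise LookupError("no element with %s=%r" % (ID_ATTR, name))


def _eval_xpointer(root, expr):
    """Evaluate id('x') or a child sequence like /1/2 (element children only)."""
    m = re.match(r"^id\('([^']*)'\)$", expr)
    if m:
        return _find_by_id(root, m.group(1))
    if re.match(r"^(/[1-9]\d*)+$", expr):
        steps = [int(s) for s in expr.split("/")[1:]]
        if steps[0] != 1:  # /1 is the document element; there is no /2 at the top
            raise LookupError("child sequence %s selects nothing" % expr)
        node = root
        for n in steps[1:]:
            kids = [c for c in node if c.tag is not ET.Comment]
            if n > len(kids):
                raise LookupError("child sequence %s selects nothing" % expr)
            node = kids[n - 1]
        return node
    raise ValueError("XPointer expression not supported by this example: %r" % expr)


def _strip_comments(elem):
    """'#id' and empty-URI semantics: drop comment nodes but keep the text around them."""
    elem = copy.deepcopy(elem)
    doomed = [(p, c) for p in elem.iter() for c in list(p) if c.tag is ET.Comment]
    for parent, child in doomed:
        idx = list(parent).index(child)
        if child.tail:  # text following the comment belongs to the previous node
            if idx == 0:
                parent.text = (parent.text or "") + child.tail
            else:
                parent[idx - 1].tail = (parent[idx - 1].tail or "") + child.tail
        parent.remove(child)
    return elem


def _serialize(node):
    node = copy.deepcopy(node)
    node.tail = None  # do not leak whitespace that follows the selected element
    return ET.tostring(node, encoding="unicode")


def dereference(xml_text, uri):
    """Return the serialized node-set a Reference with this URI selects."""
    kind, value = classify_reference_uri(uri)
    root = _parse_with_comments(xml_text)
    if kind == "document":
        return _serialize(_strip_comments(root))
    if kind == "id":
        return _serialize(_strip_comments(_find_by_id(root, value)))
    return _serialize(_eval_xpointer(root, value))  # '#xpointer()' keeps comments


# Constructed sample document with comments inside the elements a Reference might select.
SAMPLE_XML = ('<Doc><Head Id="h1">title<!-- note -->text</Head>'
              '<Body Id="b1"><P>one</P><!-- hidden --><P>two</P></Body></Doc>')

if __name__ == "__main__":
    for uri in ("#b1", "#xpointer(id('b1'))", "#xpointer(/1/2)", "#/1/2"):
        try:
            print(uri, "->", dereference(SAMPLE_XML, uri))
        except ValueError as exc:
            print(uri, "-> rejected:", exc)
```

Running it shows why the two forms are not interchangeable: '#b1' and "#xpointer(id('b1'))" select the same element, but only the xpointer form carries the '<!-- hidden -->' comment into the digested bytes, which is exactly the case where an explicit C14N (without comments) transform is needed to reproduce the '#id' result.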
Matthias Jung wrote:
> Sorry, I can't agree to this.
>
> Signatures passing validation using the command line tool of xmlsec
> 0.0.10 will fail when they are verified with version 0.0.11.
> I receive the following error message:
>
> F:\dev\dbc\Tests\XML\DSig>xmlsec verify --trusted CACert.pem
> sig_xpointer_child_sequence_xmlsec.xml
> (..\src\transforms.c:1181): error 4: xml operation failed :
> xmlXPtrEval(/1/2)
> (..\src\transforms.c:881): error 2: xmlsec operation failed :
> xmlSecTransformStateParseUri(#/1/2
> (..\src\xmldsig.c:1602): error 2: xmlsec operation failed :
> xmlSecTransformStateCreate
> (..\src\xmldsig.c:1476): error 2: xmlsec operation failed :
> xmlSecReferenceRead - -1
> (..\src\xmldsig.c:1175): error 2: xmlsec operation failed :
> xmlSecSignedInfoRead - -1
> (..\src\xmldsig.c:733): error 2: xmlsec operation failed :
> xmlSecSignatureRead - -1
> ERROR
>
> Verification of all of my tests using xpointer expressions in xmlsec
> 0.0.11 fails; something seems to be wrong with xpointer evaluation
> (strange, because this is done by libxml).
> I am quite sure that the compiler flags are exactly the same as in the
> old version. This should not be the problem.
>
> I have attached to this mail a signed XML file from my test suite and
> the certificate file needed to verify the signature (hope they will be
> posted too).
> To see whether this is an xmlsec problem or not, please check if the
> signature is valid in your (Windows) xmlsec environment.
>
> Cheers, Matthias