[Fwd: Re: [xmlsec] Problem with ver 0.0.11]
Matthias Jung
matthias.jung@xtradyne.com
Wed, 04 Dec 2002 19:12:24 +0100
Aleksey,
I think I got your point. I will have a look in the spec later this evening.
I have tried your example using the expression
Unfortunately the digest value of this reference looks like an empty node set was passed to the digest algorithem.
(digest value: "2jmj7l5rSw0yVb/vlWAYkK/YBwk=" , typical sha1 digest of an empty input)
Validation of this signature does not fail because it does not sign any referenced data.
The xml document I used to test this expession has the same structure
than the one I have sent in the last mail.
Another xpointer expression failing in the new version (but did not in the old) is
<ds:Reference URI="#xmlns(soap-env=http://schemas.xmlsoap.org/soap/envelope/)xpointer(/soap-env:Envelope/soap-env:Body)">
To me it looks like a valid xpointer expression. Signing a SOAP envelope using this expession causes the same error than described in the last email.
(..\src\transforms.c:1181): error 4: xml operation failed : xmlXPtrEval(xmlns(soap-env=http://schemas.xmlsoap.org/soap/envelop...
Am I just to stupid to think out valid signature templates or is there really something wrong???
What do you think? (Oh, please don't say I am stupid ;-) )
Matthias
Aleksey Sanin wrote:
> Matthias,
>
> I believe you have a different issue. In you case there is a problem
> here:
>
> ....
>
> According to the spec [1] you have two possible options for the URI
> attribute:
> - use '#id' syntax where 'id' is an ID attribute of an element;
> - use '#xpointer(expr)' syntax where 'expr' is any valid xpointer
> expression.
> As far as I can understand the spec you are *not* allowed to use xpointer
> expressions in the '#id' syntax (there is a really simple reason for
> this: if this is
> allowed then XPointer could not decide what does '#1234' mean - is it a
> number or an ID attribute).
>
> The change in xmlsec library behavior was caused by the fix I put in
> [2] and I believe
> that the current way of processing Reference URI attribute is correct.
> You can
> get the same results as before by slightly changing your signature to:
>
>
> ....
>
>
> And explicitly adding C14N transform to exclude comments (if you wish
> to do so) because
> '#xpointer()' syntax *includes* all selected comments and '#id' does
> not (see [1] for details).
>
> I am sorry for inconvenience caused by this bug fix but I want to make
> xmlsec library
> as more standard complaint as I can.
>
> With best regards,
> Aleksey
>
> [1] http://www.w3.org/TR/xmldsig-core/#sec-URI
> [2] http://www.aleksey.com/pipermail/xmlsec/2002/000368.html
>
>
> Matthias Jung wrote:
>
>> Sorry, I can't agree to this.
>>
>> Signatures, passing validation using the command line tool of xmlsec
>> 0.0.10, will fail when they are verified with version 0.0.11
>> I receive following error message:
>>
>> F:\dev\dbc\Tests\XML\DSig>xmlsec verify --trusted CACert.pem
>> sig_xpointer_child_sequence_xmlsec.xml
>> (..\src\transforms.c:1181): error 4: xml operation failed :
>> xmlXPtrEval(/1/2)
>> (..\src\transforms.c:881): error 2: xmlsec operation failed :
>> xmlSecTransformStateParseUri(#/1/2
>> (..\src\xmldsig.c:1602): error 2: xmlsec operation failed :
>> xmlSecTransformStateCreate
>> (..\src\xmldsig.c:1476): error 2: xmlsec operation failed :
>> xmlSecReferenceRead - -1
>> (..\src\xmldsig.c:1175): error 2: xmlsec operation failed :
>> xmlSecSignedInfoRead - -1
>> (..\src\xmldsig.c:733): error 2: xmlsec operation failed :
>> xmlSecSignatureRead - -1
>> ERROR
>>
>> Verification of all of my tests using xpointer expressions in xmlsec
>> 0.0.11 fail, something seems to be wrong with xpointer evaluation
>> (strange because this is done by libxml).
>> I am quite sure that compiler flags are exactly the same than in the
>> old version. This should not be the problem.
>>
>> I have attached to this mail a signed xml-file from my testsuite and
>> the certificate file needed to verify the signature (hope they will
>> be posted too).
>> To see if this is an xmlsec problem or not, please check if the
>> signature is valid on your (Windows) xmlsec environment.
>>
>>
>> Cheers Matthias
>>
>
>
>