[xmlsec] Re: xmlsec question - empty node set from XPath

[Aleksey Sanin]

Hi, Moultrie!

I don't think that this is a library business to determine does the 
signature
actually signs something or not. From a formal point of view the signature
*is* valid! And empty XPath result is only one possible way of getting
"empty" signature (for example, you are signing a de-attached file and 
it is empty).
 XMLSec library provides the application  a very simple way of getting 
actual
signed data (in the xmlsec application you see this with "--print-all" 
option).
And I believe that the application should be responsible for checking this
because of an old rule "sign what you see".

Aleksey

Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  In xpath.c [line 594] you check if the result of the XPath Transform is
>NULL. Should it not also check if the node set is empty, i.e.,
>    if((*nodes) == NULL || (*nodes)->nodeNr == 0) {
>  It's quite possible (easy even) to mistakenly code an XPath Transform that
>selects nothing. The result is that Apache dutifully signs nothing and
>xmlsec verifies nothing. Thus, nothing is being verified even though there
>is the appearance that the document content is valid. The only clue you get
>to this is running xmlsec in --print-all mode doesn't print a content buffer
>because there isn't one. Is the case of an empty Transform result defined to
>work this way or can/should xmlsec reject it as a flawed Transform?
>Thanks!
>  Ferrell
>
>=====================================
>Ferrell Moultrie (ferrell at iss.net)
>Software Engineer
>
>Internet Security Systems, Inc.
>6303 Barfield Road
>Atlanta, Georgia 30328
>Phone:  404-236-2600
>Direct: 404-236-2849
>Fax:    404-236-2632
>http://www.iss.net
>
>Internet Security Systems -- The Power to Protect
>=====================================
>  
>