[xmlsec] Ouch -- xpath again -- a bug this time, I think
Aleksey Sanin
aleksey at aleksey.com
Wed Aug 28 21:54:08 PDT 2002
Looks like there is a bug in the LibXML XPath engine. I'll forward it to the libxml mailing list and also take a look tomorrow.
Aleksey.
Moultrie, Ferrell (ISSAtlanta) wrote:
>Aleksey:
> I've validated a bunch of signatures with 0.0.8 and that's working
>well. However, I've found one signature that won't validate -- it
>appears to be an xpath failure -- xpath is selecting the wrong data. I
>can make a 1-character change *outside* of the data being signed (as
>verified by the buffer output from xmlsec) and make it work/fail -- and
>it makes no sense whatsoever.
> The attached files differ by only one character -- a newline at the
>end of the node being signed (but *after* the closing tag). If the
>newline is present, the xpath transform fails with:
>
>(d:\projects\thirdparty\xmlsoft-org-build-trees\xmlsec-0.0.8\src\xmldsig.c:1441): error 34: invalid reference :
>If the newline is absent, the xpath transform works (as do all the
>others I've tried).
> Running a very simple xmlsec command will show the good and bad
>results:
> xmlsec verify --print-all dereg1.xml <<bad>>
> xmlsec verify --print-all dereg2.xml <<good>>
>I've stepped through a bunch of the code looking for what's going on but
>I obviously don't understand the code well enough yet to know more than
>that the transform is returning the wrong data (an xml subset of the
>correct data). If you can figure out what's going on here it would
>greatly improve my life -- this has been a wild ride today!
>Thanks!
> Ferrell
>
>=====================================
>Ferrell Moultrie (ferrell at iss.net)
>Software Engineer
>
>Internet Security Systems, Inc.
>6303 Barfield Road
>Atlanta, Georgia 30328
>Phone: 404-236-2600
>Direct: 404-236-2849
>Fax: 404-236-2632
>http://www.iss.net
>
>Internet Security Systems -- The Power to Protect
>=====================================
>
>
>------------------------------------------------------------------------
>
><?xml version="1.0"?>
><ISSKeys Source="ISS Atlanta"><!-- TestKey ISS keygen -->
><EndUsers><EndUser Address1="666 Rockets way" Address2="Apt. B" City="Scienceville" CompanyName="Spacely Sprockets" Country="USA" Email="gjetson at sprokets.net" Id="424ea53e-b226-11d6-9cbb-91339fef79f0" PostCode="12345678 OP" State="Disturbed" SubjectName="George Jetson" Title="Whipping Boy"><Version>1.0</Version><OCN>111111</OCN><Source>ISS Atlanta</Source><Serial>9BB60667-7810-A0E4-5C92-2C72A9699370</Serial><Timestamp>2002-08-17 17:14:04</Timestamp><sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
><sig:SignedInfo>
><sig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
><sig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
><sig:Reference URI="">
><sig:Transforms>
><sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
><sig:XPath>
>not(ancestor-or-self::sig:Signature)
> and (
> (ancestor::node() = /ISSKeys/EndUsers[1]/child::EndUser[@Id='424ea53e-b226-11d6-9cbb-91339fef79f0'])
>)
></sig:XPath>
></sig:Transform>
><sig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
></sig:Transforms>
><sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
><sig:DigestValue>3fsXwkDTCtWuYNadHVTSbTg6yeA=</sig:DigestValue>
></sig:Reference>
></sig:SignedInfo>
><sig:SignatureValue>
>xZmkkvAssRopw+QDt1w/wxgvQmVbitadPL1gbWou73cuhD+r6m1xaQf4TZhpfsyGddO0cnHZ65NP
>Y2TvmVzwWJiJiZ9qqTvcdxHnbuihZhWb8Stu2nh3GDLS6aCpRW2dv3zSj4hgRHGmPqjpATq+lWrO
>57igjO05UT6ppXOkmhM=
></sig:SignatureValue>
><sig:KeyInfo>
><sig:KeyValue>
><sig:RSAKeyValue>
><sig:Modulus>
>7CeDV7ApjGtmML8LGCS0/vrFcVe3Q2UnvrJXWlYedHmcYRUqPqtcyYuPzwSLqIEwFl7NQjbubnZK
>vlkfkRdKnRpbPhA0m1HxURmhZhGl7joTOMbpx3kgEctFo1Xbq0WZVK07XhPqsr3eIJ+K8u6UCe4k
>8IeHud0KF17TKp/iGIE=
></sig:Modulus>
><sig:Exponent>AQAB</sig:Exponent>
></sig:RSAKeyValue>
></sig:KeyValue>
></sig:KeyInfo>
></sig:Signature></EndUser></EndUsers></ISSKeys>
>
>
>------------------------------------------------------------------------
>
><?xml version="1.0"?>
><ISSKeys Source="ISS Atlanta"><!-- TestKey ISS keygen -->
><EndUsers><EndUser Address1="666 Rockets way" Address2="Apt. B" City="Scienceville" CompanyName="Spacely Sprockets" Country="USA" Email="gjetson at sprokets.net" Id="424ea53e-b226-11d6-9cbb-91339fef79f0" PostCode="12345678 OP" State="Disturbed" SubjectName="George Jetson" Title="Whipping Boy"><Version>1.0</Version><OCN>111111</OCN><Source>ISS Atlanta</Source><Serial>9BB60667-7810-A0E4-5C92-2C72A9699370</Serial><Timestamp>2002-08-17 17:14:04</Timestamp><sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
><sig:SignedInfo>
><sig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
><sig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
><sig:Reference URI="">
><sig:Transforms>
><sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
><sig:XPath>
>not(ancestor-or-self::sig:Signature)
> and (
> (ancestor::node() = /ISSKeys/EndUsers[1]/child::EndUser[@Id='424ea53e-b226-11d6-9cbb-91339fef79f0'])
>)
></sig:XPath>
></sig:Transform>
><sig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
></sig:Transforms>
><sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
><sig:DigestValue>3fsXwkDTCtWuYNadHVTSbTg6yeA=</sig:DigestValue>
></sig:Reference>
></sig:SignedInfo>
><sig:SignatureValue>
>xZmkkvAssRopw+QDt1w/wxgvQmVbitadPL1gbWou73cuhD+r6m1xaQf4TZhpfsyGddO0cnHZ65NP
>Y2TvmVzwWJiJiZ9qqTvcdxHnbuihZhWb8Stu2nh3GDLS6aCpRW2dv3zSj4hgRHGmPqjpATq+lWrO
>57igjO05UT6ppXOkmhM=
></sig:SignatureValue>
><sig:KeyInfo>
><sig:KeyValue>
><sig:RSAKeyValue>
><sig:Modulus>
>7CeDV7ApjGtmML8LGCS0/vrFcVe3Q2UnvrJXWlYedHmcYRUqPqtcyYuPzwSLqIEwFl7NQjbubnZK
>vlkfkRdKnRpbPhA0m1HxURmhZhGl7joTOMbpx3kgEctFo1Xbq0WZVK07XhPqsr3eIJ+K8u6UCe4k
>8IeHud0KF17TKp/iGIE=
></sig:Modulus>
><sig:Exponent>AQAB</sig:Exponent>
></sig:RSAKeyValue>
></sig:KeyValue>
></sig:KeyInfo>
></sig:Signature></EndUser>
></EndUsers></ISSKeys>
>
>
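The following is an added example, not code from this thread, from xmlsec or from libxml. It evaluates the attachments' XPath filter expression by hand under the XPath 1.0 rules, over two constructed, trimmed copies of the attached documents that differ only by the newline after `</EndUser>` (key material and the long `SignedInfo` are left out; the `Id` value is the one from the attachments). The point it shows: in XPath 1.0, `=` between two node-sets is true when some node on each side has the same string-value, so `ancestor::node() = /ISSKeys/EndUsers[1]/child::EndUser[...]` is a content comparison, not a test that the target is an ancestor. The `EndUser` element itself is selected only because its parent `EndUsers` happens to have the same string-value; the extra whitespace text node changes that string-value, so the element drops out of the node-set while its attributes and children stay, which is the sort of "subset of the correct data" change in the canonical output that a one-byte edit outside the signed element can produce. For contrast, the block also runs the identity-based `count(ancestor-or-self::node() | target) = count(ancestor-or-self::node())` idiom from the XML-DSig XPath filtering section, which selects the same node-set in both documents. The `make_doc`, `thread_filter` and `identity_filter` names are this example's own.

```python
"""Added example, not code from the thread or from xmlsec: evaluate the attachments'
XPath filter by hand under XPath 1.0 rules, on two constructed documents that differ
only by the newline after </EndUser>."""
from xml.dom import minidom, Node

NS_DSIG = "http://www.w3.org/2000/09/xmldsig#"
END_USER_ID = "424ea53e-b226-11d6-9cbb-91339fef79f0"  # Id value used in the thread


def make_doc(after_end_user):
    """Constructed, trimmed copy of the attachments: key material and most of
    SignedInfo dropped; the comment and newline after <ISSKeys> and the children
    of <EndUser> kept. after_end_user is the text that follows </EndUser>."""
    return ('<?xml version="1.0"?>\n'
            '<ISSKeys Source="ISS Atlanta"><!-- TestKey ISS keygen -->\n'
            '<EndUsers><EndUser Id="' + END_USER_ID + '" SubjectName="George Jetson">'
            '<Version>1.0</Version><OCN>111111</OCN>'
            '<sig:Signature xmlns:sig="' + NS_DSIG + '"><sig:SignedInfo/></sig:Signature>'
            '</EndUser>' + after_end_user + '</EndUsers></ISSKeys>')


DOC_NO_NEWLINE = make_doc("")
DOC_WITH_NEWLINE = make_doc("\n")
_CONTAINERS = (Node.ELEMENT_NODE, Node.DOCUMENT_NODE)
_TEXTUAL = (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)


def string_value(node):
    """XPath 1.0 string-value: data of a text/comment node, value of an attribute,
    and for element/document nodes all descendant text concatenated (comments and
    attributes do not contribute)."""
    if node.nodeType in _TEXTUAL or node.nodeType == Node.COMMENT_NODE:
        return node.data
    if node.nodeType == Node.ATTRIBUTE_NODE:
        return node.value
    return "".join(string_value(c) for c in node.childNodes
                   if c.nodeType in _TEXTUAL or c.nodeType == Node.ELEMENT_NODE)


def document_order(node):
    """Node, its attributes, then its subtree: the nodes an XPath transform evaluates
    the expression against (namespace nodes skipped; they do not change the outcome).
    minidom gives each Attr a Text child, so only elements/documents are descended."""
    yield node
    if node.nodeType == Node.ELEMENT_NODE:
        yield from node.attributes.values()
    if node.nodeType in _CONTAINERS:
        for child in node.childNodes:
            yield from document_order(child)


def ancestors(node):
    """ancestor::node(); an attribute's XPath parent is its owner element."""
    cur = node.ownerElement if node.nodeType == Node.ATTRIBUTE_NODE else node.parentNode
    while cur is not None:
        yield cur
        cur = cur.parentNode


def inside_signature(node):
    """ancestor-or-self::sig:Signature is non-empty."""
    return any(n.nodeType == Node.ELEMENT_NODE and n.namespaceURI == NS_DSIG
               and n.localName == "Signature" for n in [node, *ancestors(node)])


def find_end_user(doc, end_user_id):
    """/ISSKeys/EndUsers[1]/child::EndUser[@Id='...'] for this trimmed layout."""
    for el in doc.getElementsByTagName("EndUser"):
        if el.getAttribute("Id") == end_user_id:
            return el
    raise LookupError(end_user_id)


def thread_filter(node, target):
    """The attachments' expression:
       not(ancestor-or-self::sig:Signature) and (ancestor::node() = <target>)
    XPath 1.0 '=' on two node-sets is true when SOME pair has equal string-values:
    a content comparison, not a node-identity test."""
    if inside_signature(node):
        return False
    target_sv = string_value(target)
    return any(string_value(a) == target_sv for a in ancestors(node))


def identity_filter(node, target):
    """Identity-based alternative, the XML-DSig spec idiom
       count(ancestor-or-self::node() | <target>) = count(ancestor-or-self::node())
    which holds exactly when <target> is the node itself or one of its ancestors."""
    if inside_signature(node):
        return False
    return any(n is target for n in [node, *ancestors(node)])


def selected_nodes(xml_text, predicate=thread_filter, end_user_id=END_USER_ID):
    """The node-set the XPath transform passes on to the canonicalization step."""
    doc = minidom.parseString(xml_text)
    target = find_end_user(doc, end_user_id)
    return [n for n in document_order(doc) if predicate(n, target)]


def end_user_element_selected(xml_text, predicate=thread_filter):
    """Does the EndUser element node itself survive the filter?"""
    return any(n.nodeType == Node.ELEMENT_NODE and n.tagName == "EndUser"
               for n in selected_nodes(xml_text, predicate))


if __name__ == "__main__":
    for name, text in (("no newline", DOC_NO_NEWLINE), ("newline after </EndUser>", DOC_WITH_NEWLINE)):
        for pred in (thread_filter, identity_filter):
            kept = "kept" if end_user_element_selected(text, pred) else "DROPPED"
            print(f"{name:>24} | {pred.__name__:16} | {len(selected_nodes(text, pred))} nodes, "
                  f"EndUser element {kept}")
```

With the thread's expression the selected set is 7 nodes without the newline (the `EndUser` element, its two attributes, `Version`, `OCN` and their text) and 6 with it (the element itself is gone); the identity-based filter selects the same 7 nodes in both documents. A filter whose result depends on the string-value of nodes outside the signed subtree makes the signed node-set sensitive to bytes the signer never meant to cover, which is why identity-based selection is the safer way to write such a transform.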