[xmlsec] signing failure with 0.0.13 that work with 0.0.10
Moultrie, Ferrell (ISSAtlanta)
FMoultrie@iss.net
Wed, 19 Mar 2003 13:18:26 -0500
Aleksey:
Looking at the base code in 0.0.10 and the changes I sent you for
XPath support (--node-xpath) versus what is in 0.0.13, I see what is
causing the problem. In 0.0.10, the command line argument pointed to an
element that contained the Signature node. The code then called
xmlSecFindNode to locate the Signature node within that element. The
0.0.13 code however expects that the --node-xpath (or --node-name or
--node-id) points to the Signature node itself. Personally, I find this
to be a lot more difficult to use than the previous plan although it
does allow the Signature node to be called something besides Signature
(although I thought the spec said it had to be called Signature).
What was the rationale behind this change and would you consider
changing it back? The change to restore the semantic of what node is
actually being specified would be easy to implement in findStartNode()
but I wanted to see why you changed this before I mucked with the code.
Thanks!
Ferrell
-----Original Message-----
From: Aleksey Sanin [mailto:aleksey@aleksey.com]
Sent: Tuesday, March 18, 2003 7:26 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] signing failure with 0.0.13 that work with 0.0.10
Hi, Ferrell!
The error you have says that instead of expected <dsig:Signature> node
in the xmlSecDSigGenerate() function you've got something else. Using
"testXPath" utility from LibXML package I can confirm that:
[aleksey@lsh ferrel]$ ./testXPath --input test-signed.xml "//Contact[1]"
Object is a Node Set :
Set contains 1 nodes:
1 ELEMENT Contact
ATTRIBUTE Id
TEXT
content=f6b1af52-0ba8-11d7-87ec-c3c034e4ae6a
As you can see, you have selected a wrong "start node" (Contact instead of
<dsig:Signature>). Simply changing the XPath expression helps:
[aleksey@lsh ferrel]$ ./testXPath --input test-signed.xml "//Contact/*[6]"
Object is a Node Set :
Set contains 1 nodes:
1 ELEMENT sig:Signature
namespace sig href=http://www.w3.org/2000/09/xmldsig#
[aleksey@lsh ferrel]$ xmlsec sign --node-xpath '//Contact/*[6]' --privkey rsakey.pem test-signed.xml
<?xml version="1.0" encoding="UTF-8"?>
<Keys Source="Atlanta"><!-- generated TestKey keygen --><Contacts><Contact Id="f6b1af52-0ba8-11d7-87ec-c3c034e4ae6a">
....
From my point of view, your original XPath expression to select the
<dsig:Signature> node is incorrect and I am not sure that I understand how
it used to work. Maybe there was a bug in LibXML and you got it fixed with
the new LibXML version.
With best regards,
Aleksey
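The two selector semantics discussed in this thread (0.0.10 searching for the Signature inside the selected element, 0.0.13 requiring the selection to be the Signature itself) and Aleksey's "check what the start node actually is" diagnosis, worked through as an added Python example that is not part of this thread or of xmlsec. The sample document, its child elements other than Contact and Signature, and the function names are constructed for illustration; the stdlib ElementTree path syntax stands in for the XPath the real tool evaluates.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = "{%s}Signature" % DSIG_NS

# Constructed sample modelled on the thread's test-signed.xml (not the real file):
# the Signature template is the sixth child of the Contact element.
SAMPLE_XML = """<Keys Source="Atlanta"><!-- generated TestKey keygen --><Contacts>
<Contact Id="f6b1af52-0ba8-11d7-87ec-c3c034e4ae6a">
  <Name>example</Name><Phone/><Email/><Fax/><Notes/>
  <sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
    <sig:SignedInfo/><sig:SignatureValue/>
  </sig:Signature>
</Contact></Contacts></Keys>"""


def parse_sample():
    return ET.fromstring(SAMPLE_XML)


def find_start_node(root, path, search_inside):
    """Resolve a --node-xpath style selector to the dsig:Signature element.

    path is an ElementTree path (the XPath subset the stdlib supports).
    search_inside=True  mimics 0.0.10: the selection is a container and
                        the Signature is looked up inside it.
    search_inside=False mimics 0.0.13: the selection must be the Signature.
    Errors name the element actually selected, which is the check that
    makes the thread's "got something else" failure diagnosable.
    """
    start = root.find(path)
    if start is None:
        raise ValueError("selector %r matched no element" % path)
    if start.tag == SIG_TAG:        # namespace is checked, not just the name
        return start
    if not search_inside:
        raise ValueError("expected dsig:Signature, got <%s>" % start.tag)
    sig = start.find(".//" + SIG_TAG)
    if sig is None:
        raise ValueError("no dsig:Signature inside <%s>" % start.tag)
    return sig


def demo():
    """Return (0.0.10 result tag, 0.0.13 rejects old selector, 0.0.13 result tag)."""
    root = parse_sample()
    old = find_start_node(root, ".//Contact", search_inside=True)
    try:
        find_start_node(root, ".//Contact", search_inside=False)
        rejected = False
    except ValueError:
        rejected = True
    new = find_start_node(root, ".//Contact/" + SIG_TAG, search_inside=False)
    return old.tag, rejected, new.tag
```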