[xmlsec] xpath question

Rob Cronin rmc24@cornell.edu
Sun, 13 Apr 2003 15:51:58 -0400


Hi Aleksy,

I've been working with the interoperability, if you remember, and I hit a
brick wall. I think it may be due to my lack of understanding of exactly how
your or LibXml's XPath works when searching for a Reference in a document.
Below is the document, where I'm searching for
<<<<<<<

          <Reference URI="#Id-dcfe14b7-f2e6-4869-8614-b7d8718115ae">
            <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>p7Jp5FT3yGu545BSbdYKHkNxdzk=</DigestValue>
          </Reference>

>>>>>>

which is located outside of the tag that contains all of the signature
information

<<<<<<

<soap:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
wsu:Id="Id-dcfe14b7-f2e6-4869-8614-b7d8718115ae">
    <Call
xmlns="http://asp.asp.cornell.edu/cgi-bin/rmc24/arithmeticsecure.cgi">
      <sleep_for>1</sleep_for>
      <y>3</y>
      <x>4</x>
    </Call>
  </soap:Body>

>>>>>>

I think that may be the problem, because if I move the body to a place
inside of the <Signature> element tag, it finds the reference fine.  Can you
think of anything that I could look at in order to get the context to start
looking at the root node of the document?

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">


Thanks so much, below is the error I get, and the document I'm trying to
verify.

Rob Cronin


Here is the error
>>>>>>>>>>>
$  apps/xmlsec verify --trusted CAcert.pem  soapreq
func=xmlSecXPathDataExecute:file=xpath.c:line=253:obj=unknown:subj=xmlXPtrEval:error=4:xml operation failed:
func=xmlSecXPathDataListExecute:file=xpath.c:line=336:obj=unknown:subj=xmlSecXPathDataExecute:error=2:xmlsec operation failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=446:obj=xpointer:subj=xmlSecXPathDataExecute:error=2:xmlsec operation failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=1997:obj=xpointer:subj=xmlSecTransformExecute:error=2:xmlsec operation failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=966:obj=unknown:subj=xmlSecTransformPushXml:error=2:xmlsec operation failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1017:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=2:xmlsec operation failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1414:obj=unknown:subj=xmlSecTransformCtxExecute:error=2:xmlsec operation failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=695:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=2:xmlsec operation failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=436:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=2:xmlsec operation failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=245:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=2:xmlsec operation failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "soapreq"
>>>>>>>>>

Below is the document soapreq.  There is a lot of stuff in there, but in
particular the Reference to the Soap:Body is what I'm interested in solving.
>>>>>>>>>>>>>>>
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Header>
    <wsrp:path xmlns:wsrp="http://schemas.xmlsoap.org/rp"
soap:actor="http://schemas.xmlsoap.org/soap/actor/next"
soap:mustUnderstand="1">
      <wsrp:action xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
wsu:Id="Id-52149406-7642-4b92-8906-51a79418e107">http://asp.asp.cornell.edu/cgi-bin/rmc24/arithmeticsecure.cgi#Call</wsrp:action>
      <wsrp:to xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
wsu:Id="Id-cafe6401-7840-4ac0-8afd-028113954c19">http://asp00.asp.cornell.edu/cgi-bin/rmc24/arithmeticsecure.cgi</wsrp:to>
      <wsrp:id xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
wsu:Id="Id-aaf4032b-934e-466c-88fe-7cdd4873092d">uuid:ff7c70d6-6458-4460-b5a4-e0838c3d1747</wsrp:id>
    </wsrp:path>
    <wsu:Timestamp
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
      <wsu:Created
wsu:Id="Id-baed3f84-7b45-4fa0-ab79-188256154149">2003-03-12T01:14:59Z</wsu:Created>
      <wsu:Expires
wsu:Id="Id-850cbfd2-a57b-47aa-9721-f0fc152f63bf">2003-03-12T01:19:59Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
soap:mustUnderstand="1">
      <wsse:BinarySecurityToken
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary"
wsu:Id="SecurityToken-90e6d1e9-
57ce-43b2-8aec-83046d24f4ea">MIICtTCCAh6gAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQs
wCQYDVQQGEwJHQjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcwFQYDVQQ
KEw5NeSBDb21wYW55IEx0ZDAeF
w0wMzAzMTEyMDE3NDJaFw0wNDAzMTAyMDE3NDJaMEwxCzAJBgNVBAYTAkdCMRIwEAYDVQQIEwlCZ
XJrc2hpcmUxEDAOBgNVBAcTB05ld2J1cnkxFzAVBgNVBAoTDk15IENvbXBhbnkgTHRkMIGfMA0GC
SqGSIb3DQEBAQUAA4GNADCBiQK
BgQC60+wSVxPg2bczrYX/740dawc/fYE8L0bCqra1SCn0rtrxQDDcgWr7vcEWy122YjJ0J4AC82y
1HnQ4ZMIkWhFbrVXpNJQ3jtQucOuJPRpCi0Eum0rk69STtbrCpjgLQIg2jxTFqsHvlF8E5WgR3j7
XMcMoGSOHxl3kWl3bf3VOXwIDA
QABo4GmMIGjMB0GA1UdDgQWBBQXp5+FoZ5A80wPOAFZ+mJwvwrmrDB0BgNVHSMEbTBrgBQXp5+Fo
Z5A80wPOAFZ+mJwvwrmrKFQpE4wTDELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUJlcmtzaGlyZTEQM
A4GA1UEBxMHTmV3YnVyeTEXMBU
GA1UEChMOTXkgQ29tcGFueSBMdGSCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQC
Ek3fhoPBsEoTGjGi1FcJ10j8NjgHnc6djiFWmbSaGhth+qeEHaV4MHEBJrX4ifiG/rgfxURqm5sq
375PNYZHrp7pUSi0Uxva858vGC
nTH0sZrQSZBLuPaX03S9R0eAkwbVGD938psOofIVeE/YIt/Jb60rlB9plaM4ZLGFcnEUw==</wss
e:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#Id-dcfe14b7-f2e6-4869-8614-b7d8718115ae">
            <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>p7Jp5FT3yGu545BSbdYKHkNxdzk=</DigestValue>
          </Reference>
        </SignedInfo>

<SignatureValue>dsqhwt3NqdT+h2PE+JNmYvSTA8RwifAExdnuhmNRYhyucwTUFX2ZNC97i+s8
iLOBHR1o/3sf8Pz19y3j4Nx/dzXqAs21xkcGQaFNGi0nf7beqPJv6R5pZm/ipadsmnDslOiu3eT6
kNKpyRRxmQZe1LeFte
YeEdjIaiODiSu63Kc=</SignatureValue>
        <KeyInfo>
          <X509Data>

<X509Certificate>>MIICtTCCAh6gAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEw
JHQjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcwFQYDVQQKEw5NeSBDb2
1wYW55IEx0ZDAeFw0w
MzAzMTEyMDE3NDJaFw0wNDAzMTAyMDE3NDJaMEwxCzAJBgNVBAYTAkdCMRIwEAYDVQQIEwlCZXJr
c2hpcmUxEDAOBgNVBAcTB05ld2J1cnkxFzAVBgNVBAoTDk15IENvbXBhbnkgTHRkMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQ
C60+wSVxPg2bczrYX/740dawc/fYE8L0bCqra1SCn0rtrxQDDcgWr7vcEWy122YjJ0J4AC82y1Hn
Q4ZMIkWhFbrVXpNJQ3jtQucOuJPRpCi0Eum0rk69STtbrCpjgLQIg2jxTFqsHvlF8E5WgR3j7XMc
MoGSOHxl3kWl3bf3VOXwIDAQAB
o4GmMIGjMB0GA1UdDgQWBBQXp5+FoZ5A80wPOAFZ+mJwvwrmrDB0BgNVHSMEbTBrgBQXp5+FoZ5A
80wPOAFZ+mJwvwrmrKFQpE4wTDELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUJlcmtzaGlyZTEQMA4G
A1UEBxMHTmV3YnVyeTEXMBUGA1
UEChMOTXkgQ29tcGFueSBMdGSCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQCEk3
fhoPBsEoTGjGi1FcJ10j8NjgHnc6djiFWmbSaGhth+qeEHaV4MHEBJrX4ifiG/rgfxURqm5sq375
PNYZHrp7pUSi0Uxva858vGCnTH
0sZrQSZBLuPaX03S9R0eAkwbVGD938psOofIVeE/YIt/Jb60rlB9plaM4ZLGFcnEUw==</X509Ce
rtificate>
        </X509Data>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
wsu:Id="Id-dcfe14b7-f2e6-4869-8614-b7d8718115ae">
    <Call
xmlns="http://asp.asp.cornell.edu/cgi-bin/rmc24/arithmeticsecure.cgi">
      <sleep_for>1</sleep_for>
      <y>3</y>
      <x>4</x>
    </Call>
  </soap:Body>
</soap:Envelope>
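
Added example, not part of the original post and not xmlsec or LibXml code: a same-document reference such as URI="#Id-..." has to be resolved against the whole document, and in this message the ID lives in the namespaced wsu:Id attribute, which an XML parser does not treat as an ID unless it is told to. The Python below indexes wsu:Id from the document root of a constructed, trimmed copy of the envelope and requires exactly one target per Reference; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

WSU_NS = "http://schemas.xmlsoap.org/ws/2002/07/utility"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
WSU_ID = f"{{{WSU_NS}}}Id"  # ElementTree spelling of the wsu:Id attribute

# Constructed sample: trimmed copy of the posted envelope (same namespaces, same Id).
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo><Reference URI="#Id-dcfe14b7-f2e6-4869-8614-b7d8718115ae"/></SignedInfo>
    </Signature>
  </soap:Header>
  <soap:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
             wsu:Id="Id-dcfe14b7-f2e6-4869-8614-b7d8718115ae">
    <Call><x>4</x><y>3</y></Call>
  </soap:Body>
</soap:Envelope>"""


def build_id_index(root, id_attrs=(WSU_ID,)):
    """Map each ID value to the elements carrying it, scanning from the root."""
    index = {}
    for elem in root.iter():
        for attr in id_attrs:
            value = elem.get(attr)
            if value is not None:
                index.setdefault(value, []).append(elem)
    return index


def resolve_references(root, id_attrs=(WSU_ID,)):
    """Resolve every ds:Reference URI="#frag" to exactly one element."""
    index = build_id_index(root, id_attrs)
    resolved = {}
    for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            continue  # external and whole-document references are not handled here
        matches = index.get(uri[1:], [])
        if len(matches) != 1:  # missing or ambiguous target: refuse to verify
            raise LookupError(f"{uri}: expected 1 target, found {len(matches)}")
        resolved[uri] = matches[0]
    return resolved


if __name__ == "__main__":
    print(resolve_references(ET.fromstring(SAMPLE)))
```

Passing an attribute name the document does not use as its ID (for example an unqualified "Id") makes the lookup fail, which is the same kind of outcome as the Reference error in the log above.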