[xmlsec] Xml Signature verification failure
Aleksey Sanin
aleksey@aleksey.com
Thu, 19 Jun 2003 10:43:24 -0700
Half an hour digging in the logs and I think I have an explanation:
0) The xmldsigverifier was compiled in April 2002 and it is more than
a year old now (probably I need to upgrade it :) )
1) The c14n code in libxml2 version 2.4.20 that was used to compile
xmldsigverifier returns the exact results as you describe
2) The namespace processing in c14n.c was fixed around July 31, 2002
in order to support Merlin's new c14n tests (merlin-c14n-three). As far as
I can remember and as far as I can see from the code, this change
solves exactly this problem.
Bottom line: there was a bug and it was fixed almost a year ago; the
xmldsigverifier on the web site is obsolete (and I hope I will have time
to update it soon).
Now I would like to repeat my explanations. I would appreciate it if Rich or
someone else familiar with the c14n specifications:
We have something like this:
<Root xmlns="http://examples.com">
<Object>Test</Object>
</Root>
According to the spec [1], the non-default namespace node is
rendered only if it is in the XPath node-set. In our case,
the XPath expression selects *only* the <Object/> node itself
and none of its namespace or attribute nodes. Thus I think
that xmlsec/libxml do the right thing by returning
<Object></Object>
after c14n.
Aleksey
[1] http://www.w3.org/TR/2001/REC-xml-c14n-20010315#ProcessingModel
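The processing-model rule Aleksey relies on ("a node is rendered only if it is in the XPath node-set") can be demonstrated with a small model of inclusive C14N 1.0 over the document from the message. The following is example code added here; it is not xmlsec or libxml2 code, it uses only the Python standard library (`xml.dom.minidom`), and it assumes a deliberately reduced model: no comments or processing instructions, no special handling of the `xml:` prefix, and attribute ordering by name only. The three node-sets it compares (the element alone, the element's subtree with its namespace and text nodes, and the whole document) are constructed here to show why the element-only selection yields `<Object></Object>` while a subtree selection yields a namespace declaration, and why a declaration already rendered by the nearest output ancestor is not repeated.

```python
"""Toy model of the XML C14N 1.0 processing-model rule from the message:
a namespace node, like any other node, is rendered only if it is in the
XPath node-set (and only if the nearest output ancestor has not already
rendered the same declaration).  Added example, NOT xmlsec/libxml2 code;
it covers only what this document needs (no comments or PIs, no handling
of the xml: prefix, no namespaced-attribute ordering)."""
from xml.dom import XMLNS_NAMESPACE, minidom

# Constructed input: the document from the message, without whitespace
# between tags so that the only text node is "Test".
DOC = '<Root xmlns="http://examples.com"><Object>Test</Object></Root>'


def in_scope_namespaces(elem):
    """XPath namespace nodes of elem: all declarations in scope, inner ones win."""
    chain, node = [], elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    ns = {}
    for node in reversed(chain):                      # outermost ancestor first
        for attr in node.attributes.values():
            if attr.namespaceURI == XMLNS_NAMESPACE:
                ns["" if attr.name == "xmlns" else attr.name.split(":", 1)[1]] = attr.value
    return ns


def attributes(elem):
    """Ordinary attributes; xmlns declarations are namespace nodes, not attributes."""
    return {a.name: a.value for a in elem.attributes.values()
            if a.namespaceURI != XMLNS_NAMESPACE}


def subtree_node_set(elem):
    """elem plus its namespace, attribute and descendant nodes, i.e. what the
    usual '(//. | //@* | //namespace::*)' selection yields for that subtree."""
    nodes = set()

    def walk(e):
        nodes.add(("elem", id(e)))
        nodes.update(("ns", id(e), p) for p in in_scope_namespaces(e))
        nodes.update(("attr", id(e), n) for n in attributes(e))
        for child in e.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                walk(child)
            elif child.nodeType == child.TEXT_NODE:
                nodes.add(("text", id(child)))

    walk(elem)
    return nodes


def escape(s, attr=False):
    """C14N character escaping for text (and, with attr=True, attribute) content."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return s.replace(">", "&gt;")


def canonicalize(elem, node_set, ancestor_ns=None):
    """Render elem's subtree for node_set; ancestor_ns is what the nearest
    output ancestor already declared (empty at the top of the document)."""
    ancestor_ns = {} if ancestor_ns is None else ancestor_ns
    in_set = ("elem", id(elem)) in node_set
    out = []
    if in_set:
        out.append("<" + elem.tagName)
        rendered = dict(ancestor_ns)
        for prefix, uri in sorted(in_scope_namespaces(elem).items()):
            if ("ns", id(elem), prefix) not in node_set:
                continue                  # the rule from the message: not selected, not rendered
            if ancestor_ns.get(prefix, "") == uri:
                continue                  # already in effect from the output ancestor
            rendered[prefix] = uri
            out.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", uri))
        for name, value in sorted(attributes(elem).items()):
            if ("attr", id(elem), name) in node_set:
                out.append(' %s="%s"' % (name, escape(value, attr=True)))
        out.append(">")
    else:
        rendered = ancestor_ns            # element not selected: no tags, children still visited
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(canonicalize(child, node_set, rendered))
        elif child.nodeType == child.TEXT_NODE and ("text", id(child)) in node_set:
            out.append(escape(child.data))
    if in_set:
        out.append("</%s>" % elem.tagName)
    return "".join(out)


def render(selection):
    """Canonicalize DOC under one node-set: 'element-only' (just the <Object>
    element node, the case in the message), 'object-subtree' (<Object> with
    its namespace, attribute and text nodes) or 'document' (everything)."""
    doc = minidom.parseString(DOC)
    root = doc.documentElement
    obj = root.getElementsByTagName("Object")[0]
    if selection == "element-only":
        node_set = {("elem", id(obj))}
    elif selection == "object-subtree":
        node_set = subtree_node_set(obj)
    else:
        node_set = subtree_node_set(root)
    return canonicalize(root, node_set)
```

Running `render("element-only")` reproduces the `<Object></Object>` output from the message: the element's default-namespace node and its text child are simply not in the node-set, so neither is emitted. The practical lesson for signature verification is that the XPath transform, not the serializer, decides what gets signed; a selection that omits namespace nodes produces a canonical form that differs from what a different c14n implementation, or a different libxml2 version, would emit if it treated in-scope namespaces as implicitly selected, which is exactly the kind of mismatch that shows up as a verification failure.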