[xmlsec] Re: help is needed please. Thanks in advance.
Aleksey Sanin
aleksey@aleksey.com
Sun, 28 Sep 2003 21:49:01 -0700
Well, it's a known issue and it was discussed on the xmlsec mailing list
many times. The last time was last week :)

http://www.aleksey.com/pipermail/xmlsec/2003/001527.html

(read on, this is a long thread).

Briefly: the Visa protocol breaks several XML specifications because
"939..." could not be an ID attribute. You may hack libxml2 and make it work.
But I have no idea what else you would break and what kind of other
security issues may show up.

Aleksey
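Why the xpointer(id('939123509')) step in the trace fails, as an added example (this is not code from the thread, from xmlsec or from Visa): XML 1.0 requires an ID value to match the Name production, and xml:id and XML Schema's ID type require an NCName; neither may begin with a digit, so no conforming declaration can make "939123509" an ID and a parser's id() lookup returns nothing, while "PAReq20030928111313" on the enclosing Message element is fine. The script below, stdlib only, checks the fragment of each ds:Reference URI against the NCName production and then resolves it by scanning for the attribute itself, which is what "hack libxml2" or explicit ID registration amounts to. It also flags a fragment that matches more than one element, the check worth keeping if you bypass the parser's ID table, since the digest then covers whichever element the resolver picks. The sample documents are constructed: a trimmed copy of the quoted message with the same id values and Reference URI, plus a conforming variant and a variant with a duplicated id.

```python
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# NameStartChar / NameChar from XML 1.0 (5th ed.) with ':' left out, i.e. the
# NCName production that xml:id and XML Schema's ID type require.  A DTD ID is
# a Name (':' allowed), but a Name may not begin with a digit either.
_START = (
    r"A-Z_a-z\xC0-\xD6\xD8-\xF6\xF8-\u02FF\u0370-\u037D\u037F-\u1FFF"
    r"\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF"
    r"\uFDF0-\uFFFD\U00010000-\U000EFFFF"
)
_REST = _START + r"\-.0-9\xB7\u0300-\u036F\u203F-\u2040"
NCNAME_RE = re.compile(f"[{_START}][{_REST}]*")


def is_valid_id(value: str) -> bool:
    """True if `value` could legally be an XML ID (an NCName)."""
    return NCNAME_RE.fullmatch(value) is not None


def check_references(xml_text: str, id_attr: str = "id") -> list:
    """Resolve every ds:Reference URI="#..." by scanning for `id_attr` ourselves
    (the explicit-registration workaround) and report whether a conforming
    id() lookup could have found it and whether the match is unique."""
    root = ET.fromstring(xml_text)
    table = {}                      # id value -> elements carrying it
    for el in root.iter():
        v = el.get(id_attr)
        if v is not None:
            table.setdefault(v, []).append(el)

    report = []
    for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        entry = {"uri": uri, "matches": 0, "status": "external"}
        if uri.startswith("#"):
            frag = uri[1:]
            hits = table.get(frag, [])
            entry["matches"] = len(hits)
            if not is_valid_id(frag):
                entry["status"] = "invalid-name"   # id() can never resolve this
            elif not hits:
                entry["status"] = "unresolved"
            elif len(hits) > 1:
                entry["status"] = "ambiguous"      # never verify against a non-unique ID
            else:
                entry["status"] = "ok"
        report.append(entry)
    return report


# Constructed, trimmed copy of the message in the thread: same id values and
# Reference URI; payload, KeyInfo and signature bytes omitted.
VISA_LIKE = (
    '<ThreeDSecure><Message id="PAReq20030928111313">'
    '<PARes id="939123509"><version>1.0.2</version></PARes>'
    f'<Signature xmlns="{DSIG_NS}"><SignedInfo>'
    '<Reference URI="#939123509"/></SignedInfo></Signature>'
    '</Message></ThreeDSecure>'
)

# Constructed counter-examples: a spec-conforming ID, and that ID used twice.
CONFORMING = VISA_LIKE.replace("939123509", "PARes939123509")
DUPLICATED = CONFORMING.replace(
    "<version>", '<Extra id="PARes939123509"/><version>'
)

if __name__ == "__main__":
    for label, doc in [("visa", VISA_LIKE), ("conforming", CONFORMING),
                       ("duplicated", DUPLICATED)]:
        for entry in check_references(doc):
            print(f"{label:11} {entry['uri']:18} "
                  f"matches={entry['matches']} {entry['status']}")
```

The attribute scan deliberately ignores the DTD: if you register "id" as an ID attribute by hand (the kind of explicit registration xmlsec1 later exposed as a command-line option; whether 1.1.1 offered it is not settled by this thread), the parser will resolve the fragment, but it is then your code, not the XML validity rules, that guarantees uniqueness, which is why the "ambiguous" branch is there.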
Jason Coon wrote:
> Ok,
> I know I should not do this but I am desperate. I am trying to verify this
> XML message with the root cert. Yes, this is VISA. Anyway, I get this
> message. I have tried xmlsec1 and the examples and your online tool, and
> everything I do I get this error, also when attaching a DTD to declare the
> node. I think it is a bug, though I can verify other types of XML
> signatures. lo
>
> Sun Solaris
> xmlsec1 1.1.1 (openssl)
> libxml2 20511
> OpenSSL 0.9.7b 10 Apr 2003
>
> Any help would be appreciated.
>
> Sincerely, Jason Coon
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('939123509'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2332:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1168:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1228:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1564:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature verification failed
>
> <ThreeDSecure>
>   <Message id="PAReq20030928111313">
>     <PARes id="939123509">
>       <version>1.0.2</version>
>       <Merchant>
>         <acqBIN>11111111111</acqBIN>
>         <merID>12AB,cd/34-EF -g,5/H-67</merID>
>       </Merchant>
>       <Purchase>
>         <xid>MDAwMDAwMjAwMzA5MjgxMTEzMTM=</xid>
>         <date>20030928 11:13:13</date>
>         <purchAmount>123456</purchAmount>
>         <currency>840</currency>
>         <exponent>2</exponent>
>       </Purchase>
>       <pan>0000000001000</pan>
>       <TX>
>         <time>20030928 16:12:46</time>
>         <status>Y</status>
>         <cavv>AAABBJg0VhI0VniQEjRWAAAAAAA=</cavv>
>         <eci>03</eci>
>         <cavvAlgorithm>1</cavvAlgorithm>
>       </TX>
>     </PARes>
>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>       <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>         <Reference URI="#939123509">
>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>           <DigestValue>qbtokjyh7AaUwsfV3NdOtYraVVY=</DigestValue>
>         </Reference>
>       </SignedInfo>
>       <SignatureValue>
> kGlOMSgqHlKo2mU5dcrVz2XJgl+fyyAxEQ61pD8XPOmNBH0C80PbmvBnrKD6UkpfoUhc
> lCxL/zW/3RT1hTNY2pgf9FqSYAv
> xthEDpmKyaQT6y77Eo3WTpSBOyV3XrH3xD4Mu76K8ZHNSuf1FRBvoDjO0CGEMW4VgupziCjgIeag
> =
>       </SignatureValue>
>       <KeyInfo>
>         <X509Data>
>           <X509Certificate>
> MIICJTCCAY6gAwIBAgIVANr+5nC2js/XYLb4IjL9N32xM8AGM
> A0GCSqGSIb3DQEBBQUAMEcxCzAJ
> BgNVBAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMRUwEwYDVQQLEwxDYXJhZGFzIExhYnMxDzANBgNV
> BAMTBkNUSCBDQTAeFw0wMzA4MTk
> xNDIyNTVaFw0wNTA4MTgxNDIyNTVaMEQxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMRU
> wEwYDVQQLEwxDYXJhZGFzIExhYn
> MxDDAKBgNVBAMTA0NUSDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnwMTpPBfeChZ/q+nT+
> 4pHsX1JQXHCPTzoAO1CBfvtgmqh
> lRmKNhB9k+/tvKZMF5K/FQ879lW6MDEjq+2Sezz2FjUF9GZDjqJC/VzbeINji0kj8tYdjkqDAcu3
> 6Q/n4A7LmZqtY+7FAbN53rLWaSv
> 1Nx4Gk/JdLdOmHuwtp8E+xcCAwEAAaMQMA4wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOB
> gQAq7k89O6UZCAcPY074dluCQAa
> 6ditQmX32g2Lzda8n3uBU5pD0JQqpxWCWriD3m2zcZHLjjXpMJSzd2CRl1HsGrTkLFGLs27iG/fR
> Nv+9RLkPWV/GulBKWk+WGTiHAoI
> umIoYZYvz7L8lWJRw0bKvBXj3W42uxyacGr3HyWa1HDQ==
>           </X509Certificate>
>           <X509Certificate>
> MIICLzCCAZigAwIBAgIUDP
> wVD8SyBkFHsDnddWtKGyIqUxEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEDAOBgNVBA
> oTB0NhcmFkYXMxFTATBgNVBAsTD
> ENhcmFkYXMgTGFiczERMA8GA1UEAxMIQ1RIIFJPT1QwHhcNMDMwODE5MTQyMjUzWhcNMDcwODE4M
> TQyMjUzWjBHMQswCQYDVQQGEwJV
> UzEQMA4GA1UEChMHQ2FyYWRhczEVMBMGA1UECxMMQ2FyYWRhcyBMYWJzMQ8wDQYDVQQDEwZDVEgg
> Q0EwgZ8wDQYJKoZIhvcNAQEBBQA
> DgY0AMIGJAoGBAJRiE7jros/yRb7tmenId3UeArIKyQ9/g4926zYYPkVx8k/iNIEimsRvjWOyv5V
> ca6fOtRBO6zsMmgUVziRnNGDIXi
> Vlp7zDlqJR/4o3gFBjfKfHYfe1RJLZfl2yHF6A8xJGYZNhGD/rQb1I6qy1S/ayluY5x2oftL8xsn
> il2oCFAgMBAAGjFjAUMBIGA1UdE
> wEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQEFBQADgYEAL5qy3xM/LGrzE0WghCGwzWSYOWzMAOfek
> 3pL5At9hQuL7/UCh5u9vRTFCgLs
> R6EveIzuqrHb7dfnLpXIyoOyL5eVG7YBn5xtR1WSUdxWdIsm1Yuxbrw8IlQXSgCc3KVQAIoT9zlc
> HUzGzf3PUVrm578tfRjKP1ya+tL
> NoDoGXvg=
>           </X509Certificate>
>           <X509Certificate>
> MIICMjCCAZugAwIBAgIVAJoV+yURqXHF
> 8zXECfEhRqpwzCMwMA0GCSqGSIb
> 3DQEBBQUAMEkxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMRUwEwYDVQQLEwxDYXJhZGF
> zIExhYnMxETAPBgNVBAMTCENUSC
> BST09UMB4XDTAzMDgxOTE0MjI1MVoXDTExMDgxNzE0MjI1MVowSTELMAkGA1UEBhMCVVMxEDAOBg
> NVBAoTB0NhcmFkYXMxFTATBgNVB
> AsTDENhcmFkYXMgTGFiczERMA8GA1UEAxMIQ1RIIFJPT1QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AM
> IGJAoGBAIrpC9h6fesI1FnpSHH+
> dP+JaY3FitHMW9LHBLpdCSEzAVe6VJOZO7Ycw49iDKkhPCrSZk/59RXD+3+vYqukFL0FLfG2GFTA
> 1c9YU94dqBovrmwbMP7HYN82PmQ
> tifzGMeS9d7znDx+AqlDU1eXCZMVdHSsz/qneP8LSydrMaU/RAgMBAAGjFjAUMBIGA1UdEwEB/wQ
> IMAYBAf8CAQEwDQYJKoZIhvcNAQ
> EFBQADgYEAZdRIyN/SSPQ3bLunDVKxanOLDiXfczxGMnQZWK47fQfWdbqqEINrcObagSw44Ba9pF
> Z796DXn5XPZOkLuhrgLSwVVVqkU
> WLeUaRPEFGDXQMk9XqrbCpivQix1Hr+9DgWWiqg0snC7JkD6rieQ8NIuj+bD83vnuhOW/nLEuLSf
> xk=
>           </X509Certificate>
>         </X509Data>
>       </KeyInfo>
>     </Signature>
>   </Message>
> </ThreeDSecure>