[xmlsec] enveloped-signature problem
Aleksey Sanin
aleksey at aleksey.com
Mon Feb 11 23:15:47 PST 2013
Well, I can see your point but I find it stupid to apply a no-op
transform. Moreover, by design the enveloped signature transform
was added to support *same document* signatures so using it on an
external document is not something the W3C group was envisioning
either.
Regardless, I don't remember exact details of the code but there
might be some interesting implications on the removal of the node
and then re-inserting it. Feel free to take a look. I accept patches :)
Aleksey
On 2/11/13 5:35 AM, guido billi wrote:
> Hi guys,
>
> I used xmlsec for the first time years ago, now I am updating my
> software to validate xml signatures generated with other software.
>
> I have a verification error!
>
> The error reason is clear, but I don’t understand if it is an Xmlsec
> interpretation misunderstanding of Xml Signature standard or not…
>
> FILES
>
> I have a document (doc.xml) and a detached xml signature generated with
> Oxygen Xml Editor 13.2 (det-rsasha1.xml)
>
> VERIFY ERROR
>
>>xmlsec --verify det-rsasha1.xml
>
> error : Unknown IO error
>
> func=xmlSecTransformEnvelopedExecute:file=..\src\enveloped.c:line=108:obj=enveloped-signature:subj=unknown:error=34:same
> document is required for transform:
>
> func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2371:obj=enveloped-signature:subj=xmlSecTransformExecute:error=1:xmlsec
> library function failed:
>
> func=xmlSecParserPushBin:file=..\src\parser.c:line=222:obj=xml-parser:subj=xmlSecTransformPushXml:error=1:xmlsec
> library function failed:
>
> func=xmlSecTransformPump:file=..\src\transforms.c:line=1634:obj=xml-parser:subj=xmlSecTransformPushBin:error=1:xmlsec
> library function failed:
>
> func=xmlSecTransformCtxUriExecute:file=..\src\transforms.c:line=1160:obj=unknown:subj=xmlSecTransformPump:error=1:xmlsec
> library function failed:uri=doc.xml
>
> func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1280:obj=unknown:subj=xmlSecTransformCtxUriExecute:error=1:xmlsec
> library function failed:
>
> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec
> library function failed:
>
> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
> library function failed:node=Reference
>
> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
> library function failed:
>
> func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
>
> Error: signature failed
>
> ERROR
>
> SignedInfo References (ok/all): 0/1
>
> Manifests References (ok/all): 0/0
>
> Error: failed to verify file "det-rsasha1.xml"
>
> ERROR REASON
>
> Now… the error is due to the combined use of
>
> 1) reference to an *external* document doc.xml
>
> 2) use of enveloped-signature transform by that reference
>
> XmlSec enveloped-signature transform requires that the xml document
> (target of the transformation itself) contains the signature that
> contains the Reference node.
>
> (In my case this is not true, because the document target of the
> transform is external and does not contain the Signature node)
>
> QUESTION
>
> Is this implementation check really correct???
>
> If it is correct… why does Oxygen Xml Editor 13.2 generate this combination?
>
> Here is the Xml Signature standard:
>
> 6.6.4 Enveloped Signature Transform
>
> “An enveloped signature transform T removes the whole
> Signature element containing T from the digest calculation of the
> Reference element containing T. The entire string of characters
> used by an XML processor to match the Signature with the XML production
> element is removed. The output of the transform is equivalent to the
> output that would result from replacing T with an XPath transform
> containing the following XPath parameter element: […]”
>
> From my point of view the xmlsec implementation is too strict!
>
> The standard does not require that the document (target of T) actually
> contains the Signature node; the standard only says that the transform T
> removes the Signature node containing the transform T from the document.
>
> If the document does not contain the Signature node, no document
> modification is specified for this transform.
>
> If document doc.xml does not contain a Signature node, I suppose that
> the transformation result should be the document doc.xml itself.
>
> Am I wrong?
>
> Oxygen is not standard?
>
> XmlSec is too strict?
>
> Who is right?
>
> Thank you for your time
>
> -----------------------------------
>
> Guido Billi
>
> Telvox S.R.L.
>
> Via Pastrengo, 2
>
> 40123 Bologna
>
> tel: 051 33 97 121
>
> www.telvox.com <http://www.telvox.com>
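The two readings argued in this thread can be made concrete. The following Python is an added example, not xmlsec's code: it applies the enveloped-signature transform of XMLDSig 6.6.4 (remove the Signature element that contains the Transform element T from the document being digested) to a constructed enveloped document and to a constructed detached signature over an external doc.xml. In the detached case the Signature containing T is not part of the document under transform, so the spec-literal reading returns the document unchanged, while the `strict` flag models the "same document is required for transform" refusal that xmlsec's error output above reports. The sample XML strings, element names (Invoice, Amount) and the `SameDocumentRequired` exception are assumptions made for this example; the transform code works on element identity via the standard library ElementTree rather than the spec's XPath form.

```python
"""Enveloped-signature transform, same-document vs. detached reference.

Added example for the thread above; not part of xmlsec.  Samples are
constructed, and the document/signature files are inline strings.
"""
import copy
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS
TRANSFORM_TAG = "{%s}Transform" % DSIG_NS
ENVELOPED_URI = DSIG_NS + "enveloped-signature"

# Constructed sample: signature enveloped in the signed document (URI="").
ENVELOPED_XML = (
    '<Invoice xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<Amount>42</Amount>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="">'
    '<ds:Transforms><ds:Transform Algorithm="' + ENVELOPED_URI + '"/>'
    '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>'
    '</Invoice>'
)
# Constructed sample: external doc.xml plus a detached signature over it
# that (like the Oxygen output in the thread) still lists the transform.
DOC_XML = '<Invoice><Amount>42</Amount></Invoice>'
DETACHED_SIG_XML = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:Reference URI="doc.xml"><ds:Transforms>'
    '<ds:Transform Algorithm="' + ENVELOPED_URI + '"/>'
    '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>'
)


class SameDocumentRequired(Exception):
    """Hypothetical error type modelling xmlsec's strict refusal."""


def _parent_map(root):
    # ElementTree has no parent pointers; build child -> parent once.
    return {child: parent for parent in root.iter() for child in parent}


def _enclosing_signature(transform_el, signature_doc_root):
    """Nearest ds:Signature ancestor of the Transform element T, or None."""
    parents = _parent_map(signature_doc_root)
    node = transform_el
    while node in parents:
        node = parents[node]
        if node.tag == SIGNATURE_TAG:
            return node
    return None


def _index_path(root, target):
    """Child-index path from root down to target; None if target is not in root."""
    if root is target:
        return []
    for i, child in enumerate(root):
        sub = _index_path(child, target)
        if sub is not None:
            return [i] + sub
    return None


def _find_enveloped_transform(sig_root):
    for el in sig_root.iter(TRANSFORM_TAG):
        if el.get("Algorithm") == ENVELOPED_URI:
            return el
    raise ValueError("no enveloped-signature Transform found")


def enveloped_signature_transform(doc_root, transform_el, signature_doc_root,
                                  strict=False):
    """Remove from doc_root the Signature element that contains transform_el.

    If that Signature is not inside doc_root (detached reference to an
    external document), strict=False returns the input unchanged (the
    spec-literal reading from the thread) and strict=True raises, which
    is the behaviour xmlsec's error output shows.
    """
    sig = _enclosing_signature(transform_el, signature_doc_root)
    if sig is None:
        raise ValueError("Transform is not inside a ds:Signature element")
    path = _index_path(doc_root, sig)
    if path is None:
        if strict:
            raise SameDocumentRequired("same document is required for transform")
        return copy.deepcopy(doc_root)
    if not path:
        return None  # the Signature is the whole input; nothing is left
    out = copy.deepcopy(doc_root)  # work on a copy; path indices still hold
    parent = out
    for i in path[:-1]:
        parent = parent[i]
    parent.remove(parent[path[-1]])
    return out


def run_enveloped_case():
    root = ET.fromstring(ENVELOPED_XML)
    out = enveloped_signature_transform(root, _find_enveloped_transform(root), root)
    return ET.tostring(out, encoding="unicode")


def run_detached_case(strict):
    doc = ET.fromstring(DOC_XML)
    sig = ET.fromstring(DETACHED_SIG_XML)
    try:
        out = enveloped_signature_transform(doc, _find_enveloped_transform(sig),
                                            sig, strict=strict)
    except SameDocumentRequired as exc:
        return "error: %s" % exc
    return ET.tostring(out, encoding="unicode")


if __name__ == "__main__":
    print("enveloped:        ", run_enveloped_case())
    print("detached, lenient:", run_detached_case(strict=False))
    print("detached, strict: ", run_detached_case(strict=True))
```

Run stand-alone, the enveloped case yields the document with its Signature stripped, the lenient detached case yields doc.xml unchanged (the transform is a no-op, as the thread notes), and the strict detached case fails closed with the same message xmlsec prints. Signers that want to interoperate should not emit the transform on a detached reference; verifiers that refuse it, as xmlsec does, at least never silently digest something other than what the reference names.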