[xmlsec] Manifest References

Dan Seguin Dan.Seguin at cord3inc.com
Fri Jun 2 02:22:54 PDT 2017


Greetings,

I have a question about signing and validating Signatures where Manifest
blocks are present.

My understanding (if correct) from the XMLDSIG spec is that References
within Manifest blocks can fail the digest operation or dereferencing
of a URI, and not be considered a failure for signing or validation.

In cases where the Manifest block is Reference'd from a SignedInfo
Reference, the whole block is digested (with whatever is in there)
whether or not the digesting occurred on the internal Manifest Reference
entries.

I'm seeing that xmlsec functions throw an error that halts the signing
or verification if the References inside a Manifest block can't be
processed.

Is this correct?

From xmldsig.c, function xmlSecDSigCtxProcessManifestNode, there is this
snippet:

>     /* calculate references */
>     cur = xmlSecGetNextElementNode(node->children);
>     while((cur != NULL) && (xmlSecCheckNodeName(cur,
> xmlSecNodeReference, xmlSecDSigNs))) {
>         /* create reference */
>         dsigRefCtx = xmlSecDSigReferenceCtxCreate(dsigCtx,
> xmlSecDSigReferenceOriginManifest);
>         if(dsigRefCtx == NULL) {
>             xmlSecError(XMLSEC_ERRORS_HERE,
>                         NULL,
>                         "xmlSecDSigReferenceCtxCreate",
>                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
>                         XMLSEC_ERRORS_NO_MESSAGE);
>             return(-1);
>         }
>
>         /* add to the list */
>         ret = xmlSecPtrListAdd(&(dsigCtx->manifestReferences),
> dsigRefCtx);
>         if(ret < 0) {
>             xmlSecError(XMLSEC_ERRORS_HERE,
>                         NULL,
>                         "xmlSecPtrListAdd",
>                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
>                         XMLSEC_ERRORS_NO_MESSAGE);
>             xmlSecDSigReferenceCtxDestroy(dsigRefCtx);
>             return(-1);
>         }
>
>         /* process */
>         ret = xmlSecDSigReferenceCtxProcessNode(dsigRefCtx, cur);
>         if(ret < 0) {
>             xmlSecError(XMLSEC_ERRORS_HERE,
>                         NULL,
>                         "xmlSecDSigReferenceCtxProcessNode",
>                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
>                         "node=%s",
>                         xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
>             return(-1);
>         }
>
>         /* we don;t care if Reference processing failed because
>          * it's Manifest node */
>         cur = xmlSecGetNextElementNode(cur->next);

The call to xmlSecDSigReferenceCtxProcessNode exits
xmlSecDSigCtxProcessManifestNode if there's a failure, sending the error
upstream.

For producing a Signature (from a template) with a Manifest block (with a
pre-calculated Digest from an application and populated with a URI that
is NOT processable), this isn't a problem if one sets dsigCtx->flags |=
XMLSEC_DSIG_FLAGS_IGNORE_MANIFESTS.

However, for ingesting Signatures from external entities, Manifest
blocks may have to be processed to verify (reference) digests before
verifying the signature. On failure, I'd assume that whatever digests are
there are then used for signature validation.

I would rather not use the IGNORE flag on validation.

Guidance?

Cheers.
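
Below is an added example, not code from xmlsec and not part of this message: a small stand-alone Python model of XMLDSIG core validation with a ds:Manifest, written to make the spec rule in the question concrete. It assumes HMAC-SHA256 as the SignatureMethod, C14N 2.0 from the standard library as the only canonicalization, same-document "#id" URIs only (anything else counts as unresolvable, which stands in for an external URI the verifier will not fetch), no Transforms, and a constructed sample document; the functions sign, verify, check_references and scenario are this example's own names, not xmlsec API. It shows three things: an unresolvable Reference inside the Manifest is reported but does not fail core validation; a changed DigestValue inside the Manifest does fail it, because the SignedInfo Reference digests the Manifest block as a whole; and an inner Manifest Reference that does resolve is still checked and reported as a mismatch when its target changed.

```python
# Added example, not xmlsec code: minimal XMLDSIG core validation with a ds:Manifest, to show
# which Reference failures are fatal and which are not. Simplifying assumptions: HMAC-SHA256
# SignatureMethod, C14N 2.0 from xml.etree, same-document "#id" URIs only, no Transforms.
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MANIFEST_TYPE = DS + "Manifest"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("", DS)  # serialize ds elements with a default namespace declaration

def ds(name):
    return f"{{{DS}}}{name}"

def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def c14n(elem):
    """Canonical bytes of one element; its tail text belongs to the parent, so drop it."""
    elem = copy.copy(elem)
    elem.tail = None
    return ET.canonicalize(xml_data=ET.tostring(elem, encoding="unicode")).encode()

def dereference(root, uri):
    """Canonical bytes for a same-document URI; None stands for an unresolvable (external) URI."""
    return next((c14n(e) for e in root.iter() if e.get("Id") == uri[1:]), None) if uri.startswith("#") else None

def fill_digests(root, container):
    """Signing side: fill DigestValue for resolvable References, keep app-supplied ones as-is."""
    for ref in container.findall(ds("Reference")):
        data = dereference(root, ref.get("URI"))
        if data is not None:
            ref.find(ds("DigestValue")).text = digest_b64(data)

def sign(root, key):
    sig = root.find(ds("Signature"))
    signed_info = sig.find(ds("SignedInfo"))
    for manifest in sig.iter(ds("Manifest")):  # Manifest digests first: the SignedInfo
        fill_digests(root, manifest)            # Reference to it must cover the final bytes
    fill_digests(root, signed_info)
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    sig.find(ds("SignatureValue")).text = base64.b64encode(mac).decode()

def check_references(root, container):
    """Map each Reference URI under container to 'ok', 'mismatch' or 'unresolvable'."""
    status = {}
    for ref in container.findall(ds("Reference")):
        data = dereference(root, ref.get("URI"))
        if data is None:
            status[ref.get("URI")] = "unresolvable"
        else:
            matches = digest_b64(data) == ref.findtext(ds("DigestValue"), "")
            status[ref.get("URI")] = "ok" if matches else "mismatch"
    return status

def verify(root, key):
    """Core validation: the MAC over SignedInfo and every SignedInfo Reference must pass;
    Manifest References are checked and reported separately and never fail core validation."""
    sig = root.find(ds("Signature"))
    signed_info = sig.find(ds("SignedInfo"))
    expected = base64.b64decode(sig.find(ds("SignatureValue")).text)
    actual = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    core = check_references(root, signed_info)
    core_ok = hmac.compare_digest(actual, expected) and all(s == "ok" for s in core.values())
    manifests = {}
    for ref in signed_info.findall(ds("Reference")):
        uri = ref.get("URI")
        if ref.get("Type") == MANIFEST_TYPE and core[uri] == "ok":  # only walk an intact Manifest
            node = next(e for e in root.iter(ds("Manifest")) if e.get("Id") == uri[1:])
            manifests[uri] = check_references(root, node)
    return core_ok, core, manifests

def ref_xml(uri, digest="", rtype=""):  # one ds:Reference for the constructed sample below
    t = f' Type="{rtype}"' if rtype else ""
    return (f'<Reference URI="{uri}"{t}><DigestMethod Algorithm="{SHA256_URI}"/>'
            f'<DigestValue>{digest}</DigestValue></Reference>')

# Constructed sample: a signed Body plus a Manifest holding one Reference the verifier cannot
# resolve (its DigestValue was pre-computed by the application) and one that it can.
TEMPLATE = f"""<Envelope><Body Id="body">order 42</Body>
<Signature xmlns="{DS}"><SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-c14n2"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
{ref_xml('#body')}{ref_xml('#manifest', rtype=MANIFEST_TYPE)}
</SignedInfo><SignatureValue/><Object><Manifest Id="manifest">
{ref_xml('http://example.invalid/external.bin', digest_b64(b'external payload'))}{ref_xml('#body')}
</Manifest></Object></Signature></Envelope>"""
KEY = b"shared-secret-for-the-example"

def scenario(tamper=None):
    """Sign the sample, optionally tamper, verify; returns (core_ok, core, manifests)."""
    root = ET.fromstring(TEMPLATE)
    sign(root, KEY)
    if tamper == "body":
        root.find("Body").text = "order 43"
    elif tamper == "manifest":  # change the external digest inside the Manifest after signing
        root.find(f".//{ds('Manifest')}/{ds('Reference')}/{ds('DigestValue')}").text = digest_b64(b"x")
    return verify(root, KEY)

if __name__ == "__main__":
    print({t or "untouched": scenario(t) for t in (None, "body", "manifest")})
```

Calling scenario(None), scenario("body") and scenario("manifest") returns the (core_ok, core, manifests) tuple for the untouched, body-tampered and Manifest-tampered documents. core_ok is the core validation result; the manifests map is what an application would inspect to apply its own policy to Manifest reference failures, which is the split the question is asking xmlsec to expose without resorting to the IGNORE flag.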
