[xmlsec] enhancement to xmlsec

Moultrie, Ferrell (ISSAtlanta) FMoultrie@iss.net
Wed, 18 Dec 2002 16:15:09 -0500


Aleksey:
  My xml documents that I'm signing/verifying contain repeated nodes of
the same name so any beyond the first node are not addressable by the
--node-name construct supported by xmlsec. Additionally, I'm not using a
dtd so the --node-id doesn't help me out either. Finally, the
sign/verify code accepts the --node-id/--node-name arguments but ignores
them, always signing/verifying the first Signature node found.
  To solve the above issues, I'm attaching suggested changes (relative
to 0.0.10) that allow the --node-name argument to contain an absolute
XPath expression to locate the section of the document to be
signed/verified/etc. If the argument starts with a '/' character, it is
processed as an XPath expression, otherwise it is just a ns:node-name as
before. This shouldn't break anything but allows much greater
flexibility in using xmlsec with complex xml structures.
  For example, "--node-name //Module[2]" would select the 2nd Module
element in the document skeletonized below:
<?xml version="1.0" encoding="UTF-8"?>
<Keys>
  <Modules>
    <Module> first module element including <sig:Signature/> </Module>
    <Module> second module element including <sig:Signature/> </Module>
    <Module> third module element including <sig:Signature/> </Module>
  </Modules>
</Keys>
  Using either "--node-name //Module[1]" or "--node-name Module" would
select the first occurrence (note that the node-name format works just as
it did before).
  While I could have obviously written a new utility to handle manual
signing of my test documents, it seems much better to add this
functionality to the xmlsec application where it could easily be reused
by others. I'm attaching the diffs -- let me know if you need another
format, or a full copy of the xmlsec.c file before/after my changes.
  I have rather thoroughly tested the digital signature
creation/verification but haven't tested encryption/decryption -- but
since it now uses a common routine, what could go wrong, right? (:>)
Thanks!
  Ferrell



Attachment: xmlsec-diff.txt (text/plain)
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------_=_NextPart_001_01C2A6DA.8BAC2789--
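The selection rule proposed in the message, as an added example that is not the xmlsec code and not the attached patch: an argument starting with '/' is treated as an XPath expression, anything else as a namespace/node-name lookup that returns the first match in document order. Two things here are assumptions rather than facts from the message: the namespace form is split at the last ':' (so a URI such as http://www.w3.org/2000/09/xmldsig# survives the split), and Python's ElementTree is used in place of the libxml2 XPath engine that xmlsec links against, so only the ElementTree subset of XPath is handled (for the absolute form, the first step is checked against the root element's name and the rest is evaluated relative to it). The sample documents are constructed from the skeleton in the message, with the sig: prefix bound so they parse and an n= attribute so the selected node can be identified. The second document exists to show the caveat that matters when several Signature elements are in play: //Module[2] means "a Module that is the second Module child of its parent", not "the second Module in the document" (that would be (//Module)[2] in full XPath), so the two can select different nodes once the Module elements are spread over more than one parent.

```python
"""Emulation of an xmlsec-style --node-name argument (added example, not
xmlsec's own code): leading '/' selects by XPath, otherwise by
[namespace-uri:]local-name, first match in document order."""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the skeleton from the message, prefix bound, n= added.
DOC = f"""<Keys xmlns:sig="{DSIG_NS}">
  <Modules>
    <Module n="1"><sig:Signature n="1"/></Module>
    <Module n="2"><sig:Signature n="2"/></Module>
    <Module n="3"><sig:Signature n="3"/></Module>
  </Modules>
</Keys>"""

# Constructed sample where the same three Module elements sit under two
# parents; //Module[2] and "second Module in the document" now differ.
SPLIT_DOC = f"""<Keys xmlns:sig="{DSIG_NS}">
  <Modules><Module n="1"><sig:Signature n="1"/></Module></Modules>
  <Modules><Module n="2"><sig:Signature n="2"/></Module>
           <Module n="3"><sig:Signature n="3"/></Module></Modules>
</Keys>"""


def _find_by_name(root, arg):
    """[namespace-uri:]local-name -> first matching element, or None.
    Assumption: the split is at the LAST ':' so that URIs keep their colons."""
    uri, sep, local = arg.rpartition(":")
    tag = f"{{{uri}}}{local}" if sep else local  # Clark notation {uri}local
    if root.tag == tag:
        return root
    return root.find(f".//{tag}")  # find() yields the first in document order


def _find_by_xpath(root, arg):
    """Absolute XPath in the ElementTree subset -> first match, or None."""
    if arg.startswith("//"):
        return root.find("." + arg)  # //Module[2] -> .//Module[2]
    first, _, rest = arg[1:].partition("/")  # /Keys/Modules/Module[2]
    if first != root.tag:
        return None  # the absolute path names a different root element
    return root if not rest else root.find("./" + rest)


def select_node(root, arg):
    """The dispatch the message proposes: a leading '/' means XPath."""
    if arg.startswith("/"):
        return _find_by_xpath(root, arg)
    return _find_by_name(root, arg)


def selected_marker(xml_text, arg):
    """Return 'LocalName#n' for the node --node-name would pick, or None."""
    node = select_node(ET.fromstring(xml_text), arg)
    if node is None:
        return None
    local = node.tag.rpartition("}")[2]  # strip the {uri} part, if any
    return f"{local}#{node.get('n')}"


if __name__ == "__main__":
    for arg in ("Module", "//Module[1]", "//Module[2]",
                "/Keys/Modules/Module[3]", f"{DSIG_NS}:Signature",
                "/Other/Module"):
        print(f"{arg:50} -> {selected_marker(DOC, arg)}")
    # The caveat: per-step position predicate, not document-wide position.
    print("split document, //Module[2]".ljust(50),
          "->", selected_marker(SPLIT_DOC, "//Module[2]"))
```

When scripting signing or verification against documents like the one in the message, check which node an expression resolves to before trusting the result: with the DOC sample, //Module[2] and /Keys/Modules/Module[3] pick the second and third Module as intended, but against the SPLIT_DOC sample //Module[2] resolves to the Module marked 3, because it is the second Module child of its own parent.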