[xmlsec] XMLSEC Reference URI question

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Wed Jul 24 17:03:58 PDT 2002


xmlsec verify --print-all --trusted new_export.pem test_allkey_04.xml

I've included the PEM-formatted public key, the XML test document and the
output captured from running the 07/12/02 build of xmlsec plus the one fix
you sent me earlier. Let me know if you need anything else.
Thanks!
  Ferrell

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Wednesday, July 24, 2002 5:48 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: 'xmlsec at aleksey.com'; Dodd, Tim (ISS Atlanta)
Subject: Re: [xmlsec] XMLSEC Reference URI question


I am not sure I clearly understand what kind of problem you have. Would you
mind sending me the file you have problems with?

Thanks,

Aleksey

Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  Ok, I've tried to use an XPath Transform to limit the data being 
>verified. Unfortunately, it doesn't appear to work. Here's what I see 
>happening in the
>code:
>
>xmlSecTransformXPathReadNode( ) [xpath.c:203] takes the input 
>xmlSecTransformPtr and upcasts it to a xmlSecXmlTransformPtr. It then 
>stores the parsed XPath string and the "here" node reference in the 
>xmlSecXmlTransform object it points to (at least there's checking of 
>the pointer assignment sanity here).
>
>The caller, xmlSecTransformRead, returns to its caller 
>xmlSecTransformNodeRead with the pointer to the object containing the 
>XPath transform information. The transform is further passed back to 
>xmlSecTransformsNodeRead which calls xmlSecTransformStateUpdate which 
>discovers that the transform type is xmlSecTransformTypeXml and calls 
>xmlSecTransformCreateXml. This routine, because the file is already 
>parsed and both curFirstBinTransform and curC14NTransform in the state 
>object are NULL, does nothing and returns!
>
>This results in the XPath Transform information being parsed and saved 
>but otherwise ignored. The <Signature> block contains the following 
>transform which is parsed and ignored in the above case:
>
>  <sig:Transform 
> Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
>  <sig:XPath>/ISSKeys/Contacts/Contact</sig:XPath> 
>  </sig:Transform>
>
>The result is that adding an XPath transform like the one above is ignored. 
>This works properly with the Apache Java tools so I believe that it's a 
>legal way to construct a reference. Eventually, I'd intended to change 
>the XPath reference to a here()-relative reference to solve my compound 
>document problem but this seemed like a quick/easy test -- 
>unfortunately it's not working.
>
>Is this a bug, or, have I missed something else? Since Apache properly 
>verifies this signature and the code in xmlSecTransformCreateXml seems 
>to be missing any knowledge of this transform, I'm guessing that it's a 
>bug -- but I'll appreciate your advice on how to proceed!
>
>Thanks!
>  Ferrell
>
>=====================================
>Ferrell Moultrie (ferrell at iss.net)
>Software Engineer
>
>Internet Security Systems, Inc.
>6303 Barfield Road
>Atlanta, Georgia 30328
>Phone:  404-236-2600
>Direct: 404-236-2849
>Fax:    404-236-2632
>http://www.iss.net
>
>Internet Security Systems -- The Power to Protect 
>=====================================
>_______________________________________________
>xmlsec mailing list
>xmlsec at aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
>  
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: new_export.pem
Type: application/octet-stream
Size: 2434 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20020724/3fbed075/new_export.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_allkey_04.xml
Type: application/octet-stream
Size: 4239 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20020724/3fbed075/test_allkey_04.obj
-------------- next part --------------
xmlSecSignedInfoRead: failed to validate "Reference"
= XMLDSig Result (validate)
== result: FAIL
== sign method: http://www.w3.org/2000/09/xmldsig#rsa-sha1
== KEY
=== method: RSAKeyValue
=== key name: NULL
=== key type: Public
=== key origin: x509
=== X509 Certificate
==== Subject Name: /C=US/O=Web Developer/OU=IT/CN=ISS Keygen Test
==== Issuer Name: /C=US/O=Web Developer/OU=IT/CN=ISS Keygen Test
==== Issuer Serial: 3CEF18C2
== SIGNED INFO REFERENCES
=== REFERENCE 
==== ref type: SignedInfo Reference
==== result: FAIL
==== digest method: http://www.w3.org/2000/09/xmldsig#sha1
==== uri: 
==== type: NULL
==== id: NULL
==== start buffer:
<ISSKeys Source="ISS Atlanta">
	
	<Contacts>
		<Contact>
			<Keys Address1="2626 Somewhere Lane" Address2="suite 200A" City="Atlanta" Country="US" Email="keys at iss.net" Fax="778-555-1212" Phone="777.555.1212" PostCode="30064" Weburl="http://web.fubar.net"></Keys>
			<CustomerRelations Address1="1313 k nowwhere Lane" Address2="suite 300A" City="Atlanta" Country="US" Email="customer_relations at iss.net" Fax="778-555-7799" Phone="777.555.7788" PostCode="30064" Weburl="http://web.customer_relations_iss.net"></CustomerRelations>
			<Support Address1="1234 Anvil Rd." Address2="suite 440B" City="Atlanta" Country="US" Email="support at iss.net" Fax="778-555-7755" Phone="777.555.7744" PostCode="30064" Weburl="http://web.suport_iss.net"></Support>
			<Version>1.0</Version>
			<OCN>163444</OCN>
			<Source>ISS Atlanta</Source>
			<Serial>ACC64BB4-A53D-AC83-3E6F-E0AB737DEC9D</Serial>
			<Timestamp>2000-06-14 10:34:09</Timestamp>
			<sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
				<sig:SignedInfo>
					<sig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></sig:CanonicalizationMethod>
					<sig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></sig:SignatureMethod>
					<sig:Reference URI="">
						<sig:Transforms>
							<sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
								<sig:XPath>/ISSKeys/Contacts/Contact</sig:XPath>
							</sig:Transform>
							<sig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></sig:Transform>
						</sig:Transforms>
						<sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></sig:DigestMethod>
						<sig:DigestValue>3tPX5xUmcKYHkG3Mv8TBAAYjBIU=</sig:DigestValue>
					</sig:Reference>
				</sig:SignedInfo>
				<sig:SignatureValue>GpbCX9juwQ6k4Hs5j19MSXdtAdxeY9cK06Hb17ugq7f6sIy71gafWWNJ1Na/TKGCrABlgrXWH2VR
asYcPMEmi1RZKDPUzmPAjznKRozjZTS3nn2BrAl1EKLugiqYmer+IG8SOXXTDSiwbmphtsXK+emU
FpUVVxfjLrmk8h6hd4k=</sig:SignatureValue>
				<sig:KeyInfo>
					<sig:X509Data>
						<sig:X509Certificate>...</sig:X509Certificate>
					</sig:X509Data>
					<sig:KeyValue>
						<sig:RSAKeyValue>
							<sig:Modulus>
y6ACsVtGJ69fkeKxJUlZqUP4FJFDIrkrUEi04c8UAAmC6jxu9+mMuLD+766Ztrjp/2anYX0QS7Re
D+Q78ky3a0nmPDIpAzv8P7tUCBc6Yq11w5c1yHSNDdLPxLlX6+JTnUXnmXMsfAyC2cnoevc38gfE
EkEJnS4iCzUC7WHsNgM=
</sig:Modulus>
							<sig:Exponent>AQAB</sig:Exponent>
						</sig:RSAKeyValue>
					</sig:KeyValue>
				</sig:KeyInfo>
			</sig:Signature>
		</Contact>
	</Contacts>
	<EndUsers>
		<EndUser Address1="666 Rockets way" Address2="Apt. B" City="Scienceville" CompanyName="Spacely Sprockets" Country="US" Email="gjetson at sprokets.net" PostCode="" State="Disturbed" SubjectName="George Jetson" Title="Whipping Boy">
			<Version>1.0</Version>
			<OCN>163444</OCN>
			<Source>ISS Atlanta</Source>
			<Serial>CE8135D7-8D27-4BC4-BCA6-2DBDE703B6AE</Serial>
			<Timestamp>2000-06-14 10:34:09</Timestamp>
		</EndUser>
	</EndUsers>
	<LicensedModules>
		<LicensedModule ContactInfo="ACC64BB4-A53D-AC83-3E6F-E0AB737DEC9D" EndUserInfo="CE8135D7-8D27-4BC4-BCA6-2DBDE703B6AE" Identity="RO" LicenseExpiration="2003-06-14" LicenseType="evaluation" Limit="2147483647" LimitOutOfMaintenance="0" MaintenanceExpiration="2003-06-14">
			<Version>1.0</Version>
			<OCN>163444</OCN>
			<Source>ISS Atlanta</Source>
			<Serial>F61BD0F3-D5D9-2F90-A24D-BF989200D712</Serial>
			<Timestamp>2000-06-14 10:34:09</Timestamp>
		</LicensedModule>
	</LicensedModules>
</ISSKeys>
==== end buffer:
= Status:
== Signatures ok: 0
== Signatures fail: 1
== SignedInfo Ref ok: 0
== SignedInfo Ref fail: 1
== Manifest Ref ok: 0
== Manifest Ref fail: 0
Error: operation failed
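An added illustration of the XPath transform semantics under discussion; it is not part of the mail thread, the attached test document, or xmlsec. With Reference URI="", the transform input is the whole document (comments excluded). The REC-xpath-19991116 transform (XMLDSig section 6.6.3) does not sign "the nodes the expression returns": it evaluates the expression once for every node in that input, with that node as the context node, and keeps the node when the result converts to boolean true. An absolute location path such as /ISSKeys/Contacts/Contact returns the same non-empty node-set whatever the context node is, so it keeps every node and the digest covers the entire document; a context-relative test such as ancestor-or-self::Contact is what restricts the digest to the enclosing Contact. The block below is stdlib Python only. Because the standard library has no XPath 1.0 engine, the two expressions are mirrored by Python predicates (an assumption stated in the comments), the filter works at element granularity with attribute and text nodes following their owning element (exact for these two expressions, not for every XPath), the canonicalizer is a simplified C14N for a namespace-free sample, and the ISSKeys document is a constructed sample, not the attachment.

```python
"""XMLDSig XPath transform (REC-xpath-19991116) filter semantics, stdlib only.

The transform evaluates the XPath expression once per node of the input
node-set, with that node as the context node, and keeps the node when the
result converts to boolean true (XMLDSig section 6.6.3).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample loosely modelled on the ISSKeys document in the mail.
# Hypothetical data; no namespaces or comments, so a simplified C14N suffices.
SAMPLE_XML = (
    '<ISSKeys Source="ISS Atlanta">'
    '<Contacts><Contact>'
    '<Serial>ACC64BB4-A53D-AC83-3E6F-E0AB737DEC9D</Serial><Version>1.0</Version>'
    '</Contact></Contacts>'
    '<EndUsers><EndUser CompanyName="Spacely Sprockets">'
    '<Serial>CE8135D7</Serial></EndUser></EndUsers>'
    '</ISSKeys>'
)


def parent_map(root):
    """ElementTree has no parent pointers; build the map the ancestor axis needs."""
    return {child: parent for parent in root.iter() for child in parent}


def xpath_filter(root, predicate):
    """Apply the transform at element granularity.

    Simplification (assumption): attribute and text nodes follow their owning
    element. That is exact for the two predicates below, which are either
    context-independent or pure ancestor tests, but not for every expression.
    """
    parents = parent_map(root)
    return {el for el in root.iter() if predicate(root, el, parents)}


def c14n_nodeset(el, keep, out):
    """Serialise the surviving node-set as C14N does for a partial node-set:
    dropped elements emit no tags, their kept descendants are written in
    document order. Simplified C14N: attributes sorted by name, standard
    escaping; namespaces and comments are absent from the sample."""
    if el in keep:
        attrs = "".join(
            ' %s="%s"' % (k, escape(v, {'"': "&quot;"}))
            for k, v in sorted(el.attrib.items())
        )
        out.append("<%s%s>" % (el.tag, attrs))
        if el.text:
            out.append(escape(el.text))
    for child in el:
        c14n_nodeset(child, keep, out)
        if el in keep and child.tail:  # tail text is owned by the parent element
            out.append(escape(child.tail))
    if el in keep:
        out.append("</%s>" % el.tag)
    return out


def reference_digest(root, predicate):
    """DigestValue for Reference URI="" whose only transform is the XPath filter:
    filter, canonicalise the surviving node-set, SHA-1 (the mail's DigestMethod),
    base64. Returns (digest, canonical bytes)."""
    keep = xpath_filter(root, predicate)
    canon = "".join(c14n_nodeset(root, keep, [])).encode("utf-8")
    return base64.b64encode(hashlib.sha1(canon).digest()).decode("ascii"), canon


def absolute_path(root, node, parents):
    """Stand-in for <XPath>/ISSKeys/Contacts/Contact</XPath> (assumption: Python
    mirrors the expression). An absolute location path ignores the context node,
    so it yields the same non-empty node-set, i.e. true, for every node: the
    transform keeps the whole document."""
    return root.tag == "ISSKeys" and root.find("Contacts/Contact") is not None


def ancestor_or_self_contact(root, node, parents):
    """Stand-in for <XPath>ancestor-or-self::Contact</XPath>: true only for a
    Contact element and the nodes beneath it, so only that subtree is digested."""
    while node is not None:
        if node.tag == "Contact":
            return True
        node = parents.get(node)
    return False


def demo():
    """Compare the two transforms on the sample document."""
    root = ET.fromstring(SAMPLE_XML)
    whole_doc = ET.canonicalize(SAMPLE_XML).encode("utf-8")
    d_abs, canon_abs = reference_digest(root, absolute_path)
    d_anc, canon_anc = reference_digest(root, ancestor_or_self_contact)
    return {
        "absolute_path_is_noop": canon_abs == whole_doc,
        "ancestor_keeps_contact_only": canon_anc.startswith(b"<Contact>")
        and b"EndUser" not in canon_anc,
        "digests_differ": d_abs != d_anc,
    }


if __name__ == "__main__":
    print(demo())
```

The useful check when a transform "has no effect" on verification is exactly the first flag: if the filtered canonical form equals the untransformed document, the transform did not narrow what was signed, regardless of which toolkit accepted the signature. Real verifiers also have to apply the transform to attribute, text and namespace nodes individually, which is why the spec's own examples are written with ancestor-or-self and here() rather than absolute paths.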
