[xmlsec] Re: xmlsec question - empty node set from XPath

Aleksey Sanin aleksey at aleksey.com
Fri Jul 26 08:38:39 PDT 2002

Hi, Moultrie!

I don't think that this is a library business to determine does the 
actually signs something or not. From a formal point of view the signature
*is* valid! And empty XPath result is only one possible way of getting
"empty" signature (for example, you are signing a de-attached file and 
it is empty).
 XMLSec library provides the application  a very simple way of getting 
signed data (in the xmlsec application you see this with "--print-all" 
And I believe that the application should be responsible for checking this
because of an old rule "sign what you see".


Moultrie, Ferrell (ISSAtlanta) wrote:

>  In xpath.c [line 594] you check if the result of the XPath Transform is
>NULL. Should it not also check if the node set is empty, i.e.,
>    if((*nodes) == NULL || (*nodes)->nodeNr == 0) {
>  It's quite possible (easy even) to mistakenly code an XPath Transform that
>selects nothing. The result is that Apache dutifully signs nothing and
>xmlsec verifies nothing. Thus, nothing is being verified even though there
>is the appearance that the document content is valid. The only clue you get
>to this is running xmlsec in --print-all mode doesn't print a content buffer
>because there isn't one. Is the case of an empty Transform result defined to
>work this way or can/should xmlsec reject it as a flawed Transform?
>  Ferrell
>Ferrell Moultrie (ferrell at iss.net)
>Software Engineer
>Internet Security Systems, Inc.
>6303 Barfield Road
>Atlanta, Georgia 30328
>Phone:  404-236-2600
>Direct: 404-236-2849
>Fax:    404-236-2632
>Internet Security Systems -- The Power to Protect

More information about the xmlsec mailing list