[xmlsec] Problem with ver 0.0.11
aleksey at aleksey.com
Wed Dec 4 09:09:33 PST 2002
I believe you have a different issue. In your case there is a problem here:
According to the spec you have two possible options for the URI
- use '#id' syntax where 'id' is an ID attribute of an element;
- use '#xpointer(expr)' syntax where 'expr' is any valid xpointer
As far as I can understand the spec you are *not* allowed to use xpointer
expressions in the '#id' syntax (there is a really simple reason for
this: if this is allowed then XPointer could not decide what '#1234'
means - is it a number or an ID attribute).
The change in xmlsec library behavior was caused by the fix I put in 
and I believe
that the current way of processing Reference URI attribute is correct.
get the same results as before by slightly changing your signature to:
And explicitly adding C14N transform to exclude comments (if you wish to
do so) because
'#xpointer()' syntax *includes* all selected comments and '#id' does not
(see  for details).
I am sorry for the inconvenience caused by this bug fix but I want to make
as more standard compliant as I can.
With best regards,
Matthias Jung wrote:
> Sorry, I can't agree to this.
> Signatures, passing validation using the command line tool of xmlsec
> 0.0.10, will fail when they are verified with version 0.0.11
> I receive the following error message:
> F:\dev\dbc\Tests\XML\DSig>xmlsec verify --trusted CACert.pem
> (..\src\transforms.c:1181): error 4: xml operation failed :
> (..\src\transforms.c:881): error 2: xmlsec operation failed :
> (..\src\xmldsig.c:1602): error 2: xmlsec operation failed :
> (..\src\xmldsig.c:1476): error 2: xmlsec operation failed :
> xmlSecReferenceRead - -1
> (..\src\xmldsig.c:1175): error 2: xmlsec operation failed :
> xmlSecSignedInfoRead - -1
> (..\src\xmldsig.c:733): error 2: xmlsec operation failed :
> xmlSecSignatureRead - -1
> Verification of all of my tests using xpointer expressions in xmlsec
> 0.0.11 fail, something seems to be wrong with xpointer evaluation
> (strange because this is done by libxml).
> I am quite sure that compiler flags are exactly the same as in the
> old version. This should not be the problem.
> I have attached to this mail a signed xml-file from my testsuite and
> the certificate file needed to verify the signature (hope they will be
> posted too).
> To see if this is an xmlsec problem or not, please check if the
> signature is valid on your (Windows) xmlsec environment.
> Cheers Matthias
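
The following is an added example, not part of the original thread and not xmlsec code: it shows why a digest changes when a Reference URI moves from the '#id' form to the '#xpointer(expr)' form, and why an explicit comment-excluding C14N step restores it. Assumptions: the function names, the `Id` attribute name, SHA-256 as the digest, and Python's `ET.canonicalize` (C14N 2.0) standing in for the canonicalization a real verifier would apply.

```python
import copy
import hashlib
import re
import xml.etree.ElementTree as ET

NCNAME = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")  # simplified, ASCII-only NCName
XPTR_ID = re.compile(r"#xpointer\(id\((['\"])(.+?)\1\)\)")


def classify_reference_uri(uri):
    """Return (form, target_id, selects_comments) for a same-document URI."""
    if uri == "":
        return ("document", None, False)
    if uri == "#xpointer(/)":
        return ("document", None, True)
    m = XPTR_ID.fullmatch(uri)
    if m:
        return ("xpointer", m.group(2), True)
    if uri.startswith("#") and NCNAME.fullmatch(uri[1:]):
        return ("id", uri[1:], False)
    # e.g. "#id('d1')": an xpointer expression written in the '#id' form
    raise ValueError("not '#id' and not a supported '#xpointer(expr)': %r" % uri)


def reference_digest(doc_xml, uri, exclude_comments_c14n=False, id_attr="Id"):
    """Digest the nodes selected by `uri` after canonicalization."""
    form, target, comments = classify_reference_uri(uri)
    # Keep comments while parsing; the stdlib parser drops them by default.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(doc_xml, parser=parser)
    node = root if target is None else next(
        el for el in root.iter() if el.get(id_attr) == target)
    node = copy.copy(node)
    node.tail = None  # text following the element is not part of the selection
    text = ET.tostring(node, encoding="unicode")
    # '#xpointer()' keeps comments unless a comment-excluding C14N is added.
    keep = comments and not exclude_comments_c14n
    canonical = ET.canonicalize(xml_data=text, with_comments=keep)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Constructed sample document, not the file attached to the thread.
SAMPLE = '<Doc><Data Id="d1">payload<!-- reviewer note --></Data></Doc>'

if __name__ == "__main__":
    for uri in ("#d1", "#xpointer(id('d1'))"):
        print(uri, reference_digest(SAMPLE, uri))
```
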