[xmlsec] signing failure with 0.0.13 that work with 0.0.10

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Wed Mar 19 10:18:26 PST 2003


Aleksey:
  Looking at the base code in 0.0.10 and the changes I sent you for
XPath support (--node-xpath) versus what is in 0.0.13, I see what is
causing the problem. In 0.0.10, the command line argument pointed to an
element that contained the Signature node. The code then called
xmlSecFindNode to locate the Signature node within that element. The
0.0.13 code however expects that the --node-xpath (or --node-name or
--node-id) points to the Signature node itself. Personally, I find this
to be a lot more difficult to use than the previous plan although it
does allow the Signature node to be called something besides Signature
(although I thought the spec said it had to be called Signature). 
  What was the rationale behind this change and would you consider
changing it back? The change to restore the semantic of what node is
actually being specified would be easy to implement in findStartNode()
but I wanted to see why you changed this before I mucked with the code.
Thanks!
  Ferrell

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Tuesday, March 18, 2003 7:26 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: xmlsec at aleksey.com
Subject: Re: [xmlsec] signing failure with 0.0.13 that work with 0.0.10


Hi, Ferrell!

The error you have says that instead of expected <dsig:Signature> node
in the xmlSecDSigGenerate() function you've got something else. Using
"testXPath" utility from LibXML package I can confirm that:

[aleksey at lsh ferrel]$ ./testXPath --input test-signed.xml "//Contact[1]"
Object is a Node Set :
Set contains 1 nodes:
1  ELEMENT Contact
    ATTRIBUTE Id
      TEXT
        content=f6b1af52-0ba8-11d7-87ec-c3c034e4ae6a

As you can see, you have selected a wrong "start node" (Contact instead
of <dsig:Signature>). Simply changing the xpath expression helps:

[aleksey at lsh ferrel]$ ./testXPath --input test-signed.xml "//Contact/*[6]"
Object is a Node Set :
Set contains 1 nodes:
1  ELEMENT sig:Signature
    namespace sig href=http://www.w3.org/2000/09/xmldsig#
[aleksey at lsh ferrel]$ xmlsec sign --node-xpath '//Contact/*[6]' --privkey rsakey.pem test-signed.xml
<?xml version="1.0" encoding="UTF-8"?>
<Keys Source="Atlanta"><!-- generated TestKey keygen 
--><Contacts><Contact Id="f6b1af52-0ba8-11d7-87ec-c3c034e4ae6a">
....

From my point of view, your original XPath expression to select the
<dsig:Signature> node is incorrect and I am not sure that I understand
how it used to work. Maybe there was a bug in LibXML and you got it
fixed with the new LibXML version.


With best regards,
Aleksey
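The two "start node" semantics discussed in this thread (0.0.10 searching for the Signature inside the selected element, 0.0.13 requiring the selected element to be the Signature itself), emulated in Python as an added example; this is not xmlsec's own findStartNode() code, and the sample document, its Id value and the function names are constructed for illustration:

```python
"""Emulate how xmlsec's start node selection behaved in 0.0.10 versus
0.0.13, so an XPath can be sanity-checked before it is handed to
`xmlsec sign --node-xpath`. Added example; not code from xmlsec."""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = "{%s}Signature" % DSIG_NS

# Constructed sample shaped like the thread's document: a Contact whose
# sixth child is the enveloped Signature (Id value is a placeholder).
SAMPLE_XML = """<Keys Source="Atlanta">
  <Contacts>
    <Contact Id="ID-PLACEHOLDER">
      <Name>n</Name><Phone>p</Phone><Email>e</Email><Org>o</Org><Role>r</Role>
      <sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
        <sig:SignedInfo/><sig:SignatureValue/>
      </sig:Signature>
    </Contact>
  </Contacts>
</Keys>"""


def find_start_node(selected, legacy):
    """Return the dsig:Signature element xmlsec would work from, or None.
    legacy=True mimics 0.0.10 (search inside the selected element);
    legacy=False mimics 0.0.13 (the selected element must be the
    Signature itself)."""
    if selected.tag == SIG_TAG:
        return selected
    if legacy:
        return selected.find(".//" + SIG_TAG)
    return None


def check_selection(xml_text, path, legacy):
    """Resolve an ElementTree path and report whether it yields a usable
    start node under the chosen semantics. Returns (ok, message)."""
    root = ET.fromstring(xml_text)
    nodes = root.findall(path)
    if len(nodes) != 1:
        return False, "path must match exactly one node, got %d" % len(nodes)
    sig = find_start_node(nodes[0], legacy)
    if sig is None:
        # This is the failure the thread describes: a wrong "start node".
        return False, "wrong start node: <%s> is not dsig:Signature" % nodes[0].tag
    return True, "start node is <%s>" % sig.tag


if __name__ == "__main__":
    for path in (".//Contact", ".//" + SIG_TAG):
        for legacy in (True, False):
            print(path, "0.0.10" if legacy else "0.0.13", check_selection(SAMPLE_XML, path, legacy))
```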