[xmlsec] Xml Signature verification failure

Aleksey Sanin aleksey at aleksey.com
Thu Jun 19 10:43:24 PDT 2003


Half an hour of digging in the logs, and I think I have an explanation:
    0) The xmldsigverifier was compiled in April 2002 and it is more than
    a year old now (probably I need to upgrade it :) )
    1) The c14n code in libxml2 version 2.4.20 that was used to compile
    xmldsigverifier returns exactly the results you describe
    2) The namespace processing in c14n.c was fixed around July 31, 2002
    in order to support Merlin's new c14n tests (merlin-c14n-three).
    As far as I can remember and as far as I can see from the code, this
    change solves exactly this problem.

Bottom line: there was a bug and it was fixed almost a year ago,
xmldsigverifier on the web site is obsolete (and I hope I will have
time to update it soon).

Now I would like to repeat my explanations. I would appreciate if Rich or
someone else familiar with c14n specifications:

We have something like this:
   <Root xmlns="http://examples.com">
       <Object>Test</Object>
   </Root>
According to the spec [1], the non-default namespace node is
rendered only if it is in the XPath node-set. In our case,
the XPath expression selects *only* <Object/> node itself
and none of its namespaces or attributes nodes. Thus I think
that xmlsec/libxml do the right thing by returning
   <Object></Object>
after c14n.


Aleksey


[1] http://www.w3.org/TR/2001/REC-xml-c14n-20010315#ProcessingModel
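
The node-set rule discussed in the message above, as an added example that is not part of the original post and is not xmlsec or libxml2 code. It is a simplified model of the C14N 1.0 processing model limited to elements, text and namespace nodes; the function names and the `("ns", element, prefix)` representation of a namespace node are assumptions made for illustration.

```python
from xml.dom import minidom

# Constructed sample: the document quoted in the message above.
DOC = '<Root xmlns="http://examples.com"><Object>Test</Object></Root>'

def load():
    """Parse DOC and return (document, Root, Object, text node 'Test')."""
    doc = minidom.parseString(DOC)
    obj = doc.documentElement.firstChild
    return doc, doc.documentElement, obj, obj.firstChild

def ns_axis(elem):
    """Namespace nodes of elem as {prefix: URI}, inherited from ancestors."""
    chain, scope = [], {}
    while elem is not None and elem.nodeType == elem.ELEMENT_NODE:
        chain.append(elem)
        elem = elem.parentNode
    for e in reversed(chain):
        for name, value in e.attributes.items():
            if name == "xmlns" or name.startswith("xmlns:"):
                scope[name[6:]] = value
    return {p: u for p, u in scope.items() if u}  # xmlns="" undeclares

def esc(s, quote=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    return s.replace('"', "&quot;") if quote else s.replace(">", "&gt;")

def c14n_subset(node, nodeset, inherited=None):
    """Simplified C14N 1.0 rendering of a node-set: elements, text and
    namespace nodes only (no attributes, comments, PIs, xmlns="" case)."""
    inherited = inherited or {}
    if node.nodeType == node.TEXT_NODE:
        return esc(node.data) if node in nodeset else ""
    tag_open = tag_close = ""
    if node.nodeType == node.ELEMENT_NODE and node in nodeset:
        # A namespace node is written only if it is itself in the node-set,
        # and not if the nearest output ancestor already carries it.
        mine = {p: u for p, u in ns_axis(node).items()
                if ("ns", node, p) in nodeset}
        decls = "".join(' xmlns%s="%s"' % (":" + p if p else "", esc(u, True))
                        for p, u in sorted(mine.items()) if inherited.get(p) != u)
        tag_open, tag_close = "<%s%s>" % (node.tagName, decls), "</%s>" % node.tagName
        inherited = mine
    return tag_open + "".join(c14n_subset(c, nodeset, inherited)
                              for c in node.childNodes) + tag_close

def demo():
    doc, root, obj, text = load()
    return (c14n_subset(doc, {obj}),  # node-set holds only the element
            c14n_subset(doc, {obj, text, ("ns", obj, "")}))
```

The first value returned by `demo()` is the output for a node-set that holds only the element; the second shows the declaration and text appearing once their nodes are in the node-set, which changes the bytes that get digested.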
