[xmlsec] DigestValue, xmlsec failure, need guidance.

Artur BUJDOSO artur.bujdoso at saveas.hu
Fri Mar 12 04:32:20 PST 2004


Yes, that's what I wanted to know. The author admitted that it was his
fault and that he forgot to include the Id= in the Body.
By telling me that it is impossible, you convinced me that first I have
to inform him about his violation of the standards.

Another strange fact (telling it just for fun) is that the DigestValue hash
in his example was a precise, fine-crafted, robust SHA1 hash of a NULL
string, mainly because of the missing Id. :-)

Now we're arguing about the canonicalization, since his documents still do
not pass the online XMLSEC verifier. His referenced Body section has a
lot of namespaces in it, and canonicalization moves these to the beginning
of the whole document (it seems that he first calculates the hash, makes
its envelope, then canonicalizes it), and since neither he nor I am sure
about the standards, I want to pass it through the online verifier
first, because it's a good reference when we're asked about the validity
of our verification procedure.

By the way, does it make a difference, that it's not a simple signed XML
document but XML SOAP? I think it shouldn't.




Aleksey Sanin wrote:

>I am not sure I understand you. You don't have ID attribute in an element,
>you can't add it because it'll break everything but you still want
>to reference it as "#...."? I am not sure there is a way to do this
>and I am not sure it's a good idea at all (from security point of view).
>
>Aleksey
>
>
>Artur BUJDOSO wrote on 3/11/2004, 4:17 AM:
>
>>Is there a way to declare an ID attribute, if it's not present by 
>>Id="Body" in the Referenced tag? I mean, I got <soapenv:Body> but no 
>><soapenv:Body Id="Body">. The latter is accepted by XMLSEC, but true, it 
>>modifies the verified document. 
>>
>>Artur 
>>
>>Aleksey Sanin wrote: 
>>
>>
>>>If you modified the signed document then you'll 
>>>get a different digest. Either use external DTD or 
>>>declare ID attributes from your program as explained 
>>>in the FAQ. 
>>>
>>>Aleksey 
>>>
>>>
>>>Artur BUJDOSO wrote on 3/10/2004, 10:30 AM: 
>>>
>>>>Thanks for the reply. 
>>>>
>>>>Yes, I've read it and tried to declare at the beginning of the document 
>>>>the Reference ID, and even tried to replace the URI with the ID. 
>>>>Following (short) result: 
>>>>
>>>>func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=164:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match 
>>>>
>>>>The PreDigest data buffer, seems to contain the whole document, is this 
>>>>normal? 
>>>>
>>>>Since the author of the document generator admitted that he isn't sure about standards at all, it might be a wrong DigestValue. 
>>>>
>>>>Artur 
>>>>
>>>>
>>>>
>>>>Aleksey Sanin wrote: 
>>>>
>>>>
>>>>>Section 3.2 from the FAQ http://www.aleksey.com/xmlsec/faq.html 
>>>>>
>>>>>Aleksey 
>>>>>
>>>>>Artur BUJDOSO wrote on 3/10/2004, 7:25 AM: 
>>>>>
>>>>>
>>>>>>func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 
>>>>>>library function failed:expr=xpointer(id('Body')) 
>>>>>>
>>>>_______________________________________________ 
>>>>xmlsec mailing list 
>>>>xmlsec at aleksey.com 
>>>>http://www.aleksey.com/mailman/listinfo/xmlsec 
>>>>
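Two of the symptoms in this thread can be caught before a document is handed to xmlsec at all: a Reference URI="#Body" that resolves to nothing because no element carries a declared ID attribute, and a DigestValue that is simply the hash of an empty octet stream (SHA1 of the empty string is da39a3ee...0709, base64 2jmj7l5rSw0yVb/vlWAYkK/YBwk=). The script below is an added example written for this archive page; it is not xmlsec code and was not posted in the thread. It uses only the Python standard library. The two SOAP envelopes are constructed samples, and the list of ID attribute names it accepts (Id, ID, id, in any namespace, so a wsu:Id also counts) is an assumption standing in for what xmlsec learns from a DTD, a schema, a call to xmlSecAddIDs(), or the xmlsec1 tool's --id-attr option (e.g. `--id-attr:Id Body`). It deliberately does not recompute digests: that requires applying the Reference's Transforms, and, as the message above illustrates, inclusive C14N of a Body subtree carries the ancestors' in-scope namespace declarations into the octet stream while exclusive C14N does not, so the canonicalization algorithm has to be honoured exactly. The ambiguity check is there because two elements carrying the same ID is the setup for a signature-wrapping attack.

```python
"""Pre-flight checks for XML-DSig same-document References in a SOAP envelope.

Added example, not part of xmlsec. Flags (1) URI="#x" that no element's ID
attribute resolves to, (2) the same ID on several elements, and (3) a
DigestValue that equals the digest of the empty string, i.e. the reference
resolved to nothing when the document was signed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# DigestMethod algorithm URIs -> hashlib names (assumption: only these two are handled)
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}


def empty_digest_b64(hash_name):
    """Base64 digest of the empty octet stream; for sha1 this is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=."""
    return base64.b64encode(hashlib.new(hash_name, b"").digest()).decode("ascii")


def find_by_id(root, wanted, id_attrs=("Id", "ID", "id")):
    """Approximation of xmlsec's 'known ID attributes': every element whose attribute
    with one of these local names (any namespace) has the value `wanted`."""
    hits = []
    for el in root.iter():
        for name, value in el.attrib.items():
            if name.rsplit("}", 1)[-1] in id_attrs and value == wanted:
                hits.append(el)
    return hits


def check_references(xml_text, id_attrs=("Id", "ID", "id")):
    """Return [(URI, [problem, ...]), ...] for every ds:Reference in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        method = ref.find(f"{{{DS}}}DigestMethod")
        value = ref.find(f"{{{DS}}}DigestValue")
        hash_name = DIGEST_ALGS.get(method.get("Algorithm", "") if method is not None else "")
        digest = (value.text or "").strip() if value is not None else ""
        problems = []
        if uri.startswith("#"):
            targets = find_by_id(root, uri[1:], id_attrs)
            if not targets:
                problems.append(f"unresolvable: no element carries an ID attribute {uri[1:]!r}")
            elif len(targets) > 1:
                problems.append(f"ambiguous: {len(targets)} elements carry ID {uri[1:]!r}")
        if hash_name and digest == empty_digest_b64(hash_name):
            problems.append(f"DigestValue is the {hash_name} digest of the empty string")
        findings.append((uri, problems))
    return findings


# Constructed sample: the Body has no Id attribute, and the DigestValue is SHA1("") in
# base64. The SignatureValue is a placeholder (base64 of "signature-placeholder").
BAD_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#Body">
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
  </ds:Signature>
 </soapenv:Header>
 <soapenv:Body><m:Ping xmlns:m="urn:example:ping"/></soapenv:Body>
</soapenv:Envelope>"""

# Same envelope with Id="Body" present and a digest that is not the empty-string digest.
# The replacement digest is a constructed placeholder, not a real digest of the Body.
GOOD_ENVELOPE = BAD_ENVELOPE.replace("<soapenv:Body>", '<soapenv:Body Id="Body">').replace(
    "2jmj7l5rSw0yVb/vlWAYkK/YBwk=", "bm90LXRoZS1lbXB0eS1kaWdlc3Q=")


if __name__ == "__main__":
    for label, doc in (("missing Id", BAD_ENVELOPE), ("Id present", GOOD_ENVELOPE)):
        for uri, problems in check_references(doc):
            print(f"{label}: {uri}: {problems or 'no findings'}")
```

Run against the first sample it reports both tell-tales for #Body; against the second it reports nothing, which only means the reference resolves and the digest is not the empty-string hash. Whether the digest is actually correct is still xmlsec's job, with the ID attribute registered the way the FAQ describes.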