[xmlsec] DigestValue, xmlsec failure, need guidance.
Aleksey Sanin
aleksey at aleksey.com
Fri Mar 12 08:33:58 PST 2004
Artur BUJDOSO wrote on 3/12/2004, 4:32 AM:
> Yes, that's what I wanted to know. The author admitted that it was his
> fault and that he forgot to include the Id= on the Body.
> By telling me that it is impossible, you convinced me that first I have
> to inform him about his violation of the standards.
>
> Another strange fact (telling it just for fun): the DigestValue hash
> in his example was a precise, fine-crafted, robust SHA1 hash of a NULL
> string, mainly because of the missing Id. :-)
>
> Now we're arguing about the canonicalization, since his document still does
> not pass the online XMLSEC verifier. His referenced Body section has a
> lot of namespaces in it, and canonicalization moves these to the beginning
> of the whole document (it seems that he first calculates the hash, makes
> its envelope and then canonicalizes it), and since neither he nor I am sure
> about the standards, I want to pass it through the online verifier
> first, because it's a good reference when we're asked about the
> validity of our verification procedure.
>
> By the way, does it make a difference, that it's not a simple signed XML
> document but XML SOAP? I think it shouldn't.
>
> Aleksey Sanin wrote:
>
> >I am not sure I understand you. You don't have ID attribute in an element,
> >you can't add it because it'll break everything but you still want
> >to reference it as "#...."? I am not sure there is a way to do this
> >and I am not sure it's a good idea at all (from security point of view).
> >
> >Aleksey
> >
> >
> >Artur BUJDOSO wrote on 3/11/2004, 4:17 AM:
> >
> >
> >>Is there a way to declare an ID attribute if it's not present as
> >>Id="Body" in the referenced tag? I mean, I got <soapenv:Body> but no
> >><soapenv:Body Id="Body">. The latter is accepted by XMLSEC, but, true, it
> >>modifies the verified document.
> >>
> >>Artur
> >>
> >>Aleksey Sanin wrote:
> >>
> >>>If you modified the signed document then you'll
> >>>get a different digest. Either use external DTD or
> >>>declare ID attributes from your program as explained
> >>>in the FAQ.
> >>>
> >>>Aleksey
> >>>
> >>>
> >>>Artur BUJDOSO wrote on 3/10/2004, 10:30 AM:
> >>>
> >>>>Thanks for the reply.
> >>>>
> >>>>Yes, I've read it and tried to declare the Reference ID at the beginning
> >>>>of the document, and even tried to replace the URI with ID.
> >>>>Following (short) result:
> >>>>
> >>>>func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=164:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
> >>>>
> >>>>The PreDigest data buffer seems to contain the whole document; is this
> >>>>normal?
> >>>>
> >>>>Since the author of the document generator admitted that he isn't sure about standards at all, it might be a wrong DigestValue.
> >>>>
> >>>>Artur
> >>>>
> >>>>Aleksey Sanin wrote:
> >>>>
> >>>>>Section 3.2 from the FAQ http://www.aleksey.com/xmlsec/faq.html
> >>>>>
> >>>>>Aleksey
> >>>>>
> >>>>>Artur BUJDOSO wrote on 3/10/2004, 7:25 AM:
> >>>>>
> >>>>>>func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('Body'))
> >>>>>>
> >>>>_______________________________________________
> >>>>xmlsec mailing list
> >>>>xmlsec at aleksey.com
> >>>>http://www.aleksey.com/mailman/listinfo/xmlsec
> >>>>
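The thread turns on two things a verifier has to get right. First, a same-document Reference such as URI="#Body" can only be resolved if the verifier knows which attribute is an ID, which is why xpointer(id('Body')) fails until the ID is declared (by DTD or, in xmlsec, by registering the attribute name from the application with xmlSecAddIDs as the FAQ describes) and why adding Id="Body" by hand changes the bytes being digested. Second, a DigestValue equal to base64(SHA-1("")) is a tell that the signer's reference resolved to nothing and it hashed an empty string. The Python below is an added example, not xmlsec code and not from anyone in the thread. It assumes a constructed SOAP envelope with a ds:Signature in the Header that references the Body, and it uses the standard library's C14N 2.0 (xml.etree.ElementTree.canonicalize) as a stand-in for the Inclusive C14N 1.0 a 2004-era signature would declare, so its digests are not interoperable with a real XML-DSig toolkit. It covers only the Reference digest step, not SignatureValue.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("soapenv", SOAP_NS)

# base64(SHA-1("")): the DigestValue a signer emits when its Reference resolved to
# nothing and it hashed an empty byte string, as happened in the thread above.
EMPTY_SHA1_B64 = base64.b64encode(hashlib.sha1(b"").digest()).decode()

# Attribute names this application declares as IDs. xmlsec needs the equivalent
# declaration (DTD or xmlSecAddIDs) before xpointer(id('Body')) can resolve.
ID_ATTRIBUTES = ("Id", "ID", "id")


def find_by_id(root, id_value):
    """Resolve a same-document fragment by scanning the declared ID attributes."""
    for el in root.iter():
        if any(el.get(name) == id_value for name in ID_ATTRIBUTES):
            return el
    return None


def digest_element(el):
    """Canonicalize one element and return base64(SHA-1(c14n)).
    Stand-in: stdlib C14N 2.0 rather than the Inclusive C14N 1.0 of XML-DSig 2002."""
    node = copy.copy(el)
    node.tail = None  # whitespace after the element is not part of what is signed
    c14n = ET.canonicalize(ET.tostring(node, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode()


def verify_references(xml_text):
    """Check every ds:Reference with a '#id' URI; return [(uri, status), ...]."""
    root = ET.fromstring(xml_text)
    results = []
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        claimed = ref.findtext(f"{{{DS_NS}}}DigestValue", "").strip()
        if claimed == EMPTY_SHA1_B64:
            results.append((uri, "digest-of-empty-string"))  # signer hashed nothing
            continue
        if not uri.startswith("#"):
            results.append((uri, "unsupported-uri"))
            continue
        target = find_by_id(root, uri[1:])
        if target is None:
            results.append((uri, "unresolved"))  # where xmlsec reports xmlXPtrEval failing
            continue
        ok = hmac.compare_digest(digest_element(target), claimed)
        results.append((uri, "match" if ok else "mismatch"))
    return results


def build_envelope(amount, digest_value, with_id=True):
    """Constructed sample: SOAP message with a Header signature referencing the Body."""
    id_attr = ' Id="Body"' if with_id else ""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
        '<soapenv:Header>'
        f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo>'
        '<ds:Reference URI="#Body">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f'<ds:DigestValue>{digest_value}</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo></ds:Signature>'
        '</soapenv:Header>'
        f'<soapenv:Body{id_attr}><order><amount>{amount}</amount></order></soapenv:Body>'
        '</soapenv:Envelope>'
    )


def sign_envelope(amount):
    """Produce a correctly digested message: resolve #Body, hash it, fill DigestValue in."""
    draft = ET.fromstring(build_envelope(amount, "placeholder"))
    body = find_by_id(draft, "Body")
    return build_envelope(amount, digest_element(body))


if __name__ == "__main__":
    good = sign_envelope("100")
    print(verify_references(good))                                   # match
    print(verify_references(good.replace("<amount>100", "<amount>1")))  # mismatch
    print(verify_references(build_envelope("100", EMPTY_SHA1_B64)))  # digest-of-empty-string
    print(verify_references(build_envelope("100", "x", with_id=False)))  # unresolved
```

The four outcomes map onto the thread: a Body without a declared ID is "unresolved" (the xpointer failure), a DigestValue of 2jmj7l5rSw0yVb/vlWAYkK/YBwk= is the empty-string hash and is flagged before any canonicalization is attempted, and only a digest computed over the element the Reference actually resolves to can "match".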