[xmlsec] Stylesheet processing and XML DSIG validation error
Pere Rosell
prosell at gs1es.org
Tue Oct 11 09:09:03 PDT 2005
Good afternoon,
I use XMLSEC with OPENSSL to digitally sign XML documents generated by
users in an application. The application uses the enveloped structure of
digital signature as described by W3C. Once they are signed the message
is sent to a Server that adds a reference to a Stylesheet and resends the
message to the final recipient.
To sum up:
Generate XML -> Digital Signature Enveloped -> Send to a server -> Add a
reference to a Stylesheet -> Resend to the recipient -> Digital Signature
Validation -> FAILS!!!!
<?xml version="1.0" encoding="ISO-8859-1" ?>
<?xml-stylesheet type="text/xsl" href="xsl-file.xsl" ?>
<Data>
  <tag1>....</tag1>
  <tag2>....</tag2>
  <tag3>....</tag3>
  <tag4>....</tag4>
  <tag5>....</tag5>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>CijZOCM6Ptz9VefvxZJyMqMkqFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue Id="Id">
GRx0ii8XZqA4bNidS/Z4cj2mvlUh4MKtlx90uRIwUOeFvkJHOGkIlOAgBxPguycMT5L7L0Zmli1k
55wZcdSYqA==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>
uK9qiaJVg7mCqO78knbsiwLAopdG4RtIjoF0gyM0KS/zFjeJ07kqu5VFMDYoCjpslKKN8gcK4QaA
tV6frw7mIQ==
          </ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
      <ds:X509Data>
        <ds:X509Certificate>
MIIC9jCCAd6gAwIBAgICAvAwDQYJKoZIhvcNAQEEBQAwgZUxCzAJBgNVBAYTAkVTMQ8wDQYDVQQI
EwZFU1BBTkExEjAQBgNVBAcTCUJBUkNFTE9OQTEOMAwGA1UEChMFQUVDT0MxDjAMBgNVBAsTBUFF
Q09DMSMwIQYDVQQDExpDRVJUIEFFQ09DIFBBUkEgQUVDT0MtREFUQTEcMBoGCSqGSIb3DQEJARYN
aW5mb0BhZWNvYy5lczAeFw0wNTA5MjIwOTU5NThaFw0wNjA5MjIwOTU5NThaMD8xHDAaBgNVBAMT
E1BFUkUgUk9TRUxMIC0gQUVDT0MxHzAdBgkqhkiG9w0BCQEWEHByb3NlbGxAYWVjb2MuZXMwXDAN
BgkqhkiG9w0BAQEFAANLADBIAkEAuK9qiaJVg7mCqO78knbsiwLAopdG4RtIjoF0gyM0KS/zFjeJ
07kqu5VFMDYoCjpslKKN8gcK4QaAtV6frw7mIQIDAQABo20wazAbBgNVHREEFDASgRBwcm9zZWxs
QGFlY29jLmVzMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUvp5AA7BytTa1MZ1XtFS2M3MuZRQw
HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBBAUAA4IBAQCj8/gDuYEt
fJDQ106gzpyWkC+9Km8NIxM9G49LNF2sTPArAzTm7BLkAkEXJwtndytCLVwKGsX4E/OlDKpFVMFZ
BAUhl7gBmpjD1CHXw3iyD9JZewPTh2rF7+0pw09I/KjDt/tzrvUx8ClpUwATBU6uHEsbLhjvNLe/
C9H/RAH1eIQkEoIE/vQ4WmitkqsT6G/PqTPpB+MLfKKAOhK40wgyewE98LX7PLQGS9IAHetghn90
CWvWTToA60oynCZWqBHcQImFE0/HjSQ1/U9WPlwVAICWwO/GDYwqzXna1TpkHC4EZ2luOxDt4eCM
sULuEcOVq2ew48Tsl1XfmA5hXr/A
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</Data>
From W3C specs:
Signature, Enveloped
The signature is over the XML content that contains the signature as
an element. The content provides the root XML document element.
Obviously, enveloped signatures must take care not to include their
own value in the calculation of the SignatureValue.
Since the XSL is added out of the Data tag it should not be taken into
account in the signature process.
I am getting lost somewhere because the reference is out of the root
element so that it should not be taken into account in the validation
process.
Can you help me?
Thanks for your time and help and I look forward to hearing from you soon.
Pere Rosell
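An added illustration of the situation described in this question; it is not part of the original post and is neither xmlsec's nor the poster's code. A Reference with URI="" covers the whole document node, and canonicalization (Canonical XML 1.0 and Exclusive C14N alike) keeps processing instructions that sit outside the document element, so the digest changes as soon as the relay server inserts the xml-stylesheet PI before <Data>, even though the enveloped-signature transform has removed the Signature element. A reference scoped to the Data element subtree (an Id attribute on Data and URI="#thatId") never sees the prolog. The sample document, the use of the standard library's C14N 2.0 as a stand-in for exc-c14n 1.0, and the Id-scoped alternative are assumptions of this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS

# Constructed stand-in for the signed message (not the poster's real document;
# the Signature content is a placeholder, only its position matters here).
SIGNED_DOC = """<?xml version="1.0"?>
<Data>
  <tag1>....</tag1>
  <tag2>....</tag2>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI=""/>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</Data>
"""

# The processing instruction the intermediate server adds before the root element.
STYLESHEET_PI = '<?xml-stylesheet type="text/xsl" href="xsl-file.xsl" ?>'


def add_stylesheet_pi(doc):
    """Mimic the relay server: insert the PI between the XML declaration and <Data>."""
    if doc.startswith("<?xml "):
        decl_end = doc.index("?>") + 2
        return doc[:decl_end] + "\n" + STYLESHEET_PI + "\n" + doc[decl_end:].lstrip("\n")
    return STYLESHEET_PI + "\n" + doc


def enveloped_reference_canonical(doc):
    """Text digested by a Reference with URI="" plus the enveloped-signature
    transform: the whole document node with the ds:Signature subtree removed.
    The standard library only offers C14N 2.0, used here as a stand-in for
    exc-c14n 1.0; both keep processing instructions found outside the root."""
    return ET.canonicalize(doc, exclude_tags=[SIGNATURE_TAG])


def element_reference_canonical(doc):
    """Text digested by a same-document reference to the Data element alone
    (hypothetical URI="#data" with an Id on Data, plus the enveloped-signature
    transform): only the element subtree, so nothing from the prolog."""
    root = ET.fromstring(doc)          # the tree builder drops prolog PIs
    for sig in root.findall(SIGNATURE_TAG):
        root.remove(sig)               # enveloped-signature transform
    return ET.canonicalize(ET.tostring(root, encoding="unicode"))


def digest_value(canonical):
    """Base64 SHA-1 over the canonical bytes, the form written to ds:DigestValue."""
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def compare(doc):
    """Digest before and after the relay adds the PI, for both reference scopes."""
    relayed = add_stylesheet_pi(doc)
    return {
        "uri_empty": (digest_value(enveloped_reference_canonical(doc)),
                      digest_value(enveloped_reference_canonical(relayed))),
        "uri_id": (digest_value(element_reference_canonical(doc)),
                   digest_value(element_reference_canonical(relayed))),
    }


if __name__ == "__main__":
    for scope, (before, after) in compare(SIGNED_DOC).items():
        print(scope, "unchanged" if before == after else "CHANGED", before, after)
```

Running it prints a changed digest for the URI="" scope and an unchanged one for the element scope. The same reasoning applies to comments placed outside the root element when a "WithComments" canonicalization is used; with the plain exc-c14n URI shown in the question, comments are dropped but processing instructions are not.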