[xmlsec] XPath/XPathFilter2 evaluation bug

Steingart Ferenc stengi at cardinal.hu
Wed Nov 2 01:55:37 PDT 2011

I think I have found a bug in XPath/Xpath-Filter2 reference evaluation. 
The bug is reproducable with the xmlsec command line utility, using the 
attached input files.
The  problem is that the whole document is included in the reference digest.

The command line:
xmlsec1 --sign --store-references --print-debug --id-attr:id 
"urn:test.global":ToBeSigned --privkey-pem signkey.pem --pubkey-cert-pem 
signcert.crt tobesigned.xml

After some debugging sessions I found, that the problem arises when the 
libxml2 xpath evaluation returns an empty nodeset in the form: the 
xmlXPathObject's type is XPATH_NODESET and the nodesetval pointer is 
NULL. (Sometimes empty nodesets are returned  with a non-null nodesetval 
pointer, but nodesetval->nodeNr=0)
I have managed to correct the handlig of such empty nodesets by two 
small modification:
in nodeset.c: in function xmlSecNodeSetOneContains the default value of 
the variable  int in_nodes_set has to be set to 0:
xmlSecNodeSetOneContains(xmlSecNodeSetPtr nset, xmlNodePtr node, 
xmlNodePtr parent) {
     int in_nodes_set = 0;
By this NULL nodes pointers in xmlSecNodeSet nodesets are handled 
correctly. But this arises another problem: when using an xpointer in 
the corresponding reference,
the initial xmlSecNodeSetPtr nodeset's nodes pointer is set to NULL, 
with type xmlSecNodeSetNormal. This defines an empty nodeset, so the 
initial nodeset has to be changed.
In transforms.c in function xmlSecTransformCtxExecute has to be created 
with type xmlSecNodeSetInvert instead of xmlSecNodeSetNormal, which 
means the whole document:
xmlSecTransformCtxExecute(xmlSecTransformCtxPtr ctx, xmlDocPtr doc) {
     int ret;

     xmlSecAssert2(ctx != NULL, -1);
     xmlSecAssert2(ctx->result == NULL, -1);
     xmlSecAssert2(ctx->status == xmlSecTransformStatusNone, -1);
     xmlSecAssert2(doc != NULL, -1);

     if((ctx->uri == NULL) || (xmlStrlen(ctx->uri) == 0)) {
         xmlSecNodeSetPtr nodes;

         if((ctx->xptrExpr != NULL) && (xmlStrlen(ctx->xptrExpr) > 0)){
             /* our xpointer transform takes care of providing correct 
nodes set */
             nodes = xmlSecNodeSetCreate(doc, NULL, xmlSecNodeSetInvert);
This way xpath evaluation seems correct. Of course my modifications 
require more evaluation.

Steingart Ferenc

fejleszto", programtervezo" matematikus
Tel: 06 1 345 7974
Email: steingart.ferenc at cardinal.hu
Web: http://www.cardinal.hu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20111102/bd1d1016/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cardinal
Type: image/jpeg
Size: 9344 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20111102/bd1d1016/attachment-0001.jpe>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: signcert.crt
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20111102/bd1d1016/attachment-0002.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: signkey.pem
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20111102/bd1d1016/attachment-0003.ksh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tobesigned.xml
Type: text/xml
Size: 1655 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20111102/bd1d1016/attachment-0001.xml>

More information about the xmlsec mailing list