[xmlsec] enveloped-signature problem

guido billi guido.billi at telvox.com
Mon Feb 11 05:35:06 PST 2013

Hi guys,
I used xmlsec for the first time years ago; now I am updating my software to validate xml signatures generated with other software.
I have a verification error!
The error reason is clear, but I don't understand whether it is an Xmlsec misinterpretation of the Xml Signature standard or not...


I have a document (doc.xml) and a detached xml signature generated with Oxygen Xml Editor 13.2 (det-rsasha1.xml).


>xmlsec --verify det-rsasha1.xml

error : Unknown IO error
func=xmlSecTransformEnvelopedExecute:file=..\src\enveloped.c:line=108:obj=enveloped-signature:subj=unknown:error=34:same document is required for transform:
func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2371:obj=enveloped-signature:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecParserPushBin:file=..\src\parser.c:line=222:obj=xml-parser:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
func=xmlSecTransformPump:file=..\src\transforms.c:line=1634:obj=xml-parser:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:
func=xmlSecTransformCtxUriExecute:file=..\src\transforms.c:line=1160:obj=unknown:subj=xmlSecTransformPump:error=1:xmlsec library function failed:uri=doc.xml
func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1280:obj=unknown:subj=xmlSecTransformCtxUriExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "det-rsasha1.xml"


Now... the error is due to the combined use of

1) reference to an external document doc.xml

2) use of enveloped-signature transform by that reference

XmlSec enveloped-signature transform requires that the xml document (target of the transformation itself) contains the signature that contains the Reference node.

(In my case this is not true, because the document target of the transform is external and does not contain the Signature node)


Is this implementation check really correct???
If it is correct... why does Oxygen Xml Editor 13.2 generate this combination?

Here is the Xml Signature standard:
6.6.4 Enveloped Signature Transform
 "An enveloped signature transform T removes the whole Signature element containing T from the digest calculation of the Reference element containing T. The entire string of characters used by an XML processor to match the Signature with the XML production element is removed. The output of the transform is equivalent to the output that would result from replacing T with an XPath transform containing the following XPath parameter element: [...]"

From my point of view the xmlsec implementation is too strict!
The standard does not require that the document (target of T) actually contains the Signature node,
the standard only says that the transform T removes the Signature node containing the transform T from the document.
If the document does not contain the Signature node, no document modification is specified for this transform.

If document doc.xml does not contain a Signature node,
I suppose that the transformation result should be the document doc.xml itself.

Am I wrong?
Is Oxygen not standard?
Is XmlSec too strict?
Who is right?

Thank you for your time

Guido Billi
Telvox S.R.L.
Via Pastrengo, 2
40123 Bologna
tel: 051 33 97 121

-------------- next part --------------
A non-text attachment was scrubbed...
Name: det-rsasha1.xml
Type: application/xml
Size: 3584 bytes
Desc: det-rsasha1.xml
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20130211/91161fbc/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: doc.xml
Type: application/xml
Size: 460 bytes
Desc: doc.xml
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20130211/91161fbc/attachment-0001.xml>
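
A pre-verification check for the combination described in this message, as an added example that is not part of the original post or of xmlsec: it lists every Reference that names the enveloped-signature transform while its URI points at a resource other than the document holding the Signature. The sample signature is constructed and abbreviated (the scrubbed attachments are not reproduced), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"

# Constructed sample, not the scrubbed det-rsasha1.xml: the first Reference
# targets an external file, the second is a same-document reference.
SAMPLE = f"""<Signature xmlns="{DS}">
  <SignedInfo>
    <SignatureMethod Algorithm="{DS}rsa-sha1"/>
    <Reference URI="doc.xml">
      <Transforms><Transform Algorithm="{ENVELOPED}"/></Transforms>
      <DigestMethod Algorithm="{DS}sha1"/>
      <DigestValue>CONSTRUCTED</DigestValue>
    </Reference>
    <Reference URI="">
      <Transforms><Transform Algorithm="{ENVELOPED}"/></Transforms>
      <DigestMethod Algorithm="{DS}sha1"/>
      <DigestValue>CONSTRUCTED</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>CONSTRUCTED</SignatureValue>
</Signature>"""

def is_same_document(uri):
    """Same-document references are URI="" or a bare "#fragment"."""
    return uri == "" or uri.startswith("#")

def external_enveloped_refs(xml_text):
    """Hypothetical helper: URIs of References that apply the
    enveloped-signature transform to a resource outside the signature's document."""
    root = ET.fromstring(xml_text)
    ns = {"ds": DS}
    # ".//" matches descendants only, so a Signature root is added by hand.
    sigs = [root] if root.tag == f"{{{DS}}}Signature" else []
    sigs += root.findall(".//ds:Signature", ns)
    flagged = []
    for sig in sigs:
        for ref in sig.findall("ds:SignedInfo/ds:Reference", ns):
            algs = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", ns)]
            uri = ref.get("URI")
            # A Reference without a URI attribute is resolved by the application; skip it.
            if uri is not None and ENVELOPED in algs and not is_same_document(uri):
                flagged.append(uri)
    return flagged

if __name__ == "__main__":
    for uri in external_enveloped_refs(SAMPLE):
        print(f"Reference URI={uri!r}: enveloped-signature on an external resource")
```

For signature files from untrusted senders, parse with a hardened XML parser such as defusedxml instead of the standard library parser.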
