[xmlsec] enveloped-signature problem

Aleksey Sanin aleksey at aleksey.com
Mon Feb 11 23:15:47 PST 2013


Well, I can see your point but I find it stupid to apply a no-op
transform. Moreover, by design the enveloped signature transform
was added to support *same document* signatures so using it on an
external document is not something the W3C group was envisioning
either.

Regardless, I don't remember the exact details of the code, but there
might be some interesting implications of removing the node and then
re-inserting it. Feel free to take a look. I accept patches :)

Aleksey

On 2/11/13 5:35 AM, guido billi wrote:
> Hi guys,
> 
> I used xmlsec for the first time years ago, now I am updating my
> software to validate XML signatures generated with other software.
> 
> I have a verification error!
> 
> The error reason is clear, but I don't understand if it is an xmlsec
> misinterpretation of the XML Signature standard or not…
> 
> FILES
> 
> I have a document (doc.xml) and a detached XML signature generated with
> Oxygen XML Editor 13.2 (det-rsasha1.xml).
> 
> VERIFY ERROR
> 
> >xmlsec --verify det-rsasha1.xml
> 
> error : Unknown IO error
> *func=xmlSecTransformEnvelopedExecute:file=..\src\enveloped.c:line=108:obj=enveloped-signature:subj=unknown:error=34:same document is required for transform:*
> func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2371:obj=enveloped-signature:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecParserPushBin:file=..\src\parser.c:line=222:obj=xml-parser:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
> func=xmlSecTransformPump:file=..\src\transforms.c:line=1634:obj=xml-parser:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxUriExecute:file=..\src\transforms.c:line=1160:obj=unknown:subj=xmlSecTransformPump:error=1:xmlsec library function failed:uri=doc.xml
> func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1280:obj=unknown:subj=xmlSecTransformCtxUriExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "det-rsasha1.xml"
> 
> 
>  
> 
> ERROR REASON
> 
> Now… the error is due to the combined use of
> 
> 1) a reference to an *external* document doc.xml
> 
> 2) use of the enveloped-signature transform by that reference
> 
> *The xmlsec enveloped-signature transform requires that the XML document
> (target of the transformation itself) contains the Signature that
> contains the Reference node.*
> 
> (In my case this is not true, because the document target of the
> transform is external and does not contain the Signature node.)
> 
> QUESTION
> 
> Is this implementation check really correct???
> 
> If it is correct… why does Oxygen XML Editor 13.2 generate this combination?
> 
> Here is the XML Signature standard:
> 
> 6.6.4 Enveloped Signature Transform
> 
> "An enveloped signature transform T removes the whole Signature element
> containing T from the digest calculation of the Reference element
> containing T. The entire string of characters used by an XML processor
> to match the Signature with the XML production element is removed. The
> output of the transform is equivalent to the output that would result
> from replacing T with an XPath transform containing the following XPath
> parameter element: […]"
> 
> From my point of view the xmlsec implementation is too strict!
> 
> The standard does not require that the document (target of T) actually
> contains the Signature node; the standard only says that the transform T
> removes the Signature node containing the transform T from the document.
> 
> If the document does not contain the Signature node, no document
> modification is specified for this transform.
> 
> If document doc.xml does not contain a Signature node, I suppose that
> the transformation result should be the document doc.xml itself.
> 
> Am I wrong?
> 
> Is Oxygen non-standard?
> 
> Is xmlsec too strict?
> 
> Who is right?
> 
> 
> Thank you for your time
> 
> -----------------------------------
> Guido Billi
> Telvox S.R.L.
> Via Pastrengo, 2
> 40123 Bologna
> tel: 051 33 97 121
> www.telvox.com
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
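The transform semantics the two messages disagree about, as an added example that is not part of either message and not code from the xmlsec library: a small Python model of XML-DSig section 6.6.4 over xml.etree. Given the Reference input document, the tree the Transform element lives in, and that Transform, it finds the Signature that contains T (the standard's here() context), removes exactly that Signature when it is part of the input document, and otherwise either refuses the way xmlsec does ("same document is required for transform", strict mode) or passes the input through unchanged, which is the reading proposed in the question. The three XML inputs are constructed for this example and modelled on the thread (an enveloped signature with URI="", and a det-rsasha1.xml-style detached signature whose Reference points at doc.xml). The exception name SameDocumentRequired and the function names are assumptions of mine, not xmlsec identifiers, and the digest is SHA-1 over a plain ElementTree serialization rather than Canonical XML, so it shows what the transform output is, not the DigestValue a real verifier would compute.

```python
"""Model of the XML-DSig 6.6.4 enveloped-signature transform (added example)."""
import copy
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = f"{{{DSIG_NS}}}Signature"
TRANSFORM_TAG = f"{{{DSIG_NS}}}Transform"
ENVELOPED_ALG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
ET.register_namespace("ds", DSIG_NS)

# Constructed inputs modelled on the thread: an enveloped signature (URI="")
# inside its own document, and a detached signature like det-rsasha1.xml whose
# Reference points at an external doc.xml but still lists the transform.
ENVELOPED_DOC = (
    f'<Envelope xmlns:ds="{DSIG_NS}"><Body>hello</Body>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI=""><ds:Transforms>'
    f'<ds:Transform Algorithm="{ENVELOPED_ALG}"/>'
    '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></Envelope>'
)
DETACHED_SIG = (
    f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo>'
    '<ds:Reference URI="doc.xml"><ds:Transforms>'
    f'<ds:Transform Algorithm="{ENVELOPED_ALG}"/>'
    '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>'
)
DOC_XML = "<Envelope><Body>hello</Body></Envelope>"


class SameDocumentRequired(Exception):
    """Hypothetical name for xmlsec's 'same document is required' refusal."""


def parent_map(root):
    # ElementTree keeps no parent links; build child -> parent for one tree.
    return {child: parent for parent in root.iter() for child in parent}


def enclosing_signature(transform_node, parents):
    """The Signature containing T: the spec's here()/ancestor::ds:Signature[1]."""
    node = transform_node
    while node is not None and node.tag != SIG_TAG:
        node = parents.get(node)
    return node


def find_enveloped_transform(sig_root):
    for t in sig_root.iter(TRANSFORM_TAG):
        if t.get("Algorithm") == ENVELOPED_ALG:
            return t
    raise ValueError("no enveloped-signature Transform in this Signature")


def enveloped_signature_transform(doc_root, sig_root, transform_node, strict=True):
    """Copy doc_root (the dereferenced Reference URI) minus the Signature that
    contains transform_node, which lives in sig_root.  For an enveloped
    signature both trees are the same object.  When that Signature is not in
    doc_root: strict=True refuses as xmlsec does, strict=False is a no-op,
    the lenient reading argued for in the question."""
    sig = enclosing_signature(transform_node, parent_map(sig_root))
    if sig is None:
        raise ValueError("Transform is not inside a Signature element")
    doc_parents = parent_map(doc_root)
    if sig is not doc_root and sig not in doc_parents:
        if strict:
            raise SameDocumentRequired("same document is required for transform")
        return copy.deepcopy(doc_root)
    if sig is doc_root:
        raise ValueError("the Signature is the document element; nothing would remain")
    # Record the child-index path to the Signature, then drop the same node
    # from a deep copy so the caller's tree is left intact.
    path, node = [], sig
    while node is not doc_root:
        parent = doc_parents[node]
        path.append(list(parent).index(node))
        node = parent
    out = copy.deepcopy(doc_root)
    holder, target = None, out
    for idx in reversed(path):
        holder, target = target, list(target)[idx]
    holder.remove(target)
    return out


def reference_digest(root):
    # SHA-1 over a plain serialization: not Canonical XML, so only a stand-in
    # for the DigestValue a real verifier would compute.
    return hashlib.sha1(ET.tostring(root, encoding="utf-8")).hexdigest()


def enveloped_case():
    """Same-document case: Signature count in the input and in the output."""
    root = ET.fromstring(ENVELOPED_DOC)
    out = enveloped_signature_transform(root, root, find_enveloped_transform(root))
    return sum(1 for _ in root.iter(SIG_TAG)), sum(1 for _ in out.iter(SIG_TAG))


def detached_case(strict):
    """The thread's case: digest of doc.xml as read and of the transform output."""
    doc, sig = ET.fromstring(DOC_XML), ET.fromstring(DETACHED_SIG)
    out = enveloped_signature_transform(doc, sig, find_enveloped_transform(sig), strict)
    return reference_digest(doc), reference_digest(out)


def detached_strict_refuses():
    """True when the strict (xmlsec-like) mode rejects the external reference."""
    try:
        detached_case(strict=True)
    except SameDocumentRequired:
        return True
    return False
```

In the enveloped case the output is the document with its one Signature gone; in the detached case the lenient mode yields a digest identical to the unmodified doc.xml (the transform really is a no-op there), while strict mode refuses, which is the check at enveloped.c:108 in the trace above. Whichever reading one prefers, a verifier and a signer must agree on it, or the Reference digest will never match.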

