[xmlsec] R: enveloped-signature problem

Aleksey Sanin aleksey at aleksey.com
Tue Feb 12 06:35:49 PST 2013


This is probably "gray area". It can go either way.

Aleksey

On 2/12/13 3:42 AM, guido billi wrote:
> 
> I understand your point and I could agree... but... in this case...
> what do you think I should do? 
> can I suppose that Oxygen is out of standard and invalidate its signatures?
> 
> Speaking about the code... right now I neither have time
> to study xmlsec code in depth, create a patch and test it...
> nor the knowledge to say if my patch is correct.
> 
> because actually I am building my test cases...
> and this is why I was looking for "where the truth is"...
> in order to decide if my tests on these files should pass or not. 
> 
> Do you know someone I can speak with in order to
> understand what is the right interpretation of the standard?
> 
> Thank you for your time. 
> 
> ________________________________________
> From: Aleksey Sanin [aleksey at aleksey.com]
> Sent: Tuesday, 12 February 2013 8:15
> To: guido billi
> Cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] enveloped-signature problem
> 
> Well, I can see your point but I find it stupid to apply a no-op
> transform. Moreover, by design the enveloped signature transform
> was added to support *same document* signatures so using it on an
> external document is not something the W3C group was envisioning
> either.
> 
> Regardless, I don't remember exact details of the code but there
> might be some interesting implications on the removal of the node
> and then re-inserting it. Feel free to take a look. I accept patches :)
> 
> Aleksey
> 
> On 2/11/13 5:35 AM, guido billi wrote:
>> Hi guys,
>>
>> I used xmlsec for the first time years ago, now I am updating my
>> software to validate xml signatures generated with other software.
>>
>> I have a verification error!
>>
>> The error reason is clear, but I don't understand if it is an Xmlsec
>> misunderstanding of the Xml Signature standard or not…
>>
>> FILES
>>
>> I have a document (doc.xml) and a detached xml signature generated with
>> Oxygen Xml Editor 13.2 (det-rsasha1.xml)
>>
>> VERIFY ERROR
>>
>>> xmlsec --verify det-rsasha1.xml
>>
>> error : Unknown IO error
>>
>> *func=xmlSecTransformEnvelopedExecute:file=..\src\enveloped.c:line=108:obj=enveloped-signature:subj=unknown:error=34:same
>> document is required for transform:*
>>
>> func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2371:obj=enveloped-signature:subj=xmlSecTransformExecute:error=1:xmlsec
>> library function failed:
>>
>> func=xmlSecParserPushBin:file=..\src\parser.c:line=222:obj=xml-parser:subj=xmlSecTransformPushXml:error=1:xmlsec
>> library function failed:
>>
>> func=xmlSecTransformPump:file=..\src\transforms.c:line=1634:obj=xml-parser:subj=xmlSecTransformPushBin:error=1:xmlsec
>> library function failed:
>>
>> func=xmlSecTransformCtxUriExecute:file=..\src\transforms.c:line=1160:obj=unknown:subj=xmlSecTransformPump:error=1:xmlsec
>> library function failed:uri=doc.xml
>>
>> func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1280:obj=unknown:subj=xmlSecTransformCtxUriExecute:error=1:xmlsec
>> library function failed:
>>
>> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec
>> library function failed:
>>
>> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
>> library function failed:node=Reference
>>
>> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
>> library function failed:
>>
>> func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
>> library function failed:
>>
>> Error: signature failed
>>
>> ERROR
>>
>> SignedInfo References (ok/all): 0/1
>>
>> Manifests References (ok/all): 0/0
>>
>> Error: failed to verify file "det-rsasha1.xml"
>>
>> ERROR REASON
>>
>> Now… the error is due to the combined use of
>>
>> 1) reference to an *external* document doc.xml
>>
>> 2) use of enveloped-signature transform by that reference
>>
>> *XmlSec enveloped-signature transform requires that the xml document *
>> *(target of the transformation itself) contains the signature that
>> contains the Reference node.*
>>
>> (In my case this is not true, because the document target of the
>> transform is external and does not contain the Signature node)
>>
>> QUESTION
>>
>> Is this implementation check really correct???
>>
>> If it is correct… why does Oxygen Xml Editor 13.2 generate this combination?
>>
>> Here is the Xml Signature standard:
>>
>> 6.6.4 Enveloped Signature Transform
>>
>> “An enveloped signature transform T removes the whole Signature element
>> containing T from the digest calculation of the Reference element
>> containing T. The entire string of characters used by an XML processor
>> to match the Signature with the XML production element is removed. The
>> output of the transform is equivalent to the output that would result
>> from replacing T with an XPath transform containing the following XPath
>> parameter element: […]”
>>
>> From my point of view the xmlsec implementation is too strict!
>>
>> The standard does not require that the document (target of T) actually
>> contains the Signature node; the standard only says that the transform T
>> removes the Signature node containing the transform T from the document.
>>
>> If the document does not contain the Signature node, no document
>> modification is specified for this transform.
>>
>> If document doc.xml does not contain a Signature node,
>> I suppose that the transformation result should be the document doc.xml
>> itself.
>>
>> Am I wrong?
>>
>> Oxygen is not standard?
>>
>> XmlSec is too strict?
>>
>> Who is right?
>>
>> Thank you for your time
>>
>> -----------------------------------
>>
>> Guido Billi
>>
>> Telvox S.R.L.
>>
>> Via Pastrengo, 2
>>
>> 40123 Bologna
>>
>> tel: 051 33 97 121
>>
>> www.telvox.com <http://www.telvox.com>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
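The two readings of the enveloped-signature transform argued over in this thread, as an added Python example that is not xmlsec's code and not from anyone in the thread: a minimal model of the transform over the standard-library ElementTree, with the strict check (the "same document is required for transform" behaviour the xmlsec trace above reports) and the no-op reading Guido proposes selectable by a flag. The documents, element names other than the XML-DSig ones, and the helper functions are constructed for this example; no digest or signature value is computed, only the transform's effect on the Reference input.

```python
# Added example (not xmlsec's code): a small model of the enveloped-signature
# transform from XML-DSig section 6.6.4, run under the two readings discussed
# in the thread. Standard library only; all documents below are constructed.
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = f"{{{DSIG_NS}}}Signature"
TRANSFORM_TAG = f"{{{DSIG_NS}}}Transform"
ENVELOPED_ALG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


class SameDocumentRequired(Exception):
    """Strict reading (the error xmlsec reports in the thread): the Signature
    holding the transform must live in the document being transformed."""


def apply_enveloped_transform(target_root, transform_el, strict=True):
    """Return target_root with the Signature element containing transform_el
    removed. If transform_el is not inside target_root's tree: strict mode
    raises, lenient mode returns the document unchanged (the no-op reading)."""
    if transform_el.get("Algorithm") != ENVELOPED_ALG:
        raise ValueError("not an enveloped-signature Transform element")
    # ElementTree has no parent pointers, so build a child -> parent map.
    parents = {child: parent for parent in target_root.iter() for child in parent}
    if transform_el not in parents:
        if strict:
            raise SameDocumentRequired("same document is required for transform")
        return target_root
    # Climb from T to the nearest enclosing Signature and detach it.
    node = transform_el
    while node is not None and node.tag != SIGNATURE_TAG:
        node = parents.get(node)
    if node is None or node not in parents:
        raise ValueError("Transform has no removable Signature ancestor")
    parents[node].remove(node)
    return target_root


# Constructed sample 1: enveloped signature; Reference URI="" points at the
# whole document, which also carries the Signature.
ENVELOPED_DOC = f"""<Envelope xmlns:ds="{DSIG_NS}">
  <Body>payload</Body>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="{ENVELOPED_ALG}"/>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</Envelope>"""

# Constructed sample 2: detached signature whose Reference names an external
# document and still lists the enveloped-signature transform (the case in the thread).
DETACHED_SIG = f"""<ds:Signature xmlns:ds="{DSIG_NS}">
  <ds:SignedInfo>
    <ds:Reference URI="doc.xml">
      <ds:Transforms>
        <ds:Transform Algorithm="{ENVELOPED_ALG}"/>
      </ds:Transforms>
    </ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""
EXTERNAL_DOC = "<Doc><Body>payload</Body></Doc>"


def run_enveloped_case():
    """Top-level child tags left after the transform; the Signature must be gone."""
    root = ET.fromstring(ENVELOPED_DOC)
    transform = root.find(f".//{TRANSFORM_TAG}")
    return [child.tag for child in apply_enveloped_transform(root, transform)]


def run_detached_case(strict):
    """None when the strict check rejects the reference, otherwise the
    top-level child tags of the (unchanged) external document."""
    transform = ET.fromstring(DETACHED_SIG).find(f".//{TRANSFORM_TAG}")
    doc_root = ET.fromstring(EXTERNAL_DOC)
    try:
        result = apply_enveloped_transform(doc_root, transform, strict=strict)
    except SameDocumentRequired:
        return None
    return [child.tag for child in result]


if __name__ == "__main__":
    print("enveloped:", run_enveloped_case())
    print("detached, strict:", run_detached_case(strict=True))
    print("detached, lenient:", run_detached_case(strict=False))
```

Whichever reading a test suite adopts, the interoperability consequence is visible here: under the lenient reading the transform is a no-op on doc.xml, so the digest input is doc.xml itself; under the strict reading the reference, and with it the whole signature, fails to verify before any digest is compared.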
