[xmlsec] A really strange case of failing xpointer(id('...'))

Max Motovilov max at motovilov.com
Fri Aug 23 09:44:41 PDT 2013


This is happening to me in code that has previously been working for quite a
while. Here's the document I pass, via its <Signature> element, into
xmlSecDSigCtxSign():

=========
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE AuthnRequest [
<!ELEMENT AuthnRequest (#PCDATA)>
<!ATTLIST AuthnRequest ID ID #IMPLIED>
]>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="login"
    Destination="http://10.0.25.17:8080/cosmosDev/web/idp/SSO"
    IssueInstant="2013-08-23T18:39:25Z" Version="2.0">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://10.0.26.16/ssoRequest</Issuer>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
     <SignedInfo>
       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
       <Reference URI="#login">
         <Transforms>
           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <DigestValue/>
       </Reference>
     </SignedInfo>
     <SignatureValue/>
   </Signature>
</AuthnRequest>
=========

and here's the traceback I get:

=========
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('login'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
=========

The document has an ID attribute declared in the DTD, and the value has no weird
characters in it, yet the id() expression fails. To add insult to injury,
this is in code that's been working for a long time on different
versions of Linux. The problem I am seeing now is on CentOS
(2.6.32-220.23.1.el6.centos.plus.x86_64), libxmlsec1 1.2.16, libxml2
2.7.6, BUT everything has worked with this configuration (just not this
particular instance) before! The only difference I can think of is that
the XML document is now created by a different (newer) version of the
wrapper library for libxml2 (https://github.com/polotek/libxmljs), but
I don't know what that could possibly impact. The same version of the library
works for me just fine on a different system.

Ideas or advice very much appreciated!

Thanks in advance,
...Max...
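An added diagnostic, not from Max's post or from the xmlsec project: libxml2's id() function, which is what the xpointer(id('login')) dereference in the traceback above ends up calling, only consults the document's ID table, and that table is filled when the parser sees an attribute it knows to be of type ID (a DTD declaration or xml:id); an attribute that is merely present with the right value is not enough. The script below uses lxml (the Python binding for libxml2) with constructed documents cut down from the AuthnRequest above to tell the three situations apart.

```python
"""Does libxml2's id() (what xmlsec's xpointer(id('...')) relies on) resolve?
Added example, not from the post or from xmlsec; uses lxml, the Python
binding for libxml2, the library xmlsec itself calls."""
from lxml import etree

# Constructed samples, cut down from the AuthnRequest in the post.
# 1) ID declared as type ID in the internal DTD subset.
DOC_WITH_DTD = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE AuthnRequest [
<!ELEMENT AuthnRequest (#PCDATA)>
<!ATTLIST AuthnRequest ID ID #IMPLIED>
]>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="login"/>"""

# 2) Same element, but nothing tells the parser that ID is an ID-typed attribute.
DOC_WITHOUT_DTD = (b'<?xml version="1.0"?>'
                   b'<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="login"/>')

# 3) xml:id is a built-in ID type in libxml2 and needs no DTD at all.
DOC_WITH_XML_ID = (b'<?xml version="1.0"?>'
                   b'<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xml:id="login"/>')


def id_resolves(xml_bytes: bytes, id_value: str) -> bool:
    """True if XPath id() returns exactly one element for id_value.
    id() consults only the document's ID table, which libxml2 fills while
    parsing attributes it knows to be of type ID (DTD declaration or xml:id);
    the attribute being visibly present is not enough."""
    root = etree.fromstring(xml_bytes)
    return len(root.xpath("id($v)", v=id_value)) == 1


def attribute_present(xml_bytes: bytes, id_value: str) -> bool:
    """True if some attribute merely carries the value (no ID semantics)."""
    root = etree.fromstring(xml_bytes)
    return len(root.xpath("//*[@*=$v]", v=id_value)) == 1


def diagnose(xml_bytes: bytes, id_value: str) -> str:
    """Classify why xpointer(id('...')) would or would not find its target."""
    if id_resolves(xml_bytes, id_value):
        return "resolves"
    if attribute_present(xml_bytes, id_value):
        return "present but not registered as an ID"
    return "absent"


if __name__ == "__main__":
    for name, doc in [("DTD", DOC_WITH_DTD), ("no DTD", DOC_WITHOUT_DTD), ("xml:id", DOC_WITH_XML_ID)]:
        print(f"{name:7s} -> {diagnose(doc, 'login')}")
```

Running the same check against the serialized bytes a wrapper library actually hands to xmlsec shows whether the ID table was ever populated for that document.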
