[xmlsec] A really strange case of failing xpointer(id('...'))

Max Motovilov max at motovilov.com
Fri Aug 23 10:40:34 PDT 2013


Looks like I have the answer -- libxmljs statically links against a 
version of libxml2 they package along with their code :(  I must be 
seeing an ABI incompatibility between different versions of libxml2.

Thanks for your quick responses!
...Max...

> libxml2 came from the same rpm repo as before. In fact I have what I'm 
> pretty sure is an identical VM instance w/CentOS and same versions of 
> libxml2 and libxmlsec1. The older version of my software -- which is a 
> very simple Node.js binding for libxmlsec1 -- works there just fine. 
> The code did not change between the new and old versions at all -- I 
> have simply recompiled it against newer versions of Node.js runtime 
> and libxml2 binding library (libxmljs). This newer version does work 
> on my local Mint instance but, like I said, both the libxml2 and 
> libxmlsec1 are more recent there as well. My only trail right now is 
> possible incompatibility between libxmljs and older libxml2 OR between 
> the documents libxmljs creates with libxml2 AND the way libxmlsec1 
> uses them -- the last one sounds rather fishy even to myself :(
>
> ...Max...
>
>> Weird indeed. The document and DTD look good to me but apparently ID
>> attribute is not recognized. Maybe there were some changes in LibXML2?
>> Or maybe LibXML2 was not compiled with XPointer support?
>>
>> Aleksey
>>
>> On 8/23/13 9:44 AM, Max Motovilov wrote:
>>> Happening to me in the code that's previously been working for quite a
>>> while. Here's the document I pass via its <Signature> element into
>>> xmlSecDSigCtxSign() :
>>>
>>> =========
>>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>>> <!DOCTYPE AuthnRequest [
>>> <!ELEMENT AuthnRequest (#PCDATA)>
>>> <!ATTLIST AuthnRequest ID ID #IMPLIED>
>>> ]>
>>> <AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="login" Destination="http://10.0.25.17:8080/cosmosDev/web/idp/SSO" IssueInstant="2013-08-23T18:39:25Z" Version="2.0">
>>>    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://10.0.26.16/ssoRequest</Issuer>
>>>
>>>    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>      <SignedInfo>
>>>        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>>>        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>        <Reference URI="#login">
>>>          <Transforms>
>>>            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>          </Transforms>
>>>          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>          <DigestValue/>
>>>        </Reference>
>>>      </SignedInfo>
>>>      <SignatureValue/>
>>>    </Signature>
>>> </AuthnRequest>
>>> =========
>>>
>>> and here's the traceback I get:
>>>
>>> =========
>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('login'))
>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>> =========
>>>
>>> The document has an ID attribute declared in DTD, the value has no weird
>>> characters in it yet the id() expression fails. To add insult to injury,
>>> this is in the code that's been working for a long time on different
>>> versions of Linux. The problem I am seeing now is on CentOS
>>> (2.6.32-220.23.1.el6.centos.plus.x86_64), libxmlsec1 1.2.16, libxml2
>>> 2.7.6, BUT everything has worked with this configuration (just not this
>>> particular instance) before! The only difference I can think of is that
>>> the XML document is now created by a different (newer) version of the
>>> wrapper library for libxml2 (https://github.com/polotek/libxmljs) but
>>> what could it possibly impact I don't know. Same version of the library
>>> works for me just fine on a different system.
>>>
>>> Ideas or advice very much appreciated!
>>>
>>> Thanks in advance,
>>> ...Max...
>>>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
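
A check for the condition diagnosed in the top message, as an added example that is not part of the original thread: it classifies `nm -D` output for a shared object (for example a Node.js addon) by whether it defines libxml2 entry points itself, imports them, or neither. The function names, the short symbol list and the sample `nm` output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: decide whether a shared object (e.g. a Node.js .node addon)
# carries its own copy of libxml2 or imports it from the system library.

# Reads `nm -D` output on stdin and prints one of: bundled, dynamic, absent.
# The four symbol names are a small sample of libxml2 entry points chosen
# for this example; xmlXPtrEval is the call that fails in the traceback.
classify_libxml2_symbols() {
    awk '
        NF >= 2 {
            type = $(NF - 1)            # nm symbol type: T/D/B/R/W defined, U imported
            name = $NF
            sub(/@.*/, "", name)        # drop a symbol-version suffix after the @ sign
            if (name ~ /^xml(GetID|AddID|XPtrEval|NewDoc)$/) {
                if (type == "U") nimp++
                else if (type ~ /^[TDBRW]$/) ndef++
            }
        }
        END {
            if (ndef) print "bundled"        # object defines libxml2 code itself
            else if (nimp) print "dynamic"   # object resolves libxml2 at load time
            else print "absent"              # no exported or imported libxml2 symbols
        }'
}

# Runs nm on a real file; $1 is a path supplied by the caller.
check_object() {
    nm -D "$1" 2>/dev/null | classify_libxml2_symbols
}

# Constructed nm -D output: an addon with libxml2 linked in statically.
sample_static_addon() {
    printf '%s\n' \
        '0000000000045a10 T xmlGetID' \
        '0000000000045b20 T xmlAddID' \
        '00000000000a1f00 T xmlXPtrEval' \
        '                 U malloc'
}

# Constructed nm -D output: a library that imports libxml2 from the system.
sample_dynamic_lib() {
    printf '%s\n' \
        '                 U xmlGetID@LIBXML2_2.4.30' \
        '                 U xmlXPtrEval@LIBXML2_2.4.30' \
        '0000000000012340 T xmlSecDSigCtxSign'
}

# With file arguments, report each one; with none, do nothing.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_object "$f")"
done
```

A `bundled` result for the addon next to a `dynamic` result for libxmlsec1 means the document is built by one libxml2 copy and queried by another. Symbols compiled with hidden visibility do not appear in `nm -D` output and are reported as `absent`.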


