[xmlsec] Signing with root element not having namespace

Aleksey Sanin aleksey at aleksey.com
Sun Jun 7 09:05:52 PDT 2020


Well, xmldsig standard defines the namespace and that's
how any standard compatible signature should be done.

Again, I think someone just copy pasted

<xs:element name="Signature" type="ds:SignatureType"/>

into XYZBlock.xsd w/o understanding how schemas work.
The best course of action is to fix this in the schema.


Aleksey

On 6/5/20 1:11 PM, Kiss Ádám wrote:
> Right, so it cannot be done this way. Thank you!
> 
> 
> I also tried to put the Signature element into the ds: namespace, but then 
> the sign tool failed again. It turned out that removing the cb: namespace 
> from the parent element of the ds:Signature node solves the problem. I 
> saw the xmlSecDSigNs variable hardcoded in libxmlsec not only when finding 
> the Signature node, but also later in the transformation chain. May I 
> ask if it is mandatory to be that way, or can I change the search 
> namespace (by changing that constant) to the relative one written in our 
> standard? I would then of course have to recompile the whole lib, which I've 
> done before.
> 
> 
> Bests, Adam
> 
> 
> 
> 
> 
> ------------------------------------------------------------------------
> *From:* Aleksey Sanin <aleksey at aleksey.com>
> *Sent:* June 4, 2020 17:09
> *To:* Kiss Ádám; xmlsec at aleksey.com
> *Subject:* Re: [xmlsec] Signing with root element not having namespace
> 
> In xmldsig-core-schema.xsd, there is targetNamespace defined:
> 
> targetNamespace="http://www.w3.org/2000/09/xmldsig#"
> 
> Which places ALL entities (types, elements, ...) from this schema
> into this namespace (including Signature node itself).
> 
> In XYZBlock.xsd, the same Signature element is redefined for no
> obvious reasons as
> 
> <xs:element name="Signature" type="ds:SignatureType"/>
> 
> This should be replaced with something like this to reference the
> Signature element defined in xmldsig spec:
> 
> <xs:element ref="ds:Signature"/>
> 
> As it stands right now, this is not an xmldsig compatible construct.
> 
> Hope this helps,
> 
> Aleksey
> 
> On 6/4/20 3:57 AM, Kiss Ádám wrote:
>> Thank you for your answer!
>> 
>> 
>> Unfortunately the standard is not public, but an obfuscated version should 
>> be okay for investigation. I've attached the XSDs the standard specifies. 
>> The XML I sent you earlier is just our interpretation and can be changed.
>> 
>> 
>> Do you have any idea how we can go on?
>> 
>> 
>> Bests, Adam
>> 
>> 
>> 
>> ------------------------------------------------------------------------
>> *From:* Aleksey Sanin <aleksey at aleksey.com>
>> *Sent:* June 3, 2020 17:39
>> *To:* Kiss Ádám; xmlsec at aleksey.com
>> *Subject:* Re: [xmlsec] Signing with root element not having namespace
>> 
>> Indeed in your XML file the Signature node doesn't have the correct
>> namespace:
>> 
>> <Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> 
>> Is this standard publicly available somewhere? This doesn't look
>> right to me.
>> 
>> Aleksey
>> 
>> On 6/3/20 7:50 AM, Kiss Ádám wrote:
>>> Hello!
>>> 
>>> 
>>> I've been using your lib for a long time with much success!
>>> 
>>> 
>>> Now I got a task which I cannot handle with my skills. I've attached a 
>>> simplified version of the XML.
>>> 
>>> 
>>> The main problem is that an industry standard determines the whole 
>>> structure of the XML in this application, including the namespaces. When 
>>> I tried to sign it with the standard method in the doc I got the error: 
>>> 'node not found'. It turned out xmlsecGetNodeNSHref sees the <Signature> 
>>> block with a (null) namespace, which doesn't fit xmlsec's requirement. 
>>> Changing xmlSecFindNode to ignore the (null) namespace helped for a 
>>> short time, but some function calls later a similar error was found in 
>>> xmlSecFindParent. After getting past that, C14N failed. I am not sure if 
>>> that (null) is the problem during the canonicalization.
>>> 
>>> 
>>> I cannot see that deep into the code. Could you help me out?
>>> 
>>> 
>>> Bests,
>>> 
>>> Adam
>>> 
>>> 
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>> 
>> 
>> 
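
The namespace mismatch discussed in this thread can be checked before signing. The following is an added example, not code from the thread or from xmlsec: it reports which namespace each Signature element of a template actually resolves to, and flags schema declarations that redeclare an xmldsig-typed element by name instead of referencing it. The samples are constructed; `urn:example:xyz` and `Block` are placeholders for the non-public standard.

```python
import io
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XS_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed samples; urn:example:xyz and Block stand in for the non-public standard.
SAMPLE_XML = """<cb:Block xmlns:cb="urn:example:xyz">
  <Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</cb:Block>"""
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" targetNamespace="urn:example:xyz">
  <xs:element name="Block"><xs:complexType><xs:sequence>
    <xs:element name="Signature" type="ds:SignatureType"/>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>"""

def signature_namespaces(xml_text):
    """Return (namespace, is_xmldsig) for each element with local name Signature."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        # ElementTree names are '{namespace}local', or bare 'local' when unqualified.
        ns, _, local = el.tag.rpartition("}")
        ns = ns[1:] if ns else None
        if local == "Signature":
            found.append((ns, ns == DSIG_NS))
    return found

def redeclared_dsig_elements(xsd_text):
    """Names of <xs:element name=... type=...> whose type lives in the xmldsig
    namespace: a new element outside that namespace, unlike ref="ds:Signature"."""
    prefixes, flagged = {}, []
    source = io.BytesIO(xsd_text.encode("utf-8"))
    for event, data in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[data[0]] = data[1]  # simplification: prefix scoping is ignored
        elif data.tag == "{%s}element" % XS_NS and "name" in data.attrib:
            prefix = data.get("type", "").rpartition(":")[0]
            if prefixes.get(prefix) == DSIG_NS:
                flagged.append(data.get("name"))
    return flagged

if __name__ == "__main__":
    for ns, ok in signature_namespaces(SAMPLE_XML):
        print("Signature in", ns, "->", "xmldsig namespace" if ok else "not xmldsig")
    print("redeclared in schema:", redeclared_dsig_elements(SAMPLE_XSD))
```

Declaring the `ds` prefix on an element does not place that element in the namespace; only a `ds:` prefix on the name or a default `xmlns=` declaration does, which is why the first sample element resolves to no namespace.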

