[xmlsec] Signing with root element not having namespace

Kiss Ádám kiss.adam at prolan.hu
Mon Jun 8 04:36:00 PDT 2020 

All right!


Thank you very much!


Bests, Adam


________________________________
Feladó: Aleksey Sanin <aleksey at aleksey.com>
Elküldve: 2020. június 7. 18:05
Címzett: Kiss Ádám; xmlsec at aleksey.com
Tárgy: Re: [xmlsec] Signing with root element not having namespace

Well, xmldsig standard defines the namespace and that's
how any standard compatible signature should be done.

Again, I think someone just copy pasted

<xs:element name="Signature" type="ds:SignatureType"/>

into XYZBlock.xsd w/o understanding how schemas work.
The best course of action is to fix this in the schema.


Aleksey

On 6/5/20 1:11 PM, Kiss Ádám wrote:
> Right, so it cannot be done this way. Thank you!
>
>
> I also tried to put the Signature element into ds: namespace, but then
> the sign tool failed again. It turned out the removing the cb: namespace
> from the parent element of the ds:Signature node solves the problem. I
> saw xmlSecDSigNs variable hardcoded in libxmlsec not only when finding
> the Signature node, but also later in the transformation chain. May I
> ask if that is mandatory to be that way, or I can change the search
> namespace (by changing that constant) to the relative one written in our
> standard. I should then recompile of course the whole lib which I've
> done before.
>
>
> Bests, Adam
>
>
>
>
>
> ------------------------------------------------------------------------
> *Feladó:* Aleksey Sanin <aleksey at aleksey.com>
> *Elküldve:* 2020. június 4. 17:09
> *Címzett:* Kiss Ádám; xmlsec at aleksey.com
> *Tárgy:* Re: [xmlsec] Signing with root element not having namespace
> In xmndsig-core-schema.xsd, there is targetNamespace defined:
>
> targetNamespace="http://www.w3.org/2000/09/xmldsig#"
>
> Which places ALL entities (types, elements, ...) from this schema
> into this namespace (including Signature node itself).
>
> In XYZBlock.xsd, the same Signature element is redefined for no
> obvious reasons as
>
> <xs:element name="Signature" type="ds:SignatureType"/>
>
> This should be replaced with something like this to reference the
> Signature element defined in xmldsig spec:
>
> <xs:element ref="ds:Signature"/>
>
> As it stands right now, this is not an xmldsig compatible construct.
>
> Hope this helps,
>
> Aleksey
>
> On 6/4/20 3:57 AM, Kiss Ádám wrote:
>> Thank you for your answer!
>>
>>
>> Unfortunately the standard is not public, but obfuscated version should
>> be okay for investigation. I've attached the XSDs the standard specify.
>> The XML I sent you earlier is just our interpretation, can be changed.
>>
>>
>> Do you have any idea we can go on?
>>
>>
>> Bests, Adam
>>
>>
>>
>> ------------------------------------------------------------------------
>> *Feladó:* Aleksey Sanin <aleksey at aleksey.com>
>> *Elküldve:* 2020. június 3. 17:39
>> *Címzett:* Kiss Ádám; xmlsec at aleksey.com
>> *Tárgy:* Re: [xmlsec] Signing with root element not having namespace
>> Indeed in your XML file the Signature node doesn't have the correct
>> namespace:
>>
>> <Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>
>> Is this standard publically available somewhere? This doesn't look
>> right to me.
>>
>> Aleksey
>>
>> On 6/3/20 7:50 AM, Kiss Ádám wrote:
>>> Hello!
>>>
>>>
>>> I've been using your lib for a long time with many success!
>>>
>>>
>>> Now I got a task which I cannot handle with my skills. I've attached a
>>> simplified version of the XML.
>>>
>>>
>>> The main problem is that an industry standard determines the whole
>>> structure of the XML in this application including the namespaces. When
>>> I tried to sign it with the standard method in the doc I got the error:
>>> 'node not found'. It turned out xmlsecGetNodeNSHref sees the <Signature>
>>> block with (null) namepspace, which doesn't fit xmlsec's requirement.
>>> Changing xmlSecFindNode to ignore the (null) namespace helped for a
>>> short time, but some function calls later a similar error was found in
>>> xmlSecFindParent. After getting over again C14N failed. I am not sure if
>>> that (null) is the problem during the canonization.
>>>
>>>
>>> I cannot see that deep into the code. Could you help me out?
>>>
>>>
>>> Bests,
>>>
>>> Adam
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20200608/fcf5d568/attachment.htm>

More information about the xmlsec mailing list