[xmlsec] Signature verification vs namespaces
Matej Tyc
matyc at redhat.com
Thu Jan 21 07:58:42 PST 2021
Hello,
one of the use cases of XML signing is signing of security content of
SCAP datastreams, which is a XML format standardized by NIST, i.e. one
would consider that as mainstream rather than obscure. Contents of
datastreams can be signed, and if this is the case, the namespace of the
signature element and the element that is signed differs. The example
r900-rhel-datastream.xml from the test suite can be obtained at [1]
(extracted file for your convenience is available at [2]).
This namespace discrepancy causes the xmlsec1 utility not to work out of
the box. [3] points to a solution - one has to "declare" the missing
namespaces using the --id-attr flag, e.g. xmlsec1 --verify --id-attr
http://scap.nist.gov/schema/scap/source/1.2:component --id-attr
http://scap.nist.gov/schema/scap/source/1.2:data-stream
r900-rhel-datastream.xml . However, the project FAQ [4] refers to this
as if it was some kind of a dirty hack.
The recommended solution would be to use a DTD. SCAP XMLs are complex,
there are XSDs available, but not DTDs. And those would be really
murderous. And aside from that, we just need to point out to namespaces
that should be considered when searching for the signed element, so one
doesn't have a big incentive to deal with complex files.
Do you have any ideas how to approach this problem in a non-hackish way
that we may be missing?
Thanks,
Matej
Refs:
[1]:
https://csrc.nist.gov/projects/scap-validation-program/validation-test-content
[2]: https://fedorapeople.org/~jcerny/r900-rhel-datastream.xml
[3]: https://www.aleksey.com/xmlsec/faq.html#section_3_4
[4]: https://www.aleksey.com/pipermail/xmlsec/2011/009201.html
More information about the xmlsec
mailing list