I suppose there is no reason we couldn't tod this in the library, the problem is we'd loose context.
For example :
Say we had a document like this :
<doc>
<elt>
Some text
</elt>
<Signature>
....
</Signature>
<Signature>
.....
</Signature>
</doc>I.e. where there are two SIgnature nodes. In the current implementation, because we are working in DOM at all times, we can easily know which signature has the Envlope reference (we simply check find the Signature DOM node that is the ancestor of the current reference). That way the other Signature is included in what is signed.
If we allow for an Envelope transform to take a serialised XML input, then we have to guess which Signature it actually was.
It gets even worse - we might get passed in a document that does not contain the original Signature. However the library has no way to know, if it finds a signature it will just assume that it is the right one.
Interested in people's thoughts. It's very easy to add something to parse the serialised input back to DOM and then assume that the first found Signature node is the right one.
CHeers,
BerinCsaba Vegso wrote:
Dear Berin,
Thank you for your help. I removed the corresponding transformation metod from the list belonging to the reference. This have eliminated the problem.
However, I really do not understand why this problem was occured by simply using this canonicalization over the XML document before enveloping. By using the .NET implementation everything worked fine. The document was signed by using the above mentioned canonicalization method and the signature can be validated sucessfully.
Regardless of the .NET implementation, do I know something wrong?
----- Original Message ----- From: "Berin Lautenbach" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, February 01, 2004 3:41 AM Subject: Re: validating enveloped XML signature
Csaba,
Your problem is (I think) your transforms. You have a c14n transform (Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315";) and then an envelope transform (Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";).
The transforms are performed in sequence. So the first transform will serialise your document back into a byte stream, which is then passed into the envelope transform, which will throw an exception because it expects to be passed a set of DOM nodes. If you take the c14n transform out, you should be right.
Cheers, Berin
Csaba Vegso wrote:
Thanks for your quick answer Berin,
The signature is enveloped in the document. I can walk through its
elements
by using DOM methods. It seems to be well-formatted.
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#";><SignedInfo><CanonicalizationMeth
od Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"; /><SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";
/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"; /><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";
/><DigestValue>fc2sS60XFckCVc4CovfFrseazSI=</DigestValue></Reference></Signe
dInfo><SignatureValue>FU4nWLgwmO6QqPBPIOyu7eSwI91xD9UjUxL/3GSMcK8rC9cWMot4ex
/593KWzEGL/nZ5N2+6s47AeM2gUZzwIM+LZmuan5RQRREZMMKyOqiuV0zl6xs8cFnP8rvw1Jh48R
nINN91uwV7zDk8g//W7iFWTELwYcHhbFjIEt1QADw=</SignatureValue><KeyInfo><KeyValu
e
xmlns="http://www.w3.org/2000/09/xmldsig#";><RSAKeyValue><Modulus>pipNNVlJMT0
2h5lFviz5xt+QJlmzxaaEmIm328+4G4k4fxuvKEtCN8+7/IGzu8VXm986Uil1/RhOW0msoelATKl
oDR7FnftknvUfvKoiv0UxX6smG1Gmel3Vjj2/BGePI4K7cFMYIoUByQo6Dimyx0UTzPBqBjBMxMK
A2098vqk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyIn
fo></Signature>
----- Original Message ----- From: "Berin Lautenbach" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, February 01, 2004 1:42 AM Subject: Re: validating enveloped XML signature
Csaba,
An Envelope transform has to operate on the document the signature is contained in, so it throws an exception if it finds that the input is not a node set of some kind.
Can you post a copy of the XML signature you are trying to validate?
Cheers, Berin
Csaba Vegso wrote:
Dear all,
I am trying to validate an enveloped XML signature by using XML
Security
v1.0. The verifyOnlySigniture() returns with true, but when I want to validate the signature over the whole document with the verify() method a TransformInputOutputFail
<http://xml.apache.org/security/c/apiDocs/classXSECException.html#w43w6>
type
of XSECException exception is catched (desc.: "XPath requires DOM_NODES input type"). As I am checking the downloaded source code, I see that the only one position where such type of exception is thrown is the TXFMEnvelope::setInput() method.
I would be very grateful, if somebody could save me some time required by further debugging.
I am using Xerces 2.4.0, Xalan 1.7.0 and openssl-0.9.7. I doubt it is matter, but the signiture was created by choosing RSA on Win2000.
Thanks in advance,
------------------------------------------------------------------------
*Csaba Vegso*
Electrical Engineer
Phone: +36 1 476 8437
Mobile: +36 30 242 0862
Geomant Call Center Solutions
