Aleksey:
  I've validated a bunch of signatures with 0.0.8 and that's working
well. However, I've found one signature that won't validate -- it
appears to be an xpath failure -- xpath is selecting the wrong data. I
can make a 1-character change *outside* of the data being signed (as
verified by the buffer output from xmlsec) and make it work/fail -- and
it makes no sense whatsoever.
  The attached files differ by only one character -- a newline at the
end of the node being signed (but *after* the closing tag). If the
newline is present, the xpath transform fails with:
 
(d:\projects\thirdparty\xmlsoft-org-build-trees\xmlsec-0.0.8\src\xmldsig.c:1441): error 34: invalid reference :
If the newline is absent, the xpath transform works (as do all the
others I've tried). 
  Running a very simple xmlsec command will show the good and bad
results:
   xmlsec verify --print-all dereg1.xml  <<bad>>
   xmlsec verify --print-all dereg2.xml  <<good>>
I've stepped through a bunch of the code looking for what's going on but
I obviously don't understand the code well enough yet to know more than
that the transform is returning the wrong data (an xml subset of the
correct data). If you can figure out what's going on here it would
greatly improve my life -- this has been a wild ride today!
Thanks!
  Ferrell

=====================================
Ferrell Moultrie ([EMAIL PROTECTED])
Software Engineer

Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328
Phone:  404-236-2600
Direct: 404-236-2849
Fax:    404-236-2632
http://www.iss.net

Internet Security Systems -- The Power to Protect
=====================================
<?xml version="1.0"?>
<ISSKeys Source="ISS Atlanta"><!-- TestKey ISS keygen -->
<EndUsers><EndUser Address1="666 Rockets way" Address2="Apt. B" City="Scienceville" CompanyName="Spacely Sprockets" Country="USA" Email="[EMAIL PROTECTED]" Id="424ea53e-b226-11d6-9cbb-91339fef79f0" PostCode="12345678 OP" State="Disturbed" SubjectName="George Jetson" Title="Whipping Boy"><Version>1.0</Version><OCN>111111</OCN><Source>ISS Atlanta</Source><Serial>9BB60667-7810-A0E4-5C92-2C72A9699370</Serial><Timestamp>2002-08-17 17:14:04</Timestamp><sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
<sig:SignedInfo>
<sig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<sig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<sig:Reference URI="">
<sig:Transforms>
<sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<sig:XPath>
not(ancestor-or-self::sig:Signature)
 and (
   (ancestor::node() = /ISSKeys/EndUsers[1]/child::EndUser[@Id='424ea53e-b226-11d6-9cbb-91339fef79f0'])
)
</sig:XPath>
</sig:Transform>
<sig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
</sig:Transforms>
<sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<sig:DigestValue>3fsXwkDTCtWuYNadHVTSbTg6yeA=</sig:DigestValue>
</sig:Reference>
</sig:SignedInfo>
<sig:SignatureValue>
xZmkkvAssRopw+QDt1w/wxgvQmVbitadPL1gbWou73cuhD+r6m1xaQf4TZhpfsyGddO0cnHZ65NP
Y2TvmVzwWJiJiZ9qqTvcdxHnbuihZhWb8Stu2nh3GDLS6aCpRW2dv3zSj4hgRHGmPqjpATq+lWrO
57igjO05UT6ppXOkmhM=
</sig:SignatureValue>
<sig:KeyInfo>
<sig:KeyValue>
<sig:RSAKeyValue>
<sig:Modulus>
7CeDV7ApjGtmML8LGCS0/vrFcVe3Q2UnvrJXWlYedHmcYRUqPqtcyYuPzwSLqIEwFl7NQjbubnZK
vlkfkRdKnRpbPhA0m1HxURmhZhGl7joTOMbpx3kgEctFo1Xbq0WZVK07XhPqsr3eIJ+K8u6UCe4k
8IeHud0KF17TKp/iGIE=
</sig:Modulus>
<sig:Exponent>AQAB</sig:Exponent>
</sig:RSAKeyValue>
</sig:KeyValue>
</sig:KeyInfo>
</sig:Signature></EndUser></EndUsers></ISSKeys>
<?xml version="1.0"?>
<ISSKeys Source="ISS Atlanta"><!-- TestKey ISS keygen -->
<EndUsers><EndUser Address1="666 Rockets way" Address2="Apt. B" City="Scienceville" CompanyName="Spacely Sprockets" Country="USA" Email="[EMAIL PROTECTED]" Id="424ea53e-b226-11d6-9cbb-91339fef79f0" PostCode="12345678 OP" State="Disturbed" SubjectName="George Jetson" Title="Whipping Boy"><Version>1.0</Version><OCN>111111</OCN><Source>ISS Atlanta</Source><Serial>9BB60667-7810-A0E4-5C92-2C72A9699370</Serial><Timestamp>2002-08-17 17:14:04</Timestamp><sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
<sig:SignedInfo>
<sig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<sig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<sig:Reference URI="">
<sig:Transforms>
<sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<sig:XPath>
not(ancestor-or-self::sig:Signature)
 and (
   (ancestor::node() = /ISSKeys/EndUsers[1]/child::EndUser[@Id='424ea53e-b226-11d6-9cbb-91339fef79f0'])
)
</sig:XPath>
</sig:Transform>
<sig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
</sig:Transforms>
<sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<sig:DigestValue>3fsXwkDTCtWuYNadHVTSbTg6yeA=</sig:DigestValue>
</sig:Reference>
</sig:SignedInfo>
<sig:SignatureValue>
xZmkkvAssRopw+QDt1w/wxgvQmVbitadPL1gbWou73cuhD+r6m1xaQf4TZhpfsyGddO0cnHZ65NP
Y2TvmVzwWJiJiZ9qqTvcdxHnbuihZhWb8Stu2nh3GDLS6aCpRW2dv3zSj4hgRHGmPqjpATq+lWrO
57igjO05UT6ppXOkmhM=
</sig:SignatureValue>
<sig:KeyInfo>
<sig:KeyValue>
<sig:RSAKeyValue>
<sig:Modulus>
7CeDV7ApjGtmML8LGCS0/vrFcVe3Q2UnvrJXWlYedHmcYRUqPqtcyYuPzwSLqIEwFl7NQjbubnZK
vlkfkRdKnRpbPhA0m1HxURmhZhGl7joTOMbpx3kgEctFo1Xbq0WZVK07XhPqsr3eIJ+K8u6UCe4k
8IeHud0KF17TKp/iGIE=
</sig:Modulus>
<sig:Exponent>AQAB</sig:Exponent>
</sig:RSAKeyValue>
</sig:KeyValue>
</sig:KeyInfo>
</sig:Signature></EndUser>
</EndUsers></ISSKeys>
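An added example, not from the post and not xmlsec's own code, that models in stdlib Python how XPath 1.0 evaluates the filter in the attached files: `=` between two node-sets is true when any node on one side has the same string-value as any node on the other, so the newline text node after `</EndUser>` changes the string-value of `<EndUsers>` and drops the `<EndUser>` element itself out of the selected node-set, leaving only its children (the "xml subset" described above). The condensed documents, `string_value`, `ancestors` and `selected_elements` are constructed here, and the identity idiom `count(ancestor-or-self::node() | $target) = count(ancestor-or-self::node())` is assumed to express the selection the signer intended.

```python
from xml.dom import minidom, Node
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
END_USER_ID = "424ea53e-b226-11d6-9cbb-91339fef79f0"

# Constructed, condensed copies of the attachments: GOOD mirrors dereg2.xml (no
# newline after </EndUser>), BAD mirrors dereg1.xml (newline present).
GOOD = ('<ISSKeys Source="ISS Atlanta"><!-- TestKey ISS keygen -->\n'
        '<EndUsers><EndUser Id="%s"><Version>1.0</Version><OCN>111111</OCN>'
        '<sig:Signature xmlns:sig="%s"><sig:SignedInfo/></sig:Signature>'
        '</EndUser></EndUsers></ISSKeys>' % (END_USER_ID, DSIG_NS))
BAD = GOOD.replace("</EndUser></EndUsers>", "</EndUser>\n</EndUsers>")

def string_value(node):
    # XPath 1.0 string-value: node data, attribute value, or all descendant text
    if node.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE, Node.COMMENT_NODE):
        return node.data
    if node.nodeType == Node.ATTRIBUTE_NODE:
        return node.value
    return "".join(string_value(c) for c in node.childNodes if c.nodeType in
                   (Node.TEXT_NODE, Node.CDATA_SECTION_NODE, Node.ELEMENT_NODE))

def ancestors(node):
    # ancestor::node(), innermost first, ending at the root (Document) node
    node = node.parentNode
    while node is not None:
        yield node
        node = node.parentNode

def is_signature(node):
    return (node.nodeType == Node.ELEMENT_NODE and node.namespaceURI == DSIG_NS
            and node.localName == "Signature")

def selected_elements(xml_text, by_identity=False):
    # Elements kept by: not(ancestor-or-self::sig:Signature) and (ancestor::node() = $target)
    # by_identity=True uses: count(ancestor-or-self::node() | $target) = count(ancestor-or-self::node())
    doc = minidom.parseString(xml_text)
    target = [e for e in doc.getElementsByTagName("EndUser")
              if e.getAttribute("Id") == END_USER_ID][0]
    target_sv = string_value(target)  # the right-hand node-set has a single member
    kept = []
    for el in doc.getElementsByTagName("*"):
        if is_signature(el) or any(is_signature(a) for a in ancestors(el)):
            continue
        if by_identity:
            keep = el is target or any(a is target for a in ancestors(el))
        else:  # '=' between node-sets compares string-values, never node identity
            keep = any(string_value(a) == target_sv for a in ancestors(el))
        if keep:
            kept.append(el.tagName)
    return kept
```

Under the string-value comparison `selected_elements(GOOD)` keeps `EndUser`, `Version` and `OCN` while `selected_elements(BAD)` keeps only `Version` and `OCN`; under the identity test both documents yield the same set, so a filter written that way is insensitive to whitespace outside the signed element.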
