Looks like there is a bug in LibXML XPath engine. I'll forward it to libxml mailing list and also take a look tomorrow.
Aleksey.

Moultrie, Ferrell (ISSAtlanta) wrote:
> Aleksey:
>   I've validated a bunch of signatures with 0.0.8 and that's working
> well. However, I've found one signature that won't validate -- it
> appears to be an xpath failure -- xpath is selecting the wrong data. I
> can make a 1-character change *outside* of the data being signed (as
> verified by the buffer output from xmlsec) and make it work/fail -- and
> it makes no sense whatsoever.
>   The attached files differ by only one character -- a newline at the
> end of the node being signed (but *after* the closing tag). If the
> newline is present, the xpath transform fails with:
>
> (d:\projects\thirdparty\xmlsoft-org-build-trees\xmlsec-0.0.8\src\xmldsig.c:1441): error 34: invalid reference :
>
> If the newline is absent, the xpath transform works (as do all the
> others I've tried).
>   Running a very simple xmlsec command will show the good and bad
> results:
>   xmlsec verify --print-all dereg1.xml <<bad>>
>   xmlsec verify --print-all dereg2.xml <<good>>
> I've stepped through a bunch of the code looking for what's going on but
> I obviously don't understand the code well enough yet to know more than
> that the transform is returning the wrong data (an xml subset of the
> correct data). If you can figure out what's going on here it would
> greatly improve my life -- this has been a wild ride today!
> Thanks!
>   Ferrell
>
> =====================================
> Ferrell Moultrie ([EMAIL PROTECTED])
> Software Engineer
>
> Internet Security Systems, Inc.
> 6303 Barfield Road
> Atlanta, Georgia 30328
> Phone: 404-236-2600
> Direct: 404-236-2849
> Fax: 404-236-2632
> http://www.iss.net
>
> Internet Security Systems -- The Power to Protect
> =====================================
>
>
> ------------------------------------------------------------------------
>
> <?xml version="1.0"?>
> <ISSKeys Source="ISS Atlanta"><!-- TestKey ISS keygen -->
> <EndUsers><EndUser Address1="666 Rockets way" Address2="Apt. B" City="Scienceville"
> CompanyName="Spacely Sprockets" Country="USA" Email="[EMAIL PROTECTED]"
> Id="424ea53e-b226-11d6-9cbb-91339fef79f0" PostCode="12345678 OP" State="Disturbed"
> SubjectName="George Jetson" Title="Whipping
> Boy"><Version>1.0</Version><OCN>111111</OCN><Source>ISS
> Atlanta</Source><Serial>9BB60667-7810-A0E4-5C92-2C72A9699370</Serial><Timestamp>2002-08-17
>  17:14:04</Timestamp><sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
> <sig:SignedInfo>
> <sig:CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> <sig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <sig:Reference URI="">
> <sig:Transforms>
> <sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
> <sig:XPath>
> not(ancestor-or-self::sig:Signature)
>  and (
>  (ancestor::node() =
> /ISSKeys/EndUsers[1]/child::EndUser[@Id='424ea53e-b226-11d6-9cbb-91339fef79f0'])
> )
> </sig:XPath>
> </sig:Transform>
> <sig:Transform
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
> </sig:Transforms>
> <sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <sig:DigestValue>3fsXwkDTCtWuYNadHVTSbTg6yeA=</sig:DigestValue>
> </sig:Reference>
> </sig:SignedInfo>
> <sig:SignatureValue>
> xZmkkvAssRopw+QDt1w/wxgvQmVbitadPL1gbWou73cuhD+r6m1xaQf4TZhpfsyGddO0cnHZ65NP
> Y2TvmVzwWJiJiZ9qqTvcdxHnbuihZhWb8Stu2nh3GDLS6aCpRW2dv3zSj4hgRHGmPqjpATq+lWrO
> 57igjO05UT6ppXOkmhM=
> </sig:SignatureValue>
> <sig:KeyInfo>
> <sig:KeyValue>
> <sig:RSAKeyValue>
> <sig:Modulus>
> 7CeDV7ApjGtmML8LGCS0/vrFcVe3Q2UnvrJXWlYedHmcYRUqPqtcyYuPzwSLqIEwFl7NQjbubnZK
> vlkfkRdKnRpbPhA0m1HxURmhZhGl7joTOMbpx3kgEctFo1Xbq0WZVK07XhPqsr3eIJ+K8u6UCe4k
> 8IeHud0KF17TKp/iGIE=
> </sig:Modulus>
> <sig:Exponent>AQAB</sig:Exponent>
> </sig:RSAKeyValue>
> </sig:KeyValue>
> </sig:KeyInfo>
> </sig:Signature></EndUser></EndUsers></ISSKeys>
>
>
> ------------------------------------------------------------------------
>
> <?xml version="1.0"?>
> <ISSKeys Source="ISS Atlanta"><!-- TestKey ISS keygen -->
> <EndUsers><EndUser Address1="666 Rockets way" Address2="Apt. B" City="Scienceville"
> CompanyName="Spacely Sprockets" Country="USA" Email="[EMAIL PROTECTED]"
> Id="424ea53e-b226-11d6-9cbb-91339fef79f0" PostCode="12345678 OP" State="Disturbed"
> SubjectName="George Jetson" Title="Whipping
> Boy"><Version>1.0</Version><OCN>111111</OCN><Source>ISS
> Atlanta</Source><Serial>9BB60667-7810-A0E4-5C92-2C72A9699370</Serial><Timestamp>2002-08-17
>  17:14:04</Timestamp><sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
> <sig:SignedInfo>
> <sig:CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> <sig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <sig:Reference URI="">
> <sig:Transforms>
> <sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
> <sig:XPath>
> not(ancestor-or-self::sig:Signature)
>  and (
>  (ancestor::node() =
> /ISSKeys/EndUsers[1]/child::EndUser[@Id='424ea53e-b226-11d6-9cbb-91339fef79f0'])
> )
> </sig:XPath>
> </sig:Transform>
> <sig:Transform
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
> </sig:Transforms>
> <sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <sig:DigestValue>3fsXwkDTCtWuYNadHVTSbTg6yeA=</sig:DigestValue>
> </sig:Reference>
> </sig:SignedInfo>
> <sig:SignatureValue>
> xZmkkvAssRopw+QDt1w/wxgvQmVbitadPL1gbWou73cuhD+r6m1xaQf4TZhpfsyGddO0cnHZ65NP
> Y2TvmVzwWJiJiZ9qqTvcdxHnbuihZhWb8Stu2nh3GDLS6aCpRW2dv3zSj4hgRHGmPqjpATq+lWrO
> 57igjO05UT6ppXOkmhM=
> </sig:SignatureValue>
> <sig:KeyInfo>
> <sig:KeyValue>
> <sig:RSAKeyValue>
> <sig:Modulus>
> 7CeDV7ApjGtmML8LGCS0/vrFcVe3Q2UnvrJXWlYedHmcYRUqPqtcyYuPzwSLqIEwFl7NQjbubnZK
> vlkfkRdKnRpbPhA0m1HxURmhZhGl7joTOMbpx3kgEctFo1Xbq0WZVK07XhPqsr3eIJ+K8u6UCe4k
> 8IeHud0KF17TKp/iGIE=
> </sig:Modulus>
> <sig:Exponent>AQAB</sig:Exponent>
> </sig:RSAKeyValue>
> </sig:KeyValue>
> </sig:KeyInfo>
> </sig:Signature></EndUser>
> </EndUsers></ISSKeys>
>
>
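Added worked example (editor's addition; not code from this thread, from xmlsec or from libxml). The filter quoted above compares `ancestor::node()` with the EndUser node-set using `=`. In XPath 1.0 (section 3.4) a node-set `=` node-set comparison is true when some node on one side has the same string-value as some node on the other; it is not a test that the two are the same node. The stand-alone Python below, standard library only and evaluating element nodes only, hand-evaluates that predicate over constructed, cut-down copies of the two attachments (the constant names, document strings and helper functions are this example's own). It shows that the newline after </EndUser> changes the string-value of EndUsers, so the EndUser element itself is no longer selected while its children still are, which is exactly a "subset of the correct data"; it also shows a node-identity formulation, ancestor-or-self::EndUser[@Id=...], that selects the same subtree in both documents. The practical check for anyone writing XPath transforms into a Reference is the one Ferrell already ran: dump the dereferenced node set (xmlsec's --print-all) on inputs that differ only in whitespace, and confirm the selected set is the one you meant to sign before attributing a mismatch to the engine.

```python
"""Hand evaluation of the XPath filter from the two attachments above.

Added example for this thread; it is not xmlsec or libxml code.  Standard
library only, and only element nodes are evaluated (text, attribute and
comment nodes are left out), which is enough to show which element drops out.
"""
import xml.etree.ElementTree as ET

SIG_TAG = "{http://www.w3.org/2000/09/xmldsig#}Signature"
TARGET_ID = "424ea53e-b226-11d6-9cbb-91339fef79f0"   # Id from the thread's XPath

# Constructed, cut-down stand-ins for the attachments (the real ones carry the
# full Signature, key and address data).  As in the thread, the two documents
# differ only by a newline after </EndUser>, outside the element being signed.
GOOD_DOC = (
    '<ISSKeys Source="ISS Atlanta">\n'
    '<EndUsers><EndUser Id="' + TARGET_ID + '" SubjectName="George Jetson">'
    '<Version>1.0</Version><OCN>111111</OCN>'
    '<sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">'
    '<sig:SignedInfo/></sig:Signature></EndUser></EndUsers></ISSKeys>'
)
BAD_DOC = GOOD_DOC.replace("</EndUser></EndUsers>", "</EndUser>\n</EndUsers>")


def string_value(elem):
    """XPath 1.0 string-value of an element: every descendant text node,
    whitespace included, concatenated in document order."""
    return "".join(elem.itertext())


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def _parse(doc):
    root = ET.fromstring(doc)
    parent = {child: p for p in root.iter() for child in p}
    target = next(e for e in root.iter("EndUser") if e.get("Id") == TARGET_ID)
    return root, parent, target


def _ancestors(elem, parent):
    chain = []
    while elem in parent:
        elem = parent[elem]
        chain.append(elem)
    return chain


def container_string_values(doc):
    """String-values of EndUsers and EndUser, to make the newline's effect visible."""
    root, _, target = _parse(doc)
    return {"EndUsers": string_value(root.find("EndUsers")),
            "EndUser": string_value(target)}


def select_as_in_thread(doc):
    """The thread's filter, applied to every element node as context node:

        not(ancestor-or-self::sig:Signature)
        and (ancestor::node() = /ISSKeys/EndUsers[1]/child::EndUser[@Id='...'])

    XPath 1.0 3.4: node-set = node-set is true iff some node on the left and
    some node on the right have equal string-values, so the second clause
    holds iff SOME ancestor has the same string-value as the target EndUser.
    Returns the names of the selected elements in document order."""
    root, parent, target = _parse(doc)
    target_sv = string_value(target)
    selected = []
    for elem in root.iter():
        chain = _ancestors(elem, parent)
        if elem.tag == SIG_TAG or any(a.tag == SIG_TAG for a in chain):
            continue                      # inside the enveloped signature
        # ancestor::node() also reaches the root node, whose string-value is
        # that of the document element.
        ancestor_svs = [string_value(a) for a in chain] + [string_value(root)]
        if target_sv in ancestor_svs:
            selected.append(local_name(elem.tag))
    return selected


def select_by_identity(doc):
    """What the filter evidently meant, written as a node-identity test:

        not(ancestor-or-self::sig:Signature)
        and ancestor-or-self::EndUser[@Id='...']

    Membership of the target's subtree no longer depends on any string-value."""
    root, parent, target = _parse(doc)
    selected = []
    for elem in root.iter():
        chain = [elem] + _ancestors(elem, parent)
        if any(a.tag == SIG_TAG for a in chain):
            continue
        if target in chain:               # identity, not string-value
            selected.append(local_name(elem.tag))
    return selected


if __name__ == "__main__":
    for name, doc in (("no newline", GOOD_DOC), ("newline after </EndUser>", BAD_DOC)):
        print(name, container_string_values(doc))
        print("  as in thread :", select_as_in_thread(doc))
        print("  by identity  :", select_by_identity(doc))
```

Running it prints, for the document without the newline, EndUser plus Version and OCN under both formulations; for the document with the newline, the thread's filter keeps only Version and OCN while the identity form still keeps EndUser. The digest is then computed over a different node set, which is what the "invalid reference" error reports.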
_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
