Yes, that's what I wanted to know. The author admitted that it was his fault and that he forgot to include the Id= in the Body. By telling me that it is impossible, you convinced me that first I have to inform him about his violation of the standards.
Another strange fact (telling it just for fun): the DigestValue hash in his example was a precise, fine-crafted, robust SHA1 hash of a NULL string, mainly because of the missing Id. :-)
Now we're arguing about the canonicalization, since his documents still do not pass the online XMLSEC verifier. His referenced Body section has a lot of namespaces in it, and canonicalization moves these to the beginning of the whole document (it seems that he first calculates the hash, makes its envelope, then canonicalizes it), and since neither he nor I am sure about the standards, I want to pass it through the online verifier first, because it's a good reference when we're asked about the validity of our verification procedure.
By the way, does it make a difference that it's not a simple signed XML document but XML SOAP? I think it shouldn't.
Aleksey Sanin wrote:
I am not sure I understand you. You don't have an ID attribute in an element, you can't add it because it'll break everything, but you still want to reference it as "#...."? I am not sure there is a way to do this, and I am not sure it's a good idea at all (from a security point of view).
Aleksey
Artur BUJDOSO wrote on 3/11/2004, 4:17 AM:
Is there a way to declare an ID attribute if it's not present by Id="Body" in the referenced tag? I mean, I got <soapenv:Body> but no <soapenv:Body Id="Body">. The latter is accepted by XMLSEC, but true, it modifies the verified document.
Artur
Aleksey Sanin wrote:
If you modified the signed document then you'll get a different digest. Either use an external DTD or declare ID attributes from your program as explained in the FAQ.
_______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
Aleksey
Artur BUJDOSO wrote on 3/10/2004, 10:30 AM:
Thanks for the reply.
Yes, I've read it and tried to declare the Reference ID at the beginning of the document, and even tried to replace the URI with ID. Following (short) result:
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=164:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
The PreDigest data buffer seems to contain the whole document; is this normal?
Since the author of the document generator admitted that he isn't sure about standards at all, it might be a wrong DigestValue.
Artur
Aleksey Sanin wrote:
Section 3.2 from the FAQ http://www.aleksey.com/xmlsec/faq.html
Aleksey
Artur BUJDOSO wrote on 3/10/2004, 7:25 AM:
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('Body'))
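The thread above turns on three mechanics: a Reference with URI="#Body" is resolved by xpointer(id('Body')), which only sees attributes the parser knows to be of type ID (declared in a DTD or registered by the application, as the xmlsec FAQ describes), so an attribute merely named Id, or no attribute at all, resolves nothing; a generator that keeps hashing after resolving nothing produces exactly the SHA-1 of the empty string that Artur noticed; and adding Id="Body" to the document by hand changes the canonical bytes and therefore the digest. The following is an added example, written for this page and not code from the xmlsec project or from anyone on the list. It is standard-library Python only; the SOAP envelope is constructed, the ID lookup is a small emulation rather than libxml2's, and ET.canonicalize implements C14N 2.0, not the C14N 1.0 / Exclusive C14N that xmlsec applies, so the digests illustrate how the result depends on resolution and on the Id attribute, not bytes xmlsec would emit.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Keep the soapenv prefix when a subtree is re-serialized (ElementTree would
# otherwise invent ns0:), so the canonical form stays readable.
ET.register_namespace("soapenv", SOAPENV)

# Constructed sample envelope (not a real message): a Body carrying nested
# namespaces and, as in the thread, no Id attribute.
ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header/>'
    '<soapenv:Body><ns1:echo xmlns:ns1="urn:example:echo">'
    '<ns1:msg>hi</ns1:msg></ns1:echo></soapenv:Body>'
    '</soapenv:Envelope>'
)
# The same envelope after the verifier patches it by hand, as Artur tried.
ENVELOPE_WITH_ID = ENVELOPE.replace("<soapenv:Body>", '<soapenv:Body Id="Body">')

# base64(SHA-1("")): the DigestValue of a Reference that resolved to nothing.
EMPTY_DIGEST = "2jmj7l5rSw0yVb/vlWAYkK/YBwk="


def sha1_b64(data: bytes) -> str:
    """DigestValue encoding used by XML-DSig: base64 of the raw SHA-1 digest."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def resolve_id_reference(root, ref_id, id_attrs=()):
    """Emulation of xpointer(id('ref_id')): only attributes declared to be of
    type ID (here: the names passed in id_attrs, standing in for a DTD or an
    application-side xmlAddID) take part in the lookup. An attribute that is
    merely named Id is invisible to it."""
    for el in root.iter():
        for name in id_attrs:
            if el.get(name) == ref_id:
                return el
    return None


def canonical_bytes(element) -> bytes:
    """Serialize the subtree and canonicalize it with the stdlib's C14N 2.0.
    ElementTree hoists every namespace declaration used below the element onto
    the element itself, which is one reason canonical bytes differ between
    tools and why the verifier must canonicalize exactly as the signer did."""
    fragment = ET.tostring(element, encoding="unicode")
    return ET.canonicalize(fragment).encode("utf-8")


def digest_of_reference(xml_text, ref_id, id_attrs=()):
    """Digest for <Reference URI="#ref_id"> over the given document.
    xmlsec itself stops with the xmlXPtrEval error quoted in the thread when
    nothing resolves; a generator that ignores that and hashes an empty buffer
    gets EMPTY_DIGEST, which is what Artur saw in the author's DigestValue."""
    root = ET.fromstring(xml_text)
    target = resolve_id_reference(root, ref_id, id_attrs)
    if target is None:
        return sha1_b64(b"")
    return sha1_b64(canonical_bytes(target))


def digest_of_body_by_path(xml_text):
    """Digest of the Body located structurally instead of by ID, for comparison."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAPENV}}}Body")
    return sha1_b64(canonical_bytes(body))


if __name__ == "__main__":
    print("no Id attribute:            ", digest_of_reference(ENVELOPE, "Body"))
    print("Id present, not typed as ID:", digest_of_reference(ENVELOPE_WITH_ID, "Body"))
    print("Id present, typed as ID:    ", digest_of_reference(ENVELOPE_WITH_ID, "Body", ("Id",)))
    print("Body without Id, by path:   ", digest_of_body_by_path(ENVELOPE))
```

The first two runs return the empty-string digest even though the second document does contain Id="Body", because the attribute has not been declared as an ID type; only the third resolves the Body, and its digest differs from the digest of the original, unmodified Body, which is the point Aleksey makes about editing the signed document.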
