Thanks Aleksey, I patched xmlSec sources, but the problem still persists.
I'm sending some more info, if you like:
1) a stupid patch against xmlSec c14n.c - you need not apply it, it is just for illustration where I'm gathering my debug files :-)
2) debug files gathered using my debugs in (1) (and pretty-formatted):
INPUT_c14n.xml - input msg to c14n processing
OUTPUT_BAD_c14n.xml - output msg from c14n processing (bad output shown) - this is the case when I just run my test (using patched xmlSec)
OUTPUT_OK_c14n.xml - output msg from c14n processing (good output shown) - see below for info how I got it
3) running my test and setting a breakpoint in xmlSec: nodeset.c: 153 the contexts the test stops in are:
parent: XML_ELEMENT_NODE "Body" node: XML_NAMESPACE_DECL "http://schemas.xmlsoap.org/soap/envelope/"
(gdb) c
parent: XML_ELEMENT_NODE "Ping" node: XML_NAMESPACE_DECL "http://xmlsoap.org/Ping"
(gdb) c
parent: XML_ELEMENT_NODE "text" node: XML_NAMESPACE_DECL "http://xmlsoap.org/Ping"
(gdb) c
parent: XML_ELEMENT_NODE "Ping" node: XML_NAMESPACE_DECL "http://xmlsoap.org/Ping"
(gdb) c
parent: XML_ATTRIBUTE_NODE "type" node: XML_NAMESPACE_DECL "http://www.w3.org/2001/XMLSchema-instance"
now, your patch is executed:
(gdb) n
154 ns.next = (xmlNsPtr)parent->parent;
however, the nodeset does not contain the namespace "http://www.w3.org/2001/XMLSchema-instance":
(gdb) p *nset->nodes
$23 = {nodeNr = 1, nodeMax = 10, nodeTab = 0x81d7ee0}
(gdb) p *nset->nodes->nodeTab[0]
$24 = {_private = 0x0, type = XML_ELEMENT_NODE, name = 0x81d4110 "Body", children = 0x81d4230, last = 0x81d4230,
parent = 0x81d3f28, next = 0x0, prev = 0x81d10c0, doc = 0x81d3e58, ns = 0x81d3f78, content = 0x0,
properties = 0x81d3428, nsDef = 0x81d33a0, psvi = 0x0, line = 0, extra = 0}
so:
(gdb) p in_nodes_set
$25 = 0
so the namespace still gets rendered at the <text> element
Then, I tried to manually override the 'in_nodes_set': set it to 1. In this case, the namespace "http://www.w3.org/2001/XMLSchema-instance" is not rendered at the <text> element (see OUTPUT_OK_c14n.xml).
best regards, Tomas
Aleksey Sanin wrote:
Tomas,
I checked in the patches for both LibXML2 and XMLSec. As I wrote, in LibXML2 the patch does not touch the core library but the C14N test program. On the xmlsec side, it is a patch in the core library.
I would appreciate it if you could either apply the xmlsec patch attached to my previous message or get fresh xmlsec sources from CVS and try this patch with your examples.
Thanks, Aleksey
Aleksey Sanin wrote:
It is a problem on both sides. The LibXML2 namespaces are a little bit tricky and the c14n code had a problem with understanding that the attribute namespace is the same as the namespace declaration in the node.
The patches for both libxml2 and xmlsec are attached (the libxml2 patch fixes the testC14N test utility and does not change the core libxml2 functionality thus it is optional). I did a quick test and it seems to be working fine but I will not be able to fully test and check in these patches till next week.
--- c14n.c.orig Fri Aug 22 19:11:14 2003
+++ c14n.c Tue Apr 20 09:41:28 2004
@@ -422,6 +422,22 @@
(xmlC14NIsVisibleCallback)xmlSecNodeSetContains,
nodes, 0, NULL, 1, buf);
} else if(id == xmlSecTransformExclC14NId) {
+ //TS:todo:
+ static char fn[100]="c14n_a.xml";
+ FILE *f;
+ if (fn[5]<'z') fn[5]++;
+ xmlSaveFormatFile(fn,nodes->doc,1);
+ if (fn[5]<'z') fn[5]++;
+ f=fopen(fn,"wt");
+ if (f) {
+ xmlOutputBufferPtr b=xmlOutputBufferCreateFile(f,NULL);
+ xmlC14NExecute(nodes->doc,
+ (xmlC14NIsVisibleCallback)xmlSecNodeSetContains,
+ nodes, 1, nsList, 0, b);
+ fclose(f);
+ }
+
+
ret = xmlC14NExecute(nodes->doc,
(xmlC14NIsVisibleCallback)xmlSecNodeSetContains,
nodes, 1, nsList, 0, buf);
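Review bot: in the added debug block, the output buffer b returned by xmlOutputBufferCreateFile is never released with xmlOutputBufferClose, so every pass through this branch leaks it; close b before fclose(f), and check b for NULL before handing it to xmlC14NExecute. The return values of xmlSaveFormatFile and the extra xmlC14NExecute call are ignored, so a failed dump is indistinguishable from an empty one. Once fn[5] reaches 'z' both writes go to the same file name and the c14n dump overwrites the document dump. If this were ever kept beyond local debugging, the unconditional writes into the working directory and the // comment should sit behind a debug #ifdef.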
INPUT_c14n.xml:
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SE="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" SOAP-ENV:mustUnderstand="1">
      <wsse:BinarySecurityToken ValueType="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="myCert">[base64 certificate data omitted]</wsse:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#BodyId">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue/>
          </Reference>
        </SignedInfo>
        <SignatureValue/>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#myCert"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body xmlns:wsu="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="BodyId">
    <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping" xsi:type="ns0:ping">
      <ns0:text xsi:type="xsd:string">Scenario #3</ns0:text>
    </ns0:Ping>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
OUTPUT_BAD_c14n.xml:
<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="BodyId">
  <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns0:ping">
    <ns0:text xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Scenario #3</ns0:text>
  </ns0:Ping>
</SOAP-ENV:Body>
OUTPUT_OK_c14n.xml:
<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="BodyId">
  <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns0:ping">
    <ns0:text xsi:type="xsd:string">Scenario #3</ns0:text>
  </ns0:Ping>
</SOAP-ENV:Body>
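
Added example (not part of the original messages, and not libxml2 or xmlsec code): a simplified C model of the exclusive c14n decision discussed above, showing how the answer of the node-set visibility check alone switches the output between the OUTPUT_BAD and OUTPUT_OK shapes. The types, the callbacks and the rule that an attribute-reached namespace is answered as "not in the node set" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* A visibly utilized namespace: its prefix, and whether an attribute uses it. */
typedef struct { const char *prefix; int via_attr; } NsUse;
typedef struct { const char *name; NsUse uses[2]; } Elem;
typedef int (*visible_cb)(const NsUse *earlier);

/* Constructed model of the signed subtree from the thread: Body > Ping > text. */
static const Elem chain[3] = {
    { "Body", { { "SOAP-ENV", 0 }, { "wsu", 1 } } },
    { "Ping", { { "ns0", 0 }, { "xsi", 1 } } },
    { "text", { { "ns0", 0 }, { "xsi", 1 } } },
};

/* Assumed model of the reported behaviour: a namespace declaration reached
 * through an attribute is answered as "not in the node set". */
static int cb_reported(const NsUse *earlier) { return !earlier->via_attr; }
/* Models forcing in_nodes_set to 1 in gdb. */
static int cb_forced(const NsUse *earlier) { (void)earlier; return 1; }

/* Walk root to leaf. A utilized prefix is declared at an element unless an
 * ancestor already declared it AND the callback confirms that declaration.
 * Writes e.g. "Body[a b] Ping[c]" into out (at least 64 bytes) and returns it. */
static char *render(visible_cb cb, char *out, size_t n) {
    const NsUse *stack[8];
    int top = 0; size_t len = 0;
    for (int e = 0; e < 3; e++) {
        len += (size_t)snprintf(out + len, n - len, "%s%s[", e ? " " : "", chain[e].name);
        for (int u = 0, first = 1; u < 2; u++) {
            const NsUse *use = &chain[e].uses[u];
            int rendered = 0;
            for (int i = top - 1; i >= 0; i--)
                if (strcmp(stack[i]->prefix, use->prefix) == 0) { rendered = cb(stack[i]); break; }
            if (rendered) continue;
            stack[top++] = use;
            len += (size_t)snprintf(out + len, n - len, "%s%s", first ? "" : " ", use->prefix);
            first = 0;
        }
        len += (size_t)snprintf(out + len, n - len, "]");
    }
    return out;
}

int main(void) {
    char buf[64];
    printf("reported: %s\n", render(cb_reported, buf, sizeof buf));
    printf("forced:   %s\n", render(cb_forced, buf, sizeof buf));
    return 0;
}
```

A redundant xmlns:xsi on the inner element changes the canonical bytes, so the digest computed over the Body would not match one produced by a canonicalizer that emits the declaration only once.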
