Hi Steingart,
Thanks a lot for the bug report and analysis! This is indeed a change
in recent libxml2 versions. Unfortunately, there are a couple other
places where we rely on NULL nodeset to be "all" so I implemented
a slightly different version of your patch
http://git.gnome.org/browse/xmlsec/commit/?id=d081286fdaf5718eab01013a47fc76539925397d
Best,
Aleksey
On 11/2/11 1:55 AM, Steingart Ferenc wrote:
Hi,
I think I have found a bug in XPath/Xpath-Filter2 reference evaluation.
The bug is reproducable with the xmlsec command line utility, using the
attached input files.
The problem is that the whole document is included in the reference digest.
The command line:
xmlsec1 --sign --store-references --print-debug --id-attr:id
"urn:test.global":ToBeSigned --privkey-pem signkey.pem --pubkey-cert-pem
signcert.crt tobesigned.xml
After some debugging sessions I found, that the problem arises when the
libxml2 xpath evaluation returns an empty nodeset in the form: the
xmlXPathObject's type is XPATH_NODESET and the nodesetval pointer is
NULL. (Sometimes empty nodesets are returned with a non-null nodesetval
pointer, but nodesetval->nodeNr=0)
I have managed to correct the handlig of such empty nodesets by two
small modification:
in nodeset.c: in function xmlSecNodeSetOneContains the default value of
the variable int in_nodes_set has to be set to 0:
-------------------
xmlSecNodeSetOneContains(xmlSecNodeSetPtr nset, xmlNodePtr node,
xmlNodePtr parent) {
int in_nodes_set = 0;
...
-------------------
By this NULL nodes pointers in xmlSecNodeSet nodesets are handled
correctly. But this arises another problem: when using an xpointer in
the corresponding reference,
the initial xmlSecNodeSetPtr nodeset's nodes pointer is set to NULL,
with type xmlSecNodeSetNormal. This defines an empty nodeset, so the
initial nodeset has to be changed.
In transforms.c in function xmlSecTransformCtxExecute has to be created
with type xmlSecNodeSetInvert instead of xmlSecNodeSetNormal, which
means the whole document:
-------------------
xmlSecTransformCtxExecute(xmlSecTransformCtxPtr ctx, xmlDocPtr doc) {
int ret;
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->result == NULL, -1);
xmlSecAssert2(ctx->status == xmlSecTransformStatusNone, -1);
xmlSecAssert2(doc != NULL, -1);
if((ctx->uri == NULL) || (xmlStrlen(ctx->uri) == 0)) {
xmlSecNodeSetPtr nodes;
if((ctx->xptrExpr != NULL) && (xmlStrlen(ctx->xptrExpr) > 0)){
/* our xpointer transform takes care of providing correct nodes set */
nodes = xmlSecNodeSetCreate(doc, NULL, xmlSecNodeSetInvert);
...
-------------------
This way xpath evaluation seems correct. Of course my modifications
require more evaluation.
Steingart Ferenc
fejlesztő, programtervező matematikus
Tel: 06 1 345 7974
Email: [email protected]
Web: http://www.cardinal.hu
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
