Hi guys,
I used xmlsec for the first time years ago, now I am updating my software to 
validate xml signatures generated with other software.
I have a verification error!
The error reason is clear, but I don't understand if it is a Xmlsec 
interpretation misunderstanding of Xml Signature standard or not...

FILES

I have a document (doc.xml) and a detached xml signature generated with Oxygen 
Xml Editor 13.2 (det-rsasha1.xml)

VERIFY ERROR

>xmlsec --verify det-rsasha1.xml

error : Unknown IO error
func=xmlSecTransformEnvelopedExecute:file=..\src\enveloped.c:line=108:obj=enveloped-signature:subj=unknown:error=34:same
 document is required for transform:
func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2371:obj=enveloped-signature:subj=xmlSecTransformExecute:error=1:xmlsec
 library function failed:
func=xmlSecParserPushBin:file=..\src\parser.c:line=222:obj=xml-parser:subj=xmlSecTransformPushXml:error=1:xmlsec
 library function failed:
func=xmlSecTransformPump:file=..\src\transforms.c:line=1634:obj=xml-parser:subj=xmlSecTransformPushBin:error=1:xmlsec
 library function failed:
func=xmlSecTransformCtxUriExecute:file=..\src\transforms.c:line=1160:obj=unknown:subj=xmlSecTransformPump:error=1:xmlsec
 library function failed:uri=doc.xml
func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1280:obj=unknown:subj=xmlSecTransformCtxUriExecute:error=1:xmlsec
 library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec
 library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
 library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
 library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
 library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "det-rsasha1.xml"

ERROR REASON

Now... the error is due to the combined use of

1) reference to an external document doc.xml

2) use of enveloped-signature transform by that reference
XmlSec enveloped-signature transform requires that the xml document
(target of the transformation itself) contains the signature that contains the 
Reference node.

(In my case this is not true, because the document target of the transform is 
external
and does not contain the Signature node)

QUESTION

Is this implementation check really correct???
If it is correct... why does Oxygen Xml Editor 13.2 generate this combination?

Here is the Xml Signature standard:
6.6.4 Enveloped Signature Transform
 "An enveloped signature transform T removes the whole Signature element 
containing T from the digest calculation of the Reference element containing T. 
The entire string of characters used by an XML processor to match the Signature 
with the XML production element is removed. The output of the transform is 
equivalent to the output that would result from replacing T with an XPath 
transform containing the following XPath parameter element: [...]"

From my point of view the xmlsec implementation is too strict!
The standard does not require that the document (target of T) actually contains 
the Signature node,
the standard only says that the transform T removes the Signature node 
containing the transform T from the document.
If the document does not contain the Signature node, no document modification 
is specified for this transform.

If document doc.xml does not contain a Signature node,
I suppose that the transformation result should be the document doc.xml itself.

Am I wrong?
Oxygen is not standard?
XmlSec is too strict?
Who is right?

Thank you for your time


-----------------------------------
Guido Billi
Telvox S.R.L.
Via Pastrengo, 2
40123 Bologna
tel: 051 33 97 121
www.telvox.com




Attachment: det-rsasha1.xml
Description: det-rsasha1.xml

Attachment: doc.xml
Description: doc.xml
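The following is an added example, not code from the post, from xmlsec or from Oxygen, and the two sample documents in it are constructed here rather than taken from the attachments. It implements the enveloped-signature transform of XMLDSig 6.6.4 over Python's standard ElementTree: walk up from the Transform element T to the Signature that contains it, then drop that Signature from the target of the Reference before canonicalising. The `strict` flag (an assumption of this example, not an xmlsec option) selects between the two readings discussed in the post: with `strict=True` the enclosing Signature must live in the target tree, which is the condition behind the "same document is required for transform" line in the log above; with `strict=False` a target that does not contain the Signature passes through unchanged. The stdlib's `canonicalize` is C14N 2.0, used here only as a stand-in for the C14N 1.0 that XMLDSig references use.

```python
"""Enveloped-signature transform (XMLDSig 6.6.4) applied to a same-document
Reference (URI="") and to a detached Reference to an external document.
Added example with constructed samples; not the post's attachments."""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = f"{{{DSIG_NS}}}Signature"
TRANSFORM_TAG = f"{{{DSIG_NS}}}Transform"
ENVELOPED_ALG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


class TransformError(Exception):
    """Raised when the transform cannot be applied to the given target."""


def parent_map(root):
    """ElementTree has no parent pointers; build a child -> parent map once."""
    return {child: parent for parent in root.iter() for child in parent}


def enclosing_signature(transform, parents):
    """Walk up from T (the Transform element) to the Signature containing it."""
    node = transform
    while node is not None:
        if node.tag == SIGNATURE_TAG:
            return node
        node = parents.get(node)
    return None


def canonical(root):
    # Stand-in for C14N 1.0: the stdlib only ships C14N 2.0.
    return ET.canonicalize(ET.tostring(root, encoding="unicode"))


def enveloped_signature_transform(target_root, transform, signature_root, strict=True):
    """Return the canonicalised target with the Signature that contains
    `transform` removed. `strict` is this example's own switch between the
    two readings of 6.6.4 when the Signature is not inside the target."""
    if transform.get("Algorithm") != ENVELOPED_ALG:
        raise TransformError("not an enveloped-signature Transform")
    signature = enclosing_signature(transform, parent_map(signature_root))
    if signature is None:
        raise TransformError("Transform is not inside a Signature element")

    target_parents = parent_map(target_root)
    if signature is not target_root and signature not in target_parents:
        if strict:
            raise TransformError("same document is required for transform")
        return canonical(target_root)  # lenient reading: target unchanged
    if signature is target_root:
        return ""  # removing the root leaves an empty node-set
    parent = target_parents[signature]
    index = list(parent).index(signature)
    parent.remove(signature)  # drops the element together with its tail text
    try:
        return canonical(target_root)
    finally:
        parent.insert(index, signature)  # leave the caller's tree as found


# Constructed sample 1: Signature enveloped in the signed document, URI="".
ENVELOPED_DOC = (
    '<invoice><amount>100</amount>'
    f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo><ds:Reference URI="">'
    f'<ds:Transforms><ds:Transform Algorithm="{ENVELOPED_ALG}"/></ds:Transforms>'
    '</ds:Reference></ds:SignedInfo></ds:Signature></invoice>'
)
# Constructed sample 2: detached Signature whose Reference points at an
# external document but still carries the enveloped-signature transform,
# the combination the post describes.
DETACHED_SIG = (
    f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo><ds:Reference URI="doc.xml">'
    f'<ds:Transforms><ds:Transform Algorithm="{ENVELOPED_ALG}"/></ds:Transforms>'
    '</ds:Reference></ds:SignedInfo></ds:Signature>'
)
EXTERNAL_DOC = '<invoice><amount>100</amount></invoice>'


def first_transform(root):
    return root.find(f".//{TRANSFORM_TAG}")


def run_enveloped_case():
    root = ET.fromstring(ENVELOPED_DOC)
    return enveloped_signature_transform(root, first_transform(root), root)


def run_detached_case(strict):
    sig_root = ET.fromstring(DETACHED_SIG)
    target = ET.fromstring(EXTERNAL_DOC)
    return enveloped_signature_transform(target, first_transform(sig_root), sig_root, strict)


def detached_case_rejected():
    """True when the strict reading refuses the detached + enveloped combination."""
    try:
        run_detached_case(strict=True)
    except TransformError:
        return True
    return False


if __name__ == "__main__":
    print("enveloped:", run_enveloped_case())
    print("detached, lenient:", run_detached_case(strict=False))
    print("detached, strict rejected:", detached_case_rejected())
```

The same-document case removes the Signature and digests only `<invoice><amount>100</amount></invoice>`; the detached case yields that same string under the lenient reading and a `TransformError` under the strict one, which is the difference the verifier in the log above is reporting. Whichever reading a verifier adopts, the signer and verifier must agree on it, otherwise the Reference digest will not match.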

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec