Well, I can see your point but I find it stupid to apply a no-op transform. Moreover, by design the enveloped signature transform was added to support *same document* signatures so using it on an external document is not something the W3C group was envisioning either.
Regardless, I don't remember the exact details of the code, but there might be some interesting implications in the removal of the node and then re-inserting it. Feel free to take a look. I accept patches :)

Aleksey

On 2/11/13 5:35 AM, guido billi wrote:
> Hi guys,
>
> I used xmlsec for the first time years ago; now I am updating my
> software to validate xml signatures generated with other software.
>
> I have a verification error!
>
> The error reason is clear, but I don't understand if it is an Xmlsec
> misinterpretation of the Xml Signature standard or not...
>
> FILES
>
> I have a document (doc.xml) and a detached xml signature generated with
> Oxygen Xml Editor 13.2 (det-rsasha1.xml)
>
> VERIFY ERROR
>
> >xmlsec --verify det-rsasha1.xml
>
> error : Unknown IO error
> *func=xmlSecTransformEnvelopedExecute:file=..\src\enveloped.c:line=108:obj=enveloped-signature:subj=unknown:error=34:same document is required for transform:*
> func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2371:obj=enveloped-signature:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecParserPushBin:file=..\src\parser.c:line=222:obj=xml-parser:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
> func=xmlSecTransformPump:file=..\src\transforms.c:line=1634:obj=xml-parser:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxUriExecute:file=..\src\transforms.c:line=1160:obj=unknown:subj=xmlSecTransformPump:error=1:xmlsec library function failed:uri=doc.xml
> func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1280:obj=unknown:subj=xmlSecTransformCtxUriExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "det-rsasha1.xml"
>
> ERROR REASON
>
> Now... the error is due to the combined use of
> 1) a reference to an *external* document doc.xml
> 2) the use of the enveloped-signature transform by that reference
>
> *The XmlSec enveloped-signature transform requires that the xml document
> (target of the transformation itself) contains the signature that
> contains the Reference node.*
>
> (In my case this is not true, because the document target of the
> transform is external and does not contain the Signature node)
>
> QUESTION
>
> Is this implementation check really correct???
> If it is correct... why does Oxygen Xml Editor 13.2 generate this combination?
>
> Here is the Xml Signature standard:
>
> 6.6.4 Enveloped Signature Transform
>
> "An enveloped signature transform T removes the whole Signature element
> containing T from the digest calculation of the Reference element
> containing T. The entire string of characters used by an XML processor
> to match the Signature with the XML production element is removed. The
> output of the transform is equivalent to the output that would result
> from replacing T with an XPath transform containing the following XPath
> parameter element: [...]"
>
> From my point of view the xmlsec implementation is too strict!
>
> The standard does not require that the document (target of T) actually
> contains the Signature node;
> the standard only says that the transform T removes the Signature node
> containing the transform T from the document.
> If the document does not contain the Signature node, no document
> modification is specified for this transform.
>
> If document doc.xml does not contain a Signature node,
> I suppose that the transformation result should be the document doc.xml
> itself.
>
> Am I wrong?
> Is Oxygen not standard?
> Is XmlSec too strict?
> Who is right?
>
> Thank you for your time
>
> -----------------------------------
> Guido Billi
> Telvox S.R.L.
> Via Pastrengo, 2
> 40123 Bologna
> tel: 051 33 97 121
> www.telvox.com
>
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
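As an added illustration of the two readings argued over in this thread (example code, not xmlsec's implementation and not from either poster), the following Python models the enveloped-signature transform of XML-DSig 6.6.4 in a lenient mode, which passes an external document through unchanged when it holds no Signature, and a strict mode that fails the way the quoted xmlsec log does. Both sample documents are constructed, and locating the Signature by its Id attribute is a simplification of xmlsec's same-document node check.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS

# Constructed sample: a document that envelopes its own Signature (same-document case).
ENVELOPED_DOC = """<Order xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Item>widget</Item>
  <ds:Signature Id="sig1">
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</Order>"""

# Constructed sample: an external document like doc.xml, which carries no Signature at all.
EXTERNAL_DOC = "<Order><Item>widget</Item></Order>"


class SameDocumentRequired(Exception):
    """Strict-mode failure, mirroring xmlsec's 'same document is required for transform'."""


def enveloped_signature_transform(doc_xml, signature_id, strict):
    """Apply the enveloped-signature transform and return the resulting XML text.

    signature_id names the ds:Signature containing the Transform T (assumed
    simplification: xmlsec checks node identity, not an Id attribute).
    strict=True fails when that Signature is not part of the transformed
    document; strict=False treats that as "nothing to remove" and passes
    the document through unchanged.
    """
    root = ET.fromstring(doc_xml)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    target = next((s for s in root.iter(SIGNATURE_TAG) if s.get("Id") == signature_id), None)
    if target is None:
        if strict:
            raise SameDocumentRequired("same document is required for transform")
        return ET.tostring(root, encoding="unicode")
    if target is root:
        raise ValueError("Signature is the document root; nothing is enveloped")
    parents[target].remove(target)  # drop the whole Signature element from the digest input
    return ET.tostring(root, encoding="unicode")
```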
