This is probably a "gray area". It can go either way.

Aleksey
On 2/12/13 3:42 AM, guido billi wrote:
>
> I understand your point and I could agree... but... in this case...
> what do you think I should do?
> Can I suppose that Oxygen is out of standard and invalidate its signatures?
>
> Speaking about the code... right now I neither have the time
> to study the xmlsec code in depth, create a patch and test it...
> nor the knowledge to say if my patch is correct.
>
> Because actually I am building my test cases...
> and this is why I was looking for "where the truth is"...
> in order to decide if my tests on these files should pass or not.
>
> Do you know someone I can speak with in order to
> understand what is the right interpretation of the standard?
>
> Thank you for your time.
>
> ________________________________________
> From: Aleksey Sanin [[email protected]]
> Sent: Tuesday, 12 February 2013 8:15
> To: guido billi
> Cc: [email protected]
> Subject: Re: [xmlsec] enveloped-signature problem
>
> Well, I can see your point but I find it stupid to apply a no-op
> transform. Moreover, by design the enveloped signature transform
> was added to support *same document* signatures so using it on an
> external document is not something the W3C group was envisioning
> either.
>
> Regardless, I don't remember exact details of the code but there
> might be some interesting implications on the removal of the node
> and then re-inserting it. Feel free to take a look. I accept patches :)
>
> Aleksey
>
> On 2/11/13 5:35 AM, guido billi wrote:
>> Hi guys,
>>
>> I used xmlsec for the first time years ago, now I am updating my
>> software to validate xml signatures generated with other software.
>>
>> I have a verification error!
>>
>> The error reason is clear, but I don't understand if it is an xmlsec
>> misunderstanding of the XML Signature standard or not...
>>
>> FILES
>>
>> I have a document (doc.xml) and a detached xml signature generated with
>> Oxygen Xml Editor 13.2 (det-rsasha1.xml)
>>
>> VERIFY ERROR
>>
>>> xmlsec --verify det-rsasha1.xml
>>
>> error : Unknown IO error
>> *func=xmlSecTransformEnvelopedExecute:file=..\src\enveloped.c:line=108:obj=enveloped-signature:subj=unknown:error=34:same document is required for transform:*
>> func=xmlSecTransformDefaultPushXml:file=..\src\transforms.c:line=2371:obj=enveloped-signature:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>> func=xmlSecParserPushBin:file=..\src\parser.c:line=222:obj=xml-parser:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
>> func=xmlSecTransformPump:file=..\src\transforms.c:line=1634:obj=xml-parser:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:
>> func=xmlSecTransformCtxUriExecute:file=..\src\transforms.c:line=1160:obj=unknown:subj=xmlSecTransformPump:error=1:xmlsec library function failed:uri=doc.xml
>> func=xmlSecTransformCtxExecute:file=..\src\transforms.c:line=1280:obj=unknown:subj=xmlSecTransformCtxUriExecute:error=1:xmlsec library function failed:
>> func=xmlSecDSigReferenceCtxProcessNode:file=..\src\xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxProcessSignedInfoNode:file=..\src\xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>> Error: signature failed
>> ERROR
>> SignedInfo References (ok/all): 0/1
>> Manifests References (ok/all): 0/0
>> Error: failed to verify file "det-rsasha1.xml"
>>
>> ERROR REASON
>>
>> Now... the error is due to the combined use of
>> 1) reference to an *external* document doc.xml
>> 2) use of enveloped-signature transform by that reference
>>
>> *XmlSec enveloped-signature transform requires that the xml document
>> (target of the transformation itself) contains the signature that
>> contains the Reference node.*
>>
>> (In my case this is not true, because the document target of the
>> transform is external and does not contain the Signature node)
>>
>> QUESTION
>>
>> Is this implementation check really correct???
>> If it is correct... why does Oxygen Xml Editor 13.2 generate this combination?
>>
>> Here is the Xml Signature standard:
>>
>> 6.6.4 Enveloped Signature Transform
>>
>> "An enveloped signature transform T removes the whole Signature element
>> containing T from the digest calculation of the Reference element
>> containing T. The entire string of characters used by an XML processor
>> to match the Signature with the XML production element is removed. The
>> output of the transform is equivalent to the output that would result
>> from replacing T with an XPath transform containing the following XPath
>> parameter element: [...]"
>>
>> From my point of view the xmlsec implementation is too strict!
>> The standard does not require that the document (target of T) actually
>> contains the Signature node,
>> the standard only says that the transform T removes the Signature node
>> containing the transform T from the document.
>> If the document does not contain the Signature node, no document
>> modification is specified for this transform.
>>
>> If document doc.xml does not contain a Signature node,
>> I suppose that the transformation result should be the document doc.xml
>> itself.
>>
>> Am I wrong?
>> Is Oxygen not standard?
>> Is XmlSec too strict?
>> Who is right?
>>
>> Thank you for your time
>>
>> -----------------------------------
>> Guido Billi
>> Telvox S.R.L.
>> Via Pastrengo, 2
>> 40123 Bologna
>> tel: 051 33 97 121
>> www.telvox.com
>>
>> _______________________________________________
>> xmlsec mailing list
>> [email protected]
>> http://www.aleksey.com/mailman/listinfo/xmlsec
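The section 6.6.4 semantics argued over in the thread, as an added example that is not part of the original mail exchange and not xmlsec's code: a small Python model of the enveloped-signature transform run on a ds:Reference, with a `strict` switch that reproduces xmlsec's "same document is required for transform" rejection for a detached target and a lenient mode that implements the no-op reading. The detached signature, the content of doc.xml and the same-document enveloped example are constructed samples; real URI dereferencing is reduced to a dictionary lookup and `ET.canonicalize` stands in for the C14N step before digesting.

```python
"""Model of XML-DSig 6.6.4 (enveloped-signature transform) on a Reference.
Example code, not xmlsec's: shows the strict (xmlsec) and lenient readings."""
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DSIG_NS + "enveloped-signature"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS
REFERENCE_TAG = "{%s}Reference" % DSIG_NS
TRANSFORM_TAG = "{%s}Transform" % DSIG_NS

# Constructed sample: a detached signature whose Reference points at an
# external doc.xml yet declares the enveloped transform, as in the thread.
DETACHED_SIG = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo><Reference URI="doc.xml"><Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  </Transforms></Reference></SignedInfo>
</Signature>"""

# Constructed sample: the external document; it contains no Signature element.
EXTERNAL_DOCS = {"doc.xml": "<doc><a>1</a><b>2</b></doc>"}

# Constructed sample: the same-document case the transform was designed for.
ENVELOPED_DOC = """<doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><a>1</a>
  <ds:Signature><ds:SignedInfo><ds:Reference URI=""><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></doc>"""


def parent_map(root):
    """ElementTree keeps no parent pointers, so build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def signature_ancestor(doc_root, element):
    """Return the ds:Signature element containing `element` (the T of 6.6.4)."""
    parents = parent_map(doc_root)
    while element is not None:
        if element.tag == SIGNATURE_TAG:
            return element
        element = parents.get(element)
    raise ValueError("Reference is not inside a Signature element")


def enveloped_transform(target_root, signature_el, strict=True):
    """Remove `signature_el` from the tree under `target_root`.
    strict=True rejects a target that does not contain the Signature (xmlsec);
    strict=False makes the transform a no-op in that case (lenient reading)."""
    parents = parent_map(target_root)
    if signature_el in parents:
        parents[signature_el].remove(signature_el)
        return target_root
    if strict:
        raise ValueError("same document is required for transform")
    return target_root


def process_reference(sig_doc_root, reference_el, external_docs, strict=True):
    """Dereference the Reference URI and run its transform chain.
    Simplification: only URI="" (same document) and a plain external name in
    `external_docs` are handled, and only the enveloped transform is modelled."""
    signature_el = signature_ancestor(sig_doc_root, reference_el)
    uri = reference_el.get("URI", "")
    if uri == "":
        target_root = sig_doc_root                       # same document
    elif uri in external_docs:
        target_root = ET.fromstring(external_docs[uri])  # detached target
    else:
        raise KeyError("cannot dereference URI %r" % uri)
    for transform in reference_el.iter(TRANSFORM_TAG):
        algorithm = transform.get("Algorithm")
        if algorithm != ENVELOPED:
            raise NotImplementedError("transform not modelled: %s" % algorithm)
        target_root = enveloped_transform(target_root, signature_el, strict)
    return target_root


def c14n_digest(root):
    """SHA-1 over the canonicalised serialisation, standing in for DigestValue."""
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha1(canonical.encode("utf-8")).hexdigest()


def local_child_tags(root):
    return [child.tag.split("}")[-1] for child in root]


def parse_external(uri):
    return ET.fromstring(EXTERNAL_DOCS[uri])


def load(xml_text):
    """Parse a signature-bearing document and locate its first ds:Reference."""
    root = ET.fromstring(xml_text)
    return root, root.find(".//" + REFERENCE_TAG)


def detached_outcome(strict):
    """'rejected: ...' under the strict reading, else the transformed target's children."""
    root, ref = load(DETACHED_SIG)
    try:
        return local_child_tags(process_reference(root, ref, EXTERNAL_DOCS, strict))
    except ValueError as err:
        return "rejected: %s" % err


if __name__ == "__main__":
    print("detached, strict :", detached_outcome(True))
    print("detached, lenient:", detached_outcome(False))
    root, ref = load(ENVELOPED_DOC)
    print("same-document    :", local_child_tags(process_reference(root, ref, EXTERNAL_DOCS)))
```

From a verifier's point of view the difference between the two modes is what the check buys: in strict mode a Reference that declares the enveloped transform can only ever digest a document from which a Signature was actually removed, whereas in lenient mode the transform's effect depends on whether the dereferenced target happens to contain the Signature, so the same SignedInfo can describe two different digest inputs. A test suite deciding which files should pass can pin either policy by asserting on `detached_outcome(strict)`.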
