santuario-dev mailing list archives

From John Keeping <j...@metanate.com>
Subject [PATCH] xml-security-c: Potential bug in canonicalization from an XPathNodeList
Date Thu, 11 Jun 2009 14:24:26 GMT
Hi,

We've recently started using xml-security-c and while trying to validate
signatures in some test files we noticed some digest failures.

Using the "2 out of 3" rule, the digests validate in xmlsec
(http://www.aleksey.com/xmlsec/) and using a validator based on the Java
6 libraries but not xml-security-c, so I believe xml-security-c is at
fault. By dumping out the byte stream at the point of digest generation,
I think I've narrowed this down to the XSECC14n20010315 canonicalization
in the case where it's fed by an XPathNodeList as provided by an
enveloped signature transform.

For this bug to be exposed, the referenced section of the file must be
using no namespace prefix but be in a namespace defined on a parent
element not in the node set.

I'm attaching an example file which illustrates this structure (although
I've removed some of the signature block and the digest is definitely
invalid, so it won't validate) and a test program through which the file
can be run to demonstrate the problem.

The test program can be run as:

./test test.xml data1 test.out

expected.xml contains the expected output.

I've created a patch (fix_c14n.patch) which fixes this for me, but it's
not extensively tested and I'm not intimately familiar with the source
so there may well be a better way of doing this. It's also quite
possible that I've broken something else, so please don't apply this
blindly!


Regards,

John

-- 
John Keeping
Metanate Ltd
www.metanate.com (Software consultancy)
www.schemus.com (Data synchronisation)
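An added example, not part of John's mail or of xml-security-c, showing the inclusive C14N 1.0 output a verifier must produce for the structure described in the report (an unprefixed element whose default namespace is declared on a parent outside the node set) and why a canonicalizer that drops that declaration yields a digest mismatch. It uses lxml (libxml2's canonicalizer) as the reference implementation; the sample document, its Id attribute and the namespace URI are constructed, not taken from the attached test.xml.

```python
import base64
import hashlib
from lxml import etree

# Constructed sample (not John's attached test.xml): the referenced element
# <data> has no prefix, but its default namespace is declared on <root>,
# which is outside the referenced node set.
SAMPLE_XML = b"""<root xmlns="urn:example:ns">
  <data Id="data1"><item>hello</item></data>
</root>"""


def canonical_bytes(xml_bytes: bytes, ref_id: str) -> bytes:
    """Inclusive C14N 1.0 (no comments) of just the element carrying the
    given Id, as Reference processing does after a same-document URI lookup.
    libxml2 renders the inherited xmlns="..." on the apex element because
    no output ancestor declares it."""
    root = etree.fromstring(xml_bytes)
    hits = root.xpath("//*[@Id=$id]", id=ref_id)  # assumes an unqualified Id
    if len(hits) != 1:
        raise ValueError(f"expected exactly one element with Id={ref_id!r}")
    return etree.tostring(hits[0], method="c14n",
                          exclusive=False, with_comments=False)


def digest_value(data: bytes) -> str:
    """SHA-256 digest, base64-encoded as it would appear in <DigestValue>."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def reference_matches(xml_bytes: bytes, ref_id: str, digest_b64: str) -> bool:
    """Recompute the digest over the canonical bytes and compare."""
    return digest_value(canonical_bytes(xml_bytes, ref_id)) == digest_b64


def without_apex_xmlns(canonical: bytes) -> bytes:
    """What a canonicalizer that omits the inherited default-namespace
    declaration would emit; used only to show why the digests disagree."""
    return canonical.replace(b' xmlns="urn:example:ns"', b"", 1)


if __name__ == "__main__":
    good = canonical_bytes(SAMPLE_XML, "data1")
    print(good.decode())  # dump of the bytes the digest is computed over
    print("correct digest:      ", digest_value(good))
    print("digest without xmlns:", digest_value(without_apex_xmlns(good)))
```

Comparing the two dumped byte streams is the same check John describes: if the canonicalizer under test omits the `xmlns` on the apex element, every digest over such a reference will fail while xmlsec and the Java implementation accept it.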


