Re: XML Signature Best Practices for XPath selection proposal

From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
Date: 23 Jul 2010 11:06:01 +0200
Message-ID: <4C495B79.6010405@ruhr-uni-bochum.de>
To: Frederick.Hirsch@nokia.com
Cc: public-xmlsec@w3.org

Frederick,

you are right, that title is better.

Besides: regrets for August 3rd.

best regards

Meiko

Frederick.Hirsch@nokia.com wrote:
> Meiko
>
> I suggest changing the title of this example to be more descriptive:
>
> 2.2.3 Modified Approval Example: Incorrect XPath syntax signals no error and results in nothing selected for signing
>
> Unless someone raises a concern on the list, I'll go ahead and add this to the Best Practices document.
>
> Thanks
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
>
> On Jul 22, 2010, at 7:40 AM, ext Meiko Jensen wrote:
>
>   
>> Regarding my Action-586 I drafted a new paragraph for the best practices
>> document, to be inserted in between existing paragraphs 2.2.2 and 2.2.3
>> (since I consider it to be close to 2.2.2 in content):
>>
>> =================================
>> 2.2.3 Modified Approval Example: XPathFilter2 syntax causes nothing to
>> be selected for signing
>>
>> Example: Insecure Approval verification message
>>
>> <Doc xmlns="http://any.ns"
>> xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
>> <Approval xml:id="ap">...</Approval>
>> <Signature>
>> ...
>> <Reference URI="">
>> <Transforms>
>> <Transform Algorithm="...xmldsig-filter2">
>> <dsig-xpath:XPath Filter="intersect">//*[localname="Approval" and
>> namespace-uri="http://any.ns"]</dsig-xpath:XPath>
>> </Transform>
>> </Transforms> ...
>> </Reference>
>> </Signature>
>> </Doc>
>>
>> In this case, the XPath filter appears to select the Approval element
>> of namespace http://any.ns. However, in fact, it selects nothing at all.
>> Note that the function is spelled "local-name", not "localname", and
>> that both function calls omit their brackets (). The correct XPath
>> expression would have been
>> //*[local-name()="Approval" and namespace-uri()="http://any.ns"].
>> The problem here is that the XPath evaluation will not raise an
>> exception, nor give any other indication that the XPath selected nothing
>> or has bad syntax. This is due to the fact that the XPath parser will
>> interpret the misspelled function names as regular XPath tokens, hence
>> leading to completely different semantics that do not match the
>> intended selection.
>> As before, since nothing is selected, the digital signature does not
>> provide any data integrity properties, but also raises no exception
>> either on signature application or on verification. Hence, when
>> applying XML Signatures using XPath it is recommended to always actively
>> verify that the signature protects the intended elements, not more, not
>> less.
>> =================================
>>
>> This should close ACTION-586.
>>
>> best regards
>>
>> Meiko
>>
>> -- 
>> Dipl.-Inf. Meiko Jensen
>> Chair for Network and Data Security 
>> Horst Görtz Institute for IT-Security 
>> Ruhr University Bochum, Germany
>> _____________________________
>> Universitätsstr. 150, Geb. IC 4/150
>> D-44780 Bochum, Germany
>> Phone: +49 (0) 234 / 32-26796
>> Telefax: +49 (0) 234 / 32-14347
>> http://www.nds.rub.de

-- 
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security 
Horst Görtz Institute for IT-Security 
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. IC 4/150
D-44780 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de
Received on Friday, 23 July 2010 09:06:34 GMT
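
The check recommended in the quoted draft, as an added example that is not part of the original messages or of the Best Practices document: a heuristic lint for function names written without "()", plus a fail-closed test that the selected node-set is exactly the intended one. The function names and the sample document are constructed for illustration, and Python's ElementTree XPath subset stands in for the signing library's XPath engine.

```python
import re
import xml.etree.ElementTree as ET

BROKEN = '//*[localname="Approval" and namespace-uri="http://any.ns"]'
FIXED = '//*[local-name()="Approval" and namespace-uri()="http://any.ns"]'
# Constructed sample modelled on the Approval document in the draft.
DOC = '<Doc xmlns="http://any.ns"><Approval>ok</Approval><Other>x</Other></Doc>'

# XPath 1.0 core functions often used in selection predicates, hyphens removed.
CORE_FUNCS = {"localname", "namespaceuri", "name", "position", "last",
              "count", "contains", "startswith", "not", "string"}

def bare_function_names(xpath):
    """Heuristic lint: function-like names that are not followed by '('.

    XPath 1.0 parses such a name as a child-element name test, so the
    expression is valid and simply matches nothing.
    """
    text = re.sub(r'"[^"]*"|\'[^\']*\'', '""', xpath)  # blank out literals
    hits = []
    for m in re.finditer(r"[A-Za-z_][\w.-]*", text):
        rest = text[m.end():].lstrip()
        if rest.startswith(("(", ":")):
            continue  # a real function call, an axis, or a namespace prefix
        if m.group().replace("-", "") in CORE_FUNCS:
            hits.append(m.group())
    return hits

def check_selection(selected, intended):
    """Fail closed unless exactly the intended nodes were selected."""
    if not selected:
        raise ValueError("nothing selected: the signature would cover no data")
    if {id(n) for n in selected} != {id(n) for n in intended}:
        raise ValueError("selection is not exactly the intended elements")
    return True

def demo():
    root = ET.fromstring(DOC)
    intended = root.findall("{http://any.ns}Approval")
    # ElementTree's XPath subset has no 'and', so only the first half of the
    # broken predicate is run: "has a child <localname> with text Approval".
    selected = root.findall(".//*[localname='Approval']")  # [] and no error
    try:
        check_selection(selected, intended)
    except ValueError as exc:
        return len(selected), str(exc)

if __name__ == "__main__":
    print(bare_function_names(BROKEN), bare_function_names(FIXED), demo())
```

The lint is a warning only: a document may legitimately contain an element called `name` or `count`, so the node-set check is the control that decides.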