
RE: [GUMP] Build Failure - Security

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Thu, 29 Nov 2001 14:48:45 +0100
To: Gregor Karlinger <gregor.karlinger@iaik.at>
Cc: XMLSigWG <w3c-ietf-xmldsig@w3.org>
Message-id: <2022977827.1007045325@[]>

Hi Gregor,

--On Wednesday, 28 November 2001 20:50 +0100 Gregor Karlinger
<gregor.karlinger@iaik.at> wrote:

> Another issue is if there is a need to fix this bug, since the Reference
> processing model of XMLDSIG is based on the XPath data model. If an
> application programmer relies on this fact and uses an XMLDSIG
> implementation that uses Xalan for XPath processing, signature
> creation/validation could be incorrect if XPath transforms are utilized
> that make use of the XPath namespace axis.
> Think of the following (academic, I have to admit) example:
>   1. Fetch the following XML document
>      <AnElement xmlns:foo="bar">
>        <AnotherElement/>
>      </AnElement>
>   2. Apply an XPath transform with an XPath
>      "self::AnotherElement/namespace::foo". This should
>      result in a node list containing a single node, namely the element
>      "AnotherElement". But since the XPath implementation is buggy, an
>      empty node list is the result of the transform.
>   3. Final canonicalization: Although the c14n implementation is working
>      correctly (since it has implemented a workaround for the Xalan bug),
>      in this case the input for the hash computation will be nothing
>      instead of "<AnotherElement>".

I tried it using my impl and what I created (passphrase is 

To this Document, I added my Signature

<AnElement xmlns:foo='http://bar.com/'>
   <AnotherElement />

which resulted in this signed Document

<AnElement xmlns:foo="http://bar.com/">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Reference URI="">

The signed bytes from the Reference are:

<AnotherElement xmlns:foo="http://bar.com/"></AnotherElement>

Right or wrong?

Received on Thursday, 29 November 2001 08:37:40 UTC
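
Added example, not part of the original message and not code from any implementation discussed in the thread: a Python illustration of step 2 of the quoted example, evaluating the test `self::AnotherElement/namespace::foo` for element nodes under the XPath data model (namespace nodes are inherited from ancestors) and under a faulty namespace axis. The "local declarations only" behaviour is an assumption made for illustration, since the thread does not describe the Xalan bug in detail; the function names are hypothetical.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample: the document from step 1 of the quoted example.
DOC = b"""<AnElement xmlns:foo="bar">
  <AnotherElement/>
</AnElement>"""


def namespace_scopes(xml_bytes):
    """Return [(tag, local, in_scope)] for every element, in document order.

    local    -- prefixes declared on the element itself
    in_scope -- prefixes visible to the element, including inherited ones,
                which is what the XPath namespace axis exposes
                (the implicit "xml" prefix is left out here)
    """
    scope, pending, out = [], [], []
    events = ("start-ns", "start", "end-ns")
    for event, value in ET.iterparse(io.BytesIO(xml_bytes), events=events):
        if event == "start-ns":      # (prefix, uri), emitted before "start"
            scope.append(value)
            pending.append(value)
        elif event == "end-ns":      # declaration goes out of scope
            scope.pop()
        else:                        # "start": record what this element sees
            out.append((value.tag, dict(pending), dict(scope)))
            pending = []
    return out


def select(xml_bytes, name, prefix, inherit=True):
    """Elements for which self::<name>/namespace::<prefix> is non-empty.

    inherit=False is a hypothetical faulty model (an assumption) that only
    sees declarations written on the element itself.
    """
    return [tag for tag, local, in_scope in namespace_scopes(xml_bytes)
            if tag == name and prefix in (in_scope if inherit else local)]


if __name__ == "__main__":
    print("data model :", select(DOC, "AnotherElement", "foo"))
    print("faulty axis:", select(DOC, "AnotherElement", "foo", inherit=False))
```

The empty list in the second case corresponds to the empty node list of step 2, which is what leaves the hash computation in step 3 with no input.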
