XML Signature Best Practices for XPath selection proposal

Regarding my Action-586 I drafted a new paragraph for the best practices
document, to be inserted in between existing paragraphs 2.2.2 and 2.2.3
(since I consider it to be close to 2.2.2 in content):

=================================
2.2.3 Modified Approval Example: XPathFilter2 syntax causes nothing to
be selected for signing

Example: Insecure Approval verification message

<Doc xmlns="http://any.ns"
     xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
  <Approval xml:id="ap">...</Approval>
  <Signature>
    ...
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="...xmldsig-filter2">
          <dsig-xpath:XPath Filter="intersect">//*[localname="Approval" and namespace-uri="http://any.ns"]</dsig-xpath:XPath>
        </Transform>
      </Transforms> ...
    </Reference>
  </Signature>
</Doc>

In this case, the XPath filter looks like it selects the Approval element
of namespace http://any.ns. However, in fact, it selects nothing at all.
Note that the function is spelled "local-name", not "localname", and
that both function calls omit their brackets (). The correct XPath
expression would have been
//*[local-name()="Approval" and namespace-uri()="http://any.ns"].
The problem here is that the XPath evaluation will not raise an
exception, nor give any other indication that the XPath selected nothing
or has a bad syntax. This is due to the fact that the XPath parser will
interpret the misspelled function names as regular XPath tokens, hence
leading to completely different semantics that do not match the
intended selection.
As before, since nothing is selected, the digital signature does not
provide any data integrity properties, but also raises no exception,
either on signature application or on verification. Hence, when
applying XML Signatures using XPath it is recommended to always actively
verify that the signature protects the intended elements, not more, not
less.
=================================

This should close ACTION-586.

best regards

Meiko

-- 
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security 
Horst Görtz Institute for IT-Security 
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. IC 4/150
D-44780 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de

Received on Thursday, 22 July 2010 11:40:38 UTC
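The following is an added example and is not part of Meiko Jensen's message or of the Best Practices draft. It evaluates the misspelled and the corrected filter expressions from the Approval example against a constructed document, shows that the typo compiles without complaint yet selects an empty node-set, and implements the recommended check that the selection covers exactly the intended elements, not more, not less. It assumes lxml (libxml2's XPath 1.0 engine) is installed; the sample document, the extra Comment element and the function names are assumptions made for the example.

```python
# Added example, not part of the original message or the Best Practices
# draft. Assumes lxml (libxml2 XPath 1.0) is installed.
from lxml import etree

XML_ID = "{http://www.w3.org/XML/1998/namespace}id"

# Constructed document modelled on the Approval example (Signature omitted);
# the Comment element is added to show the "not more" half of the check.
DOC = b"""<Doc xmlns="http://any.ns">
  <Approval xml:id="ap">approved</Approval>
  <Comment xml:id="c1">must not be covered</Comment>
</Doc>"""

# Misspelled filter from the example: "localname" and "namespace-uri" without
# "()" are parsed as child-element name tests, so each comparison looks for a
# child <localname> / <namespace-uri> element, finds none, and is false.
MISSPELLED = '//*[localname="Approval" and namespace-uri="http://any.ns"]'
# Corrected filter: real function calls evaluated on the context node.
CORRECT = '//*[local-name()="Approval" and namespace-uri()="http://any.ns"]'


def compiles(expr):
    """True if the XPath engine accepts the expression syntactically.

    The misspelled filter compiles just as happily as the correct one; only
    a genuinely malformed expression (e.g. an unbalanced bracket) is rejected.
    """
    try:
        etree.XPath(expr)
        return True
    except etree.XPathSyntaxError:
        return False


def selected_ids(expr, doc=DOC):
    """Evaluate the filter and name the selected elements by xml:id
    (falling back to the local name for elements without one)."""
    root = etree.fromstring(doc)
    return [el.get(XML_ID, etree.QName(el).localname) for el in root.xpath(expr)]


def coverage_errors(expr, expected_ids, doc=DOC):
    """Return the reasons why the filter does not protect exactly the
    intended elements; an empty list means the selection is as intended."""
    got = selected_ids(expr, doc)
    if not got:
        return ["filter selected nothing: the signature would protect no data"]
    errors = []
    missing = sorted(set(expected_ids) - set(got))
    extra = sorted(set(got) - set(expected_ids))
    if missing:
        errors.append("not covered: " + ", ".join(missing))
    if extra:
        errors.append("unexpectedly covered: " + ", ".join(extra))
    return errors


def verify_coverage(expr, expected_ids, doc=DOC):
    """Fail loudly instead of silently signing (or accepting) an empty or
    wrong node-set, as the draft paragraph recommends."""
    errors = coverage_errors(expr, expected_ids, doc)
    if errors:
        raise ValueError("; ".join(errors))
    return True


if __name__ == "__main__":
    for label, expr in (("misspelled", MISSPELLED), ("correct", CORRECT)):
        print(f"{label}: compiles={compiles(expr)} selects={selected_ids(expr)}")
    print(coverage_errors(MISSPELLED, ["ap"]))
    print(coverage_errors('//*[namespace-uri()="http://any.ns"]', ["ap"]))
```

Run this check on the signer side before computing the digest and on the verifier side after applying the transforms; the expected set of xml:id values comes from the application's own notion of what the signature is supposed to cover, which is the only source that can catch a selection that is syntactically valid but semantically wrong.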