Re: XML Signature Best Practices for XPath selection proposal

Meiko

I suggest changing the title of this example to be more descriptive:

2.2.3 Modified Approval Example: Incorrect XPath syntax signals no error and results in nothing selected for signing

Unless someone raises a concern on the list, I'll go ahead and add this to the Best Practices document.

Thanks

regards, Frederick

Frederick Hirsch
Nokia



On Jul 22, 2010, at 7:40 AM, ext Meiko Jensen wrote:

> Regarding my Action-586 I drafted a new paragraph for the best practices
> document, to be inserted in between existing paragraphs 2.2.2 and 2.2.3
> (since I consider it to be close to 2.2.2 in content):
> 
> =================================
> 2.2.3 Modified Approval Example: XPathFilter2 syntax causes nothing to
> be selected for signing
> 
> Example: Insecure Approval verification message
> 
> <Doc xmlns="http://any.ns"
> xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
> <Approval xml:id="ap">...</Approval>
> <Signature>
> ...
> <Reference URI="">
> <Transforms>
> <Transform Algorithm="...xmldsig-filter2">
> <dsig-xpath:XPath Filter="intersect">//*[localname="Approval" and
> namespace-uri="http://any.ns"]</dsig-xpath:XPath>
> </Transform>
> </Transforms> ...
> </Reference>
> </Signature>
> </Doc>
> 
> In this case, the XPath filter looks like selecting the Approval element
> of namespace http://any.ns. However, in fact, it selects nothing at all.
> Note that the function is spelled "local-name", not "localname", and
> that both function calls omit their brackets (). The correct XPath
> expression would have been
> //*[local-name()="Approval" and namespace-uri()="http://any.ns"].
> The problem here consists in that the XPath evaluation will not raise an
> exception, nor give any other advice on that the XPath selected nothing
> or has a bad syntax. This is due to the fact that the XPath parser will
> interpret the misspelled function names as regular XPath tokens, hence
> leading to a completely different semantics that does not match the
> intended selection.
> As before, since nothing is selected, the digital signature does not
> provide any data integrity properties, but also raises no exception
> neither on signature application nor on verification. Hence, when
> applying XML Signatures using XPath it is recommended to always actively
> verify that the signature protects the intended elements, not more, not
> less.
> =================================
> 
> This should close ACTION-586.
> 
> best regards
> 
> Meiko
> 
> -- 
> Dipl.-Inf. Meiko Jensen
> Chair for Network and Data Security 
> Horst Görtz Institute for IT-Security 
> Ruhr University Bochum, Germany
> _____________________________
> Universitätsstr. 150, Geb. IC 4/150
> D-44780 Bochum, Germany
> Phone: +49 (0) 234 / 32-26796
> Telefax: +49 (0) 234 / 32-14347
> http:// www.nds.rub.de
> 
> 

Received on Thursday, 22 July 2010 19:28:19 UTC