Re: Xmlsecurity-C signed soap validation - can someone give me a hint

Steve,

Probably the best place to ask questions about the Apache library is on 
security-dev@xml.apache.org.  We're all happy to help :>.

But to quickly answer your question - the checksig executable doesn't 
currently support a way of setting attribute names that will be taken as 
Ids.  The library itself has calls that allow you to define names of 
attributes to be taken as names, but not the checksig app.

We can (and should) add something into the app to do this - but let's 
continue the discussion on security-dev@xml.

Cheers,
	Berin


Cullum, Steve wrote:

> I am trying to validate the following signed SOAP document. I have the
> private/public keys xxx.p12 file installed into the default windows
> keystore. The document was signed using the Verisign TSIK library
> version "tsik-1.10-windows"
> 
> Using "checksig.exe" to test my document, the exception
> "XSECException::IDNotFoundInDOMDoc" is thrown, because fNodeIDMap inside
> the fn() is 0
> 
> DOMElement *DOMDocumentImpl::getElementById(const XMLCh *elementId)
> const { if (fNodeIDMap == 0) return 0; }
> 
> I am using using :- XercesC_2_5, XalanC_1_7, xml-security-c-1.1.0
> 
> 
> Can anyone help me.......please. I presume the document is incorrect
> in some way but I don't really know where to begin - everything looks ok
> according to my interpretation of the specification.
> 
> Thank you in advance.
> 
> Steve
> 
> 
> 
> 
> Here is the call stack from the debugger ::-
> 
> 
>>	xerces-c_2_5_0D.dll!xercesc_2_5::DOMDocumentImpl::getElementById(const unsigned short * elementId=0x01290eca)  Line 642	C++
> 
>  	xsec_1_1_0D.dll!TXFMDocObject::setInput(xercesc_2_5::DOMDocument * doc=0x0128f890, const unsigned short * newFragmentId=0x01290eca)  Line 108 + 0x11	C++
>  	xsec_1_1_0D.dll!DSIGReference::getURIBaseTXFM(xercesc_2_5::DOMDocument * doc=0x0128f890, const unsigned short * URI=0x01290ec8, const XSECEnv * env=0x01275568)  Line 502	C++
>  	xsec_1_1_0D.dll!DSIGReference::calculateHash(unsigned char * toFill=0x0012f2d8, unsigned int maxToFill=0x00000080)  Line 1206 + 0x2e	C++
>  	xsec_1_1_0D.dll!DSIGReference::checkHash()  Line 1365 + 0x14	C++
>  	xsec_1_1_0D.dll!DSIGReference::verifyReferenceList(DSIGReferenceList * lst=0x01288f28, safeBuffer & errStr={...})  Line 885 + 0x8	C++
>  	xsec_1_1_0D.dll!DSIGSignedInfo::verify(safeBuffer & errStr={...})  Line 123 + 0x10	C++
>  	xsec_1_1_0D.dll!DSIGSignature::verify()  Line 1055 + 0x12	C++
>  	checksig.exe!evaluate(int argc=0x00000002, char * * argv=0x00326c58)  Line 483 + 0xe	C++
>  	checksig.exe!main(int argc=0x00000002, char * * argv=0x00326c58)  Line 583 + 0xd	C++
>  	checksig.exe!mainCRTStartup()  Line 398 + 0x11	C
>  	kernel32.dll!77e8141a() 	
> 
> 
> 
> 
> Function ...
> 
> // from debugger
> newFragmentId == "wsse-c26651c0-c209-11d9-9834-e9a275261f99"
> 
> DOMElement *DOMDocumentImpl::getElementById(const XMLCh *elementId) const {
>     if (fNodeIDMap == 0)          
>         return 0;
> 
>   /**
>    ** fNodeIDMap is 0
>    **/
> 
>     DOMAttr *theAttr = fNodeIDMap->find(elementId);
>     if (theAttr == 0)
>         return 0;
> 
>     return theAttr->getOwnerElement();
> }
> 
> void TXFMDocObject::setInput(DOMDocument *doc, const XMLCh * newFragmentId) {
> 
> 	// We have a document fragment marked by an objectID string.
> 	// Now try to find the node that the objectId belongs to
> 	fragmentObject = doc->getElementById(newFragmentId);
> 
> /**
>  ** --- fragmentObject always returns NULL  **/
>  	if ((fragmentObject == NULL) && (mp_env != NULL) && (mp_env->getIdByAttributeName())) 
> 	{
> 		// It might be that no DSIG DTD was attached and that the ID is in a
> 		// DSIG element and the application is permitting attribute name based
> 		// Id searches
> 		fragmentObject = findDSIGId(doc, newFragmentId, mp_env);
> 	}
> 
> 	if (fragmentObject == 0)
> 		throw XSECException(XSECException::IDNotFoundInDOMDoc);
> 
> 	document = doc;
> 	fragmentId = XMLString::replicate(newFragmentId);
> 	type = TXFMBase::DOM_NODE_DOCUMENT_FRAGMENT;
> }
> 
> 
> 
> Signed soap xml :-------
> 
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>  <soapenv:Header><wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/><ds:Reference URI="#wsse-c26651c0-c209-11d9-9834-e9a275261f99"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>+G19/tWZSlCS894TQvdJYrVsb+4=</ds:DigestValue></ds:Reference><ds:Reference URI="#wsse-c26121a0-c209-11d9-9834-e9a275261f99"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>4B9ZewNptVgz0MpJBpaoI6b0Oks=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>MCwCFFiTYY7/B+tYizrqccMZJKVQC6RyAhQUoVXtXfNUVEFZlaE3USajTEqUzQ==</ds:SignatureValue></ds:Signature></wsse:Security><wsu:Timestamp xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"><wsu:Created wsu:Id="wsse-c26121a0-c209-11d9-9834-e9a275261f99">2005-05-11T10:45:15Z</wsu:Created></wsu:Timestamp></soapenv:Header><soapenv:Body wsu:Id="wsse-c26651c0-c209-11d9-9834-e9a275261f99" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
>   <ns1:secountResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns1="myserviceprovider">
>    <secountReturn xsi:type="xsd:string"><secount_results>
>    <disclaimer><.... CONTENTS REMOVED ..../></disclaimer>
>    <header>
>     		<.... CONTENTS REMOVED ..../>
>    </header>
>    <results>
>         	<.... CONTENTS REMOVED ..../>
>    </results>
> </secount_results>
> </secountReturn>
>   </ns1:secountResponse>
>  </soapenv:Body>
> </soapenv:Envelope>
> 
> 
> 
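The mechanism behind the failure in this thread, as an added Python illustration that is not part of the exchange and is not xml-security-c or TSIK code: a DOM parser only treats an attribute as an ID if a DTD or schema declared it so, hence getElementById() on a bare wsu:Id finds nothing and the Reference URI "#wsse-..." cannot be resolved. The library's "Id by attribute name" mode that Berin mentions instead scans for attributes the verifier has registered as IDs. The envelope below is a constructed, trimmed copy of Steve's (signature and payload removed), and the resolver, its function names and the duplicate-ID sample are my own.

```python
"""Resolve an XML-DSig same-document Reference URI ("#id") without a DTD."""
import xml.dom.minidom as minidom

WSU_NS = "http://schemas.xmlsoap.org/ws/2002/07/utility"

# Constructed sample in the shape of the envelope from the thread: only the
# two elements the Reference URIs point at, with signature and payload trimmed.
SAMPLE_ENVELOPE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header>
  <wsu:Timestamp xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
   <wsu:Created wsu:Id="wsse-c26121a0-c209-11d9-9834-e9a275261f99">2005-05-11T10:45:15Z</wsu:Created>
  </wsu:Timestamp>
 </soapenv:Header>
 <soapenv:Body wsu:Id="wsse-c26651c0-c209-11d9-9834-e9a275261f99"
               xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
  <ns1:secountResponse xmlns:ns1="myserviceprovider">payload trimmed</ns1:secountResponse>
 </soapenv:Body>
</soapenv:Envelope>
"""

# Constructed: the same Id value on two elements, which a verifier must reject.
DUPLICATE_ID_SAMPLE = """<r xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
 <a wsu:Id="x"/><b wsu:Id="x"/></r>"""


def dtd_lookup(doc, fragment):
    """What checksig did: plain DOM getElementById, which without a DTD or
    schema has no ID-typed attributes to consult and returns None."""
    return doc.getElementById(fragment)


def _elements(node):
    """Depth-first walk over the element nodes below `node`."""
    for child in node.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            yield child
            yield from _elements(child)


def resolve_reference(doc, uri, id_attributes):
    """Resolve "#fragment" by scanning for attributes whose (namespace, local
    name) pair has been registered as an ID; this is the idea behind the
    library's attribute-name based Id search (hypothetical re-implementation).

    Raises LookupError when nothing matches (the IDNotFoundInDOMDoc case) and
    also when several elements carry the value: with an ambiguous ID it is
    undefined which element's digest is being checked, so refuse to pick one.
    """
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    wanted = uri[1:]
    matches = []
    for el in _elements(doc):
        attrs = el.attributes
        for i in range(attrs.length):
            attr = attrs.item(i)
            if (attr.namespaceURI, attr.localName) in id_attributes and attr.value == wanted:
                matches.append(el)
    if not matches:
        raise LookupError("IDNotFoundInDOMDoc: %s" % uri)
    if len(matches) > 1:
        raise LookupError("ambiguous ID %s matches %d elements" % (uri, len(matches)))
    return matches[0]


def resolve_tag(uri, id_attributes, xml_text=SAMPLE_ENVELOPE):
    """Parse `xml_text` and return the tag name of the element `uri` points at."""
    return resolve_reference(minidom.parseString(xml_text), uri, id_attributes).tagName


def demo():
    """Contrast the two lookups on the Body reference from the thread."""
    doc = minidom.parseString(SAMPLE_ENVELOPE)
    body_ref = "#wsse-c26651c0-c209-11d9-9834-e9a275261f99"
    without_dtd = dtd_lookup(doc, body_ref[1:])                      # None
    registered = resolve_reference(doc, body_ref, {(WSU_NS, "Id")})  # the Body element
    return without_dtd, registered.tagName


if __name__ == "__main__":
    print(demo())  # (None, 'soapenv:Body')
```

Registering the ID attribute by namespace and local name rather than by bare name matters because the same local name "Id" appears in several WS-Security namespaces; the duplicate check is the other half of the defence, since a reference that matches more than one element should fail verification rather than silently digest whichever element the walk hits first.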

Received on Saturday, 14 May 2005 23:41:46 UTC