I believe you have a different issue. In you case there is a problem here:
<ds:Reference URI="#/1/2">
....
</ds:Reference>
According to the spec [1] you have two possible options for the URI attribute:
- use '#id' syntax where 'id' is an ID attribute of an element;
- use '#xpointer(expr)' syntax where 'expr' is any valid xpointer expression.
As far as I can understand the spec you are *not* allowed to use xpointer
expressions in the '#id' syntax (there is a really simple reason for this: if this is
allowed then XPointer could not decide what does '#1234' mean - is it a
number or an ID attribute).
The change in xmlsec library behavior was caused by the fix I put in [2] and I believe
that the current way of processing Reference URI attribute is correct. You can
get the same results as before by slightly changing your signature to:
<ds:Reference URI="#xpointer(/1/2)">
....
</ds:Reference>
And explicitly adding C14N transform to exclude comments (if you wish to do so) because
'#xpointer()' syntax *includes* all selected comments and '#id' does not (see [1] for details).
I am sorry for inconvenience caused by this bug fix but I want to make xmlsec library
as more standard complaint as I can.
With best regards,
Aleksey
[1] http://www.w3.org/TR/xmldsig-core/#sec-URI
[2] http://www.aleksey.com/pipermail/xmlsec/2002/000368.html
Matthias Jung wrote:
Sorry, I can't agree to this.
Signatures, passing validation using the command line tool of xmlsec 0.0.10, will fail when they are verified with version 0.0.11
I receive following error message:
F:\dev\dbc\Tests\XML\DSig>xmlsec verify --trusted CACert.pem sig_xpointer_child_sequence_xmlsec.xml
(..\src\transforms.c:1181): error 4: xml operation failed : xmlXPtrEval(/1/2)
(..\src\transforms.c:881): error 2: xmlsec operation failed : xmlSecTransformStateParseUri(#/1/2
(..\src\xmldsig.c:1602): error 2: xmlsec operation failed : xmlSecTransformStateCreate
(..\src\xmldsig.c:1476): error 2: xmlsec operation failed : xmlSecReferenceRead - -1
(..\src\xmldsig.c:1175): error 2: xmlsec operation failed : xmlSecSignedInfoRead - -1
(..\src\xmldsig.c:733): error 2: xmlsec operation failed : xmlSecSignatureRead - -1
ERROR
Verification of all of my tests using xpointer expressions in xmlsec 0.0.11 fail, something seems to be wrong with xpointer evaluation (strange because this is done by libxml).
I am quite sure that compiler flags are exactly the same than in the old version. This should not be the problem.
I have attached to this mail a signed xml-file from my testsuite and the certificate file needed to verify the signature (hope they will be posted too).
To see if this is an xmlsec problem or not, please check if the signature is valid on your (Windows) xmlsec environment.
Cheers Matthias
_______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
