Posted to dev@santuario.apache.org by John Keeping <jo...@metanate.com> on 2009/06/11 16:24:26 UTC

[PATCH] xml-security-c: Potential bug in canonicalization from an XPathNodeList

Hi,

We've recently started using xml-security-c and while trying to validate
signatures in some test files we noticed some digest failures.

Using the "2 out of 3" rule, the digests validate in xmlsec
(http://www.aleksey.com/xmlsec/) and using a validator based on the Java
6 libraries but not xml-security-c, so I believe xml-security-c is at
fault. By dumping out the byte stream at the point of digest generation,
I think I've narrowed this down to the XSECC14n20010315 canonicalization
in the case where it's fed by an XPathNodeList as provided by an
enveloped signature transform.

For this bug to be exposed, the referenced section of the file must be
using no namespace prefix but be in a namespace defined on a parent
element not in the node set.

I'm attaching an example file which illustrates this structure (although
I've removed some of the signature block and the digest is definitely
invalid, so it won't validate) and a test program through which the file
can be run to demonstrate the problem.

The test program can be run as:

./test test.xml data1 test.out

expected.xml contains the expected output.

I've created a patch (fix_c14n.patch) which fixes this for me, but it's
not extensively tested and I'm not intimately familiar with the source
so there may well be a better way of doing this. It's also quite
possible that I've broken something else, so please don't apply this
blindly!


Regards,

John

-- 
John Keeping
Metanate Ltd
www.metanate.com (Software consultancy)
www.schemus.com (Data synchronisation)

This e-mail and all attachments it may contain are confidential and
intended solely for the use of the individual to whom it is addressed.
Any views or opinions presented are those of the author and do not
necessarily represent those of Metanate Ltd.  If you are not the
intended recipient, be advised that you have received this e-mail in
error and that any use, dissemination, printing, forwarding or copying
of this e-mail is strictly prohibited.  Please contact the sender if
you have received this e-mail in error.
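The structure John describes, as an added example that is not part of the original post and is not code from xml-security-c, xmlsec or the Java XML-DSig implementation. Canonical XML 1.0 (the XSECC14n20010315 algorithm) renders, on the apex element of the node set, every namespace in scope at that element, not just the declarations literally written on nodes inside the set, because the apex has no ancestor in the set against which a namespace node could be judged redundant. The sample document, the "data1" ID, the `id` attribute name and the `inherit_ancestor_ns=False` switch (which reproduces the behaviour described above, where a default namespace declared on a parent outside the node set is dropped) are all constructed for this illustration; only the C14N subset needed for the case is implemented (no comments, PIs or DTD-typed ID attributes).

```python
"""Inclusive C14N 1.0 over the node set left by an Enveloped Signature transform.
Illustration only: implements namespace/attribute ordering, inherited namespace
rendering on the apex element, standard escaping and ds:Signature exclusion."""
import hashlib
from xml.dom import minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: <data> carries no prefix and declares nothing itself; its
# namespace comes from the default declaration on <root>, which is outside the
# node set once the reference "#data1" selects the <data> subtree.
SAMPLE_XML = (
    '<root xmlns="urn:example:ns" xmlns:x="urn:example:x">'
    '<data id="data1"><item x:kind="a">text &amp; more</item></data>'
    '<Signature xmlns="%s"><SignedInfo/></Signature>'
    '</root>' % DSIG_NS
)


def _escape_text(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace("\r", "&#xD;"))


def _escape_attr(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
             .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def _local_ns_decls(el):
    """Namespace declarations written on el itself: {prefix: uri}, '' = default."""
    decls = {}
    for attr in el.attributes.values():
        if attr.name == "xmlns":
            decls[""] = attr.value
        elif attr.name.startswith("xmlns:"):
            decls[attr.name[6:]] = attr.value
    return decls


def _in_scope_ns(el):
    """Every namespace in scope at el, including ones declared on ancestors."""
    chain, node = [], el
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for ancestor in reversed(chain):  # document element first, apex last
        scope.update(_local_ns_decls(ancestor))
    return scope


def _is_signature(node):
    return (node.nodeType == node.ELEMENT_NODE
            and node.namespaceURI == DSIG_NS and node.localName == "Signature")


def _find_by_id(doc, element_id):
    # minidom only knows ID-typed attributes from a DTD; assume the attribute is "id".
    for el in doc.getElementsByTagName("*"):
        if el.getAttribute("id") == element_id:
            return el
    raise KeyError("no element with id=%r" % element_id)


def _render(el, scope, rendered, out):
    """scope: namespaces in scope at el; rendered: those already emitted by the
    nearest ancestor inside the node set (empty for the apex)."""
    out.append("<" + el.tagName)
    for prefix in sorted(scope):            # default namespace ('') sorts first
        uri = scope[prefix]
        if rendered.get(prefix, "") == uri:  # already visible, or xmlns="" with no default above
            continue
        out.append(' xmlns="%s"' % _escape_attr(uri) if prefix == ""
                   else ' xmlns:%s="%s"' % (prefix, _escape_attr(uri)))
    attrs = [a for a in el.attributes.values()
             if not (a.name == "xmlns" or a.name.startswith("xmlns:"))]
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _escape_attr(a.value)))
    out.append(">")
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            if _is_signature(child):        # Enveloped Signature transform drops ds:Signature
                continue
            child_scope = dict(scope)
            child_scope.update(_local_ns_decls(child))
            _render(child, child_scope, scope, out)
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_escape_text(child.data))
    out.append("</" + el.tagName + ">")


def canonicalize(xml_text, element_id=None, inherit_ancestor_ns=True):
    """Canonical form of the node set selected by URI "#element_id" (None = the
    whole document, URI "") after the Enveloped Signature transform.
    inherit_ancestor_ns=False renders only declarations written inside the set."""
    doc = minidom.parseString(xml_text)
    apex = doc.documentElement if element_id is None else _find_by_id(doc, element_id)
    scope = _in_scope_ns(apex) if inherit_ancestor_ns else _local_ns_decls(apex)
    out = []
    _render(apex, scope, {}, out)
    return "".join(out)


def digest(canonical):
    """SHA-256 of the canonical bytes; what a ds:DigestValue would be computed over."""
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    good = canonicalize(SAMPLE_XML, "data1")
    bad = canonicalize(SAMPLE_XML, "data1", inherit_ancestor_ns=False)
    print(good)
    print(bad)
    print("digests match:", digest(good) == digest(bad))
```

Running it prints the correct apex `<data xmlns="urn:example:ns" xmlns:x="urn:example:x" id="data1">` beside the stripped `<data id="data1">`, and the two digests differ, which is exactly how a verifier that drops inherited declarations ends up with a digest failure on a document that xmlsec and the Java implementation accept. Passing no ID canonicalizes the whole document with the ds:Signature subtree removed, the plain enveloped-signature case.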


Re: [PATCH] xml-security-c: Potential bug in canonicalization from an XPathNodeList

Posted by John Keeping <jo...@metanate.com>.
Scott Cantor wrote:
> Can you please file all of that in the bugzilla?

Filed as bug 47353 (as you've probably seen!)

> I'm very reluctant to make changes to that code because I don't understand
> it, and don't have any easy way to run any regressions using test vectors,
> but I'll take a look at it.
> 
> One question, is this just Enveloped by itself, or is any actual use of
> XPath required (i.e. building with Xalan?)

We are building with Xalan, but in this case I don't think it's invoked
since XSEC_USE_XPATH_ENVELOPE is not defined, so
DSIGTransformEnvelope::appendTransformer is creating a TXFMEnvelope
rather than a TXFMXPath. Also, the node is found via a URI reference not
an XPath.


John


-- 
John Keeping
+44 (0) 1223 566730 (Direct)
Metanate Ltd, Station Court, Great Shelford, Cambridge CB22 5NE, UK
www.metanate.com (Software consultancy)
www.schemus.com (Data synchronisation)


RE: [PATCH] xml-security-c: Potential bug in canonicalization from an XPathNodeList

Posted by Scott Cantor <ca...@osu.edu>.
Can you please file all of that in the bugzilla?

I'm very reluctant to make changes to that code because I don't understand
it, and don't have any easy way to run any regressions using test vectors,
but I'll take a look at it.

One question, is this just Enveloped by itself, or is any actual use of
XPath required (i.e. building with Xalan?)

-- Scott