Bug 45744 - XPath transform and xml-stylesheet
Summary: XPath transform and xml-stylesheet
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: Signature
Version: Java 1.4.1
Hardware: PC Windows XP
Importance: P2 normal
Target Milestone: ---
Assignee: XML Security Developers Mailing List
Depends on:
Reported: 2008-09-04 07:20 UTC by Michal Listwan
Modified: 2009-07-10 06:32 UTC

upp_sign.xml is the signature and out.xml signed xml (2.13 KB, application/zip)
2008-09-04 07:20 UTC, Michal Listwan
verification (5.29 KB, application/octet-stream)
2009-06-18 06:42 UTC, Michal Listwan
A patch for this issue (12.56 KB, patch)
2009-06-19 04:12 UTC, coheigea

Description Michal Listwan 2008-09-04 07:20:33 UTC
Created attachment 22525
upp_sign.xml is the signature and out.xml signed xml

There is a problem with verification of signatures having a ds:Reference to an XML file with <?xml-stylesheet?> with an XPath transform. If you create the same signature referencing a modified document by omitting <?xml-stylesheet?>, the signature verification succeeds.

I had to solve the problem and came to the conclusion that there is a bug in org.apache.xml.security.signature.XMLSignatureInput. The source of the problem is the line this._subNode=doc.getDocumentElement(); in void convertToNodes(). Assigning only the root element removes xml-stylesheet. Changing the line to: this._subNode=doc; seems to fix it.

Attached out.zip has two files that show the situation.

Comment 1 coheigea 2009-06-18 04:52:20 UTC
Do you have a test-case for this issue?

Comment 2 Michal Listwan 2009-06-18 06:42:38 UTC
Created attachment 23828

Attachment verifies the pair (upp_sign.xml and out.xml). As the line is "this._subNode=doc.getDocumentElement();" verification of reference out.xml fails. With "this._subNode=doc" verification succeeds.

The signature was created with a third-party library. It caused an inconsistency that made me look for this bug.

Comment 3 coheigea 2009-06-18 08:48:59 UTC
Thanks Michael. I'll create a patch including a test-case for this issue. Do you have any objections to me adding the test code and signature files to the project?

Comment 4 Michal Listwan 2009-06-18 13:12:12 UTC
I have no objections.

Comment 5 coheigea 2009-06-19 04:12:41 UTC
Created attachment 23832
A patch for this issue

See attached for a patch for this issue. It includes the suggested fix to XMLSignatureInput, as well as a unit test that's derived from the submitted test-case.

Comment 6 coheigea 2009-07-10 06:32:03 UTC
Patch applied.
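
The following is an added example, not code from the bug report, the attached patch, or Apache XML Security. It uses only the JDK DOM API to show the difference the description points at: a node set built from doc.getDocumentElement() cannot contain a top-level xml-stylesheet processing instruction, while one built from the document node does. The class name, the helper methods and the sample document are constructed for illustration, and the traversal is a simplified stand-in for the library's node-set construction.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class NodeSetRootDemo {
    // Constructed sample input; not the out.xml attached to the bug.
    static final String XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<?xml-stylesheet type=\"text/xsl\" href=\"style.xsl\"?>\n"
      + "<doc><item>value</item></doc>";

    // Record the start node and all of its descendants in document order.
    static void collect(Node n, List<String> out) {
        switch (n.getNodeType()) {
            case Node.PROCESSING_INSTRUCTION_NODE: out.add("PI:" + n.getNodeName()); break;
            case Node.ELEMENT_NODE: out.add("ELEM:" + n.getNodeName()); break;
            case Node.TEXT_NODE: out.add("TEXT:" + n.getNodeValue()); break;
            default: break; // document node and other node types are not listed
        }
        for (Node c = n.getFirstChild(); c != null; c = c.getNextSibling()) {
            collect(c, out);
        }
    }

    static List<String> nodeSet(Node start) {
        List<String> out = new ArrayList<>();
        collect(start, out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The sample needs no DTD, so reject DOCTYPE declarations outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));

        // Starting at the root element: the top-level PI lies outside this subtree.
        System.out.println("element root:  " + nodeSet(doc.getDocumentElement()));
        // Starting at the document node: the PI is a child of the document.
        System.out.println("document root: " + nodeSet(doc));
    }
}
```

A signer that digests the document-rooted node set and a verifier that digests the element-rooted one are hashing different inputs, which matches the reference failure reported for signatures produced by the third-party library.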