
I have the following xsd:

<xsd:schema
    targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    elementFormDefault="qualified" attributeFormDefault="unqualified"
    blockDefault="#all" version="0.2">
    <xsd:import namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"  schemaLocation="../MSG/IRS-WSTimeStampElementMessage.xsd" />
    <xsd:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="../MSG/IRS-WSSignatureElementMessage.xsd"/>
    <xsd:complexType name="SecurityHeaderType">
        <xsd:annotation>
            <xsd:documentation>This complexType defines header block to use for
                security-relevant data directed at a specific SOAP actor.
            </xsd:documentation>
        </xsd:annotation>
        <xsd:sequence>
            <xsd:element ref="ds:Signature" minOccurs="0"/>
            <xsd:element ref="wsu:Timestamp" minOccurs="0"/>            
        </xsd:sequence>
        <xsd:anyAttribute namespace="##other" processContents="lax" />
    </xsd:complexType>
    <xsd:element name="Security" type="wsse:SecurityHeaderType">
        <xsd:annotation>
            <xsd:documentation>This element defines the wsse:Security SOAP header
                element per Section 4.</xsd:documentation>
        </xsd:annotation>
    </xsd:element>
</xsd:schema>

And this is the XML I am trying to validate against schema above:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <u:Timestamp u:Id="TS-E68EBBF1696C5DD4AA143353323390073">
                <u:Created>2016-03-22T12:42:44.170Z</u:Created>
                <u:Expires>2016-03-22T12:52:44.170Z</u:Expires>
            </u:Timestamp>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <ds:Reference URI="#id-1">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>2gAU0kJV40nvR+Og=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#id-2">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>pISNeszVQ59HKCRbQ=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#TS-E68EBBF1696C5DD4AA143353323390073">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>mh7+cJJPRtrrn/s4N15AE=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>fhpY2IlKEdwBFWqNxbVEw7p+ojhw54+op+g==</ds:SignatureValue>
                <ds:KeyInfo>
                    <ds:X509Data><ds:X509Certificate>fshPnGE6H36KNqWMZqTf+X0oBls3dLz7TY=</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </ds:Signature>
</wsse:Security>

What I could not understand is why, during validation, I'm getting the following error:

ERROR: The element 'Security' in namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' has invalid child element 'Signature' in namespace 'http://www.w3.org/2000/09/xmldsig#'.

It looks like the element is defined in the namespace, but the validator seems oblivious to it or is just ignoring that fact for some reason.


2 Answers


They appear in the wrong order. A sequence should appear in the order it is declared. You have a minimum occurrence of 0 set for the signature, which is why it did not give you an issue for the timestamp being first.

If you do not want to enforce the order of appearance of your child elements, then you use xsd:all, but it has its own issues/rules: Difference between <xsd:all> and <xsd:sequence> in schema definition?


To expand on what @Rob said.

When I created my Signature element, after using the ComputeSignature() method of the SignedXml object, I used the signedXml.GetXml() method to output the XML to an XmlElement object. I used that to hold the digital signature. I created an XmlNode object to hold the reference for the Security element, and then used the InsertBefore method to add the digital signature before the FirstChild of the Security element.

Doing this put the child elements of the Security element in the appropriate order.

// Compute the signature.
xSigned.ComputeSignature();

// Get the Xml representation of the signature and save it to an XmlElement object.
XmlElement xmlDigitalSignature = xSigned.GetXml();

// Replace the KeyInfo element of the DigitalSignature with the appropriate KeyInfo information.
xmlDigitalSignature = ReplaceKeyInfo(xmlDigitalSignature);

// Create a reference to the Security Element under the SOAP Header.
XmlNode securityNode = xdoc.DocumentElement.SelectSingleNode("//soapenv:Header/wsse:Security", XmlManager(xdoc));

// Add the element to the XmlDocument by moving the Signature Element to be the first child under the Security Element.
securityNode.InsertBefore(xdoc.ImportNode(xmlDigitalSignature, true), securityNode.FirstChild);
  • Thanks, man! Already doing it, but to no avail nonetheless: still getting the infamous error. Read their guidance again and came to the conclusion that it should more properly be called misguidance :( – fatherOfWine Mar 24 '16 at 13:38
  • @fatherOfWine have you gotten your submissions to work? – Russ Mar 30 '16 at 18:20
  • Yes I did. I left you an update on your question. Have you seen it? – fatherOfWine Mar 30 '16 at 19:51
  • Thank you, I see that now. Unfortunately, for me, I believe I have all of the correct and appropriate fields in the Form1094C/1095C document in accordance with their schemas. – Russ Mar 30 '16 at 20:20
  • Sorry to hear that. I've left you another update, with a short description of my solution, and mentioned the additional changes I've made to turn things around. – fatherOfWine Mar 30 '16 at 20:56
  • @fatherOfWine I have responded on that thread. It sounds like you may be doing things differently than I am. – Russ Mar 30 '16 at 21:24
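To tie both answers together, here is an added C# example that is not code from the question or either answer: it validates a constructed wsse:Security header against a self-contained schema with the same Signature-then-Timestamp sequence as the question, reproduces the "invalid child element" error when Timestamp comes first, and then applies the InsertBefore move from the second answer and validates again. The one-element stub schemas for the xmldsig and wsu namespaces and the trimmed element bodies are assumptions made so it runs without the external schema files.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Schema;
// Added example (not the question's or either answer's code): reproduces the ordering error
// against a Signature-then-Timestamp sequence, then applies the InsertBefore fix from the second answer.
public static class SecurityHeaderOrder
{
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string Ds = "http://www.w3.org/2000/09/xmldsig#";
    // Assumed stand-in for the imported xmldsig/wsu schemas: one global element per
    // namespace with lax content, so the xsd:import lines below resolve from the schema set.
    static string Stub(string ns, string name) =>
        "<xsd:schema xmlns:xsd='http://www.w3.org/2001/XMLSchema' targetNamespace='" + ns + "'><xsd:element name='" + name + "'>" +
        "<xsd:complexType><xsd:sequence><xsd:any minOccurs='0' maxOccurs='unbounded' processContents='lax'/>" +
        "</xsd:sequence><xsd:anyAttribute processContents='lax'/></xsd:complexType></xsd:element></xsd:schema>";
    // Same SecurityHeaderType as the question: Signature first, then Timestamp, both optional.
    static readonly string SecuritySchema =
        "<xsd:schema xmlns:xsd='http://www.w3.org/2001/XMLSchema' targetNamespace='" + Wsse + "' xmlns:ds='" + Ds + "' xmlns:wsu='" + Wsu + "'>" +
        "<xsd:import namespace='" + Ds + "'/><xsd:import namespace='" + Wsu + "'/>" +
        "<xsd:element name='Security'><xsd:complexType><xsd:sequence>" +
        "<xsd:element ref='ds:Signature' minOccurs='0'/><xsd:element ref='wsu:Timestamp' minOccurs='0'/>" +
        "</xsd:sequence></xsd:complexType></xsd:element></xsd:schema>";
    // Returns the first validation error message for doc, or null when it is schema-valid.
    public static string Validate(XmlDocument doc)
    {
        var set = new XmlSchemaSet();
        foreach (var s in new[] { Stub(Ds, "Signature"), Stub(Wsu, "Timestamp"), SecuritySchema })
            set.Add(null, XmlReader.Create(new StringReader(s)));
        set.Compile();
        doc.Schemas = set;
        string error = null;
        doc.Validate((sender, e) => { if (error == null) error = e.Message; });
        return error;
    }
    public static void Main()
    {
        var doc = new XmlDocument(); // constructed header, children in the order the question posted them
        doc.LoadXml("<wsse:Security xmlns:wsse='" + Wsse + "'><u:Timestamp xmlns:u='" + Wsu + "'>" +
            "<u:Created>2016-03-22T12:42:44Z</u:Created></u:Timestamp>" +
            "<ds:Signature xmlns:ds='" + Ds + "'><ds:SignedInfo/></ds:Signature></wsse:Security>");
        Console.WriteLine(Validate(doc) ?? "valid"); // validate as posted (Timestamp before Signature)
        // The second answer's fix: move Signature to be the first child of Security, then re-validate.
        XmlNode security = doc.DocumentElement;
        XmlNode signature = security.SelectSingleNode("*[local-name()='Signature']");
        security.InsertBefore(signature, security.FirstChild);
        Console.WriteLine(Validate(doc) ?? "valid");
    }
}
```

The first Validate call reports the same "has invalid child element 'Signature'" message the question quotes, because the optional Signature particle is skipped once Timestamp has been matched; after InsertBefore moves the existing Signature node to the front, the second call returns null.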