[x3d-public] xmldsig# false-positive warning by Python xmlschema XML() method
Brutzman, Donald (Don) (CIV)
brutzman at nps.edu
Sun Jul 16 10:04:47 PDT 2023
Thanks for issue report. Am first wondering, despite error message, was
your XML produced satisfactorily?
Next, troubleshooting.
"*** Python-to-XML well-formed XML document test failed." means that the
Python XML library failed to validate the XML output.
The error message shows exactly what it dislikes: having a hash tag # in the
xmldsig namespace, which in XML parlance refers to a namespace.
XMLSchemaParseError cannot import namespace
'http://www.w3.org/2000/09/xmldsig#': Entities are forbidden (entity_name='dsig')
The construct itself is OK, and used in XML documents with a digital
signature, as specified by
* XML Signature Syntax and Processing Version 2.0
  * W3C Working Group Note 23 July 2015
  * http://www.w3.org/TR/xmldsig-core2
* XML Signature Best Practices, W3C Working Group Note 11 April 2013
  * https://www.w3.org/TR/xmldsig-bestpractices
The second reference on best practices suggests a workaround of sorts
(manually coerce until it avoids an error).
* 3.4 For Applications: Signing XML without namespace information ("legacy XML")
  * Best Practice 21: Applications: When creating an enveloping signature over XML without namespace information, take steps to avoid having that content inherit the XML Signature namespace.
  * Avoid enveloped content from inheriting the XML Signature namespace by either inserting an empty default namespace declaration or by defining a namespace prefix for the Signature Namespace usage.
  * https://www.w3.org/TR/2013/NOTE-xmldsig-bestpractices-20130411/#signing-xml-without-namespaces
The current code producing this warning in our x3d.py library is on line
15186. The preceding lines of code use Python's xmlschema package and then
xml.etree XML().
Root-cause analysis: this appears to be a failure in the xmlschema Python
library. We will need to track down how to report an issue there. Here
goes..
* https://pypi.org/project/xmlschema
* https://xmlschema.readthedocs.io/en/latest
* https://xmlschema.readthedocs.io/en/latest/api.html#xmlschema.XMLSchemaNamespaceError
  * exception XMLSchemaNamespaceError
  * Raised when a wrong runtime condition is found with a namespace.
* xmlschema project page
  * https://github.com/sissaschool/xmlschema
Bug report submitted:
* xmlschema issues
  * validation problem, xmldsig# namespace for XML digital signature #357
  * https://github.com/sissaschool/xmlschema/issues/357
I've added a TODO item in the x3d.py code generator to help us track this
down at some future point. Code block follows for full clarity and future
reference.
try:
    selfX3dXmlText = ''
    import xmlschema
    x3dSchemaUrl = 'https://www.web3d.org/specifications/x3d-' + validationVersion + '.xsd'
    x3dschema = xmlschema.XMLSchema(x3dSchemaUrl)
    try:
        from xml.etree import ElementTree
        selfX3dXmlText = self.XML()
        selfX3dXmlTree = ElementTree.fromstring(selfX3dXmlText)
        print("Python-to-XML well-formed XML document test of XML output complete")
        x3dschema.is_valid(selfX3dXmlTree)
        print("Python-to-XML X3D", str(self.version), "schema validation test of XML output complete")
    except SyntaxError as err: # Exception
        # https://stackoverflow.com/questions/18176602/how-to-get-the-name-of-an-exception-that-was-caught-in-python
        print("*** Python-to-XML X3D", str(self.version), "schema validation test of XML output failed.")
        print(" x3dSchemaUrl=", x3dSchemaUrl)
        if hasattr(err,'position') and err.position[0]:
            print(" ", type(err).__name__, "(line=" + str(err.lineno) + ')', err)
        if selfX3dXmlText: # might have failed to generate
            print(prependLineNumbers(selfX3dXmlText,err.lineno))
except Exception as err: # usually ParseError
    # https://docs.python.org/3/library/xml.etree.elementtree.html#exceptions
    print("*** Python-to-XML well-formed XML document test failed.")
    print(" x3dSchemaUrl=" + x3dSchemaUrl)
    print(" " + type(err).__name__, err)
    if hasattr(err,'position') and err.position[0]:
        lineNumber = err.position[0]
        print('type(err.position)=' + str(type(err.position)), 'lineNumber=' + str(lineNumber))
    else:
        lineNumber = 1
    if selfX3dXmlText: # might have failed to generate
        print(prependLineNumbers(selfX3dXmlText,lineNumber))
    # TODO handle xmldsig# namespace error by xmlschema library - otherwise trap/identify this error
    # Submitted bug report: validation problem, xmldsig# namespace for XML digital signature #357
    # https://github.com/sissaschool/xmlschema/issues/357
Again thanks for helpful issue report. Have fun with X3D Python!
all the best, Don
--
Don Brutzman Naval Postgraduate School, Code USW/Br brutzman at nps.edu
Watkins 270, MOVES Institute, Monterey CA 93943-5000 USA +1.831.656.2149
X3D graphics, virtual worlds, navy robotics https://faculty.nps.edu/brutzman
From: John Carlson <yottzumm at gmail.com>
Sent: Sunday, July 16, 2023 2:18 AM
To: Brutzman, Donald (Don) (CIV) <brutzman at nps.edu>; X3D Graphics public
mailing list <x3d-public at web3d.org>
Subject: Not sure what to do with this failure?
Text-python attached, see below weird issue. Should I upgrade? What is
happening with x3d.py and X3D 4.0? The link is good, but it looks like the
schema doesn't validate?
Back to JSON.
py JinLOA4Canonical101.py.txt
x3d.py package 4.0.64.4 loaded, have fun with X3D Graphics!
Self-test diagnostics:
*** Python-to-XML well-formed XML document test failed.
x3dSchemaUrl=https://www.web3d.org/specifications/x3d-4.0.xsd
XMLSchemaParseError cannot import namespace
'http://www.w3.org/2000/09/xmldsig#': Entities are forbidden
(entity_name='dsig')
Python-to-VRML export of VRML output successful
Python-to-JSON export of JSON output successful (under development)
python load and self-test diagnostics complete.
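Added example (not part of the original messages, x3d.py or xmlschema): "Entities are forbidden (entity_name='dsig')" is the kind of message an entity-rejecting XML parser raises when a document's DTD declares an entity, a standard hardening against entity-expansion and external-entity attacks. Assuming the imported schema declares a dsig entity in its DTD, as the error text indicates, this standard-library sketch runs two constructed schema documents through such a parser; all function and class names are hypothetical.

```python
from xml.etree import ElementTree
from xml.parsers import expat

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a minimal schema whose internal DTD subset declares an
# entity named 'dsig' (the entity name is taken from the error message).
XSD_WITH_ENTITY = f"""<?xml version="1.0"?>
<!DOCTYPE schema [ <!ENTITY dsig '{DSIG_NS}'> ]>
<schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="&dsig;"/>
"""

# Constructed sample: same schema, '#' namespace written literally, no DTD.
XSD_WITHOUT_DTD = f"""<?xml version="1.0"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="{DSIG_NS}"/>
"""


class EntitiesForbidden(ValueError):
    """Raised by the hardened parse when a DTD declares an entity."""


def parse_rejecting_entities(xml_text):
    """Parse XML, refusing any entity declaration before building a tree."""
    def reject(entity_name, *_unused):
        raise EntitiesForbidden(
            f"Entities are forbidden (entity_name={entity_name!r})")

    scanner = expat.ParserCreate()
    scanner.EntityDeclHandler = reject          # <!ENTITY name 'value'>
    scanner.UnparsedEntityDeclHandler = reject  # <!ENTITY name ... NDATA n>
    scanner.Parse(xml_text, True)               # handler exceptions propagate
    return ElementTree.fromstring(xml_text)


def diagnose(xml_text):
    """Return ('rejected', reason) or ('accepted', targetNamespace)."""
    try:
        root = parse_rejecting_entities(xml_text)
    except EntitiesForbidden as err:
        return ("rejected", str(err))
    return ("accepted", root.get("targetNamespace"))


if __name__ == "__main__":
    print(diagnose(XSD_WITH_ENTITY))   # rejected: the DTD declares 'dsig'
    print(diagnose(XSD_WITHOUT_DTD))   # accepted: '#' in the URI is harmless
    # The permissive stdlib parser silently expands the internal entity:
    print(ElementTree.fromstring(XSD_WITH_ENTITY).get("targetNamespace"))
```

In xmlschema the corresponding policy is set by the `defuse` argument of `XMLSchema` ('always', 'remote' or 'never'; remote resources are defused by default).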