[x3d-public] xmldsig# false-positive warning by Python xmlschema XML() method

John Carlson yottzumm at gmail.com
Sun Jul 16 10:47:01 PDT 2023 

I didn’t see any XML?  I’ll have to look again.  I didn’t realize the code
did that.  I ran it the input XML through X3dToPython.xslt it looks like.

On Sun, Jul 16, 2023 at 12:04 PM Brutzman, Donald (Don) (CIV) <
brutzman at nps.edu> wrote:

> Thanks for issue report.  Am first wondering, despite error message, was
> your XML produced satisfactorily?
>
>
>
> Next, troubleshooting.
>
>
>
> “**** Python-to-XML well-formed XML document test failed**.*” means that
> the Python XML library failed to validate the XML output.
>
>
>
> The error message shows exactly what it dislikes: having a hash tag # in
> the xmldsig namespace, which in XML parlance refers to a namespace.
>
>
>
>     XMLSchemaParseError cannot import namespace '
> http://www.w3.org/2000/09/xmldsig#
> <https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23&data=05%7C01%7Cbrutzman%40nps.edu%7C62e4f8b58b7448e6e1b108db85dd8561%7C6d936231a51740ea9199f7578963378e%7C0%7C0%7C638250958735907841%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9BQStQVSdrx59SRA0ALPIYLsm61LK12bt%2BhABuwHgPw%3D&reserved=0>':
> Entities are forbidden (entity_name='dsig')
>
>
>
> The construct itself is OK, and used in XML documents with a digital
> signature, as specified by
>
>
>
>    - XML Signature Syntax and Processing Version 2.0
>    - W3C Working Group Note 23 July 2015
>    - http://www.w3.org/TR/xmldsig-core2
>
>
>
>    - XML Signature Best Practices, W3C Working Group Note 11 April 2013
>    - https://www.w3.org/TR/xmldsig-bestpractices
>
>
>
> The second reference on best practices suggests a workaround of sorts
> (manually coerce until it avoids an error).
>
>    - 3.4 For Applications: Signing XML without namespace information
>    ("legacy XML")
>    - Best Practice 21: Applications: When creating an enveloping
>    signature over XML without namespace information, take steps to avoid
>    having that content inherit the XML Signature namespace.
>    - Avoid enveloped content from inheriting the XML Signature namespace
>    by either inserting an empty default namespace declaration or by defining a
>    namespace prefix for the Signature Namespace usage.
>    -
>    https://www.w3.org/TR/2013/NOTE-xmldsig-bestpractices-20130411/#signing-xml-without-namespaces
>
>
>
> The current code producing this warning in our x3d.py library is on line
> 15186.  The preceding lines of code use python’s xmlschema package and then
> xml.etree XML()
>
>
>
> Root-cause analysis: this appears to be a failure in the xmlschema Python
> library.  We will need to track down how to report an issue there… here
> goes….
>
>
>
>    - https://pypi.org/project/xmlschema
>
>
>
>    - https://xmlschema.readthedocs.io/en/latest
>    -
>    https://xmlschema.readthedocs.io/en/latest/api.html#xmlschema.XMLSchemaNamespaceError
>       - *exception *XMLSchemaNamespaceError
>       - Raised when a wrong runtime condition is found with a namespace.
>    - xmlschema project page
>    - https://github.com/sissaschool/xmlschema
>
>
>
> Bug report submitted:
>
>    - xmlschema issues
>    - validation problem, xmldsig# namespace for XML digital signature #357
>    - https://github.com/sissaschool/xmlschema/issues/357
>
>
>
> I’ve added a TODO item in the x3d.py code generator to help us track this
> down at some future point.  Code block follows for full clarity and future
> reference.
>
>
>
>         try:
>
>             selfX3dXmlText = ''
>
>             import xmlschema
>
>             x3dSchemaUrl = 'https://www.web3d.org/specifications/x3d-' +
> validationVersion + '.xsd'
>
>             x3dschema = xmlschema.XMLSchema(x3dSchemaUrl)
>
>             try:
>
>                 from xml.etree import ElementTree
>
>                 selfX3dXmlText = self.XML()
>
>                 selfX3dXmlTree = ElementTree.fromstring(selfX3dXmlText)
>
>                 print("Python-to-XML well-formed XML document  test of XML
> output complete")
>
>                 x3dschema.is_valid(selfX3dXmlTree)
>
>                 print("Python-to-XML X3D", str(self.version), "schema
> validation test of XML output complete")
>
>             except SyntaxError as err: # Exception
>
>                 #
> https://stackoverflow.com/questions/18176602/how-to-get-the-name-of-an-exception-that-was-caught-in-python
>
>                 print("*** Python-to-XML X3D", str(self.version), "schema
> validation test of XML output failed.")
>
>                 print("    x3dSchemaUrl=", x3dSchemaUrl)
>
>                 if hasattr(err,'position') and err.position[0]:
>
>                     print("   ", type(err).__name__, "(line=" +
> str(err.lineno) + ')', err)
>
>                 if selfX3dXmlText: # might have failed to generate
>
>                     print(prependLineNumbers(selfX3dXmlText,err.lineno))
>
>         except Exception as err: # usually ParseError
>
>             #
> https://docs.python.org/3/library/xml.etree.elementtree.html#exceptions
>
>             print("*** Python-to-XML well-formed XML document test
> failed.")
>
>             print("    x3dSchemaUrl=" + x3dSchemaUrl)
>
>             print("    " + type(err).__name__, err)
>
>             if hasattr(err,'position') and err.position[0]:
>
>                 lineNumber = err.position[0]
>
>                 print('type(err.position)=' + str(type(err.position)),
> 'lineNumber=' + str(lineNumber))
>
>             else:
>
>                 lineNumber = 1
>
>             if selfX3dXmlText: # might have failed to generate
>
>                 print(prependLineNumbers(selfX3dXmlText,lineNumber))
>
>             *# TODO handle xmldsig# namespace error by xmlschema library
> - otherwise trap/identify this error*
>
> *            # Submitted bug report: validation problem, xmldsig#
> namespace for XML digital signature #357*
>
> *            # https://github.com/sissaschool/xmlschema/issues/357
> <https://github.com/sissaschool/xmlschema/issues/357>*
>
>
>
> Again thanks for helpful issue report.  Have fun with X3D Python!
>
>
>
> all the best, Don
>
> --
>
> Don Brutzman  Naval Postgraduate School, Code USW/Br
> brutzman at nps.edu
>
> Watkins 270,  MOVES Institute, Monterey CA 93943-5000 USA
> +1.831.656.2149
>
> X3D graphics, virtual worlds, navy robotics
> https://faculty.nps.edu/brutzman
>
>
>
> *From:* John Carlson <yottzumm at gmail.com>
> *Sent:* Sunday, July 16, 2023 2:18 AM
> *To:* Brutzman, Donald (Don) (CIV) <brutzman at nps.edu>; X3D Graphics
> public mailing list <x3d-public at web3d.org>
> *Subject:* Not sure what to do with this failure?
>
>
>
> Text-python attached, see below weird issue. Should I upgrade? What is
> happening with x3d.py and X3D 4.0?  The link is good, but it looks like the
> schema doesn't validate?
>
>
>
> Back to JSON.
>
>
>
> py JinLOA4Canonical101.py.txt
>
> x3d.py package 4.0.64.4 loaded, have fun with X3D Graphics!
>
> Self-test diagnostics:
>
> *** Python-to-XML well-formed XML document test failed.
>
>     x3dSchemaUrl=https://www.web3d.org/specifications/x3d-4.0.xsd
>
>     XMLSchemaParseError cannot import namespace '
> http://www.w3.org/2000/09/xmldsig#': Entities are forbidden
> (entity_name='dsig')
>
> Python-to-VRML export of VRML output successful
>
> Python-to-JSON export of JSON output successful (under development)
>
> python load and self-test diagnostics complete.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://web3d.org/pipermail/x3d-public_web3d.org/attachments/20230716/09a41403/attachment-0001.html>

More information about the x3d-public mailing list