santuario-dev mailing list archives

From "Jesse Pelton" <...@PKC.com>
Subject XML-Security-C with OpenSSL overly strict about base64 line lengths
Date Fri, 18 Mar 2005 20:33:52 GMT
OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature() uses OpenSSL's
EVP_Decode...() routines to decode the base64 contents of
SignatureValue.  This fails if line breaks don't occur where OpenSSL
thinks they should.  I think this is contrary to the specification (see
rationale below), and that this function should use XSCryptCryptoBase64,
as WinCAPICryptoKeyRSA::verifySHA1PKCS1Base64Signature() does, rather
than the EVP_Decode...() routines.

Rationale: Section 4.2 of the XML-Dsig spec
(http://www.w3.org/TR/xmldsig-core/) says that SignatureValues are of
Schema type base64Binary.
http://www.w3.org/TR/xmlschema-2/#base64Binary says, "For compatibility
with older mail gateways, [RFC 2045] suggests that base64 data should
have lines limited to at most 76 characters in length.  This line-length
limitation is not mandated in the lexical forms of base64Binary data and
must not be enforced by XML Schema processors."  If the line-length
limitation is not mandated, XSec should be able to handle arbitrary line
lengths.

I'm happy to file a bug and/or create a patch if that would be useful.
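
Added illustration of the behaviour the message asks for, not part of the original message and not XML-Security-C or OpenSSL code: a self-contained decoder that treats whitespace in base64Binary text as insignificant, so line length never affects the result. The names decodeBase64Binary and decodeToString are hypothetical, and the sample strings in the closing comment are constructed.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// 6-bit value of a base64 alphabet character, or -1 if it is not in the alphabet.
static int b64Value(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

// Hypothetical helper: decode xsd:base64Binary text, skipping whitespace wherever
// it occurs, so no line length is enforced. Returns false on characters outside
// the alphabet, misplaced or excess padding, or a truncated final quantum.
bool decodeBase64Binary(const std::string& text, std::vector<uint8_t>& out) {
    uint32_t acc = 0;
    int nchars = 0, pad = 0;  // data chars in the current 4-char quantum; '=' seen
    out.clear();
    for (unsigned char c : text) {
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') continue;
        if (c == '=') { if (++pad > 2) return false; continue; }
        int v = b64Value(c);
        if (v < 0 || pad > 0) return false;  // junk, or data after padding began
        acc = (acc << 6) | static_cast<uint32_t>(v);
        if (++nchars == 4) {                 // 24 bits -> 3 bytes
            out.push_back(static_cast<uint8_t>((acc >> 16) & 0xFF));
            out.push_back(static_cast<uint8_t>((acc >> 8) & 0xFF));
            out.push_back(static_cast<uint8_t>(acc & 0xFF));
            acc = 0; nchars = 0;
        }
    }
    if (nchars == 0) return pad == 0;
    if (nchars == 1 || nchars + pad != 4) return false;
    if (nchars == 2) {                       // 12 bits -> 1 byte, 4 spare bits zero
        if (acc & 0xF) return false;
        out.push_back(static_cast<uint8_t>((acc >> 4) & 0xFF));
    } else {                                 // 18 bits -> 2 bytes, 2 spare bits zero
        if (acc & 0x3) return false;
        out.push_back(static_cast<uint8_t>((acc >> 10) & 0xFF));
        out.push_back(static_cast<uint8_t>((acc >> 2) & 0xFF));
    }
    return true;
}

// Convenience wrapper for comparisons: decoded bytes as a string, "" if malformed.
// "TWFuIGlzIGRpc3Rpbmd1aXNoZWQ=" and "TWFuI\r\nGlzIGRpc3Rpbm\r\nd1aXNoZWQ=" give the same bytes.
std::string decodeToString(const std::string& text) {
    std::vector<uint8_t> bytes;
    return decodeBase64Binary(text, bytes) ? std::string(bytes.begin(), bytes.end()) : "";
}
```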
