Return-Path: 
 <security-dev-return-5236-apmail-xml-security-dev-archive=xml.apache.org@xml.apache.org>
Delivered-To: apmail-xml-security-dev-archive@www.apache.org
Received: (qmail 19042 invoked from network); 13 Jun 2006 14:42:51 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 13 Jun 2006 14:42:51 -0000
Received: (qmail 50829 invoked by uid 500); 13 Jun 2006 14:42:50 -0000
Delivered-To: apmail-xml-security-dev-archive@xml.apache.org
Received: (qmail 50809 invoked by uid 500); 13 Jun 2006 14:42:50 -0000
Mailing-List: contact security-dev-help@xml.apache.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:security-dev@xml.apache.org>
List-Help: <mailto:security-dev-help@xml.apache.org>
List-Unsubscribe: <mailto:security-dev-unsubscribe@xml.apache.org>
Reply-To: security-dev@xml.apache.org
List-Id: <security-dev.xml.apache.org>
Delivered-To: mailing list security-dev@xml.apache.org
Received: (qmail 50798 invoked by uid 99); 13 Jun 2006 14:42:49 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 13 Jun 2006 07:42:49 -0700
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: local policy)
Received: from [128.146.216.79] (HELO defang10.net.ohio-state.edu)
 (128.146.216.79)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 13 Jun 2006 07:42:48 -0700
Received: from bytor (dhcp-128-146-242-196.it.ohio-state.edu
 [128.146.242.196])
	by defang10.net.ohio-state.edu (8.13.1/8.13.1) with ESMTP id k5DEgR8N002976
	for <security-dev@xml.apache.org>; Tue, 13 Jun 2006 10:42:27 -0400
From: "Scott Cantor" <cantor.2@osu.edu>
To: <security-dev@xml.apache.org>
Subject: RE: Use of exclusive c14n when encrypting elements in C++ lib
Date: Tue, 13 Jun 2006 10:42:26 -0400
Organization: The Ohio State University
Message-ID: <001c01c68ef7$972098c0$c4f29280@oit.ohiostate.edu>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Thread-index: AcaOztoXXFwV+MuoTvWcoHnDYYqJWQAKAkQw
In-reply-to: <448E8A45.7060506@wingsofhermes.org>
X-Spam-Score: undef - spam scanning disabled
X-CanItPRO-Stream: outbound
X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.146.216.12
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

> The whole thing about serialisation of data prior to encryption is
> fraught with problems.  Exc-c14n fixed some of them for me - but
> obviously there are others I missed!

I know, it's only my intuition that suggests to me that inclusive works
better for this use case, because signatures contain their own tranforms and
c14n directives. So sucking in additional namespaces during encryption
*shouldn't* cause breakage.

> Are you able to give me a fragment of something that breaks? I think I
> can see what you are getting at below, but a concrete example would make
> it easier for me :>.

Here's a simple example that *should* break:

<foo:bar xmlns:foo="..." xmlns:typens="..." xsi:type="typens:extension">
...
</foo

If I encrypt that element, your API will run excl c14n on the DOM to get the
octets. But under exclusive c14n, xmlns:typens is not visibly used, so it
will be stripped.

On the other end when I decrypt it, I'll get back this:

<foo:bar xmlns:foo="..." xsi:type="typens:extension">
...
</foo

If I don't validate, it will parse, because the parser isn't QName aware.
But my code will expect to process xsi:type properly, and won't find typens.

The usual solution of course is the inclusive prefix list, but I think here
your best bet is just use inclusive, so taking out the setExclusive() call
inside the encryption routine should work.

-- Scott