santuario-dev mailing list archives

From "Raul Benito" <r...@apache.org>
Subject Re: subtree c14n canonicalization
Date Wed, 12 Jul 2006 14:36:13 GMT
It seems really weird to me;
the correct one must be with xmlns=""
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <CanonicalizationMethod xmlns=""
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>

But this case is really tested and stressed in real life.
Can you post the code (it is a bonus if it can compile cut'n'pasting
it), to diagnose it further?

Regards





On 7/12/06, Robert Shanahan <bob@directdocs.com> wrote:
> The following XML is taken from the CanonSubtree sample app, but illustrates an
> issue that I've encountered, which is causing a signature verification interop
> problem (Keytools and xml-sec).
>
> I've slightly altered the XML from the CanonSubtree sample by adding xmlns="" to
> the CanonicalizationMethod element. The second chunk of XML is the result of
> Apache xml-sec 1.3 subtree (SignedInfo) canonicalization.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <SignedInfo>
>     <CanonicalizationMethod xmlns=""
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>     <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>     <Reference URI="http://www.w3.org/TR/xml-stylesheet">
>       <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>       <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
>     </Reference>
>   </SignedInfo>
> </Signature>
>
>
> <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>     <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>     <Reference URI="http://www.w3.org/TR/xml-stylesheet">
>       <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>       <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
>     </Reference>
>   </SignedInfo>
>
>
> Note that xmlns="" has been omitted from the CanonicalizationMethod element.
> This is correct in the context of the subtree prior to adding doc level
> namespaces to the subtree root (i.e. <SignedInfo> vs <SignedInfo
> xmlns="http://www.w3.org/2000/09/xmldsig#">), but seems incorrect following the
> addition of the doc level namespace. I've read the W3C spec several times, yet
> it is still not clear to me what the correct behavior is.
>
> And apparently it was not clear to different implementors of the c14n spec,
> since Keytools retains xmlns="" in this type of context while xml-sec removes
> it, hence xml-sec cannot verify signatures created by Keytools in these contexts.
>
> I'd appreciate any insight or advice.
>
>


-- 
http://r-bg.com
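
Added example, not part of either message and not Apache xml-sec or Keytools code: a Python serializer that applies the Canonical XML 1.0 default-namespace rule to a subtree, run on a constructed copy of the quoted XML. It assumes unprefixed element and attribute names and no comments or processing instructions; the function names are hypothetical.

```python
from xml.dom import minidom

# Constructed input modelled on the XML quoted in the thread (whitespace removed).
DOC = (
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
    '<CanonicalizationMethod xmlns="" '
    'Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '</SignedInfo></Signature>'
)

TEXT_ESC = {"&": "&amp;", "<": "&lt;", ">": "&gt;", "\r": "&#xD;"}
ATTR_ESC = {"&": "&amp;", "<": "&lt;", '"': "&quot;",
            "\t": "&#x9;", "\n": "&#xA;", "\r": "&#xD;"}

def esc(value, table):
    return "".join(table.get(ch, ch) for ch in value)

def c14n_subtree(elem, rendered=""):
    """Serialize elem and its descendants (hypothetical helper).

    `rendered` is the default namespace already written by the nearest
    ancestor inside the subtree ("" at the apex: nothing written yet).
    Assumption: no prefixed names, comments or processing instructions.
    """
    # For an unprefixed element, namespaceURI is the default namespace in
    # scope, including one inherited from ancestors outside the subtree.
    ns = elem.namespaceURI or ""
    out = "<" + elem.tagName
    if ns != rendered:  # also true when xmlns="" undeclares a rendered one
        out += ' xmlns="%s"' % esc(ns, ATTR_ESC)
    for name in sorted(k for k in elem.attributes.keys() if k != "xmlns"):
        out += ' %s="%s"' % (name, esc(elem.getAttribute(name), ATTR_ESC))
    out += ">"
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n_subtree(child, ns)
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out += esc(child.data, TEXT_ESC)
    return out + "</%s>" % elem.tagName

def subtree_c14n(xml_text, tag="SignedInfo"):
    """Parse xml_text and canonicalize the first element named `tag`."""
    dom = minidom.parseString(xml_text)
    return c14n_subtree(dom.getElementsByTagName(tag)[0])

if __name__ == "__main__":
    print(subtree_c14n(DOC))
```

The output keeps `xmlns=""` on `CanonicalizationMethod` because the default namespace that `SignedInfo` inherits is written at the subtree root; when no ancestor in the subtree has written a default namespace, the same `xmlns=""` is dropped.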
