santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Shanahan <...@directdocs.com>
Subject subtree c14n canonicalization
Date Wed, 12 Jul 2006 13:54:15 GMT
The following XML is taken from the CanonSubtree sample app, but illustrates an
issue that I've encountered, which is causing a signature verification interop
problem (Keytools and xml-sec).

I've slightly altered the XML from the CanonSubtree sample by adding xmlns="" to
the CanonicalizationMethod element. The second chunk of XML is the result of
Apache xml-sec 1.3 subtree (SignedInfo) canonicalization.

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod xmlns=""
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>
<Signature>


<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>


Note that xmlns="" has been omitted from the CanonicalizationMethod element.
This is correct in the context of the subtree prior to adding doc level
namespaces to the subtree root (i.e. <SignedInfo> vs <SignedInfo 
xmlns="http://www.w3.org/2000/09/xmldsig#">), but seems incorrect following the
addition of the doc level namespace. I've read the W3C spec several times, yet
it is still not clear to me what the correct behavior is.

And apparently it was not clear to different implementors of the c14n spec,
since Keytools retains xmlns="" in this type of context while xml-sec removes
it, hence xml-sec cannot verify signatures created by Keytools in these contexts.

I'd appreciate any insight or advice.


Mime
View raw message