[xmlsec] XMLSEC Reference URI question

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Thu Jul 25 12:48:12 PDT 2002

Thanks for the pointer into the spec and I think we've got this under
control now. We've got to work out a good XPath transform that works for our
compound documents but now that I can validate the documents that are
produced, we can incrementally refine the XPath until we get what we
Thanks again for your support -- now I've got a lot of code to write to port
my stuff from Xerces to libxml and add the signing/verification logic.

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Thursday, July 25, 2002 3:10 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: 'xmlsec at aleksey.com'; Dodd, Tim (ISS Atlanta)
Subject: Re: [xmlsec] XMLSEC Reference URI question

According to C14N spec all whitespaces and eol symbols are preserved.
For example, take a look here:
To be precise, in XML whitespaces are treated as "text" nodes and all C14N 
regular rules apply to these nodes (for example, you can exclude some
using XPath expression before C14N, etc.)
I am doing my best to make XMLSec library complaint with the specs and
in this particular case XMLSec strictly follows the C14N spec by preserving
the whitespaces. About the reasons why does it fail, I can add more details
possible options from my previous  email (whitespaces  were lost in Apache
there are only two possible places :) ):
    1) Apache does not treate whitespaces as "text" nodes and by this when 
    you run XPath expression these missed nodes are not included into output
    (and not processed by C14N)
    2) Apache does C14N in wrong way and removes white spaces


Moultrie, Ferrell (ISSAtlanta) wrote:

  Ok .. I finally edited the document enough to get it to verify. Here's
what I had to change -- I haven't had a chance to re-read the C14N spec in
detail so maybe you can tell me if it's an xmlsec problem or not. In order
to get it to verify, I removed all the leading whitespace (indenting with
tabs) from the signed document, I also removed all new-line sequences from
between the elements in the signed document. So -- the C14N transform (or
something else in the web world) is removing all the "formatting" (leading
tabs and EOL whitespace) from the XML in the Apache world. It's obviously
preserving that on the xmlsec side based on the buffer dump and the fact
that manually removing the whitespace works. I'd thought that the C14N
transform did that for me -- did I miss something or is there an issue with
the C14N transform in xmlsec. I'm going to go re-read the C14N spec now --
but if you can tell me how you think it should behave in xmlsec I'd
appreciate it!
PS, I'm attaching the original document from the web folks (*06.xml, fails)
and my edited version (*06a.xml, works).

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
Sent: Thursday, July 25, 2002 11:43 AM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: 'xmlsec at aleksey.com <mailto:xmlsec at aleksey.com> '; Dodd, Tim (ISS
Subject: Re: [xmlsec] XMLSEC Reference URI question

After quick look, the XMLSec output seems correct. XMLSec produced exactly
you've seleceted. However, the error says that digests do not match and this
means that 
Apache generated another output. I do see few possible options:
    1) Apache calculated wrong nodes set (from XPath expressions)
    2) Apache did different C14N for the same nodes set
    3) something else more stupid on Apache or XMLSec side
I would vote for option 1) since the C14N is very simple here (no
namespaces, etc.) and 
we already have seen problems with XPath transform in Apache. But only
Apache output
"just before digesting" can actually help to identify the problem.

With best regards,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20020725/6927b7b3/attachment.htm

More information about the xmlsec mailing list