[xmlsec] canonicalization and transcoding

Aleksey Sanin aleksey at aleksey.com
Fri Mar 28 22:26:38 PST 2003

I am not sure what you mean by transcoding as applied to XML, but I
believe you are mixing canonicalization with something different.
Canonicalization (c14n) is the process of transforming an XML document,
or a part of an XML document, to a binary stream. You *have* to do c14n
in order to sign or digest XML data just because digests and signatures
work on binary data only. Currently, several c14n algorithms are defined
by W3C and all of them are implemented in the xmlsec library.

Next, there is no reason why an XML parser should replace
    <foo />
The "<foo/>" is perfectly valid XML. There is also no reason for XML
to sort nodes (moreover, the parser that does it is actually not an XML
parser at all :) ).

Also, when you specify an encoding in the XML document, LibXML is smart
enough to do the correct automatic encoding conversion when it reads or
writes the document. Internally, all the strings are UTF8 (see the
libxml documentation), and the signatures/digests are calculated over
UTF8 data, as required by the specification. However, when the
resulting document is dumped to output in the example you've mentioned,
it is back in the encoding specified in the document. Of course, you can
force the document to be written in any other encoding, but this is
beyond the limits of the xmlsec library.

You can use the "xmlsec" command line utility to look "inside" the
signature. Try the '--store-references' or '--store-signatures' options
when verifying a document. It'll print out the binary stream just before
calculating the digest or signature. You can also get access to the same
data from your application (check the xmlsec utility sources for
details).


>Do you mean that example dsig1.c does canonisation and transcoding?
>I tried to change encoding="Windows-1251" and added two tags without
>pair (<InnerTag attr1="10"/>). And after processing all tags are still
>without pairs and in that lexical order as they were. Encoding also
>has not been changed.
>Should I describe DTD before trying to sign document?
>Best regards,  
>Slava Kostin
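
The point made in the reply above, as an added example that is not part of the original message and is not xmlsec code: the same document stored as Windows-1251 with `<InnerTag attr1="10"/>` and as UTF-8 with a paired tag canonicalizes to one UTF-8 byte stream and therefore one digest. Assumptions: it uses Python's standard-library `canonicalize` (Python 3.8+, C14N 2.0) instead of the c14n code in xmlsec/libxml2, SHA-1 as the digest, and a constructed sample document.

```python
import hashlib
import io
from xml.etree.ElementTree import canonicalize

TEXT = "\u0442\u0435\u0441\u0442"  # constructed Cyrillic sample text

def serialize(encoding, inner_tag):
    """Build the constructed sample document and encode it as `encoding`."""
    doc = ('<?xml version="1.0" encoding="%s"?>'
           '<Doc>%s<Name>%s</Name></Doc>' % (encoding, inner_tag, TEXT))
    return doc.encode(encoding)

def c14n_bytes(raw):
    """Parse raw document bytes; return the canonical form as UTF-8 bytes."""
    # The parser honours the declared encoding and hands Unicode to the
    # canonicalizer, so the declaration's charset never reaches the digest.
    return canonicalize(from_file=io.BytesIO(raw)).encode("utf-8")

def digest(raw):
    """SHA-1 over the canonical byte stream."""
    return hashlib.sha1(c14n_bytes(raw)).hexdigest()

# Same content, different bytes on disk: charset and empty-tag spelling differ.
CP1251_SHORT = serialize("windows-1251", '<InnerTag attr1="10"/>')
UTF8_PAIRED = serialize("utf-8", '<InnerTag attr1="10"></InnerTag>')

if __name__ == "__main__":
    for name, raw in (("windows-1251", CP1251_SHORT), ("utf-8", UTF8_PAIRED)):
        print(name, len(raw), "bytes on disk, digest", digest(raw))
    print(c14n_bytes(CP1251_SHORT).decode("utf-8"))
```

The source file keeps its own encoding and its `<InnerTag .../>` spelling; only the stream that is digested is normalized.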
