[xmlsec] exclusive canonicalization problem - multiple namespace declaration

Tomas Sieger tomas.sieger at systinet.com
Wed Apr 14 08:52:14 PDT 2004


Yes, the c14n itself works well.
The problem arises when XPath is introduced:

cat test.xpath
<XPath xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
(//. | //@* | //namespace::*)[ancestor-or-self::SOAP-ENV:Body]
</XPath>

./testC14N --exc-with-comments test.xml test.xpath
<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:type="ns0:ping">
            <ns0:text xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		xsi:type="xsd:string">Hello.</ns0:text>
        </ns0:Ping>
</SOAP-ENV:Body>

This is the same behaviour (multiple namespace declarations)
I'm experiencing while signing an Id-referenced element and
then applying exclusive c14n to the referenced element.
Exclusive c14n in this case copies namespace declarations into
each element using the namespace (in my case the namespace is
used by attributes). Then the digest is computed from the canonicalized
element, and the digest value does not match the digest computed by
other dsig implementations - they do not declare namespaces
at each element, just at the first one - so the signature can't
be verified.

Any ideas?

Feel free to ask me for any debug outputs / patched sources to
help you easily reproduce the problem.

thanks again
  Tomas
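
Added example, not part of the thread and not xmlsec or libxml2 code: the exclusive c14n namespace rendering rule (a prefix is rendered only where it is visibly utilized and no output ancestor has already rendered it with the same value), applied to the thread's test.xml, with a digest comparison showing why a repeated xmlns:xsi breaks verification. Assumptions: the whole subtree is in the node set, only elements, text and prefixed namespaces occur, the names `exc_c14n`, `esc` and `digest` are hypothetical, and SHA-256 stands in for whatever digest the signature uses.

```python
import hashlib
from xml.dom import minidom

XSI = "http://www.w3.org/2001/XMLSchema-instance"
# test.xml from the thread, with the line breaks inside tags collapsed
TEST_XML = (
    '<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">\n'
    '  <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsi="%s" xsi:type="ns0:ping">\n'
    '    <ns0:text xmlns:xsi="%s" xsi:type="xsd:string">Hello.</ns0:text>\n'
    '  </ns0:Ping>\n'
    '</SOAP-ENV:Body>' % (XSI, XSI))
TEXT_ESC = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ("\r", "&#xD;")]
ATTR_ESC = [("&", "&amp;"), ("<", "&lt;"), ('"', "&quot;"),
            ("\t", "&#x9;"), ("\n", "&#xA;"), ("\r", "&#xD;")]

def esc(s, table):
    for ch, ref in table:
        s = s.replace(ch, ref)
    return s

def exc_c14n(el, scope=None, rendered=None):
    """Exclusive c14n of a whole subtree: elements, text, prefixed namespaces."""
    scope, rendered = dict(scope or {}), dict(rendered or {})
    nodes = list(el.attributes.values())
    scope.update((a.localName, a.value) for a in nodes if a.prefix == "xmlns")
    attrs = [a for a in nodes if a.prefix != "xmlns"]
    # Prefixes visibly utilized: the element's own and its attributes'.
    used = {p for p in [el.prefix] + [a.prefix for a in attrs] if p and p != "xml"}
    out = "<" + el.tagName
    for p in sorted(used):
        if rendered.get(p) != scope[p]:    # skip if an output ancestor rendered it
            out += ' xmlns:%s="%s"' % (p, esc(scope[p], ATTR_ESC))
            rendered[p] = scope[p]
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out += ' %s="%s"' % (a.name, esc(a.value, ATTR_ESC))
    out += ">"
    for c in el.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            out += exc_c14n(c, scope, rendered)
        elif c.nodeType == c.TEXT_NODE:
            out += esc(c.data, TEXT_ESC)
    return out + "</" + el.tagName + ">"

def digest(s):
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

canonical = exc_c14n(minidom.parseString(TEST_XML).documentElement)
# Constructed: the same output with xmlns:xsi repeated on ns0:text, as reported above
redundant = canonical.replace("<ns0:text ", '<ns0:text xmlns:xsi="%s" ' % XSI)
print(canonical, digest(canonical), digest(redundant), sep="\n")
```

The two digests differ although both strings describe the same infoset, so a verifier that canonicalizes without the repeated declaration rejects a signature produced with it.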


Aleksey Sanin wrote:
> Seems to be working fine for me:
> 
> D:\tmp\xml>testC14N.exe
> Error: wrong number of arguments.
> Usage: testC14N.exe <mode> <xml-file> [<xpath-expr>] [<inclusive-ns-list>]
> where <mode> is one of following:
> --with-comments          XML file canonization w comments
> --without-comments       XML file canonization w/o comments
> --exc-with-comments      Exclusive XML file canonization w comments
> --exc-without-comments   Exclusive XML file canonization w/o comments
> 
> $ xmllint --version
> xmllint: using libxml version 20608
>    compiled with: DTDValid FTP HTTP HTML C14N Catalog XPath XPointer XInclude Unicode Regexps Automata Schemas
> 
> $ cat test.xml
> <SOAP-ENV:Body
>        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>        <ns0:Ping
>            xmlns:ns0="http://xmlsoap.org/Ping"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>            xsi:type="ns0:ping">
>            <ns0:text
>                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                xsi:type="xsd:string">Hello.</ns0:text>
>        </ns0:Ping>
> </SOAP-ENV:Body>
> 
> $ testC14N.exe --exc-with-comments test.xml
> <SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>        <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns0:ping">
>            <ns0:text xsi:type="xsd:string">Hello.</ns0:text>
>        </ns0:Ping>
> </SOAP-ENV:Body>
> 
> 
> Aleksey
> 
> Tomas Sieger wrote:
> 
>> Hello,
>>  I'm experiencing a problem executing an exclusive XML
>> canonicalization. The canonicalization declares the same
>> namespace twice, at two elements in a parent-child
>> relation. Consider the following example:
