[xmlsec] exclusive canonicalization problem - multiple namespace declaration

Aleksey Sanin aleksey at aleksey.com
Fri Apr 16 11:41:26 PDT 2004


It is a problem on both sides. The LibXML2 namespaces are a little
bit tricky, and the c14n code had a problem with understanding that an
attribute's namespace is the same as the namespace declaration in the node.

The patches for both libxml2 and xmlsec are attached (the libxml2 patch
fixes the testC14N test utility and does not change the core libxml2
functionality, so it is optional). I did a quick test and it seems
to be working fine, but I will not be able to fully test and check in
these patches till next week.

Aleksey


Tomas Sieger wrote:

> Hi Aleksey,
>  do you think this is a problem on the xmlSec / libxml2 side? Or am I doing 
> something wrong?
> Please say a word, I'm under serious time pressure :-).
> 
> thanks again,
>  Tomas
> 
> Tomas Sieger wrote:
> 
>> Yes, the c14n itself works well.
>> The problem arises when XPath is introduced:
>>
>> cat test.xpath
>> <XPath xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>> (//. | //@* | //namespace::*)[ancestor-or-self::SOAP-ENV:Body]
>> </XPath>
>>
>> ./testC14N --exc-with-comments test.xml test.xpath
>> <SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>>        <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns0:ping">
>>            <ns0:text xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Hello.</ns0:text>
>>        </ns0:Ping>
>> </SOAP-ENV:Body>
>>
>> This is the same behaviour (multiple namespace declarations)
>> I'm experiencing while signing an Id-referenced element and
>> then applying exclusive c14n to the referenced element.
>> Exclusive c14n in this case copies namespace declarations into
>> each element using the namespace (in my case the namespace is
>> used by attributes). Then the digest is computed from the canonicalized
>> element, and the digest value does not match the digest computed by
>> other dsig implementations - they do not declare namespaces
>> at each element, just at the first one - so the signature can't
>> be verified.
>>
>> Any ideas?
>>
>> Feel free to ask me for any debug outputs / patched sources to
>> help you easily reproduce the problem.
>>
>> thanks again
>>  Tomas
>>
>>
>> Aleksey Sanin wrote:
>>
>>> Seems to be working fine for me:
>>>
>>> D:\tmp\xml>testC14N.exe
>>> Error: wrong number of arguments.
>>> Usage: testC14N.exe <mode> <xml-file> [<xpath-expr>] [<inclusive-ns-list>]
>>> where <mode> is one of following:
>>> --with-comments          XML file canonization w comments
>>> --without-comments       XML file canonization w/o comments
>>> --exc-with-comments      Exclusive XML file canonization w comments
>>> --exc-without-comments   Exclusive XML file canonization w/o comments
>>>
>>> $ xmllint --version
>>> xmllint: using libxml version 20608
>>>    compiled with: DTDValid FTP HTTP HTML C14N Catalog XPath XPointer XInclude Unicode Regexps Automata Schemas
>>>
>>> $ cat test.xml
>>> <SOAP-ENV:Body
>>>        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>>>        <ns0:Ping
>>>            xmlns:ns0="http://xmlsoap.org/Ping"
>>>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>            xsi:type="ns0:ping">
>>>            <ns0:text
>>>                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                xsi:type="xsd:string">Hello.</ns0:text>
>>>        </ns0:Ping>
>>> </SOAP-ENV:Body>
>>>
>>> $ testC14N.exe --exc-with-comments test.xml
>>> <SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>>>        <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns0:ping">
>>>            <ns0:text xsi:type="xsd:string">Hello.</ns0:text>
>>>        </ns0:Ping>
>>> </SOAP-ENV:Body>
>>>
>>>
>>> Aleksey
>>>
>>> Tomas Sieger wrote:
>>>
>>>> Hello,
>>>>  I'm experiencing a problem executing an exclusive XML
>>>> canonicalization. The canonicalization declares the same
>>>> namespace twice, at two elements in a parent-child
>>>> relation. Consider the following example:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: c14n-namespaces.tar.gz
Type: application/gzip
Size: 621 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20040416/f9861e85/c14n-namespaces.tar.bin
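An added example, not part of this thread and not code from libxml2 or xmlsec, showing what the canonical form of the test.xml above should look like and a check for the failure mode Tomas describes. It uses Python's standard library `xml.etree.ElementTree.canonicalize`, which implements Canonical XML 2.0 rather than Exclusive C14N 1.0; on the point at issue the two agree: a namespace declaration is emitted only on the element where the prefix is first visibly used and is not repeated on descendants, so the second `xmlns:xsi` on `ns0:text` must disappear, as in Aleksey's output. The `redundant_namespace_declarations` helper is a constructed check, not an xmlsec or libxml2 API: it walks a serialization and reports every `xmlns` declaration that repeats a binding already in force from an ancestor, which is exactly the extra bytes that made the digest differ from other DSig implementations.

```python
import io
import xml.etree.ElementTree as ET

# Constructed copy of the test.xml from the thread: ns0:text redeclares xmlns:xsi
# even though the identical binding is already in scope from ns0:Ping.
TEST_XML = """<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="ns0:ping">
    <ns0:text xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="xsd:string">Hello.</ns0:text>
  </ns0:Ping>
</SOAP-ENV:Body>"""


def canonicalize_visibly_used(xml_text):
    """Serialize with namespace declarations only where a prefix is first visibly used.

    The stdlib implements Canonical XML 2.0; on this point it behaves like
    Exclusive C14N 1.0, so the xmlns:xsi on ns0:text must not be emitted.
    strip_text=True drops the indentation-only text nodes to keep the result compact.
    """
    return ET.canonicalize(xml_text, strip_text=True)


def redundant_namespace_declarations(xml_text):
    """Return (element tag, prefix) pairs whose xmlns declaration repeats a binding
    already in force from an ancestor.

    Such repeats change the canonical bytes and therefore the digest, which is
    how a signature computed here fails to verify in another implementation.
    (Constructed helper for this example, not an xmlsec API.)
    """
    redundant = []
    scopes = []       # one {prefix: uri} dict per currently open element
    pending = []      # start-ns events arrive before the owning element's start event
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            pending.append(payload)            # payload is (prefix, uri)
        elif event == "start":
            declared = {}
            for prefix, uri in pending:
                in_scope = next((s[prefix] for s in reversed(scopes) if prefix in s), None)
                if in_scope == uri:
                    redundant.append((payload.tag, prefix))
                declared[prefix] = uri
            scopes.append(declared)
            pending = []
        else:                                  # "end": leave the element's scope
            scopes.pop()
    return redundant


if __name__ == "__main__":
    # The raw input carries one redundant declaration (xsi on ns0:text) ...
    print("raw input repeats:", redundant_namespace_declarations(TEST_XML))
    canonical = canonicalize_visibly_used(TEST_XML)
    print(canonical)
    # ... and a correct canonical form carries none.
    print("canonical output repeats:", redundant_namespace_declarations(canonical))
```

Run the same check over the bytes a signer actually digested: if it reports anything for an Exclusive C14N output, the canonicalizer (or the XPath node-set handed to it) is the place to look, since other implementations will produce the shorter form and a different digest.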