[xmlsec] xmlsec and performing canonicalization by default
S.Yona at F5.com
Thu Apr 23 11:55:53 PDT 2009
Thanks for your reply.
Let's consider the following case:
Request - Content arrives already canonicalized, and the signed content is not changed between the sender and recipient by intermediaries.
Response - Content arrives at the server not canonicalized, is signed and sent without canonicalizing it.
Canonicalization is only relevant for signature generation/verify, not for encryption/decryption.
W3C digital signature spec:
When signing, there are two levels of calculation:
1. Calculate digest of selected referenced sections of the document (could be any section of the document).
2. Calculate digest on resultant SignedInfo element that contains the Reference elements, containing the details of the referenced sections along with their calculated digest value, and details on how the SignedInfo digest and signature are calculated.
In (1), canonicalization can be specified using a Transform element, but it is *optional*.
In (2), CanonicalizationMethod is *mandatory*, but it is specified *only for the SignedInfo element*.
So, you see, I wonder why xmlsec performs the canonicalization even when a transform is not explicitly listed in the content (thus canonicalization is not mandatory)?
Thank you for your help.
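The two calculation levels described in the message above, as an added worked example (this is not xmlsec code and not part of the thread). It shows why signer and verifier must agree on whether referenced content is canonicalized before digesting, even when no Transform element is listed: the same infoset serialized two ways gives different raw digests but one canonical digest, while SignedInfo is always canonicalized through CanonicalizationMethod before signing. One spec point worth keeping in mind when reading the question: the XML-DSig Reference Processing Model requires that a reference whose result is a node-set (a same-document URI="#id" reference, for instance) be converted to octets with Canonical XML before the DigestMethod is applied, so such references are canonicalized implicitly. Assumptions in the code: Python's stdlib canonicalize() (C14N 2.0) stands in for the Canonical XML 1.0 / exclusive C14N that xmlsec uses, HMAC-SHA256 stands in for an RSA or DSA SignatureMethod so no key material is needed, and the XML and key are constructed for the demo.

```python
"""XML-DSig's two calculation levels, on constructed data.

Added example (not xmlsec code): Python's stdlib canonicalize() (C14N 2.0)
stands in for the Canonical XML 1.0 / exclusive C14N that xmlsec uses, and
HMAC-SHA256 stands in for an RSA/DSA SignatureMethod so no key material is
needed.  All XML and the key below are constructed for this demo.
"""
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"  # Canonical XML 2.0 algorithm URI

# Two serializations of the same <Order> infoset: attribute order and
# empty-element syntax differ, as they might after an intermediary re-serializes.
ORDER_A = '<Order id="42" currency="USD"><Total>10.00</Total><Note/></Order>'
ORDER_B = '<Order currency="USD" id="42"><Total>10.00</Total><Note></Note></Order>'
KEY = b"constructed-shared-secret"  # constructed HMAC key


def c14n(xml_text: str) -> bytes:
    """Canonical XML as UTF-8 octets (attributes sorted, empty tags expanded)."""
    return ET.canonicalize(xml_data=xml_text).encode("utf-8")


def digest_b64(octets: bytes) -> str:
    return base64.b64encode(hashlib.sha256(octets).digest()).decode("ascii")


def reference_digest(xml_text: str, canonicalize: bool) -> str:
    """Level 1: DigestValue of the referenced content, with or without a c14n Transform."""
    octets = c14n(xml_text) if canonicalize else xml_text.encode("utf-8")
    return digest_b64(octets)


def build_signed_info(uri: str, digest_value: str) -> str:
    """Minimal <SignedInfo>; the Reference carries no Transforms element on purpose."""
    return (
        f'<SignedInfo xmlns="{DSIG}">'
        f'<CanonicalizationMethod Algorithm="{C14N2}"/>'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>'
        f'<Reference URI="{uri}">'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f'<DigestValue>{digest_value}</DigestValue>'
        '</Reference>'
        '</SignedInfo>'
    )


def sign(signed_info: str, key: bytes) -> str:
    """Level 2: SignedInfo is always run through CanonicalizationMethod first."""
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify(signed_info: str, signature_value: str, referenced: str,
           key: bytes, canonicalize: bool) -> bool:
    """Check level 2 (signature over c14n(SignedInfo)), then level 1 (reference digest)."""
    if not hmac.compare_digest(sign(signed_info, key), signature_value):
        return False
    dv = ET.fromstring(signed_info).find(
        f"{{{DSIG}}}Reference/{{{DSIG}}}DigestValue").text
    return reference_digest(referenced, canonicalize) == dv


if __name__ == "__main__":
    si = build_signed_info("#order", reference_digest(ORDER_A, canonicalize=True))
    sig = sign(si, KEY)
    # Intermediary re-serialized the content; c14n on both sides still agrees.
    print("c14n both sides, content re-serialized:", verify(si, sig, ORDER_B, KEY, True))
    # Verifier skips the c14n the signer applied: digest mismatch on identical bytes.
    print("signer c14n, verifier raw:", verify(si, sig, ORDER_A, KEY, False))
    # SignedInfo itself re-serialized: the mandatory CanonicalizationMethod absorbs it.
    print("SignedInfo re-serialized:",
          verify(si.replace('<Reference URI', '<Reference  URI'), sig, ORDER_A, KEY, True))
```

Running the block prints True, False, True: byte-identical content fails to verify as soon as one side canonicalizes and the other does not, which is the situation the two cases (request and response) above describe.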
From: Aleksey Sanin <aleksey at aleksey.com>, Thu Apr 23 08:34:47 PDT 2009
Shlomo Yona wrote:
> It seems that xmlsec performs canonicalization (c14n) by default when
> verifying signatures even when the input message contains no transform
> element (dsig spec doesn't require a transform element).
> Is this behavior intentional?
> Thank you.