[xmlsec] Microsoft .NET compatibility
Aleksey Sanin
aleksey@aleksey.com
Thu, 29 May 2003 20:53:00 -0700
Rob,
Sorry for the delay in replying to your messages. I thought that your problem
would require more time than I had. I finally got some time tonight to
look at this issue, and it does not seem that the problem is in line feeds
as you wrote.
I created a simple template with DOS end-of-line characters (\r\n) and signed
it.
As expected, xmlsec/libxml removed all the line feed (\r) symbols
from the output. Then I manually added a \r symbol to each line in the file
and tried to verify the signature in the modified file. And verification
succeeded!
This means that xmlsec/libxml correctly throw away line feeds, as is
required by the C14N specification. If you are interested, I can send you the
files I used for testing, but it's probably not relevant to your
problem.
After that I decided to go and check your original files. As far as I can
understand, there were two files signed by MS .NET:
microsoft.xml --- xmlsec was not able to verify the digest
in the <dsig:Reference/> element
microsoftfin.xml --- xmlsec was able to verify the digest
in the <dsig:Reference/> element, but signature
verification for the <dsig:SignedInfo/> element failed
I started with the second file and removed all end-of-line (\n) characters and
all spaces right after the \n characters (i.e. formatting) from the
<dsig:SignedInfo/> element. And the signature for <dsig:SignedInfo/> was
successfully verified!
Then I did the same exercise with the first document, and xmlsec was able
to verify it too!
From these exercises I conclude that when MS .NET signed the document
it did not have formatting (i.e. indentation and end of lines). This means
that most likely the formatting was added *after* the document was signed
(note that the digest in the microsoftfin.xml file was calculated over the
document with formatting, and this digest was successfully verified by xmlsec;
this means that it is not likely that C14N in .NET threw the formatting out).
The first suspect is the code that dumps the signed XML document into the file.
You mentioned that you are sending the signed XML file over the network.
I would suggest trying to dump the XML file *directly* from the network traffic
(I usually use a nice tool called Ethereal,
http://www.ethereal.com/download.html)
and trying to verify the dumped document with xmlsec. Another option would be
to check the code that dumps the document for you (I tried to look
through the source code you sent me, but I could not find any problems there).
Bottom line:
I am not convinced that there is any problem in either xmlsec or MS .NET.
Right now it seems that one of your tools *adds formatting* when it dumps
the signed XML document.
With best regards,
Aleksey
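The two experiments described in the message above (\r\n versus \n line endings, and indentation added after signing) reproduced as an added example; this is not code from the message, from xmlsec or from MS .NET. It uses the Python standard library's C14N 2.0 writer (ET.canonicalize, Python 3.8+) rather than the inclusive C14N 1.0 that xmlsec and .NET apply, but the two behaviours at issue are the same in both: the XML parser folds \r\n to \n before canonicalization, and whitespace-only text nodes are kept. The <SignedInfo/> fragment is constructed, SHA-256 stands in for the reference digest, and pretty_printed() is a stand-in for whatever tool adds the formatting on the way out.

```python
import hashlib
import re
from xml.etree import ElementTree as ET

# Constructed sample: a compact <SignedInfo/> of the kind a signer hashes before
# any pretty-printer has touched the document. Contents are illustrative only.
SIGNED_INFO_COMPACT = (
    '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<Reference URI="">'
    '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<DigestValue>AAAA</DigestValue>'
    '</Reference>'
    '</SignedInfo>'
)


def canonical_bytes(xml_text: str) -> bytes:
    r"""Canonicalize with the standard library's C14N 2.0 writer (Python 3.8+).

    The XML parser already folds \r\n and lone \r to \n (XML 1.0, section 2.11),
    so DOS and Unix line endings give identical output. Whitespace-only text
    nodes are NOT dropped: they are real nodes in the data model, so any
    indentation added after signing changes the canonical form.
    """
    return ET.canonicalize(xml_text).encode("utf-8")


def digest_hex(xml_text: str) -> str:
    """SHA-256 over the canonical form (stand-in for the digest a verifier checks)."""
    return hashlib.sha256(canonical_bytes(xml_text)).hexdigest()


def verify_digest(xml_text: str, expected_hex: str) -> bool:
    """Verifier side: recompute the digest of the received document and compare."""
    return digest_hex(xml_text) == expected_hex


def with_dos_line_endings(xml_text: str) -> str:
    r"""Dump the document one element per line with \r\n line endings."""
    return xml_text.replace("><", ">\r\n<")


def with_unix_line_endings(xml_text: str) -> str:
    r"""Same as above, but with \n only (what xmlsec/libxml write back out)."""
    return xml_text.replace("><", ">\n<")


def pretty_printed(xml_text: str) -> str:
    """Simulate a tool that indents the document on output (the suspect in the
    message): a newline plus two spaces between adjacent tags."""
    return xml_text.replace("><", ">\n  <")


def strip_formatting(xml_text: str) -> str:
    """Undo the indentation the way the message describes: drop every
    end-of-line together with the spaces that follow it."""
    return re.sub(r"\n[ \t]*", "", xml_text)


if __name__ == "__main__":
    signed = digest_hex(SIGNED_INFO_COMPACT)
    dos = with_dos_line_endings(SIGNED_INFO_COMPACT)
    unix = with_unix_line_endings(SIGNED_INFO_COMPACT)
    # Experiment 1: \r\n and \n versions canonicalize to the same bytes.
    print("DOS vs Unix canonical forms equal:", canonical_bytes(dos) == canonical_bytes(unix))
    # Experiment 2: indentation added after signing breaks the digest ...
    print("pretty-printed copy verifies:", verify_digest(pretty_printed(SIGNED_INFO_COMPACT), signed))
    # ... and stripping it again restores the original digest.
    print("after stripping formatting:",
          verify_digest(strip_formatting(pretty_printed(SIGNED_INFO_COMPACT)), signed))
```

Run it as a script to see the three results; when troubleshooting a real document, replace SIGNED_INFO_COMPACT with the bytes captured from the wire and compare them against what the dumping tool wrote to disk.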