[xmlsec] The formatting blanks and C14N.
Dogon, Gil
GDogon at ndsisrael.com
Wed Nov 17 00:09:46 PST 2004
Hello.
I am a newby to xmlsec, and I am sorry if the question is elementary, but I did not see a reference to this issue in the mailing list before.
The question is as follows:
C14N is crucial to xml security, but it seems to be broken in a way by the formatting blanks.
Specificaly I am reffering to the libxml2 function xmlKeepBlanksDefault().
Now if it is called with a 0 argument, formatting blanks are dropped from the XML node set and if not (which is libxml2 default behaviour) they are kept.
Those 'formatting blanks' are kept internally as special additional text nodes, so the actual xml nodeset is DIFFERENT depending upon wheteher they are kept or not. This means also that the C14N results are dependent on it.
I have not seen reference to this behaviour in the standard W3C C14N and dsig documents but maybe I did not look thoroughly enough.
As it stands now, with the current xmlsec examples, the function xmlKeepBlanksDefault() is not called, hence the formatting blanks are indeed kept, and so if I have a signed document, and I insert a newline or space in the start of a line, in most probability it would break the signature, in effect defeating the purpose of C14N.
I guess my question about this behaviour would be best put as:
Is keeping the formatting blanks a bug or is that a feature ?
Thanks
***********************************************************************************
Information contained in this email message is intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify the postmaster at nds.com and destroy the original message.
***********************************************************************************
More information about the xmlsec
mailing list