[xmlsec] xmlsec and performing canonicalization by default

Shlomo Yona S.Yona at F5.com
Thu Apr 23 11:55:53 PDT 2009


Hello, Aleksey.

Thanks for your reply.

Let's consider the following case:

Request - Content arrives already canonicalized, and the signed content is not changed between the sender and recipient by intermediaries.
Response - Content arrives at the server not canonicalized, is signed and sent without canonicalizing it.

Canonicalization is only relevant for signature generation/verify, not for encryption/decryption.

W3C digital signature spec
When signing, there are two levels of calculation:

1. Calculate digest of selected referenced sections of the document (could be any section of the document).

2. Calculate digest on resultant SignedInfo element that contains the Reference elements, containing the details of the referenced sections along with their calculated digest value, and details on how the SignedInfo digest and signature are calculated.

In (1), canonicalization can be specified using a Transform element, but it is *optional*.
In (2), CanonicalizationMethod is *mandatory*, but it is specified *only for the SignedInfo element*.

So, you see, I wonder why xmlsec performs the canonicalization even when a transform is not explicitly listed in the content (thus canonicalization is not mandatory)?

Thank you for your help.

Shlomo
________________________________

From: Aleksey Sanin aleksey at aleksey.com
Thu Apr 23 08:34:47 PDT 2009

http://www.w3.org/TR/xmldsig-core/

Aleksey

Shlomo Yona wrote:

> Hello,
>
> It seems that xmlsec performs canonicalization (c14n) by default when
> verifying signatures even when the input message contains no transform
> element (dsig spec doesn't require a transform element).
>
> Why?
>
> Is this behavior intentional?
>
> Thank you.
>
> Shlomo
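The two digest levels Shlomo describes, and the interoperability consequence of a verifier canonicalizing a Reference that lists no Transform, can be shown with a small worked example. The code below is added for this page; it is not part of the thread and not xmlsec's code. It assumes Python's built-in `xml.etree.ElementTree.canonicalize()` (Canonical XML 2.0) as a stand-in for the Canonical XML 1.0 transform an xmldsig implementation would apply, a hypothetical transform identifier `C14N_TRANSFORM`, SHA-256 as the digest, and two constructed serializations of one XML document.

```python
import base64
import hashlib
import hmac
from typing import Iterable
from xml.etree import ElementTree as ET

# Added example, not xmlsec code. ET.canonicalize() implements Canonical XML 2.0
# and stands in here for the Canonical XML 1.0 transform used by xmldsig.
C14N_TRANSFORM = "urn:example:c14n"  # hypothetical transform identifier for this demo

# Constructed sample: the same XML infoset serialized two ways. Quote style,
# the empty-element tag and whitespace differ, so the raw octets differ.
DOC_AS_SIGNED = b"<Order id='7'><Item sku='X1'/></Order>"
DOC_AS_RECEIVED = b'<Order id="7"><Item  sku="X1"></Item></Order>'


def canonical_form(octets: bytes) -> bytes:
    """Canonical XML form of the given octets (C14N 2.0 via the standard library)."""
    return ET.canonicalize(octets.decode("utf-8")).encode("utf-8")


def apply_transforms(octets: bytes, transforms: Iterable[str]) -> bytes:
    """Level (1) of the spec: run a Reference's Transform chain. An empty chain
    means the referenced octets are digested exactly as they arrived."""
    data = octets
    for t in transforms:
        if t == C14N_TRANSFORM:
            data = canonical_form(data)
        else:
            raise ValueError(f"unsupported transform: {t}")
    return data


def reference_digest(octets: bytes, transforms: Iterable[str] = ()) -> str:
    """DigestValue for one Reference: SHA-256 over the transformed octets, base64."""
    digest = hashlib.sha256(apply_transforms(octets, transforms)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_reference(octets: bytes, transforms: Iterable[str], expected: str) -> bool:
    """Recompute a Reference's DigestValue and compare it in constant time."""
    return hmac.compare_digest(reference_digest(octets, transforms), expected)


def signed_info_digest(signed_info_octets: bytes) -> str:
    """Level (2): SignedInfo is always canonicalized (CanonicalizationMethod is
    mandatory there) before the value that actually gets signed is computed."""
    digest = hashlib.sha256(canonical_form(signed_info_octets)).digest()
    return base64.b64encode(digest).decode("ascii")


def verifier_that_always_canonicalizes(octets: bytes, expected: str) -> bool:
    """Models a verifier that canonicalizes a Reference even when the signature
    lists no Transform, the behaviour the thread is asking about."""
    return verify_reference(octets, [C14N_TRANSFORM], expected)


if __name__ == "__main__":
    # Signer lists no Transform and digests the raw octets.
    raw_digest = reference_digest(DOC_AS_SIGNED)
    # Unchanged octets verify; octets re-serialized by an intermediary do not.
    print("raw, unchanged octets    :", verify_reference(DOC_AS_SIGNED, [], raw_digest))
    print("raw, re-serialized octets:", verify_reference(DOC_AS_RECEIVED, [], raw_digest))
    # A verifier that canonicalizes regardless rejects a valid raw-octet digest.
    print("raw digest, c14n verifier:", verifier_that_always_canonicalizes(DOC_AS_SIGNED, raw_digest))
    # With the c14n Transform listed, both serializations verify.
    c14n_digest = reference_digest(DOC_AS_SIGNED, [C14N_TRANSFORM])
    print("c14n, re-serialized      :", verify_reference(DOC_AS_RECEIVED, [C14N_TRANSFORM], c14n_digest))
```

The two failure cases are the ones to watch for when debugging a rejected signature: a Reference with no Transform only verifies if the octets are byte-for-byte what the signer digested, and a verifier that canonicalizes anyway will reject a signature that was correctly computed over non-canonical octets. Listing the canonicalization Transform explicitly makes the signature robust to re-serialization on both ends.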