[xmlsec] xmlsec and performing canonicalization by default

Aleksey Sanin aleksey at aleksey.com
Thu Apr 23 12:08:29 PDT 2009


I've sent you the spec. Please read the c14n part and what
the signature generator should do when the c14n transform is missing.

Aleksey

Shlomo Yona wrote:
> Hello, Aleksey.
>
> Thanks for your reply.
>
> Let's consider the following case:
>
> Request - Content arrives already canonicalized, and the signed content
> is not changed between the sender and recipient by intermediaries.
>
> Response - Content arrives for server not-canonicalized, signed and sent
> without canonicalizing it.
>
> Canonicalization is only relevant for signature generation/verify, not
> for encryption/decryption.
>
> *W3C digital signature spec*
>
> When signing, there are two levels of calculation:
>
> 1. Calculate digest of selected referenced sections of the
> document (could be any section of the document).
>
> 2. Calculate digest on resultant SignedInfo element that contains
> the Reference elements, containing the details of the referenced
> sections along with their calculated digest value, and details on how
> the SignedInfo digest and signature are calculated.
>
> In (1), canonicalization can be specified using a Transform element, but
> it is **optional**.
>
> In (2), CanonicalizationMethod is **mandatory**, but it is specified
> **only for the SignedInfo element**.
>
> So, you see, I wonder why xmlsec performs the canonicalization even when
> a transform is not explicitly listed in the content (thus canonicalization
> is not mandatory)?
>
> Thank you for your help.
>
> Shlomo
> 
> ------------------------------------------------------------------------
>
> *From: Aleksey Sanin* aleksey at aleksey.com
> Thu Apr 23 08:34:47 PDT 2009
>
> http://www.w3.org/TR/xmldsig-core/
>
> Aleksey
>
> Shlomo Yona wrote:
> 
>> Hello,
>>
>> It seems that xmlsec performs canonicalization (c14n) by default when
>> verifying signatures even when the input message contains no transform
>> element (dsig spec doesn't require a transform element).
>>
>> Why?
>>
>> Is this behavior intentional?
>>
>> Thank you.
>>
>> Shlomo
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
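The rule Aleksey points to concerns a Reference that yields a node-set with no c14n Transform listed: the signer and verifier must still convert it to octets with Canonical XML before digesting, otherwise any intermediary that re-serializes the message changes the digest. The following is an added illustration, not code from the thread or from xmlsec, using only the Python standard library; its canonicalize() implements C14N 2.0 rather than the Canonical XML 1.0 the spec mandates, which is enough to show the effect on DigestValue.

```python
"""Added example: why a Reference digest depends on canonicalization.

xmldsig-core section 4.3.3.2 requires that a node-set with no octet-producing
Transform be converted to octets with Canonical XML before digesting.
xml.etree.ElementTree.canonicalize() implements C14N 2.0, not the Canonical
XML 1.0 the spec mandates, but the normalisations that matter here (attribute
order, quote style, empty-element syntax) behave the same way.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Two constructed serialisations of the same XML infoset. They differ only in
# attribute order, quote style and empty-element syntax, the kind of change a
# re-serialising intermediary introduces without touching the content.
ORIGINAL = '<Order id="42" xmlns="urn:example"><Item sku="a"></Item></Order>'
RESERIALIZED = "<Order xmlns='urn:example' id='42'><Item sku='a'/></Order>"


def canonical_form(xml_text: str) -> str:
    """Canonical serialisation (C14N 2.0): xmlns first, attributes sorted,
    double quotes, explicit end tags, no XML declaration or comments."""
    return ET.canonicalize(xml_data=xml_text)


def raw_digest(xml_text: str) -> str:
    """Base64 SHA-256 over the bytes exactly as received (no c14n), which is
    what the original poster expected when no Transform is listed."""
    return base64.b64encode(hashlib.sha256(xml_text.encode("utf-8")).digest()).decode()


def c14n_digest(xml_text: str) -> str:
    """Base64 SHA-256 over the canonical UTF-8 octets, as a conforming
    signer/verifier digests a node-set reference."""
    canon = canonical_form(xml_text).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def digest_survives_reserialization(a: str, b: str, canonicalize: bool) -> bool:
    """True if both serialisations produce the same DigestValue."""
    digest = c14n_digest if canonicalize else raw_digest
    return digest(a) == digest(b)


if __name__ == "__main__":
    print("raw bytes :", digest_survives_reserialization(ORIGINAL, RESERIALIZED, False))
    print("after c14n:", digest_survives_reserialization(ORIGINAL, RESERIALIZED, True))
```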

