[xmlsec] xmlsec and canonicalization
François Plou
fplou at webank.fr
Tue Mar 18 10:49:14 PDT 2014
Hi,
I am trying to sign an XML document where I add a linefeed between two
nodes.
To my understanding, according to canonicalization (1.0), an XML document
like this:
<node>a</node>
<node>b</node>
must give the same digest and signature value as this one:
<node>a</node>
<node>b</node>
But this is not the case. When I use the option --store-references, the
output shows the extra line feed.
Below is my XML document:
<?xml version = "1.0" encoding = "UTF-8"?>
<Document xmlns = "urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02" >
<AcctOpngReq>
<Refs>
<MsgId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</MsgId>
<PrcId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</PrcId>
</Refs>
<Acct>
<Id>
<Othr>
<Id>NOREF</Id>
</Othr>
</Id>
<Tp>
<Cd>CASH</Cd>
</Tp>
<Ccy>USD</Ccy>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<MnthlyTxNb>100</MnthlyTxNb>
<AvrgBal>10000</AvrgBal>
</Acct>
<CtrctDts>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
</CtrctDts>
<UndrlygMstrAgrmt>
<Ref>ABC/Acct/BBBBUS33</Ref>
<Vrsn>1.0</Vrsn>
</UndrlygMstrAgrmt>
<AcctSvcrId>
<FinInstnId>
<BICFI>BBBBUS33</BICFI>
</FinInstnId>
</AcctSvcrId>
<Org>
<FullLglNm>ABC Corporation</FullLglNm>
<CtryOfOpr>US</CtryOfOpr>
<RegnDt>1999-09-01</RegnDt>
<LglAdr>
<StrtNm>Times Square</StrtNm>
<BldgNb>7</BldgNb>
<PstCd>NY 10036</PstCd>
<TwnNm>New York</TwnNm>
<Ctry>US</Ctry>
</LglAdr>
<OrgId>
<Othr>
<Id>01256485-85</Id>
<SchmeNm>
<Prtry>TAX</Prtry>
</SchmeNm>
</Othr>
</OrgId>
<MainMndtHldr>
<Nm>Richard Jones</Nm>
<PstlAdr>
<AdrTp>HOME</AdrTp>
<StrtNm>La Guardia Drive</StrtNm>
<BldgNb>12</BldgNb>
<PstCd>NJ 07054</PstCd>
<TwnNm>Parsippany</TwnNm>
<Ctry>US</Ctry>
</PstlAdr>
<Id>
<DtAndPlcOfBirth>
<BirthDt>1960-05-01</BirthDt>
<CityOfBirth>New york</CityOfBirth>
<CtryOfBirth>US</CtryOfBirth>
</DtAndPlcOfBirth>
</Id>
</MainMndtHldr>
</Org>
<DgtlSgntr>
<Pty>
<Nm>fplou</Nm>
</Pty>
<Sgntr>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue />
<KeyInfo>
<KeyValue />
</KeyInfo>
</Signature>
</Sgntr>
</DgtlSgntr>
</AcctOpngReq>
</Document>
The output of --store-references is the following:
== PreDigest data - start buffer:
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq>
<Refs>
<MsgId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</MsgId>
<PrcId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</PrcId>
</Refs>
<Acct>
<Id>
<Othr>
<Id>NOREF</Id>
</Othr>
</Id>
<Tp>
<Cd>CASH</Cd>
</Tp>
<Ccy>USD</Ccy>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<MnthlyTxNb>100</MnthlyTxNb>
<AvrgBal>10000</AvrgBal>
</Acct>
<CtrctDts>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
</CtrctDts>
<UndrlygMstrAgrmt>
<Ref>ABC/Acct/BBBBUS33</Ref>
<Vrsn>1.0</Vrsn>
</UndrlygMstrAgrmt>
<AcctSvcrId>
<FinInstnId>
<BICFI>BBBBUS33</BICFI>
</FinInstnId>
</AcctSvcrId>
<Org>
<FullLglNm>ABC Corporation</FullLglNm>
<CtryOfOpr>US</CtryOfOpr>
<RegnDt>1999-09-01</RegnDt>
<LglAdr>
<StrtNm>Times Square</StrtNm>
<BldgNb>7</BldgNb>
<PstCd>NY 10036</PstCd>
<TwnNm>New York</TwnNm>
<Ctry>US</Ctry>
</LglAdr>
<OrgId>
<Othr>
<Id>01256485-85</Id>
<SchmeNm>
<Prtry>TAX</Prtry>
</SchmeNm>
</Othr>
</OrgId>
<MainMndtHldr>
<Nm>Richard Jones</Nm>
<PstlAdr>
<AdrTp>HOME</AdrTp>
<StrtNm>La Guardia Drive</StrtNm>
<BldgNb>12</BldgNb>
<PstCd>NJ 07054</PstCd>
<TwnNm>Parsippany</TwnNm>
<Ctry>US</Ctry>
</PstlAdr>
<Id>
<DtAndPlcOfBirth>
<BirthDt>1960-05-01</BirthDt>
<CityOfBirth>New york</CityOfBirth>
<CtryOfBirth>US</CtryOfBirth>
</DtAndPlcOfBirth>
</Id>
</MainMndtHldr>
</Org>
<DgtlSgntr>
<Pty>
<Nm>fplou</Nm>
</Pty>
<Sgntr>
</Sgntr>
</DgtlSgntr>
</AcctOpngReq>
</Document>
== PreDigest data - end buffer
== Result - start buffer:
v80V0QWK0r89EhOr4Kh4Q79ofZ/zYw2ReI4s8e0ebW4=
== Result - end buffer
== Manifest References List:
=== list size: 0
== Result - start buffer:
ELC9j9/SaQ3VOcVcZBV4ZFpHsRU7jfc25gHCx9/CyCQBLyNF6yqfzLjTuvg9NAvF
HaDXuKhLvTjtEG1hgvuXXkyKFgJkA+pJrIKcOmpVMcwgR85MpZ/1BumxEeHPtHif
PQp9ngJmQ6PzC7P3FFmDfNGoY3gOyiK/s+IecGtqr+A5JwALFFNkXgEp96DBqF4P
d2HRNH0LbIw0IKQN+BckTOxeLFNQ269fP0AFuFxVp8fVQfhGuMJHlNnr3lX2WHjw
emqcEW4X/0vcFcoKUsvGRRwz7eFYjjMjrghaOWW+byPYQrHFOV7o0wN9UC8TCN9R
YXnL/c3Rx7P+QkX7/f7n4g==
== Result - end buffer
If I remove the line feed between:
</Refs>
<Acct>
The output is slightly different:
== PreDigest data - start buffer:
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq>
<Refs>
<MsgId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</MsgId>
<PrcId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</PrcId>
</Refs>
<Acct>
<Id>
<Othr>
<Id>NOREF</Id>
</Othr>
</Id>
<Tp>
<Cd>CASH</Cd>
</Tp>
<Ccy>USD</Ccy>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<MnthlyTxNb>100</MnthlyTxNb>
<AvrgBal>10000</AvrgBal>
</Acct>
<CtrctDts>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
</CtrctDts>
<UndrlygMstrAgrmt>
<Ref>ABC/Acct/BBBBUS33</Ref>
<Vrsn>1.0</Vrsn>
</UndrlygMstrAgrmt>
<AcctSvcrId>
<FinInstnId>
<BICFI>BBBBUS33</BICFI>
</FinInstnId>
</AcctSvcrId>
<Org>
<FullLglNm>ABC Corporation</FullLglNm>
<CtryOfOpr>US</CtryOfOpr>
<RegnDt>1999-09-01</RegnDt>
<LglAdr>
<StrtNm>Times Square</StrtNm>
<BldgNb>7</BldgNb>
<PstCd>NY 10036</PstCd>
<TwnNm>New York</TwnNm>
<Ctry>US</Ctry>
</LglAdr>
<OrgId>
<Othr>
<Id>01256485-85</Id>
<SchmeNm>
<Prtry>TAX</Prtry>
</SchmeNm>
</Othr>
</OrgId>
<MainMndtHldr>
<Nm>Richard Jones</Nm>
<PstlAdr>
<AdrTp>HOME</AdrTp>
<StrtNm>La Guardia Drive</StrtNm>
<BldgNb>12</BldgNb>
<PstCd>NJ 07054</PstCd>
<TwnNm>Parsippany</TwnNm>
<Ctry>US</Ctry>
</PstlAdr>
<Id>
<DtAndPlcOfBirth>
<BirthDt>1960-05-01</BirthDt>
<CityOfBirth>New york</CityOfBirth>
<CtryOfBirth>US</CtryOfBirth>
</DtAndPlcOfBirth>
</Id>
</MainMndtHldr>
</Org>
<DgtlSgntr>
<Pty>
<Nm>fplou</Nm>
</Pty>
<Sgntr>
</Sgntr>
</DgtlSgntr>
</AcctOpngReq>
</Document>
== PreDigest data - end buffer
== Result - start buffer:
zYybkjAuafmZgmnEbWItuE4Q1+u76x4I5HExyHThFe0=
== Result - end buffer
== Manifest References List:
=== list size: 0
== Result - start buffer:
VsVLlG0KahJelXvXjo2Ozst5axBXxtWeR4So0P+PAAcOi6ihtTKc5oUUJjIEivbO
rCkdKuT4AFlbPEF8t4ErMAHS6iCP5JplF3zQA1YzVxGzmOQFRtpBookknF5wXu7H
adyr9dIuZPcudAX7ZV0R0iwRIJJwdZQgYvA4HgZJJ3eMlBj8K1Zp5WR4UbbkBacV
/dOnIIpRljd3YwxCnHp7hO6oizGOIkNhGbq6kkJ3ULGxWuT9/xy5IO64AV397PiK
R0VtvNDNXW2WFjLfJ3XBuaVUq2T/GVCB9tcXYPUh67wwqzAyiaHUcymYgg2CZ6kF
3eZvTwOjkVmrY7iYuAsqeQ==
== Result - end buffer
I am working on the latest release of xmlsec and on Unix.
Is my understanding correct?
Thanks.
Francois
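The behaviour asked about above, reproduced with an added Python example that is not code from the original post or from xmlsec: Canonical XML keeps whitespace-only text nodes between elements, so a document with a linefeed between `</Refs>` and `<Acct>` canonicalizes to different bytes, and therefore a different digest, than the same document without it. Python's standard-library `canonicalize()` implements C14N 2.0 rather than the C14N 1.0 transform named in the post's SignedInfo, but both keep such whitespace unless explicitly told to strip it; the trimmed-down document and its namespace below are constructed for the example.

```python
# Added example (not from the original post or from xmlsec): canonicalize two
# variants of a small document, one with a linefeed between </Refs> and <Acct>
# and one without, and compare the SHA-256 digests of the canonical bytes.
# xml.etree's canonicalize() is C14N 2.0; like C14N 1.0 it preserves
# whitespace-only text nodes unless strip_text=True is requested.
import hashlib
from typing import Tuple
from xml.etree.ElementTree import canonicalize

# Constructed, cut-down stand-ins for the two documents shown in the post.
WITH_NEWLINE = (
    '<Document xmlns="urn:example:constructed">\n'
    '<Refs><Id>ABC/090928/CCT001</Id></Refs>\n'
    '<Acct><Ccy>USD</Ccy></Acct>\n'
    '</Document>'
)
WITHOUT_NEWLINE = WITH_NEWLINE.replace('</Refs>\n<Acct>', '</Refs><Acct>')


def c14n_digest(xml_text: str, strip_text: bool = False) -> Tuple[bytes, str]:
    """Return (canonical bytes, SHA-256 hex digest) for the given document."""
    canonical = canonicalize(xml_text, strip_text=strip_text).encode("utf-8")
    return canonical, hashlib.sha256(canonical).hexdigest()


def digests_match(doc_a: str, doc_b: str, strip_text: bool = False) -> bool:
    """True when both documents canonicalize to the same digest."""
    return c14n_digest(doc_a, strip_text)[1] == c14n_digest(doc_b, strip_text)[1]


if __name__ == "__main__":
    for label, doc in (("with newline", WITH_NEWLINE),
                       ("without newline", WITHOUT_NEWLINE)):
        canonical, digest = c14n_digest(doc)
        print(f"--- {label}: sha256={digest}")
        print(canonical.decode("utf-8"))
    # Default canonicalization keeps the whitespace text node: digests differ,
    # which is exactly what xmlsec's --store-references output shows.
    print("match (default):", digests_match(WITH_NEWLINE, WITHOUT_NEWLINE))
    # Only an explicit whitespace-stripping option makes them equal; the XMLDSig
    # C14N 1.0 transform has no such option, so a verifier must see the same
    # whitespace the signer saw.
    print("match (strip_text=True):",
          digests_match(WITH_NEWLINE, WITHOUT_NEWLINE, strip_text=True))
```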