[xmlsec] xmlsec and canonicalization
François Plou
fplou at webank.fr
Wed Mar 19 01:45:15 PDT 2014
Thanks for your answer. I was looking in chapter 3.1 not 2.1 and the
sample is confusing.
Le 18/03/2014 19:08, Alexwell Sandro a écrit :
> Canonical XMLVersion 1.0 does not remove linefeeds. Only normalize.
> Windows put CRLF and Linux LF. C14N normalize to LF.
>
> See http://www.w3.org/TR/2001/REC-xml-c14n-20010315
> 2 XML Canonicalization
> 2.1 Data Model
> ...
> The XML processor performs the following tasks in order:
>
> 1. normalize line feeds
>
> ...
>
>
>
>
> On Tue, Mar 18, 2014 at 2:49 PM, François Plou <fplou at webank.fr
> <mailto:fplou at webank.fr>> wrote:
>
> Hi,
>
> I am trying to sign an XML document where I add a linefeed between
> two nodes.
> To my understanding, according canonicalization (1.0), an xml
> document like this :
>
> <node>a</node>
>
> <node>b</node>
>
> must give the same digest and signature value as this one :
>
> <node>a</node>
> <node>b</node>
>
> But this is not the case. When I use the option --store-reference,
> the output show the extra line feed.
>
> Below is my xml document :
>
> <?xml version = "1.0" encoding = "UTF-8"?>
> <Document xmlns = "urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02" >
> <AcctOpngReq>
> <Refs>
> <MsgId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </MsgId>
> <PrcId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </PrcId>
> </Refs>
>
> <Acct>
> <Id>
> <Othr>
> <Id>NOREF</Id>
> </Othr>
> </Id>
> <Tp>
> <Cd>CASH</Cd>
> </Tp>
> <Ccy>USD</Ccy>
> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
> <MnthlyTxNb>100</MnthlyTxNb>
> <AvrgBal>10000</AvrgBal>
> </Acct>
> <CtrctDts>
> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
> </CtrctDts>
> <UndrlygMstrAgrmt>
> <Ref>ABC/Acct/BBBBUS33</Ref>
> <Vrsn>1.0</Vrsn>
> </UndrlygMstrAgrmt>
> <AcctSvcrId>
> <FinInstnId>
> <BICFI>BBBBUS33</BICFI>
> </FinInstnId>
> </AcctSvcrId>
> <Org>
> <FullLglNm>ABC Corporation</FullLglNm>
> <CtryOfOpr>US</CtryOfOpr>
> <RegnDt>1999-09-01</RegnDt>
> <LglAdr>
> <StrtNm>Times Square</StrtNm>
> <BldgNb>7</BldgNb>
> <PstCd>NY 10036</PstCd>
> <TwnNm>New York</TwnNm>
> <Ctry>US</Ctry>
> </LglAdr>
> <OrgId>
> <Othr>
> <Id>01256485-85</Id>
> <SchmeNm>
> <Prtry>TAX</Prtry>
> </SchmeNm>
> </Othr>
> </OrgId>
> <MainMndtHldr>
> <Nm>Richard Jones</Nm>
> <PstlAdr>
> <AdrTp>HOME</AdrTp>
> <StrtNm>La Guardia Drive</StrtNm>
> <BldgNb>12</BldgNb>
> <PstCd>NJ 07054</PstCd>
> <TwnNm>Parsippany</TwnNm>
> <Ctry>US</Ctry>
> </PstlAdr>
> <Id>
> <DtAndPlcOfBirth>
> <BirthDt>1960-05-01</BirthDt>
> <CityOfBirth>New york</CityOfBirth>
> <CtryOfBirth>US</CtryOfBirth>
> </DtAndPlcOfBirth>
> </Id>
> </MainMndtHldr>
> </Org>
> <DgtlSgntr>
> <Pty>
> <Nm>fplou</Nm>
> </Pty>
> <Sgntr>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> <SignatureMethod
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> <Reference URI="">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> <Transform
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> <DigestValue></DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue />
> <KeyInfo>
> <KeyValue />
> </KeyInfo>
> </Signature>
> </Sgntr>
> </DgtlSgntr>
> </AcctOpngReq>
> </Document>
>
> The ouput of --store-references is the following :
>
> == PreDigest data - start buffer:
> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
> <AcctOpngReq>
> <Refs>
> <MsgId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </MsgId>
> <PrcId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </PrcId>
> </Refs>
>
> <Acct>
> <Id>
> <Othr>
> <Id>NOREF</Id>
> </Othr>
> </Id>
> <Tp>
> <Cd>CASH</Cd>
> </Tp>
> <Ccy>USD</Ccy>
> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
> <MnthlyTxNb>100</MnthlyTxNb>
> <AvrgBal>10000</AvrgBal>
> </Acct>
> <CtrctDts>
> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
> </CtrctDts>
> <UndrlygMstrAgrmt>
> <Ref>ABC/Acct/BBBBUS33</Ref>
> <Vrsn>1.0</Vrsn>
> </UndrlygMstrAgrmt>
> <AcctSvcrId>
> <FinInstnId>
> <BICFI>BBBBUS33</BICFI>
> </FinInstnId>
> </AcctSvcrId>
> <Org>
> <FullLglNm>ABC Corporation</FullLglNm>
> <CtryOfOpr>US</CtryOfOpr>
> <RegnDt>1999-09-01</RegnDt>
> <LglAdr>
> <StrtNm>Times Square</StrtNm>
> <BldgNb>7</BldgNb>
> <PstCd>NY 10036</PstCd>
> <TwnNm>New York</TwnNm>
> <Ctry>US</Ctry>
> </LglAdr>
> <OrgId>
> <Othr>
> <Id>01256485-85</Id>
> <SchmeNm>
> <Prtry>TAX</Prtry>
> </SchmeNm>
> </Othr>
> </OrgId>
> <MainMndtHldr>
> <Nm>Richard Jones</Nm>
> <PstlAdr>
> <AdrTp>HOME</AdrTp>
> <StrtNm>La Guardia
> Drive</StrtNm>
> <BldgNb>12</BldgNb>
> <PstCd>NJ 07054</PstCd>
> <TwnNm>Parsippany</TwnNm>
> <Ctry>US</Ctry>
> </PstlAdr>
> <Id>
> <DtAndPlcOfBirth>
> <BirthDt>1960-05-01</BirthDt>
> <CityOfBirth>New york</CityOfBirth>
> <CtryOfBirth>US</CtryOfBirth>
> </DtAndPlcOfBirth>
> </Id>
> </MainMndtHldr>
> </Org>
> <DgtlSgntr>
> <Pty>
> <Nm>fplou</Nm>
> </Pty>
> <Sgntr>
>
> </Sgntr>
> </DgtlSgntr>
> </AcctOpngReq>
> </Document>
> == PreDigest data - end buffer
> == Result - start buffer:
> v80V0QWK0r89EhOr4Kh4Q79ofZ/zYw2ReI4s8e0ebW4=
> == Result - end buffer
> == Manifest References List:
> === list size: 0
> == Result - start buffer:
> ELC9j9/SaQ3VOcVcZBV4ZFpHsRU7jfc25gHCx9/CyCQBLyNF6yqfzLjTuvg9NAvF
> HaDXuKhLvTjtEG1hgvuXXkyKFgJkA+pJrIKcOmpVMcwgR85MpZ/1BumxEeHPtHif
> PQp9ngJmQ6PzC7P3FFmDfNGoY3gOyiK/s+IecGtqr+A5JwALFFNkXgEp96DBqF4P
> d2HRNH0LbIw0IKQN+BckTOxeLFNQ269fP0AFuFxVp8fVQfhGuMJHlNnr3lX2WHjw
> emqcEW4X/0vcFcoKUsvGRRwz7eFYjjMjrghaOWW+byPYQrHFOV7o0wN9UC8TCN9R
> YXnL/c3Rx7P+QkX7/f7n4g==
> == Result - end buffer
>
>
> If I remove the line feed between :
> </Refs>
>
> <Acct>
>
> The output is slightly different :
>
> == PreDigest data - start buffer:
> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
> <AcctOpngReq>
> <Refs>
> <MsgId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </MsgId>
> <PrcId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </PrcId>
> </Refs>
> <Acct>
> <Id>
> <Othr>
> <Id>NOREF</Id>
> </Othr>
> </Id>
> <Tp>
> <Cd>CASH</Cd>
> </Tp>
> <Ccy>USD</Ccy>
> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
> <MnthlyTxNb>100</MnthlyTxNb>
> <AvrgBal>10000</AvrgBal>
> </Acct>
> <CtrctDts>
> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
> </CtrctDts>
> <UndrlygMstrAgrmt>
> <Ref>ABC/Acct/BBBBUS33</Ref>
> <Vrsn>1.0</Vrsn>
> </UndrlygMstrAgrmt>
> <AcctSvcrId>
> <FinInstnId>
> <BICFI>BBBBUS33</BICFI>
> </FinInstnId>
> </AcctSvcrId>
> <Org>
> <FullLglNm>ABC Corporation</FullLglNm>
> <CtryOfOpr>US</CtryOfOpr>
> <RegnDt>1999-09-01</RegnDt>
> <LglAdr>
> <StrtNm>Times Square</StrtNm>
> <BldgNb>7</BldgNb>
> <PstCd>NY 10036</PstCd>
> <TwnNm>New York</TwnNm>
> <Ctry>US</Ctry>
> </LglAdr>
> <OrgId>
> <Othr>
> <Id>01256485-85</Id>
> <SchmeNm>
> <Prtry>TAX</Prtry>
> </SchmeNm>
> </Othr>
> </OrgId>
> <MainMndtHldr>
> <Nm>Richard Jones</Nm>
> <PstlAdr>
> <AdrTp>HOME</AdrTp>
> <StrtNm>La Guardia
> Drive</StrtNm>
> <BldgNb>12</BldgNb>
> <PstCd>NJ 07054</PstCd>
> <TwnNm>Parsippany</TwnNm>
> <Ctry>US</Ctry>
> </PstlAdr>
> <Id>
> <DtAndPlcOfBirth>
> <BirthDt>1960-05-01</BirthDt>
> <CityOfBirth>New york</CityOfBirth>
> <CtryOfBirth>US</CtryOfBirth>
> </DtAndPlcOfBirth>
> </Id>
> </MainMndtHldr>
> </Org>
> <DgtlSgntr>
> <Pty>
> <Nm>fplou</Nm>
> </Pty>
> <Sgntr>
>
> </Sgntr>
> </DgtlSgntr>
> </AcctOpngReq>
> </Document>
> == PreDigest data - end buffer
> == Result - start buffer:
> zYybkjAuafmZgmnEbWItuE4Q1+u76x4I5HExyHThFe0=
> == Result - end buffer
> == Manifest References List:
> === list size: 0
> == Result - start buffer:
> VsVLlG0KahJelXvXjo2Ozst5axBXxtWeR4So0P+PAAcOi6ihtTKc5oUUJjIEivbO
> rCkdKuT4AFlbPEF8t4ErMAHS6iCP5JplF3zQA1YzVxGzmOQFRtpBookknF5wXu7H
> adyr9dIuZPcudAX7ZV0R0iwRIJJwdZQgYvA4HgZJJ3eMlBj8K1Zp5WR4UbbkBacV
> /dOnIIpRljd3YwxCnHp7hO6oizGOIkNhGbq6kkJ3ULGxWuT9/xy5IO64AV397PiK
> R0VtvNDNXW2WFjLfJ3XBuaVUq2T/GVCB9tcXYPUh67wwqzAyiaHUcymYgg2CZ6kF
> 3eZvTwOjkVmrY7iYuAsqeQ==
> == Result - end buffer
>
> I am working on latest release of xmlsec and on Unix.
>
> Is my understanding correct ?
>
> Thanks.
>
> Francois
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20140319/bb4c0f36/attachment-0001.html>
More information about the xmlsec
mailing list