Posted to dev@santuario.apache.org by Marcel Müller <cr...@gmx.de> on 2004/05/17 08:05:32 UTC

Schema validation and signature verification

Hi there,

I try to validate my XML file against the schema first; afterwards I
try to validate the enveloped signature. Unfortunately that doesn't work. The
parser tells me that the schema validation was successful (no errors &
warnings), but the signature verification fails after that. If I omit the
schema validation, the signature verification works. I use the code from
the VerifySignature.java sample file. Xerces version is Xerces-J 2.6.2.

Does anyone know what is going wrong? This seems strange to me.

Cheers,

Marcel

p.s.: Berin, thank you for your answer to my last question. I doubt I would
ever have found that one!



RE: Schema validation and signature verification

Posted by Scott Cantor <ca...@osu.edu>.
> As for normalization due to schema validation, I was under the impression
> that normalization done during schema validation is "virtual" and doesn't
> actually modify the actual bytes.

That's false. The parser will normalize the actual text nodes when it builds
the DOM, and it is those text nodes (not the original document's text) that
are fed into the c14n process. This is because XML Schema sets the
whiteSpace facet to "collapse" for that data type. Turning off normalization
bypasses the processing of that facet.

OTOH, I may be wrong, but I think that the XML linefeed handling is actually
done before any of the digesting happens when the input is an XML node set,
as opposed to an octet stream, so that for enveloped signatures, it doesn't
break anything no matter what the base64 looked like. It's the schema step
that breaks.

I think there may be some errata to XML Schema that relate to base64
handling, but I'm not sure if it affects any of this. I think not.

-- Scott


RE: Schema validation and signature verification

Posted by Blake Dournaee <bl...@sarvega.com>.
Hi Marcel -

Without seeing your signature first hand, I can probably say that if your
enveloped data goes on for more than a full line, a compliant Base-64
encoding algorithm is supposed to insert carriage return and line feed
characters after each line (0x0D, 0x0A).

I've seen issues where a DOM tree has already been created, and the large
chunk of Base-64 encoded content is inserted into the tree. In effect, the
0x0D and 0x0A characters are also included. When the signature is
serialized, these characters are preserved. On the input side, however,
these characters will be stripped in accordance with [1]. This breaks the
digest.

Some would argue that C14n should take care of this, but it doesn't. The
reason is that when the signature is processed by an XML-compliant
processor, CR and LF characters (0x0D and 0x0A) become 0x0A. The problem is
that if you've built the DOM tree and imported element content that was Base-64
encoded, the chunk of content will contain these characters.

Quote from [1]

"To simplify the tasks of applications, the XML processor MUST behave as if
it normalized all line breaks in external parsed entities (including the
document entity) on input, before parsing, by translating both the
two-character sequence #xD #xA and any #xD that is not followed by #xA to a
single #xA character."

As for normalization due to schema validation, I was under the impression
that normalization done during schema validation is "virtual" and doesn't
actually modify the actual bytes.

Regards,

Blake Dournaee
Senior Security Architect
Sarvega, Inc.
http://www.sarvega.com

[1] http://www.w3.org/TR/2004/REC-xml-20040204/#sec-line-ends



-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Monday, May 17, 2004 8:04 AM
To: security-dev@xml.apache.org
Subject: RE: Schema validation and signature verification

> Does anyone know what is going wrong? This seems strange to me.

I can tell you that if you leave schema data type normalization on, any
base64 objects you may have in the signed data will be corrupted by the
validator. There may be other data types that get corrupted depending on
different factors, but base64 is the most common case.

In effect schema validation and signature verification are currently
incompatible because there's no schema-centric c14n transform that's widely
implemented.

The workaround is to turn off the normalization step in the parser. That's
a hack, but it works.

-- Scott


RE: Schema validation and signature verification

Posted by Scott Cantor <ca...@osu.edu>.
> Does anyone know what is going wrong? This seems strange to me.

I can tell you that if you leave schema data type normalization on, any
base64 objects you may have in the signed data will be corrupted by the
validator. There may be other data types that get corrupted depending on
different factors, but base64 is the most common case.

In effect schema validation and signature verification are currently
incompatible because there's no schema-centric c14n transform that's widely
implemented.

The workaround is to turn off the normalization step in the parser. That's
a hack, but it works.

-- Scott
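An added illustration, not part of the thread, of the two mismatches Scott and Blake describe: the reference digest covers the characters of the text node as the verifier's parser hands them to c14n, so XML line-end normalization (CRLF to LF) and the schema whiteSpace=collapse facet on xs:base64Binary each change the digest even though the decoded bytes never change. The sample payload is constructed, and `digest_text_node` is a stand-in for the c14n-plus-digest step, not Santuario's own code.

```python
import base64
import hashlib
import re

# Constructed sample: 60 bytes of payload, base64-encoded with MIME-style
# CRLF line breaks, as a signer that builds the DOM text node directly might do.
PAYLOAD = bytes(range(60))
SIGNED_TEXT = base64.encodebytes(PAYLOAD).replace(b"\n", b"\r\n").decode("ascii")


def xml_line_end_normalize(text: str) -> str:
    """XML 1.0 section 2.11: CRLF and a lone CR become a single LF before parsing."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def schema_collapse(text: str) -> str:
    """XML Schema whiteSpace=collapse (the facet applied to xs:base64Binary):
    runs of #x9 #xA #xD #x20 become one space, then leading/trailing space is trimmed."""
    return re.sub(r"[\t\n\r ]+", " ", text).strip()


def digest_text_node(text: str) -> str:
    """Stand-in for digesting the canonicalized text node (hypothetical helper):
    the digest is over the node's characters, not over the bytes they decode to."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def compare_digests() -> dict:
    """Digest the same base64 text node at three points in the pipeline."""
    signer = digest_text_node(SIGNED_TEXT)                  # DOM built with CRLF
    parsed = xml_line_end_normalize(SIGNED_TEXT)            # verifier's parser: LF
    after_parse = digest_text_node(parsed)
    after_schema = digest_text_node(schema_collapse(parsed))  # validator normalized
    # b64decode discards non-alphabet characters, so every variant decodes alike.
    decoded_equal = (
        base64.b64decode(SIGNED_TEXT) == base64.b64decode(parsed)
        == base64.b64decode(schema_collapse(parsed)) == PAYLOAD
    )
    return {
        "signer": signer,
        "after_parse": after_parse,
        "after_schema": after_schema,
        "decoded_equal": decoded_equal,
    }


if __name__ == "__main__":
    for name, value in compare_digests().items():
        print(f"{name}: {value}")
```

Both `signer != after_parse` (Blake's CRLF case) and `after_parse != after_schema` (Scott's validator case) hold, while `decoded_equal` is true: the payload is intact, only the digested characters moved.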