Posted to dev@santuario.apache.org by Andrzej Matejko <an...@pro.onet.pl> on 2003/12/04 15:37:46 UTC

[C++] - verification, canonicalization, serialization

Hi,

   I create an xml document, add a Signature node, create the signature and then
serialize the document in this way:

  ------------------------------begin---------------------------------
  #include <xercesc/dom/DOM.hpp>
  #include <xercesc/framework/MemBufFormatTarget.hpp>
  #include <xercesc/util/XMLString.hpp>
  XERCES_CPP_NAMESPACE_USE

  // doc, gMyEOLSequence and gOutputEncoding are defined elsewhere in the
  // application (DOMDocument* and two XMLCh* strings).
  // Xerces-C 2.x DOMWriter API (DOMLSSerializer replaces it in 3.x).
  XMLCh tempStr[100];
  XMLString::transcode("LS", tempStr, 99);
  DOMImplementation *impl =
    DOMImplementationRegistry::getDOMImplementation(tempStr);
  DOMWriter *theSerializer =
    ((DOMImplementationLS*)impl)->createDOMWriter();

  // set user specified end of line sequence and output encoding
  theSerializer->setNewLine(gMyEOLSequence);
  theSerializer->setEncoding(gOutputEncoding);

  // serialize the whole document into an in-memory buffer
  MemBufFormatTarget *myFormTarget = new MemBufFormatTarget(50000);
  theSerializer->writeNode(myFormTarget, *doc);

  // pcBuf stays valid only as long as myFormTarget is alive
  unsigned int uiBufLen = myFormTarget->getLen();
  const XMLByte* pcBuf = myFormTarget->getRawBuffer();

  // ... use pcBuf / uiBufLen, then release the serializer and the target
  theSerializer->release();
  delete myFormTarget;
  -------------------------------end---------------------------------

   And pcBuf points to a buffer with the XML doc which is unfortunately
reordered (I mean, DOMWriter sorts the attributes in a node, changes '<' and
'&', etc.) and when I try to verify the signature over this doc the application
says 'verification failed'. The answer from the xerces group was: you
probably have forgotten to canonicalize before signing.  And here is
the question: is it possible? I thought that the xmldsig library
canonicalizes my xml document during signature creation and during
signature verification, and that the order of attributes in this document
is not important.

   looking for your help,
     andrew





Re: [C++] - verification, canonicalization, serialization

Posted by Andrzej Matejko <an...@pro.onet.pl>.
Hi,

   I did as you said but the problem is still unresolved :(.
   When I looked into the doc, etc., I discovered that the problem is in 
XSECCanon. When my xml doc returns from there, the node attributes are 
sorted in this (in my opinion) strange way:
    <Dekl Nr="12334567891" LiczbaOpak="30" MasaBrutto="55" 
MiejscZlozTow="magazyn celny"></Dekl>

  and it should be (as far as I understand RFC 3076):
    <Dekl LiczbaOpak="30" MasaBrutto="55" MiejscZlozTow="magazyn celny" 
Nr="12334567891"></Dekl>

   I don't know what is going on.
   Is there something (parameter, method) that I missed? Why does it 
sort in such a strange order? (When I verify this document it sorts in 
the 'normal' order.)

    looking for help,
      a little 'frustrated' andrew

> Andrew,
> 
> You should not need to canonicalise prior to serialisation.  The main 
> point of canonicalisation is that it will take an XML input and produce 
> the same byte sequence every time, provided the input has not materially 
> changed.  So in the serialised XML, you can do things like change 
> <Element/> to <Element></Element> as this will be re-serialised into the 
> canonical form by the signature function.
> 
> The problem is generally around changing text nodes.  These are 
> canonicalised *as they are* and are simply transformed to UTF-8, so if 
> you add a NL or anything like that, you run into problems.
> 
> So my first thought would be to remove the
> 
> theSerializer->setNewLine(gMyEOLSequence)
> 
> and see if that helps (your EOLSequence may not canonicalise the same 
> way as \n).
> 
> The other thing I do is turn off PrettyPrinting using the setFeature 
> method in DOMWriter.  (I have a memory that it is off by default, but I 
> generally do it for safety.)
> 
> theSerializer->setFeature(XMLUni::fgDOMWRTFormatPrettyPrint, false);
> 
> Hope that helps.
> 
> Cheers,
>     Berin
> 
> Andrzej Matejko wrote:
> 
>> Hi,
>>
>>   I create xml document, add Signature node, create signature and then
>> serialize document in such way:
>>
>>  ------------------------------begin---------------------------------
>>  XMLCh tempStr[100];
>>  XMLString::transcode("LS", tempStr, 99);
>>  DOMImplementation *impl
>>  =DOMImplementationRegistry::getDOMImplementation(tempStr);
>>  DOMWriter *theSerializer =
>>  ((DOMImplementationLS*)impl)->createDOMWriter();
>>
>>  DOMPrintFilter *myFilter=0;
>>  // set user specified end of line sequence and output encoding
>>  theSerializer->setNewLine(gMyEOLSequence);
>>  theSerializer->setEncoding(gOutputEncoding);
>>
>>  XMLFormatTarget *myFormTarget;
>>  myFormTarget = new MemBufFormatTarget(50000);
>>
>>  theSerializer->writeNode(myFormTarget, *doc);
>>
>>  XMLByte *buf;
>>  unsigned int uiBufLen = ((MemBufFormatTarget*)myFormTarget)->getLen();
>>
>>  const XMLByte* pcBuf;
>>  pcBuf = ((MemBufFormatTarget*)myFormTarget)->getRawBuffer();
>>
>>  -------------------------------end---------------------------------
>>
>>   And pcBuf points to buffer with XML doc which is unfortunately
>> reordered (I mean, DOMWriter sorts attributes in node, changes '<', and
>> '&', etc.) and when I try to verify signature over this doc application
>> says 'verification failed'. The answer from xerces group was: you
>> probably have forgotten to canonicalize before signature.  And here is
>> the question: is it possible? I thought, that xmldsig library during
>> signature creation and during signature verification canonicalizes my
>> xml document and that this is not important what is the order of
>> attributes in this document.
>>
>>   looking for your help,
>>     andrew
>>
>>
>>
>>
>>
> 
> 
> .
> 



Re: [C++] - verification, canonicalization, serialization

Posted by Berin Lautenbach <be...@ozemail.com.au>.
Andrew,

You should not need to canonicalise prior to serialisation.  The main 
point of canonicalisation is that it will take an XML input and produce 
the same byte sequence every time, provided the input has not materially 
changed.  So in the serialised XML, you can do things like change 
<Element/> to <Element></Element> as this will be re-serialised into the 
canonical form by the signature function.

The problem is generally around changing text nodes.  These are 
canonicalised *as they are* and are simply transformed to UTF-8, so if 
you add a NL or anything like that, you run into problems.

So my first thought would be to remove the

theSerializer->setNewLine(gMyEOLSequence)

and see if that helps (your EOLSequence may not canonicalise the same 
way as \n).

The other thing I do is turn off PrettyPrinting using the setFeature 
method in DOMWriter.  (I have a memory that it is off by default, but I 
generally do it for safety.)

theSerializer->setFeature(XMLUni::fgDOMWRTFormatPrettyPrint, false);

Hope that helps.

Cheers,
	Berin

Andrzej Matejko wrote:
> Hi,
> 
>   I create xml document, add Signature node, create signature and then
> serialize document in such way:
> 
>  ------------------------------begin---------------------------------
>  XMLCh tempStr[100];
>  XMLString::transcode("LS", tempStr, 99);
>  DOMImplementation *impl
>  =DOMImplementationRegistry::getDOMImplementation(tempStr);
>  DOMWriter *theSerializer =
>  ((DOMImplementationLS*)impl)->createDOMWriter();
> 
>  DOMPrintFilter *myFilter=0;
>  // set user specified end of line sequence and output encoding
>  theSerializer->setNewLine(gMyEOLSequence);
>  theSerializer->setEncoding(gOutputEncoding);
> 
>  XMLFormatTarget *myFormTarget;
>  myFormTarget = new MemBufFormatTarget(50000);
> 
>  theSerializer->writeNode(myFormTarget, *doc);
> 
>  XMLByte *buf;
>  unsigned int uiBufLen = ((MemBufFormatTarget*)myFormTarget)->getLen();
> 
>  const XMLByte* pcBuf;
>  pcBuf = ((MemBufFormatTarget*)myFormTarget)->getRawBuffer();
> 
>  -------------------------------end---------------------------------
> 
>   And pcBuf points to buffer with XML doc which is unfortunately
> reordered (I mean, DOMWriter sorts attributes in node, changes '<', and
> '&', etc.) and when I try to verify signature over this doc application
> says 'verification failed'. The answer from xerces group was: you
> probably have forgotten to canonicalize before signature.  And here is
> the question: is it possible? I thought, that xmldsig library during
> signature creation and during signature verification canonicalizes my
> xml document and that this is not important what is the order of
> attributes in this document.
> 
>   looking for your help,
>     andrew
> 
> 
> 
> 
>
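The two points raised in this thread (Andrew's expected RFC 3076 attribute order, and Berin's explanation that `<Element/>` versus `<Element></Element>` and attribute order do not change the canonical bytes while an edited text node does) can be checked with a small stand-alone canonicalizer. This is an added illustration, not XSEC or Xerces code: it implements only the no-namespace, no-comment subset of Canonical XML 1.0 (RFC 3076 section 2) with Python's standard library, and the sample `Dekl` documents below are constructed, modelled on the element quoted in the thread.

```python
import hashlib
import xml.etree.ElementTree as ET

# Escaping rules from RFC 3076 section 2 (Canonical XML 1.0).
_ATTR_ESC = {"&": "&amp;", "<": "&lt;", '"': "&quot;",
             "\t": "&#x9;", "\n": "&#xA;", "\r": "&#xD;"}
_TEXT_ESC = {"&": "&amp;", "<": "&lt;", ">": "&gt;", "\r": "&#xD;"}


def _escape(s, table):
    return "".join(table.get(ch, ch) for ch in s)


def _c14n_element(el):
    # Attributes are sorted by name.  This subset assumes no namespaces,
    # so the primary sort key (namespace URI) is empty for every attribute.
    attrs = "".join(' %s="%s"' % (k, _escape(v, _ATTR_ESC))
                    for k, v in sorted(el.attrib.items()))
    out = ["<%s%s>" % (el.tag, attrs)]   # empty elements never collapse to <e/>
    if el.text:
        out.append(_escape(el.text, _TEXT_ESC))   # text nodes are kept as-is
    for child in el:
        out.append(_c14n_element(child))
        if child.tail:
            out.append(_escape(child.tail, _TEXT_ESC))
    out.append("</%s>" % el.tag)
    return "".join(out)


def canonicalize(xml_text):
    """Canonical form (RFC 3076 subset) of a document, as UTF-8 bytes."""
    return _c14n_element(ET.fromstring(xml_text)).encode("utf-8")


def digest(xml_text):
    """What a DigestValue over the canonical bytes would be computed from."""
    return hashlib.sha1(canonicalize(xml_text)).hexdigest()


# Constructed sample: the element from the thread plus a text node and an
# empty child, first as written and then as a DOMWriter-style re-serialization
# (attributes reordered, empty element shortened).  Both must canonicalize
# to the same bytes.  NEWLINED adds a line break inside a text node, which
# legitimately changes the canonical bytes and therefore the digest.
ORIGINAL = ('<Dekl Nr="12334567891" LiczbaOpak="30" MasaBrutto="55" '
            'MiejscZlozTow="magazyn celny"><Opis>a &amp; b</Opis><Uwagi/></Dekl>')
RESORTED = ('<Dekl LiczbaOpak="30" MasaBrutto="55" MiejscZlozTow="magazyn celny" '
            'Nr="12334567891"><Opis>a &amp; b</Opis><Uwagi></Uwagi></Dekl>')
NEWLINED = ORIGINAL.replace("a &amp; b", "a &amp; b\n")
```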