Posted to dev@santuario.apache.org by bu...@apache.org on 2008/05/13 09:15:17 UTC
DO NOT REPLY [Bug 44983] New: XSLT transformation should not be canonicalized
https://issues.apache.org/bugzilla/show_bug.cgi?id=44983
Summary: XSLT transformation should not be canonicalized
Product: Security
Version: cvs
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: C++ Canonicalization
AssignedTo: security-dev@xml.apache.org
ReportedBy: Matej.Spiller@siol.net
After an XSLT transformation, XML Security canonicalizes it. This is wrong
according to the standard. The user should manually append a c14n transformation.
From the standard:
The output of this transform is an octet stream. The processing rules for the
XSL style sheet or transform element are stated in the XSLT specification
[XSLT]. We RECOMMEND that XSLT transform authors use an output method of xml
for XML and HTML. As XSLT implementations do not produce consistent
serializations of their output, we further RECOMMEND inserting a transform
after the XSLT transform to canonicalize the output. These steps will help to
ensure interoperability of the resulting signatures among applications that
support the XSLT transform. Note that if the output is actually HTML, then the
result of these steps is logically equivalent [XHTML].
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
--- Comment #11 from Scott Cantor <ca...@osu.edu> 2010-05-12 10:23:34 EDT ---
Thanks, I'll wait to hear back before I check it in. The missing headers are
fixed in my copy.
--- Comment #9 from Patrick Hagelkruys <pa...@gmail.com> 2010-05-12 09:14:22 EDT ---
For usage with Xerces 2.8 I had to add 2 additional include files to compile
the library:
#include <xercesc/util/XMLUniDefs.hpp>
#include <xercesc/util/Janitor.hpp>
--- Comment #3 from Patrick Hagelkruys <ha...@a-trust.at> 2010-05-07 11:17:06 EDT ---
Created an attachment (id=25415)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25415)
XSECDomToSafeBuffer.cpp
XSECDomToSafeBuffer class
--- Comment #1 from hagelkruys@a-trust.at 2010-05-07 09:08:36 EDT ---
I have the same problem; I am using XSLT on an enveloped Signature Transform.
In my case the dsig namespace is inserted into the resulting data and passed to
the hash function.
For a quick fix/test I've inserted a test function and replaced the c14n.
test function: converts a DOMNode to a safeBuffer
    // Extra headers this needs in DSIGTransformXSL.cpp (see Comments #2 and #9)
    #include <cstring>
    #include <xercesc/dom/DOM.hpp>
    #include <xercesc/framework/MemBufFormatTarget.hpp>
    #include <xercesc/util/XMLUniDefs.hpp>

    // Serialize a DOM node with the Xerces 2.x DOMWriter, i.e. without
    // canonicalizing it, and hand the bytes back in a safeBuffer
    safeBuffer test(xercesc::DOMNode *node)
    {
        // "LS" as an XMLCh string; a plain L"LS" only works where wchar_t
        // is 16 bits wide (Windows)
        static const XMLCh gLS[] = { chLatin_L, chLatin_S, chNull };
        DOMImplementationLS* impl =
            DOMImplementationRegistry::getDOMImplementation(gLS);
        DOMWriter* wrt = impl->createDOMWriter();
        MemBufFormatTarget* target = new MemBufFormatTarget();
        wrt->writeNode(target, *node);
        // Copy the raw bytes into a NUL-terminated string for safeBuffer
        char* t = new char[target->getLen() + 1];
        memset(t, '\0', target->getLen() + 1);
        memcpy(t, target->getRawBuffer(), target->getLen());
        safeBuffer ret = t;
        delete[] t;
        wrt->release();
        delete target;
        return ret;
    }
and changes in DSIGTransformXSL::appendTransformer:
    // Create the XSLT transform
    XSECnew(x, TXFMXSL(mp_txfmNode->getOwnerDocument()));
    input->appendTxfm(x);
    /*
    // Again use C14n (convenient) to translate to a SafeBuffer
    XSECC14n20010315 c14n(mp_txfmNode->getOwnerDocument(), mp_stylesheetNode);
    safeBuffer sbStyleSheet;
    unsigned int size, count;
    unsigned char buf[512];
    size = 0;
    while ((count = c14n.outputBuffer(buf, 512)) != 0) {
        sbStyleSheet.sbMemcpyIn(size, buf, count);
        size += count;
    }
    sbStyleSheet[size] = '\0'; // Terminate as though a string
    */
    // Serialize the stylesheet node as-is instead of canonicalizing it
    safeBuffer sbStyleSheet = test(mp_stylesheetNode);
I will build an XSECDomToSafeBuffer class with the same syntax as
XSECC14n20010315, so there should only be small changes except the class :)
Coming in the next few days...
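The effect described in the original report (the stylesheet must not be canonicalized before it is handed to the XSLT engine) and in Comment #1 (the ds namespace ends up in the hashed output), as an added example that is not code from this thread or from Santuario. It uses Python with lxml (libxml2/libxslt) instead of the library's Xerces/Xalan C++ so that it runs without a Santuario build; the Signature fragment and the input document are constructed here.

```python
import hashlib
from lxml import etree

# Constructed sample: a Signature whose XSLT Transform embeds a stylesheet.
# xmlns:ds is declared on the ancestor, not on xsl:stylesheet itself.
SIGNATURE = b"""<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/"><out><xsl:value-of select="doc/a"/></out></xsl:template>
</xsl:stylesheet></ds:Transform></ds:Signature>"""
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
SIGNED_DATA = b"<doc><a>1</a></doc>"  # constructed input the transform is applied to


def stylesheet_bytes_both_ways():
    """Return (canonicalized, plain) serializations of the embedded stylesheet."""
    xsl = etree.fromstring(SIGNATURE).find(".//{%s}stylesheet" % XSL_NS)
    # Pre-fix behaviour: inclusive C14N of the element in its document context
    # renders every in-scope namespace, including xmlns:ds, on the apex element.
    canonicalized = etree.tostring(xsl, method="c14n")
    # Post-fix behaviour: the element as written, declaring only xmlns:xsl.
    # lxml's tostring() on a subelement copies ancestor declarations too, so
    # the plain form is cut from the source text instead.
    start = SIGNATURE.index(b"<xsl:stylesheet")
    end = SIGNATURE.index(b"</xsl:stylesheet>") + len(b"</xsl:stylesheet>")
    return canonicalized, SIGNATURE[start:end]


def transform_output(stylesheet):
    """Apply a stylesheet serialization to SIGNED_DATA; return the output bytes."""
    xslt = etree.XSLT(etree.fromstring(stylesheet))
    return etree.tostring(xslt(etree.fromstring(SIGNED_DATA)).getroot())


def digests():
    """SHA-256 of the transform output, i.e. what DigestValue is computed over."""
    canonicalized, plain = stylesheet_bytes_both_ways()
    return {"canonicalized": hashlib.sha256(transform_output(canonicalized)).hexdigest(),
            "plain": hashlib.sha256(transform_output(plain)).hexdigest()}


if __name__ == "__main__":
    canonicalized, plain = stylesheet_bytes_both_ways()
    # XSLT copies the stylesheet's in-scope namespace nodes onto literal result
    # elements, so the stray xmlns:ds lands in the output and changes the digest.
    print(transform_output(canonicalized))  # <out xmlns:ds="http://www.w3.org/2000/09/xmldsig#">1</out>
    print(transform_output(plain))          # <out>1</out>
    print(digests())
```

A verifier that serializes the stylesheet differently from the signer therefore computes a different digest and rejects the signature, which is the interoperability failure the cited XML-DSig text warns about.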
Scott Cantor <ca...@osu.edu> changed:
What       |Removed |Added
-----------+--------+---------
Status     |NEW     |RESOLVED
Resolution |        |FIXED
--- Comment #13 from Scott Cantor <ca...@osu.edu> 2010-05-12 13:11:07 EDT ---
http://svn.apache.org/viewvc?view=revision&revision=943580
Scott Cantor <ca...@osu.edu> changed:
What                          |Removed |Added
------------------------------+--------+------
Attachment #25415 is obsolete |0       |1
Attachment #25416 is obsolete |0       |1
--- Comment #8 from Scott Cantor <ca...@osu.edu> 2010-05-11 17:10:41 EDT ---
Created an attachment (id=25429)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25429)
Proposed patch to fix bug for Xerces 2 and 3
Could you please test the attached self-contained patch to
DSIGTransformXSL.cpp?
Unless there's a need to factor out the serialization code, I'm inclined to
leave it inline.
Patrick Hagelkruys <ha...@a-trust.at> changed:
What |Removed |Added
-----+--------+----------------------
CC   |        |hagelkruys@a-trust.at
Scott Cantor <ca...@osu.edu> changed:
What    |Removed |Added
--------+--------+----------
Version |cvs     |C++ 1.5.1
--- Comment #7 from Scott Cantor <ca...@osu.edu> 2010-05-11 16:39:05 EDT ---
I believe your patch assumes an out of date DOM3 / Xerces API, so it will take
some reworking.
--- Comment #12 from Patrick Hagelkruys <pa...@gmail.com> 2010-05-12 12:19:15 EDT ---
Also works with Xerces 3.
--- Comment #4 from Patrick Hagelkruys <ha...@a-trust.at> 2010-05-07 11:17:56 EDT ---
Created an attachment (id=25416)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25416)
XSECDomToSafeBuffer.hpp
XSECDomToSafeBuffer class
--- Comment #2 from Patrick Hagelkruys <ha...@a-trust.at> 2010-05-07 09:18:17 EDT ---
Sorry, missing header file :)
You need to add the following include to the file DSIGTransformXSL.cpp:
#include <xercesc/framework/MemBufFormatTarget.hpp>
--- Comment #10 from Patrick Hagelkruys <pa...@gmail.com> 2010-05-12 09:23:03 EDT ---
With Xerces 2.8 the XSL Transform now seems correct.
I will test it with Xerces 3.0 within the next few days.
--- Comment #6 from Scott Cantor <ca...@osu.edu> 2010-05-07 13:11:41 EDT ---
Do you have a contributor's agreement on file with Apache? I can't accept a
patch of this size without that to cover copyright.
(I also can't produce a patch myself because I don't use Xalan or even build
the library with any of the XPath/XSLT support.)
--- Comment #5 from Patrick Hagelkruys <ha...@a-trust.at> 2010-05-07 11:20:14 EDT ---
Here is my DomToSafeBuffer class; it does not have the same syntax as the c14n class,
but I think this way it is much easier.
I put the class into xsec/utils/
Changes in DSIGTransformXSL::appendTransformer():
    // Create the XSLT transform
    XSECnew(x, TXFMXSL(mp_txfmNode->getOwnerDocument()));
    input->appendTxfm(x);
    /*
    // Again use C14n (convenient) to translate to a SafeBuffer
    XSECC14n20010315 c14n(mp_txfmNode->getOwnerDocument(), mp_stylesheetNode);
    safeBuffer sbStyleSheet;
    unsigned int size, count;
    unsigned char buf[512];
    size = 0;
    while ((count = c14n.outputBuffer(buf, 512)) != 0) {
        sbStyleSheet.sbMemcpyIn(size, buf, count);
        size += count;
    }
    sbStyleSheet[size] = '\0'; // Terminate as though a string
    */
    // Plain DOM serialization of the stylesheet node, no canonicalization
    XSECDomToSafeBuffer tosb(mp_txfmNode->getOwnerDocument(),
                             mp_stylesheetNode);
    safeBuffer sbStyleSheet = tosb.getSafeBuffer();
    x->evaluateStyleSheet(sbStyleSheet);