You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@santuario.apache.org by GOURMELEN Gael FTRD/DMI/LAN <ga...@rd.francetelecom.com> on 2003/08/08 09:24:25 UTC

Interoperability issue

Hi,

I am currently developing an application based on the Apache XML Security C++ library and we have interoperability issues between the Java (Apache XML Security 1.0.5D2) and C++ (Apache XML Security v0.2) versions of this library.
Our development uses XML Digital Signature and the interoperability issue seems to come from the canonicalization implementation and more precisely the way XML attributes are sorted.

For example the following XML will be canonicalized differently by the 2 libraries and the verification of the XML signature with a C14n or Excl C14n transform produced by one Library on this Element will fail using the other library.
<MyElement id="123" xsi:type="foo:AnotherType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
...
</MyElement>
- With the C++ Library the canonicalization will sort the attributes that way :
<MyElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="foo:AnotherType" id="123">
- With the Java Library the canonicalization will sort the attributes that way :
<MyElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="123" xsi:type="foo:AnotherType">

With the C++ Library, it seems that the namespace URI (http://www.w3.org/2001/XMLSchema-instance) is used as the key to sort the "xsi:type" attribute and not the prefix ("xsi") as recommended in the specification "<http://www.w3.org/TR/2001/REC-xml-c14n-20010315>". On the other hand, the Java implementation does not seem to follow this recommendation.

Has anyone faced this problem too ?
Which library (Java or C++) offers a correct implementation of the spec ?
Thanks for your help.

Gaël.

Re: Interoperability issue

Posted by Dave Flanagan <da...@trainingetc.com>.

Hello Gaël,

Looking at section 3.3 of the W3C's Reccomendation for Canonical XML
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#Example-SETags

Examination of the <e5> element in the above reference includes
six attributes for this element and shows how they are sorted when
canonicalized.

The note following the example states the following from the spec
"Note: In e5, b:attr precedes a:attr because the primary key is
namespace URI not namespace prefix, and attr2 precedes
b:attr because the default namespace is not applied to
unqualified attributes (so the namespace URI for attr2 is empty)."


In your example below, id="123" therefore should precede xsi:type="foo:AnotherType"
because the namespace URI for id is empty.

So it appears that the Java implementation is sorting the attributes
properly

Hope this helps
Dave Flanagan

GGFDL> Hi,

GGFDL> I am currently developing an application based on the Apache XML Security C++ library and we have interoperability issues between the Java (Apache XML Security 1.0.5D2) and C++ (Apache XML
GGFDL> Security v0.2) versions of this library.
GGFDL> Our development uses XML Digital Signature and the interoperability issue seems to come from the canonicalization implementation and more precisely the way XML attributes are sorted.

GGFDL> For example the following XML will be canonicalized differently by the 2 libraries and the verification of the XML signature with a C14n or Excl C14n transform produced by one Library on this
GGFDL> Element will fail using the other library.
GGFDL> <MyElement id="123" xsi:type="foo:AnotherType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
GGFDL> ...
GGFDL> </MyElement>
GGFDL> - With the C++ Library the canonicalization will sort the attributes that way :
GGFDL> <MyElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="foo:AnotherType" id="123">
GGFDL> - With the Java Library the canonicalization will sort the attributes that way :
GGFDL> <MyElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="123" xsi:type="foo:AnotherType">

GGFDL> With the C++ Library, it seems that the namespace URI (http://www.w3.org/2001/XMLSchema-instance) is used as the key to sort the "xsi:type" attribute and not the prefix ("xsi") as recommended
GGFDL> in the specification "<http://www.w3.org/TR/2001/REC-xml-c14n-20010315>". On the other hand, the Java implementation does not seem to follow this recommendation.

GGFDL> Has anyone faced this problem too ?
GGFDL> Which library (Java or C++) offers a correct implementation of the spec ?
GGFDL> Thanks for your help.

GGFDL> Gaël.

Re: Interoperability issue

Posted by Berin Lautenbach <be...@ozemail.com.au>.

Gael,

This would be a bug in the C++ library.

As Dave Flanagan pointed out, the attributes should be sorted using 
their namespace URI as their primary key, and the spec explicitly states 
that the empty namespace is lexigraphically lesser than any other URI 
(so should come first).

Have just checked a fix into CVS.  Am going to put a final release of 
1.0.0 out in the next few days (now that Xalan 1.6 is released), and the 
fix will also be in there.

Many thanks!

Cheers,
	Berin

GOURMELEN Gael FTRD/DMI/LAN wrote:
> 
> Hi,
> 
> I am currently developing an application based on the Apache XML 
> Security C++ library and we have interoperability issues between the 
> Java (Apache XML Security 1.0.5D2) and C++ (Apache XML Security v0.2) 
> versions of this library.
> 
> Our development uses XML Digital Signature and the interoperability 
> issue seems to come from the canonicalization implementation and more 
> precisely the way XML attributes are sorted.
> 
> For example the following XML will be canonicalized differently by the 2 
> libraries and the verification of the XML signature with a C14n or Excl 
> C14n transform produced by one Library on this Element will fail using 
> the other library.
> 
> <MyElement id="123" xsi:type="foo:AnotherType" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> ...
> </MyElement>
> - With the C++ Library the canonicalization will sort the attributes 
> that way :
> <MyElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="foo:AnotherType" id="123">
> - With the Java Library the canonicalization will sort the attributes 
> that way :
> <MyElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> id="123" xsi:type="foo:AnotherType">
> 
> With the C++ Library, it seems that the namespace URI 
> (http://www.w3.org/2001/XMLSchema-instance) is used as the key to sort 
> the "xsi:type" attribute and not the prefix ("xsi") as recommended in 
> the specification 
> "_____<http://www.w3.org/TR/2001/REC-xml-c14n-20010315>_". On the other 
> hand, the Java implementation does not seem to follow this recommendation.
> 
> Has anyone faced this problem too ?
> Which library (Java or C++) offers a correct implementation of the spec ?
> Thanks for your help.
> 
> Gaël.
>