Posted to dev@santuario.apache.org by Jesse Pelton <js...@PKC.com> on 2005/03/18 21:33:52 UTC

XML-Security-C with OpenSSL overly strict about base64 line lengths

OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature() uses OpenSSL's
EVP_Decode...() routines to decode the base64 contents of
SignatureValue.  This fails if line breaks don't occur where OpenSSL
thinks they should.  I think this is contrary to the specification (see
rationale below), and that this function should use XSCryptCryptoBase64,
as WinCAPICryptoKeyRSA::verifySHA1PKCS1Base64Signature() does, rather
than the EVP_Decode...() routines.

Rationale: Section 4.2 of the XML-Dsig spec
(http://www.w3.org/TR/xmldsig-core/) says that SignatureValues are of
Schema type base64Binary.
http://www.w3.org/TR/xmlschema-2/#base64Binary says, "For compatibility
with older mail gateways, [RFC 2045] suggests that base64 data should
have lines limited to at most 76 characters in length.  This line-length
limitation is not mandated in the lexical forms of base64Binary data and
must not be enforced by XML Schema processors."  If the line-length
limitation is not mandated, XSec should be able to handle arbitrary line
lengths.

I'm happy to file a bug and/or create a patch if that would be useful.

Re: XML-Security-C with OpenSSL overly strict about base64 line lengths

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Jesse Pelton wrote:

> OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature() uses OpenSSL's
> EVP_Decode...() routines to decode the base64 contents of
> SignatureValue.  This fails if line breaks don't occur where OpenSSL
> thinks they should.  I think this is contrary to the specification (see
> rationale below), and that this function should use XSCryptCryptoBase64,
> as WinCAPICryptoKeyRSA::verifySHA1PKCS1Base64Signature() does, rather
> than the EVP_Decode...() routines.

Can you have a look at the code in CVS and let me know what you think? 
I fixed this a few months ago as I ran into the same problem.  But in 
this case, rather than use XSCryptCryptoBase64 I now "clean" the buffer 
and still let OpenSSL do it.  I suspect the better approach is as you 
propose - just use XSCryptCryptoBase64, but for some reason I decided to 
get fancy.

Cheers,
	Berin
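
Both approaches discussed in this thread, cleaning the buffer before decoding or using a decoder that ignores line structure, come down to treating whitespace in SignatureValue as insignificant. The block below is an added example, not XML-Security-C or OpenSSL code: it is a self-contained decoder, and decodeBase64Binary and decodesTo are hypothetical names.

```cpp
#include <string>

// 6-bit value of a base64 alphabet character, or -1 if it is not in the alphabet.
static int b64Value(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

// Hypothetical helper, not an XSEC or OpenSSL function: decodes base64Binary
// text with line breaks at any position, or none. Returns false on bad input.
bool decodeBase64Binary(const std::string &text, std::string &out) {
    std::string clean;
    for (unsigned char c : text) {
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') continue; // XML whitespace
        if (c != '=' && b64Value(c) < 0) return false; // reject, never skip, other bytes
        clean.push_back(static_cast<char>(c));
    }
    if (clean.size() % 4 != 0) return false;
    out.clear();
    for (std::size_t i = 0; i < clean.size(); i += 4) {
        unsigned int quad = 0, pad = 0;
        for (std::size_t j = 0; j < 4; ++j) {
            unsigned char c = static_cast<unsigned char>(clean[i + j]);
            if (c == '=') {
                // '=' may only fill the last one or two slots of the final group
                if (i + 4 != clean.size() || j < 2) return false;
                ++pad;
                quad <<= 6;
            } else {
                if (pad) return false; // data after padding
                quad = (quad << 6) | static_cast<unsigned int>(b64Value(c));
            }
        }
        out.push_back(static_cast<char>((quad >> 16) & 0xFF));
        if (pad < 2) out.push_back(static_cast<char>((quad >> 8) & 0xFF));
        if (pad < 1) out.push_back(static_cast<char>(quad & 0xFF));
    }
    return true;
}

// True when text decodes successfully to exactly the expected bytes.
bool decodesTo(const std::string &text, const std::string &expected) {
    std::string out;
    return decodeBase64Binary(text, out) && out == expected;
}

// Constructed input: "foobar" encoded and split at irregular positions.
int main() { return decodesTo("Zm9v\nYm\r\nFy", "foobar") ? 0 : 1; }
```

Only whitespace is dropped; any other byte outside the alphabet fails the decode instead of being skipped, so a malformed SignatureValue is rejected rather than silently repaired.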