Posted to dev@santuario.apache.org by Ma...@de.gi-de.com on 2002/10/30 10:58:53 UTC
inconsistent canonicalization
Hi,
This is the SignedInfo part of a document, signed by me.
The interesting thing is the difference between the
ds:CanonicalizationMethod tag and the ds:Transform tag.
<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
  <ds:Reference URI="">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
        <ds:XPath>/ProfileRoot/Profile[attribute::Version = "2.0.0" and attribute::Date = "2002-06-11" and attribute::Time = "15:06:46"]</ds:XPath>
      </ds:Transform>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>+hzc1KmdgoCo+i5m/jDgrvc435Q=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
As you can see, the Algorithm attribute of CanonicalizationMethod is "http://www.w3.org/TR/2001/REC-xml-c14n-20010315", but that of Transform is "http://www.w3.org/2001/10/xml-exc-c14n#", which is what I wanted.
So where does this difference come from?
I sign my document with "transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS)", but why does the CanonicalizationMethod have a different transform?
Bye
Marco
Re: inconsistent canonicalization
Posted by Erwin van der Koogh <er...@sun.com>.
> When you want exclC14n for the SignedInfo (and not for a Reference), you
> must specify this when you create the XMLSignature object.
Remember how XMLSignature does not sign a Reference directly. It digests all
References into a SignedInfo and signs the SignedInfo.
Now remember that all XML content has to be c14ned before it can be
digested/signed.
So you definitely need a c14n algorithm for the SignedInfo, and you might
want one for the References if you are signing XML content there. These
algorithms can be different algorithms :)
Erwin
Re: inconsistent canonicalization
Posted by Christian Geuer-Pollmann <ge...@nue.et-inf.uni-siegen.de>.
When you want exclC14n for the SignedInfo (and not for a Reference), you
must specify this when you create the XMLSignature object.
--On Wednesday, 30 October 2002 10:58 +0100 Marco.Herrn@de.gi-de.com wrote:
> Hi,
>
> This is the SignedInfo part of a document, signed by me.
> The interesting thing is the difference between the
> ds:CanonicalizationMethod tag and the ds:Transform tag.
>
> <ds:SignedInfo>
>   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>   <ds:Reference URI="">
>     <ds:Transforms>
>       <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
>         <ds:XPath>/ProfileRoot/Profile[attribute::Version = "2.0.0" and attribute::Date = "2002-06-11" and attribute::Time = "15:06:46"]</ds:XPath>
>       </ds:Transform>
>       <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     </ds:Transforms>
>     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <ds:DigestValue>+hzc1KmdgoCo+i5m/jDgrvc435Q=</ds:DigestValue>
>   </ds:Reference>
> </ds:SignedInfo>
>
> As you can see, the Algorithm attribute of CanonicalizationMethod is "http://www.w3.org/TR/2001/REC-xml-c14n-20010315", but of Transform it is "http://www.w3.org/2001/10/xml-exc-c14n#", which is what I wanted.
> So where does this difference come from?
>
> I sign my document with "transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS)", but why has the CanonicalizationMethod a different transform?
>
> Bye
> Marco
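The point both replies make, the SignedInfo's CanonicalizationMethod is chosen when the XMLSignature object is created and is independent of the Transforms attached to a Reference, can be shown end to end. The following Java program is an added example written for this page; it is not code from the thread or from the Apache XML Security (Santuario) project itself. It assumes the current Apache XML Security for Java API (the four-argument XMLSignature constructor whose last argument is the SignedInfo canonicalization URI, Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS, SignedInfo.getCanonicalizationMethodURI(), Reference.getTransforms()); the sample document, the HMAC key bytes, and the class name are constructed placeholders. The XPath filter reuses the expression from the thread.

```java
// Added example (not from the thread or the Santuario project): create an
// enveloped HMAC-SHA1 signature with exclusive C14N selected for SignedInfo
// via the four-argument XMLSignature constructor, then read back the
// CanonicalizationMethod and the Reference transforms to show that the two
// are set independently. Sample document and key are constructed placeholders.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.transforms.params.XPathContainer;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;

public class SignedInfoC14nExample {
    // Constructed sample document carrying the attributes the thread's XPath names.
    private static final String SAMPLE_XML =
        "<ProfileRoot><Profile Version=\"2.0.0\" Date=\"2002-06-11\" Time=\"15:06:46\">"
        + "<Item>payload</Item></Profile></ProfileRoot>";

    public static void main(String[] args) throws Exception {
        Init.init();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Security requires a namespace-aware DOM
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE_XML.getBytes(StandardCharsets.UTF_8)));

        // The fourth argument is the SignedInfo canonicalization method. The
        // three-argument constructor defaults to inclusive C14N, which is why the
        // thread's CanonicalizationMethod came out as REC-xml-c14n-20010315.
        XMLSignature sig = new XMLSignature(doc, "",
            XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
            Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        doc.getDocumentElement().appendChild(sig.getElement());

        // These transforms apply only to this Reference's input, never to SignedInfo.
        Transforms transforms = new Transforms(doc);
        XPathContainer xpath = new XPathContainer(doc);
        xpath.setXPath("/ProfileRoot/Profile[attribute::Version = \"2.0.0\" and "
            + "attribute::Date = \"2002-06-11\" and attribute::Time = \"15:06:46\"]");
        transforms.addTransform(Transforms.TRANSFORM_XPATH, xpath.getElementPlusReturns());
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);

        // Constructed HMAC key; a real deployment loads it from a key store.
        byte[] keyBytes = "placeholder-hmac-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "HmacSHA1");
        sig.sign(key);

        // Read back what was actually emitted into ds:SignedInfo.
        SignedInfo si = sig.getSignedInfo();
        System.out.println("CanonicalizationMethod: " + si.getCanonicalizationMethodURI());
        Reference ref = si.item(0);
        Transforms refTransforms = ref.getTransforms();
        for (int i = 0; i < refTransforms.getLength(); i++) {
            System.out.println("Reference transform[" + i + "]: " + refTransforms.item(i).getURI());
        }

        // Verify with the same key so the chosen c14n method is seen to round-trip.
        System.out.println("Signature valid: " + sig.checkSignatureValue(key));
    }
}
```

When run against the Apache XML Security library, the CanonicalizationMethod line prints the exc-c14n URI and the reference transforms print the XPath, enveloped-signature and exc-c14n URIs in that order; a verifier only needs to agree on both choices, which is why an unexpected inclusive C14N in SignedInfo is worth checking for on the receiving side too.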