Posted to dev@santuario.apache.org by Jon Olav Linde <Jo...@beepscience.com> on 2005/12/19 15:31:25 UTC

base64Binary, canonical form ?

Hi.

I am trying to find the correct canonical form of this
XML schema defined type: base64Binary

As far as I can read from the spec, the canonical form shall
contain no whitespace at all:

    Canonical-base64Binary  ::=  (B64 B64 B64 B64)*
                                ((B64 B64 B16 '=') | (B64 B04 '=='))?

(taken from http://www.w3.org/TR/xmlschema-2/datatypes.html#base64Binary)

However, when experimenting with the (Java) Canonicalizer class, using
the method ALGO_ID_C14N_EXCL_OMIT_COMMENTS, I see that it does include
whitespace (using xmlsec-1.2.1).

To illustrate, here is a sample XML fragment:
(For the sake of brevity, I use a line length of 4 instead of 76)

    <b64Data>U29t&#xd;
    ZSBk&#xd;
    YXRh&#xd;
    Lg==&#xd;
    </b64Data>

Using Xerces, with validation turned on, I parse the document containing
this fragment. Then, when I canonicalize the resulting root node,
this is what I get:

    <b64Data>U29t ZSBk YXRh Lg==</b64Data>


This element is defined in my experimental XML schema, like this:

    <element name="b64Data" type="base64Binary"/>

Am I reading the spec incorrectly, or is this a bug in the canonicalizer ?

Any help is appreciated.

/Jon Olav Linde



RE: base64Binary, canonical form ?

Posted by Jon Olav Linde <Jo...@beepscience.com>.
I see. That answers my question perfectly.
Thank you very much.

/Jon Olav

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: 19. desember 2005 15:47
> To: security-dev@xml.apache.org
> Subject: RE: base64Binary, canonical form ?
>
>
> > However, when experimenting with the (Java) Canonicalizer class, using
> > the method ALGO_ID_C14N_EXCL_OMIT_COMMENTS, I see that it does include
> > whitespace (using xmlsec-1.2.1).
>
> XML c14n is not the same as schema c14n. The inclusive and exclusive c14n
> specs do not specify that the resulting output is in schema c14n form, and
> since they don't involve schema at all, they wouldn't know what the types
> were in order to perform that step.
>
> > Am I reading the spec incorrectly, or is this a bug in the
> > canonicalizer ?
>
> You're confusing two specs.
>
> Note that the implication of this is that you have to be very careful when
> validating XML and then verifying signatures over it because of how parsers
> work. Using data normalization while parsing can corrupt the signature, and
> virtually every parser version has subtle differences in how they deal with
> base64.
>
> -- Scott


RE: base64Binary, canonical form ?

Posted by Scott Cantor <ca...@osu.edu>.
> However, when experimenting with the (Java) Canonicalizer class, using
> the method ALGO_ID_C14N_EXCL_OMIT_COMMENTS, I see that it does include
> whitespace (using xmlsec-1.2.1).

XML c14n is not the same as schema c14n. The inclusive and exclusive c14n
specs do not specify that the resulting output is in schema c14n form, and
since they don't involve schema at all, they wouldn't know what the types
were in order to perform that step.

> Am I reading the spec incorrectly, or is this a bug in the 
> canonicalizer ?

You're confusing two specs.

Note that the implication of this is that you have to be very careful when
validating XML and then verifying signatures over it because of how parsers
work. Using data normalization while parsing can corrupt the signature, and
virtually every parser version has subtle differences in how they deal with
base64.

-- Scott
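
The effect described in this thread, as an added example that is not part of the original messages or of the xmlsec code base: the same base64 payload is canonicalized as parsed, after schema whitespace collapse, and in schema canonical form, and each variant hashes differently even though the decoded bytes are identical. Assumptions: it uses Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0, not the exclusive c14n 1.0 used above; both leave text-node whitespace untouched), the input string is constructed from the fragment in the question, and the helper names are hypothetical.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed input: the fragment from the question (line length 4, each line
# ending in a CR character reference followed by a literal LF).
RAW = "<b64Data>U29t&#xd;\nZSBk&#xd;\nYXRh&#xd;\nLg==&#xd;\n</b64Data>"

def xsd_collapse(text):
    """XML Schema whiteSpace=collapse, the facet fixed for base64Binary."""
    return re.sub(r"[ \t\r\n]+", " ", text).strip(" ")

def schema_canonical(text):
    """Canonical lexical form of base64Binary: no whitespace at all."""
    return re.sub(r"[ \t\r\n]+", "", text)

def c14n_after(transform=None):
    """Canonicalize RAW, optionally after rewriting the text node the way a
    schema-normalizing parser would."""
    if transform is None:
        # Canonicalize the original octets directly; a serialize/re-parse
        # round trip would itself turn the CR LF pairs into LF.
        return ET.canonicalize(RAW)
    elem = ET.fromstring(RAW)
    elem.text = transform(elem.text)
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"))

def digest(c14n_text):
    """What a signature Reference hashes: the canonical octets."""
    return hashlib.sha256(c14n_text.encode("utf-8")).hexdigest()

def compare():
    """Return {variant: (canonical XML, SHA-256 hex, decoded payload)}."""
    forms = {
        "as signed": c14n_after(),
        "schema-normalized": c14n_after(xsd_collapse),
        "schema-canonical": c14n_after(schema_canonical),
    }
    return {name: (text, digest(text),
                   base64.b64decode(ET.fromstring(text).text))
            for name, text in forms.items()}

if __name__ == "__main__":
    for name, (text, sha, payload) in compare().items():
        print(f"{name:18} {sha[:16]} {payload!r} {text!r}")
```

Only the first variant matches what a signer hashing the original document would have computed, so a verifier has to canonicalize the text node as it was signed, not as a validating parser rewrote it.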