Posted to commits@santuario.apache.org by "Erdem Memisyazici (JIRA)" <ji...@apache.org> on 2016/11/08 20:27:59 UTC

[jira] [Resolved] (SANTUARIO-455) Default Attributes are Not Canonicalized

     [ https://issues.apache.org/jira/browse/SANTUARIO-455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erdem Memisyazici resolved SANTUARIO-455.
-----------------------------------------
    Resolution: Not A Problem

> Default Attributes are Not Canonicalized
> ----------------------------------------
>
>                 Key: SANTUARIO-455
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-455
>             Project: Santuario
>          Issue Type: Bug
>    Affects Versions: Java 2.0.7
>            Reporter: Erdem Memisyazici
>            Assignee: Colm O hEigeartaigh
>
> When attempting to validate a document's signature using _XMLSignature.checkSignatureValue_, the canonicalized output of the given Node does not include omitted default attributes as defined by https://www.w3.org/TR/2001/REC-xml-c14n-20010315 Section 3.3, Start and End Tags, as the implementations do not seem to be XSD aware (but comply with the definition), before comparing the digest.
> Given an example from PSKC (RFC-6030) using (http://www.w3.org/2001/10/xml-exc-c14n):
> {code:xml}
> <pskc:ResponseFormat Encoding="DECIMAL" Length="6" />
> {code}
> Should be canonicalized as:
> {code:xml}
> <pskc:ResponseFormat CheckDigits="false" Encoding="DECIMAL" Length="6"></pskc:ResponseFormat>
> {code}
> Given a definition of:
> {code:xml}
> <xs:element name="ResponseFormat" minOccurs="0">
>   <xs:complexType>
>     <xs:attribute name="Encoding"
>                   type="pskc:ValueFormatType" use="required"/>
>     <xs:attribute name="Length"
>                   type="xs:unsignedInt" use="required"/>
>     <xs:attribute name="CheckDigits"
>                   type="xs:boolean" default="false"/>
>   </xs:complexType>
> </xs:element>
> {code}
> before comparing ds:DigestValue; however, this is not so, leading to the signature validation failing.
> The reason I'm reporting this is that popular tools such as xmlsec (https://www.aleksey.com/xmlsec/) seem to be doing this during signing.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
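
An added example, not part of the issue or of Santuario's code: it shows that whether a schema-defaulted attribute such as CheckDigits exists in the DOM depends on how the document was parsed, which is the node set a canonicalizer later serializes. It uses only JDK JAXP APIs; the schema and the namespace urn:example:demo are constructed stand-ins, not the RFC 6030 PSKC schema.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class DefaultAttrDemo {
    // Constructed stand-in schema: same attribute shape as the element quoted in the issue.
    static final String XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'"
      + " targetNamespace='urn:example:demo' elementFormDefault='qualified'>"
      + "<xs:element name='ResponseFormat'><xs:complexType>"
      + "<xs:attribute name='Encoding' type='xs:string' use='required'/>"
      + "<xs:attribute name='Length' type='xs:unsignedInt' use='required'/>"
      + "<xs:attribute name='CheckDigits' type='xs:boolean' default='false'/>"
      + "</xs:complexType></xs:element></xs:schema>";

    // Constructed instance document that omits the defaulted attribute.
    static final String DOC =
        "<d:ResponseFormat xmlns:d='urn:example:demo' Encoding='DECIMAL' Length='6'/>";

    // Parse DOC; a null schema means a plain, schema-unaware parse.
    static Element parse(Schema schema) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setSchema(schema);
        return f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(DOC)))
                .getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        Schema schema = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
                .newSchema(new StreamSource(new StringReader(XSD)));
        Element plain = parse(null);
        Element validated = parse(schema);
        // The attribute list differs between the two DOMs built from identical input bytes.
        System.out.println("schema-unaware parse: CheckDigits present = "
                + plain.hasAttribute("CheckDigits"));
        System.out.println("schema-aware parse:   CheckDigits present = "
                + validated.hasAttribute("CheckDigits"));
    }
}
```

If the signing side and the verifying side build their DOMs differently in this respect, the canonical bytes and therefore ds:DigestValue will not match, even though the serialized document is byte-for-byte identical.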