Posted to dev@santuario.apache.org by Eric Johnson <er...@tibco.com> on 2011/10/26 13:59:23 UTC

Porting 1.4.6 changes to GenXDM, question on SANTUARIO-273

I just ported the changes from Santuario 1.4.5 --> 1.4.6 onto the GenXDM 
based port that I've been maintaining.

In the process of doing that, I noticed an oddity with this test case:

Santuario273Test.testC14n11Base()

The problem is that the test case logic verifies a side effect of 
canonicalization (c14n), not the c14n itself. By which I mean, by my 
view of the c14n task, it ought not modify the input document. That an 
implementation might do so is a side effect of that implementation, not 
a desirable characteristic for which there should be a test.

Verifying the side-effect is obvious if you look at the following lines:

         c14n.canonicalizeSubtree(signedInfo);

         NamedNodeMap attributes = signedInfo.getAttributes();
         boolean foundBase = false;
         for (int i = 0; i < attributes.getLength(); i++) {
             Node attribute = attributes.item(i);
             if ("base".equals(attribute.getLocalName())
                 && "http://www.acme.com/resources/subresources/".equals(attribute.getNodeValue())) {
                 foundBase = true;
                 break;
             }
         }
         if (!foundBase) {
             fail("The base attribute was not found or was incorrect");
         }

Notice that the return result from "canonicalizeSubtree(signedInfo)" 
isn't even used!

So I think that this test case should instead be testing that the c14n 
output matches:

<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#" xml:base="http://www.acme.com/resources/subresources/">
     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
     <Reference URI="http://www.w3.org/TR/xml-stylesheet">
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
       <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
     </Reference>
   </SignedInfo>


... or, alternately, the test could reparse the output byte stream, then 
ask the value of the "xml:base" attribute on the reparsed result.

I'm tempted to re-open SANTUARIO-273 with a request to validate the 
canonicalization, rather than the modification to the input document.

I stumbled across this issue because the GenXDM-based port of the 
Santuario library does leave the original document unmodified for c14n, 
so (a) when I ported the test, the converted test makes no sense, 
because it is verifying that the original document remains unmodified 
via an API that only has an immutable view of the underlying document, 
and (b) the unported test using the original API entry point fails, 
because the input document isn't being modified.

I've been doing my best to leave the original tests of the santuario 
project passing whilst unmodified, but this test seems to be in error.

Please advise.

-Eric.
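
The reparse alternative suggested in the message above, as an added example that is not part of the original post or of the Santuario test suite: it checks xml:base on the canonical output bytes instead of on the input DOM. The class name, the xmlBaseOf helper and the sample byte strings are constructed for illustration; in the real test the bytes would be the return value of c14n.canonicalizeSubtree(signedInfo).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class C14nOutputCheck {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String EXPECTED_BASE = "http://www.acme.com/resources/subresources/";

    /** Reparses canonical bytes and returns xml:base on the root element ("" if absent). */
    static String xmlBaseOf(byte[] c14nBytes) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // needed for getAttributeNS / getLocalName
        // Canonical XML never carries a DOCTYPE, so reject one outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(c14nBytes)).getDocumentElement();
        if (!DSIG_NS.equals(root.getNamespaceURI()) || !"SignedInfo".equals(root.getLocalName())) {
            throw new IllegalArgumentException("root is not ds:SignedInfo");
        }
        return root.getAttributeNS(XMLConstants.XML_NS_URI, "base");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for the byte[] returned by the canonicalizer.
        byte[] out = ("<SignedInfo xmlns=\"" + DSIG_NS + "\" xml:base=\"" + EXPECTED_BASE + "\">"
                + "<Reference URI=\"http://www.w3.org/TR/xml-stylesheet\"></Reference>"
                + "</SignedInfo>").getBytes(StandardCharsets.UTF_8);
        String base = xmlBaseOf(out);
        if (!EXPECTED_BASE.equals(base)) {
            throw new AssertionError("xml:base in c14n output was '" + base + "'");
        }
        // Constructed negative case: output in which no xml:base was emitted.
        byte[] missing = ("<SignedInfo xmlns=\"" + DSIG_NS + "\"></SignedInfo>")
                .getBytes(StandardCharsets.UTF_8);
        if (!xmlBaseOf(missing).isEmpty()) {
            throw new AssertionError("expected no xml:base on the second sample");
        }
        System.out.println("xml:base verified on reparsed c14n output: " + base);
    }
}
```

Because the check reads only the returned bytes, it gives the same verdict whether or not an implementation mutates the input document during canonicalization.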