Removing c14n2.0 options ignoreDTD and expandEntities from Pratik Datta on 2010-06-07 (public-xmlsec@w3.org from June 2010)

From: Pratik Datta <pratik.datta@oracle.com>
Date: Mon, 7 Jun 2010 09:48:01 -0700 (PDT)
To: XMLSec WG Public List <public-xmlsec@w3.org>
Message-ID: <aaa24204-9183-4de3-b6fa-3eba9e36fbd3@default>

For my ACTION-580

As we discussed in the meeting, the input to C14n 2.0 is a list of subtrees.  Unlike C14N 1.x, it is not defined for an octet stream. So I am planning  to add this text in the end of section 2.1

"Note: Unlike Canonical XML 1.0, which needs to work in the transform chain and have the ability to input an octet stream or a nodeset and output an octet stream,  Canonical XML 2.0 does not have this requirement. Its input is always a list of included and excluded subtrees."


Also I am planning to remove the following options  from C14N2.0

ignoreDTD
expandEntities.

As Scott pointed out, these kind of options can only be specified during XML parsing. By the time the XML subtree comes to C14n gets, it has already been parsed, the DTD has already been looked at and entities already been expanded. C14n cannot do anything about it.


We still need to figure out a way to solve the entity expansion related attack, e.g this attack in Brad Hill's paper related to C14N 1.x:


Attacker attaches a DTD containing entities which are recursively defined, then inserts such an entity reference into the SignedInfo or the XML content identified by a Reference. Even if the system XML parser is set not to expand entities, the rules of C14N require expansion of entities.
Example: The following document will consume ~2 gigabytes of memory during canonicalization

<!DOCTYPE foo [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" >
]>


But we cannot solve it in C14n 2.0, since it doesn't do XML parsing any more.

Pratik

Received on Monday, 7 June 2010 16:49:59 UTC