C14N problems with IBM Websphere

Hi, All!

One of the XML Security Library users noticed a problem with the C14N
implementation in IBM Websphere. It might be interesting for people here
and I also hope that someone from IBM is still reading this mailing list
and can respond on this. And sorry for the spam to everyone else :(

The problem occurs in the case when you have an empty namespace.
Websphere drops the empty namespace declaration for C14N while
xmlsec/libxml2 doesn't. For example, given that the following node is
what you are signing (notice the namespace for <in0> is an empty string):

  <getGreeting xmlns="http://Sample8.wsdk.ibm.com">
   <in0 xmlns="">venky</in0>
  </getGreeting>

Here is what Websphere's c14n outputs:

  <getGreeting xmlns="http://Sample8.wsdk.ibm.com">
   <in0>venky</in0>
  </getGreeting>

While xmlsec/libxml2 outputs:

  <getGreeting xmlns="http://Sample8.wsdk.ibm.com">
   <in0 xmlns="">venky</in0>
  </getGreeting>


The Websphere output seems wrong to me because it changes the namespace
for the <in0> node. The spec

    http://www.w3.org/TR/2001/REC-xml-c14n-20010315#ProcessingModel

is clear that xmlns="" should be rendered in <in0> in this case because
there is a different default namespace declared in the parent of this node:

    Namespace Nodes- A namespace node N is ignored if the nearest
    ancestor element of the node's parent element that is in the node-set
    has a namespace node in the node-set with the same local name and
    value as N. Otherwise, process the namespace node N in the same way
    as an attribute node, except assign the local name xmlns to the
    default namespace node if it exists (in XPath, the default namespace
    node has an empty URI and local name).

You can find some more details in the xmlsec mailing list thread
    http://www.aleksey.com/pipermail/xmlsec/2003/000976.html


With best regards,

Aleksey Sanin

Received on Wednesday, 11 June 2003 14:45:49 UTC
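
Added example, not part of the original message and not xmlsec/libxml2 or Websphere code: a Python sketch of the default-namespace rule quoted above, applied to the two documents from the message. It assumes the whole document is in the node-set (so the nearest ancestor in the node-set is the parent); the names default_ns_rendering, SIGNED_NODE and WEBSPHERE_OUTPUT are hypothetical.

```python
import io
import xml.etree.ElementTree as ET

# Documents from the message, with inter-element whitespace removed.
SIGNED_NODE = (
    '<getGreeting xmlns="http://Sample8.wsdk.ibm.com">'
    '<in0 xmlns="">venky</in0>'
    '</getGreeting>'
)
WEBSPHERE_OUTPUT = (
    '<getGreeting xmlns="http://Sample8.wsdk.ibm.com">'
    '<in0>venky</in0>'
    '</getGreeting>'
)


def default_ns_rendering(xml_text):
    """For each element in document order, return (expanded name, decl).

    decl is the default-namespace declaration C14N 1.0 renders on that
    element, or None when the parent already has the same default namespace.
    Assumption: every node of the document is in the node-set.
    """
    results = []
    scope = [""]     # in-scope default namespace of each open element
    pending = None   # default namespace declared on the next element
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, ("start-ns", "start", "end")):
        if event == "start-ns":
            prefix, uri = payload
            if prefix == "":          # xmlns="..." (including xmlns="")
                pending = uri
        elif event == "start":
            current = scope[-1] if pending is None else pending
            # Render only when the value differs from the parent's.
            decl = None if current == scope[-1] else 'xmlns="%s"' % current
            results.append((payload.tag, decl))
            scope.append(current)
            pending = None
        else:                         # "end": leave this element's scope
            scope.pop()
    return results


if __name__ == "__main__":
    for name, doc in (("signed", SIGNED_NODE), ("websphere", WEBSPHERE_OUTPUT)):
        print(name, default_ns_rendering(doc))
```

For the signed node the rule yields xmlns="" on in0, whose expanded name has no namespace; re-parsing the Websphere output puts in0 into http://Sample8.wsdk.ibm.com, so the two canonical forms describe different elements and produce different digests.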