- From: Aleksey Sanin <aleksey@aleksey.com>
- Date: Wed, 11 Jun 2003 11:45:39 -0700
- To: w3c-ietf-xmldsig@w3.org
- Cc: venky@arvasoft.com
- Message-ID: <3EE778D3.20606@aleksey.com>
Hi, All!
One of the XML Security Library users noticed a problem with the C14N
implementation in IBM Websphere. It might be interesting for people here,
and I also hope that someone from IBM is still reading this mailing list
and can respond to this. And sorry for the spam to everyone else :(
The problem occurs in the case when you have an empty namespace.
Websphere drops the empty namespace declaration for C14N while
xmlsec/libxml2 doesn't. For example, given that the following node is what
you are signing (notice the namespace for <in0> is an empty string):
<getGreeting xmlns="http://Sample8.wsdk.ibm.com">
<in0 xmlns="">venky</in0>
</getGreeting>
Here is what Websphere's c14n outputs:
<getGreeting xmlns="http://Sample8.wsdk.ibm.com">
<in0>venky</in0>
</getGreeting>
While xmlsec/libxml2 outputs:
<getGreeting xmlns="http://Sample8.wsdk.ibm.com">
<in0 xmlns="">venky</in0>
</getGreeting>
The Websphere output seems wrong to me because it changes the namespace
for the <in0> node. The spec
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#ProcessingModel
is clear that xmlns="" should be rendered in <in0> in this case because
there is a different default namespace declared in the parent of this node:
Namespace Nodes - A namespace node N is ignored if the nearest
ancestor element of the node's parent element that is in the node-set
has a namespace node in the node-set with the same local name and
value as N. Otherwise, process the namespace node N in the same way
as an attribute node, except assign the local name xmlns to the default
namespace node if it exists (in XPath, the default namespace node has
an empty URI and local name).
You can find some more details in the xmlsec mailing list thread
http://www.aleksey.com/pipermail/xmlsec/2003/000976.html
With best regards,
Aleksey Sanin
Received on Wednesday, 11 June 2003 14:45:49 UTC
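The difference described in the message above, as an added example that is not part of the original post or of either library's code: it shows that the two quoted outputs parse to different element names, applies the quoted namespace-node rule to the default namespace only (whole document in the node-set), and compares digests. The function names and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

NS = "http://Sample8.wsdk.ibm.com"
# The two outputs quoted in the message, embedded as sample input.
KEPT = b'<getGreeting xmlns="http://Sample8.wsdk.ibm.com">\n<in0 xmlns="">venky</in0>\n</getGreeting>'
DROPPED = b'<getGreeting xmlns="http://Sample8.wsdk.ibm.com">\n<in0>venky</in0>\n</getGreeting>'


def expanded_names(doc):
    """(namespace URI, local name) of every element, in document order."""
    names = []
    for el in ET.fromstring(doc).iter():
        uri, _, local = el.tag.rpartition("}")
        names.append((uri[1:], local))
    return names


def default_ns_rendering(doc):
    """For each element, the default-namespace declaration C14N must emit, or None."""
    in_scope = [""]   # default namespace per open element; "" means none
    declared = None   # xmlns=... seen on the element about to start
    rendered = []
    events = ET.iterparse(io.BytesIO(doc), events=("start-ns", "start", "end"))
    for event, data in events:
        if event == "start-ns":
            prefix, uri = data
            if prefix == "":
                declared = uri
        elif event == "start":
            inherited = in_scope[-1]
            current = inherited if declared is None else declared
            declared = None
            # Ignored when the parent carries the same value; otherwise written,
            # which includes xmlns="" under a parent with a non-empty default.
            decl = None if current == inherited else 'xmlns="%s"' % current
            rendered.append((data.tag.rpartition("}")[2], decl))
            in_scope.append(current)
        else:
            in_scope.pop()
    return rendered


def digest(doc):
    return hashlib.sha256(doc).hexdigest()


if __name__ == "__main__":
    for label, doc in (("kept", KEPT), ("dropped", DROPPED)):
        print(label, expanded_names(doc), default_ns_rendering(doc), digest(doc)[:16])
```

A verifier that canonicalizes the signed node with xmlns="" kept will compute a different digest from a signer that dropped it, so the signature fails to validate even though nobody altered the message.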