- From: Hiroshi Maruyama <MARUYAMA@jp.ibm.com>
- Date: Tue, 16 May 2000 14:49:58 +0900
- To: w3c-ietf-xmldsig@w3.org
- cc: "Kento Tamura" <TKENT@jp.ibm.com>
In http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/1999JulSep/0065.html,
I pointed out a potential interoperability problem in the different
interpretations of the C14N specification.

> There is an extra #xA (newline) in the definition of 'canonXML'.
> We may need to be clear if we will include this newline character
> in the hash calculation or not. See the proposed C14N syntax below.
>
>   [1]  canonXML   ::= (PI #xA)* element #xA (PI #xA)*
>   [2]  element    ::= Stag (Datachar | element | PI)* Etag
>   [3]  Stag       ::= '<' Name NSDecl? (Att NSDecl?)* '>'
>   [4]  Etag       ::= '</' Name '>'
>   [5]  NSDecl     ::= #x20 'xmlns:' Prefix '=' '"' Attvalchar* '"'
>   [6]  Att        ::= #x20 Name '=' '"' Attvalchar* '"'
>   [7]  Datachar   ::= '&amp;' | '&lt;' | '&gt;' | '&#xD;'
>                       | (Char - ('&' | '<' | '>' | #xD ))
>   [8]  Attvalchar ::= '&amp;' | '&lt;' | '&quot;' | '&#x9;' | '&#xA;' | '&#xD;'
>                       | (Char - ('&' | '<' | '"' | #x9 | #xA | #xD))
>   [9]  Name       ::= (Prefix ':')? NCName
>   [10] Prefix     ::= 'n' [1-9] [0-9]*
>   [11] PI         ::= '<?' PITarget (#x20 (Char+ - (Char* '?>' Char*)))? '?>'
>   [12] PITarget   ::= NCName - (('X' | 'x') ('M' | 'm') ('L' | 'l'))

Our current implementation in XML Security Suite
(http://www.alphaworks.ibm.com/tech/xmlsecuritysuite) applies 'element' to
canonicalize elements (i.e., 'SignedInfo') and 'canonXML' otherwise. Since
the C14N draft does not clearly say anything about canonicalization of an XML
fragment, I think we need to make it clear in the DSig specification which
production is to be applied.

One thing that is worth mentioning is that when C14N is specified in a
'Transform' element, its input is always considered as an octet stream
(according to the first paragraph of 6.6). It is thus subject to XML parsing,
which yields a document information item (not element), and is canonicalized
with a trailing #xA. In other words, only 'SignedInfo' is canonicalized using
the production labeled 'element', while all the other canonicalizations (i.e.,
canonicalizations specified in 'Transform' elements) use 'canonXML'.

Accordingly, I would suggest adding something like the following in
Section 6.5.2.

    When applying Canonical XML to an element, such as
    <code>SignedInfo</code>, the canonicalized form MUST match the
    production labeled
    <a href="http://www.w3.org/TR/xml-c14n#NT-element"> element</a>
    in the Canonical XML specification. When applying Canonical XML to a
    document, the canonicalized form MUST match the production labeled
    <a href="http://www.w3.org/TR/xml-c14n#NT-canonXML"> canonXML</a>
    in the Canonical XML specification. Note that canonicalization
    specified in <code>Transform</code> must always use canonXML because
    its input is an octet stream (not an information item) and thus
    subject to XML parsing.

--
Hiroshi Maruyama
Manager, Internet & Language Technology,
Tokyo Research Laboratory
+81-46-215-4576 (Note it has been changed!)
maruyama@jp.ibm.com
Received on Tuesday, 16 May 2000 01:50:27 UTC
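
Added example (not part of the original message and not code from XML Security Suite): a simplified Python serializer for productions [1]-[4] and [6]-[8] above, showing that the same input yields different digests depending on whether 'element' or 'canonXML' is applied. Assumptions: no namespaces or PIs, attributes emitted in sorted order, SHA-256 as the hash, and a constructed sample input; the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Escapes from productions [7] Datachar and [8] Attvalchar.
DATACHAR = {"&": "&amp;", "<": "&lt;", ">": "&gt;", "\r": "&#xD;"}
ATTVALCHAR = {"&": "&amp;", "<": "&lt;", '"': "&quot;",
              "\t": "&#x9;", "\n": "&#xA;", "\r": "&#xD;"}

def _esc(text, table):
    """Replace each character that has an escape in the given table."""
    return "".join(table.get(ch, ch) for ch in text or "")

def canon_element(el):
    """Serialize per production [2] 'element': no trailing #xA."""
    # Assumption: attributes are emitted in sorted order.
    atts = "".join(f' {k}="{_esc(v, ATTVALCHAR)}"'
                   for k, v in sorted(el.attrib.items()))
    body = _esc(el.text, DATACHAR)
    for child in el:
        body += canon_element(child) + _esc(child.tail, DATACHAR)
    return f"<{el.tag}{atts}>{body}</{el.tag}>"

def canon_fragment(octets):
    """Canonicalize the root element only (the 'SignedInfo' case)."""
    return canon_element(ET.fromstring(octets))

def canon_xml(octets):
    """Production [1] 'canonXML' with no PIs: element followed by #xA."""
    return canon_fragment(octets) + "\n"

def digests(octets):
    """Digest of the same input under each production."""
    h = lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest()
    return {"element": h(canon_fragment(octets)),
            "canonXML": h(canon_xml(octets))}

# Constructed sample input, not taken from the message above.
SAMPLE = b"<SignedInfo  ><Ref URI='a&amp;b'>x &lt; y</Ref></SignedInfo>"

if __name__ == "__main__":
    for production, value in digests(SAMPLE).items():
        print(f"{production:9} {value}")
```

A signer and a verifier that pick different productions for the same input compute different digests, so validation fails even though the content is unchanged.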