SOAP Message Canonicalization (SM-C14N)

1. Introduction

SOAP 1.2 [SOAP Part1] intermediaries have some license when reserializing messages that pass through them. Current XML canonicalizations (see [XML C14N] and [EXCL C14N]) do not take into account the transforms that a SOAP intermediary can legally apply to messages passing through it. This note defines a canonicalization that serializes all semantically equivalent SOAP messages identically. This canonicalization is required prior to the generation of a message digest in producing XML digital signatures that are sufficiently robust to survive passage through one or more SOAP intermediaries.

An understanding of the Exclusive XML Canonicalization Recommendation [EXCL C14N] is required.

1.1 Notational Conventions

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].

This note uses a number of namespace prefixes throughout; they are listed in Table 1. Note that the choice of any namespace prefix is arbitrary and not semantically significant (see [XML InfoSet]).

Table 1: Prefixes and Namespaces used in this specification.
Prefix	Namespace	Notes
env	"http://www.w3.org/2002/06/soap-envelope"	A normative XML Schema [XML Schema Part1], [XML Schema Part2] document for the "http://www.w3.org/2002/06/soap-envelope" namespace can be found at http://www.w3.org/2002/06/soap-envelope.

Namespace names of the general form "http://example.org/..." and "http://example.com/..." represent application or context-dependent URIs (see [RFC 2396]).

All parts of this note are normative, with the exception of examples and sections explicitly marked as "Non-Normative".

2. The Need for SOAP Message Canonicalization

2.1 A Simple Example

As a simple of example of the kind of problem a SOAP intermediary can cause for an XML signature, consider the following SOAP message:

Example 1: SOAP message containing a SOAP header block and a SOAP body

<env:Envelope xmlns:env="http://www.w3.org/2002/06/soap-envelope">
 <env:Header>
  <n:alertcontrol env:mustUnderstand="false"
   xmlns:n="http://example.org/alertcontrol">
   <n:priority>1</n:priority>
   <n:expires>2001-06-22T14:00:00-05:00</n:expires>
  </n:alertcontrol>
 </env:Header>
 <env:Body>
  <m:alert xmlns:m="http://example.org/alert">
   <m:msg>Pick up Mary at school at 2pm</m:msg>
  </m:alert>
 </env:Body>
</env:Envelope>

A SOAP intermediary is at liberty to remove the env:mustUnderstand attribute from SOAP header blocks when its value is "false" or "0". If the message included a signature of the header block generated using XML Canonicalization [XML C14N] or Exclusive XML Canonicalization [EXCL C14N] then that signature would be invalidated if the intermediary removed the mustUnderstand attribute. There is therefore a requirement for a canonicalization that takes into account the variations that a SOAP intermediary can introduce. SOAP Message Canonicalization fulfils this requirement.

3. Specification of SOAP Message Canonicalization

SOAP Message Canonicalization is an extension of Exclusive XML Canonicalization [EXCL C14N]. The following processing is performed prior to applying the processing defined by [EXCL C14N]:

For child element information items of the SOAP Header element information item:
- If the SOAP mustUnderstand attribute information item is present with a value of "0" or "false" then remove the mustUnderstand attribute information item.
- If the SOAP mustUnderstand attribute information item is present with a value of "1" then change its value to "true".
- If the SOAP role attribute information item is present with a value of "http://www.w3.org/2002/06/soap-envelope/role/ ultimateReceiver" or "" then remove the role attribute information item.
- If the SOAP relay attribute information item is present with a value of "0" or "false" then remove the relay attribute information item.
- If the SOAP relay attribute information item is present with a value of "1" then change its value to "true".
Processing instruction information items that are children of the SOAP Envelope , Header , Fault , Code , Subcode , Value , Reason , Text , Node and Role element information items are removed.
Whitespace character information items that are children of the SOAP Envelope , Header , Fault , Code , Subcode , Value , Reason , Node and Role element information items are removed.

4. Use in XML Security

SOAP Message Canonicalization may be used as a Transform or CanonicalizationMethod algorithm in XML Digital Signature [XML DSig] and XML Encryption [XML Enc]. It is identified with one of the following URIs:

"http://www.w3.org/2002/11/sm-c14n"
"http://www.w3.org/2002/11/sm-c14n#WithComments"

Just as with [EXCL C14N] one may use the "#WithComments" parameter to include the serialization of XML comments. This algorithm also takes an optional explicit parameter of an empty InclusiveNamespaces element with a PrefixList attribute. The value of this attribute is the same as specified in [EXCL C14N].

5. References

5.1 Normative References

[SOAP Part1]: W3C Working Draft "SOAP Version 1.2 Part 1: Messaging Framework", Martin Gudgin, Marc Hadley, Jean-Jacques Moreau, Henrik Frystyk Nielsen, 26 June 2002. (See http://www.w3.org/TR/2002/WD-soap12-part1-20020626.)
[RFC 2119]: IETF "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels", S. Bradner, March 1997. (See http://www.ietf.org/rfc/rfc2119.txt.)
[RFC 2396]: IETF "RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax", T. Berners-Lee, R. Fielding, L. Masinter, August 1998. (See http://www.ietf.org/rfc/rfc2396.txt.)
[XML Schema Part1]: W3C Recommendation "XML Schema Part 1: Structures", Henry S. Thompson, David Beech, Murray Maloney, Noah Mendelsohn, 2 May 2001. (See http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/.)
[XML Schema Part2]: W3C Recommendation "XML Schema Part 2: Datatypes", Paul V. Biron, Ashok Malhotra, 2 May 2001. (See http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/.)
[Namespaces in XML]: W3C Recommendation "Namespaces in XML", Tim Bray, Dave Hollander, Andrew Layman, 14 January 1999. (See http://www.w3.org/TR/1999/REC-xml-names-19990114/.)
[XML 1.0]: W3C Recommendation "Extensible Markup Language (XML) 1.0 (Second Edition)", Tim Bray, Jean Paoli, C. M. Sperberg-McQueen, Eve Maler, 6 October 2000. (See http://www.w3.org/TR/2000/REC-xml-20001006.)
[XML InfoSet]: W3C Recommendation "XML Information Set", John Cowan, Richard Tobin, 24 October 2001. (See http://www.w3.org/TR/2001/REC-xml-infoset-20011024/.)
[XML C14N]: W3C Recommendation "Canonical XML", John Boyer, 15 March 2001. (See http://www.w3.org/TR/xml-c14n.)
[EXCL C14N]: W3C Recommendation "Exclusive Canonical XML", John Boyer, Donald Eastlake, Joseph Reagle, 18 July 2001. (See http://www.w3.org/TR/xml-exc-c14n/.)
[XML DSig]: IETF Draft Standard/W3C Recommendation "XML-Signature Syntax and Processing", D. Eastlake, J. Reagle, and D. Solo, August 2001. (See http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/.)
[XML Enc]: W3C Proposed Recommendation "XML Encryption Syntax and Processing", Takeshi Imamura, Blair Dillaway, Ed Simon, October 2002. (See http://www.w3.org/TR/xmlenc-core/.)

5.2 Informative References

[SOAP 1.1]: W3C Note "Simple Object Access Protocol (SOAP) 1.1", Don Box, David Ehnebuske, Gopal Kakivaya, Andrew Layman, Noah Mendelsohn, Henrik Nielsen, Satish Thatte, Dave Winer, 8 May 2000. (See http://www.w3.org/TR/SOAP/.)

SOAP Message Canonicalization (SM-C14N)

W3C Note 12 November 2002

Abstract

Status of this Document

Short Table of Contents

Table of Contents

Appendix