SOAP Message Canonicalization (SM-C14N)

1. Introduction

SOAP 1.2 [SOAP Part1] intermediaries have some license when reserializing messages that pass through them. Current XML canonicalizations (see [XML C14N] and [EXCL C14N]) do not take into account the transforms that a SOAP intermediary can legally apply to messages passing through it. This note defines a transformation that renders all semantically equivalent SOAP messages identically. This transformation may be used in conjunction with an XML canonicalization algorithm prior to the generation of a message digest in producing XML digital signatures that are sufficiently robust to survive passage through one or more SOAP intermediaries.

1.1 Notational Conventions

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].

This note uses a number of namespace prefixes throughout; they are listed in Table 1. Note that the choice of any namespace prefix is arbitrary and not semantically significant (see [XML InfoSet]).

Table 1: Prefixes and Namespaces used in this specification.
Prefix	Namespace	Notes
env	"http://www.w3.org/2002/06/soap-envelope"	A normative XML Schema [XML Schema Part1], [XML Schema Part2] document for the "http://www.w3.org/2002/06/soap-envelope" namespace can be found at http://www.w3.org/2002/06/soap-envelope.

Namespace names of the general form "http://example.org/..." and "http://example.com/..." represent application or context-dependent URIs (see [RFC 2396]).

All parts of this note are normative, with the exception of examples and sections explicitly marked as "Non-Normative".

2. The Need for SOAP Message Canonicalization

2.1 A Simple Example

As a simple example of the kind of problem a SOAP intermediary can cause for an XML signature, consider the following SOAP message:

Example 1: SOAP message containing a SOAP header block and a SOAP body

<env:Envelope xmlns:env="http://www.w3.org/2002/06/soap-envelope">
 <env:Header>
  <n:alertcontrol env:mustUnderstand="false"
   xmlns:n="http://example.org/alertcontrol">
   <n:priority>1</n:priority>
   <n:expires>2001-06-22T14:00:00-05:00</n:expires>
  </n:alertcontrol>
 </env:Header>
 <env:Body>
  <m:alert xmlns:m="http://example.org/alert">
   <m:msg>Pick up Mary at school at 2pm</m:msg>
  </m:alert>
 </env:Body>
</env:Envelope>

A SOAP intermediary is at liberty to remove the env:mustUnderstand attribute from SOAP header blocks when its value is "false" or "0". If the message included a signature of the header block generated using XML Canonicalization [XML C14N] or Exclusive XML Canonicalization [EXCL C14N] then that signature would be invalidated if the intermediary removed the mustUnderstand attribute. There is therefore a requirement for a transformation that takes into account the variations that a SOAP intermediary can introduce. SOAP Message Canonicalization fulfils this requirement.

3. Specification of SOAP Message Canonicalization

SOAP Message Canonicalization is specified as an XML infoset transformation and consists of the following steps:

For child element information items of the SOAP Header element information item:
- If the SOAP mustUnderstand attribute information item is present with a value of "0" or "false" then remove the mustUnderstand attribute information item.
- If the SOAP mustUnderstand attribute information item is present with a value of "1" then change its value to "true".
- If the SOAP role attribute information item is present with a value of "http://www.w3.org/2002/06/soap-envelope/role/ ultimateReceiver" or "" then remove the role attribute information item.
- If the SOAP relay attribute information item is present with a value of "0" or "false" then remove the relay attribute information item.
- If the SOAP relay attribute information item is present with a value of "1" then change its value to "true".
Processing instruction information items that are children of the SOAP Envelope , Header , Fault , Code , Subcode , Value , Reason , Text , Node and Role element information items are removed.
Whitespace character information items that are children of the SOAP Envelope , Header , Fault , Code , Subcode , Value , Reason , Node and Role element information items are removed.

4. Use in XML Security

SOAP Message Canonicalization may be used as a Transform algorithm in XML Digital Signature [XML DSig] and XML Encryption [XML Enc]. It may be used in conjunction with other Transform algorithms and with a CanonicalizationMethod including XML Canonicalization [XML C14N] and Exclusive XML Canonicalization [EXCL C14N]. SOAP Message Canonicalization is identified with the following URI:

"http://www.w3.org/2002/11/sm-c14n"

5. References

5.1 Normative References

[SOAP Part1]: W3C Working Draft "SOAP Version 1.2 Part 1: Messaging Framework", Martin Gudgin, Marc Hadley, Jean-Jacques Moreau, Henrik Frystyk Nielsen, 26 June 2002. (See http://www.w3.org/TR/2002/WD-soap12-part1-20020626.)
[RFC 2119]: IETF "RFC 2119: Key words for use in RFCs to Indicate Requirement Levels", S. Bradner, March 1997. (See http://www.ietf.org/rfc/rfc2119.txt.)
[RFC 2396]: IETF "RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax", T. Berners-Lee, R. Fielding, L. Masinter, August 1998. (See http://www.ietf.org/rfc/rfc2396.txt.)
[XML Schema Part1]: W3C Recommendation "XML Schema Part 1: Structures", Henry S. Thompson, David Beech, Murray Maloney, Noah Mendelsohn, 2 May 2001. (See http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/.)
[XML Schema Part2]: W3C Recommendation "XML Schema Part 2: Datatypes", Paul V. Biron, Ashok Malhotra, 2 May 2001. (See http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/.)
[Namespaces in XML]: W3C Recommendation "Namespaces in XML", Tim Bray, Dave Hollander, Andrew Layman, 14 January 1999. (See http://www.w3.org/TR/1999/REC-xml-names-19990114/.)
[XML 1.0]: W3C Recommendation "Extensible Markup Language (XML) 1.0 (Second Edition)", Tim Bray, Jean Paoli, C. M. Sperberg-McQueen, Eve Maler, 6 October 2000. (See http://www.w3.org/TR/2000/REC-xml-20001006.)
[XML InfoSet]: W3C Recommendation "XML Information Set", John Cowan, Richard Tobin, 24 October 2001. (See http://www.w3.org/TR/2001/REC-xml-infoset-20011024/.)
[XML C14N]: W3C Recommendation "Canonical XML", John Boyer, 15 March 2001. (See http://www.w3.org/TR/xml-c14n.)
[EXCL C14N]: W3C Recommendation "Exclusive Canonical XML", John Boyer, Donald Eastlake, Joseph Reagle, 18 July 2001. (See http://www.w3.org/TR/xml-exc-c14n/.)
[XML DSig]: IETF Draft Standard/W3C Recommendation "XML-Signature Syntax and Processing", D. Eastlake, J. Reagle, and D. Solo, August 2001. (See http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/.)
[XML Enc]: W3C Proposed Recommendation "XML Encryption Syntax and Processing", Takeshi Imamura, Blair Dillaway, Ed Simon, October 2002. (See http://www.w3.org/TR/xmlenc-core/.)

5.2 Informative References

[SOAP 1.1]: W3C Note "Simple Object Access Protocol (SOAP) 1.1", Don Box, David Ehnebuske, Gopal Kakivaya, Andrew Layman, Noah Mendelsohn, Henrik Nielsen, Satish Thatte, Dave Winer, 8 May 2000. (See http://www.w3.org/TR/SOAP/.)

SOAP Message Canonicalization (SM-C14N)

W3C Note 15 January 2003

Abstract

Status of this Document

Table of Contents

Appendices