RE: Canonicalization, XAdES

Hi Thomas,

My comment is inline.

"So when there is no Transforms specified, there is actually no 
canonicalization needed?"

This is not necessarily true. Even if no transforms are specified, there
is implicit canonicalization that may occur if the input to the digest
algorithm is not already in octet form. To be clear, the XML Signature
Recommendation specifies the following (from section 4.3.3.2):


"If the data object is a node-set and the next transform requires
octets, the signature application MUST attempt to convert the node-set
to an octet stream using Canonical XML [XML-C14N]."


What this means is that if your reference is of the form: <Reference
URI="#foo"> with no specified explicit transforms, C14N MUST still be
applied, because the final digest operation doesn't understand the
concept of a 'node-set'. Digest algorithms only operate on octets. This
means that the conversion MUST occur. Said another way, dereferencing
"#foo" results in a node-set, and a digest algorithm can't handle this,
so it is converted to octets using C14N.

Hope this helps,

Blake Dournaee
Senior Security Architect
Sarvega, Inc.
http://www.sarvega.com/
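The following is an added worked example (not code from either message in this thread, nor from the IBM toolkit or Sarvega) showing the two points made above in running code: logically equivalent serializations of the same Object element digest differently until they are converted to canonical octets, and a trailing newline, such as the one `echo` appends in Thomas's pipeline, changes the digest. It assumes Python 3.8+ and uses the standard library canonicalizer, which implements Canonical XML 2.0; for a fragment this simple its output coincides with Canonical XML 1.0 (the [XML-C14N] default that the Recommendation text quoted above refers to). The sample strings are constructed for the example. It does not try to reproduce the DigestValue from the posting Thomas refers to, since the exact octets that signer canonicalized are not on this page.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Constructed samples (not the original document from the referenced posting):
# the Object element from the discussion, serialized three XML-equivalent ways.
SAMPLES = {
    "as_posted": '<Object xmlns="http://www.w3.org/2000/09/xmldsig#" Id="object">some text</Object>',
    "attrs_reordered_single_quotes": "<Object Id='object' xmlns='http://www.w3.org/2000/09/xmldsig#'>some text</Object>",
    "extra_tag_whitespace": '<Object xmlns="http://www.w3.org/2000/09/xmldsig#" Id="object"  >some text</Object >',
}


def canonical_octets(xml_text: str) -> bytes:
    """Convert a parsed element (a node-set, in XML Signature terms) into the
    octet stream a digest algorithm can consume.  The stdlib canonicalizer
    implements Canonical XML 2.0; for a fragment this simple (no comments,
    no inherited xml:* attributes, no prefix rewriting) the output is the same
    as Canonical XML 1.0.  No trailing newline is added."""
    return ET.canonicalize(xml_data=xml_text).encode("utf-8")


def digest_value(octets: bytes) -> str:
    """<ds:DigestValue> for SHA-1: base64 of the raw 20-byte digest."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def digest_as_typed(xml_text: str) -> str:
    """Digest of the bytes exactly as they appear in the source document."""
    return digest_value(xml_text.encode("utf-8"))


def digest_canonical(xml_text: str) -> str:
    """Digest after the implicit C14N step, i.e. what a Reference with no
    Transforms actually feeds into the digest algorithm."""
    return digest_value(canonical_octets(xml_text))


def digest_like_echo(xml_text: str) -> str:
    """What `echo '...' | openssl sha1 -binary | openssl base64` hashes: echo
    appends a newline, and that newline becomes part of the digested octets."""
    return digest_value((xml_text + "\n").encode("utf-8"))


def compare_serializations() -> dict:
    """Digest every sample both raw and canonicalized and summarize the result."""
    raw = {name: digest_as_typed(xml) for name, xml in SAMPLES.items()}
    canonical = {name: digest_canonical(xml) for name, xml in SAMPLES.items()}
    return {
        "raw_digests": raw,
        "canonical_digests": canonical,
        "raw_all_equal": len(set(raw.values())) == 1,
        "canonical_all_equal": len(set(canonical.values())) == 1,
        "canonical_form": canonical_octets(SAMPLES["as_posted"]).decode("utf-8"),
    }


if __name__ == "__main__":
    summary = compare_serializations()
    print("canonical form:", summary["canonical_form"])
    for name in SAMPLES:
        print(f"{name:30s} raw={summary['raw_digests'][name]}"
              f" c14n={summary['canonical_digests'][name]}")
    print("with echo's newline:", digest_like_echo(SAMPLES["as_posted"]))
    print("canonical, no newline:", digest_canonical(SAMPLES["as_posted"]))
```

Run it and the three raw digests differ while the three canonical digests agree; the digest of the text plus a newline differs from the canonical digest, which is the first thing to rule out when an `echo`-based check does not match a signature's DigestValue (`printf '%s'` writes the text without the newline).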


-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Thomas Braun
Sent: Wednesday, January 21, 2004 4:22 PM
To: Rich Salz
Cc: w3c-ietf-xmldsig@w3.org
Subject: Re: Canonicalization, XAdES


> Reading that message and the followup, it wasn't clear that the
> original poster was doing proper (or any) canonicalization.  For
> example, his Reference element didn't have a Transforms indicating
> c14n transformation.

So when there is no Transforms specified, there is actually no 
canonicalization needed?

> The difficult is that you cannot specify namespace prefixes on the
> commandline.  This might work
> 	//*[Id='object']

Unfortunately this doesn't work - it results in an empty document.
You can specify the namespace - here the two ways of using the command:
.....
Usage: SerializeSubset <XPath expression> < <XML instance>
Usage: SerializeSubset -xml '<foo xmlns:hoge="...">...XPath expression...</foo>' < <XML instance>
.....

> You have to c14n the XML before hashing it.

Isn't
<Object xmlns="http://www.w3.org/2000/09/xmldsig#" Id="object">some text</Object>
the proper canonicalized form? But as you say above, it's not certain that
it has to be canonicalized...?
It doesn't matter if I try
echo -e '<Object xmlns="http://www.w3.org/2000/09/xmldsig#" Id="object">some text</Object>' | openssl sha1 -binary | openssl base64
or
echo -e '<Object Id="object">some text</Object>' | openssl sha1 -binary | openssl base64
the result is never 7/XTsHaBSOnJ/jXD5v0zL6VKYsk=

Thanks


> > I want to explain my problems by means
> > of an example, which I have found in this mailing list:
> > http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2003OctDec/0014.html
> >
> > I want to canonicalize the same element from the same doc as the guy
> > in that posting.
>
> Reading that message and the followup, it wasn't clear that the
> original poster was doing proper (or any) canonicalization.  For
> example, his Reference element didn't have a Transforms indicating
> c14n transformation.
>
> > I'm using a sample-prog of the IBM XML-Security Suite
> > (http://www.trl.ibm.com/projects/xml/xss4j/docs/c14n.html) to
> > canonicalize a subset of an xml-doc. The command is:
> > "... xpath-expression < example.xml > canonicalized.xml"
> > Unfortunately, I can't figure out the proper xpath-expression to
> > obtain the desired result (which means in this case "<Object
> > xmlns="http://www.w3.org/2000/09/xmldsig#" Id="object">some
> > text</Object>"). Could someone reveal the expression for this
> > example to me?
>
> The difficulty is that you cannot specify namespace prefixes on the
> commandline.  This might work
> 	//*[Id='object']
>
> > If I didn't misunderstand it, on the above mentioned desired result
> > the hash and base64 should be performed. I try to do that with an
> > openssl-command: echo -e '<Object xmlns= ... ' | openssl sha1
> > -binary | openssl base64 ...but the result differs from the right
> > one given in the posting. So what's still wrong here?
>
> You have to c14n the XML before hashing it.
>
> Sorry, but I can't help you with your XAdES questions.
>
> 	/r$

Received on Wednesday, 21 January 2004 20:02:47 UTC