[xml] C14N does not handle empty-namespace declarations as the implementation in Java


I've filed the following bug-report, but Daniel Veillard told me, that
it'll be best to post on the mailing list and check with Aleksey. So
this is what I'll do now ;)

So here's my bugreport:

Please describe the problem:
The Problem is the following section of the C14N Recommondation:

4.7 Propagation of Default Namespace Declaration in Document Subsets
The XPath data model represents an empty default namespace with the absence of
a node, not with the presence of a default namespace node having an empty
value. Thus, with respect to the fact that element e3 in the following examples
is not namespace qualified, we cannot tell the difference between <e1
xmlns="a:b"><e2 xmlns=""><e3/></e2></e1> versus <e1 xmlns="a:b"><e2><e3
xmlns=""/></e2></e1>. All we know is that e3 was not namespace qualified on
input, so we preserve this information on output if e2 is omitted so that e3
does not take on the default namespace qualification of e1. 

The implementation of C14n in libxml2 does not seem to do have the same
behavior, as the implementation of Sun (for Java) or IBM (see
http://www.aleksey.com/pipermail/xmlsec/2003/000976.html ), thus I do not
think, this will change in the future.

I'm actually not quite sure, what is meant by that part of the specification,
so it might be quite possible, that Sun and IBM are correct, but libxml2 is

Steps to reproduce:
Try to canocalize the following XML-Document (I have reduced it to the
essential part):

<dsig:SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#";
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="">
count(ancestor-or-self::dsig:Signature  | here()/ancestor::dsig:Signature[1])
&gt;  count(ancestor-or-self::dsig:Signature)
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

Actual results:
libxml2 canocalisation adds, because in SignedInfo
xmlns="http://www.w3.org/2000/09/xmldsig#"; is defined, loads of xmlns=""
declarations to all child nodes of SignedInfo and it does not remove the extra
namespace declaration in XPath (as it must accoriding to
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#SuperfluousNSDecl )

Expected results:
Java does not add the extra xmlns="" and removes the extra namespace
declaration in XPath. Because C14N is used for signing documents, all
implementations must behave the same, else the signatures cannot be verified.
So I expect libxml2 to behave as Java (and as it seems the rest of the world

Does this happen every time?
I only have tested it with this example (or slight modifications), but I
checked the code and it should not behave very differently in other cases.


PS: I already wrote a fix that seems to work for me, but I'm not quite sure, if it's really correct.
I think I actually only had one example case with that special problem to test it against.

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]