Re: [xml] C14N does not handle empty-namespace declarations as the implementation in Java

From: Arne Mueller <arne c mueller googlemail com>
To: Aleksey Sanin <aleksey aleksey com>
Cc: xml gnome org
Subject: Re: [xml] C14N does not handle empty-namespace declarations as the implementation in Java
Date: Tue, 26 Aug 2008 19:28:17 +0200

Am Sonntag, den 24.08.2008, 21:21 -0700 schrieb Aleksey Sanin:

Hi, Arne!

Sorry, but as I have replied in xmlsec mailing list, I believe
that libxml2 is doing the right thing here.

Aleksey


Hi Aleksey,
you might be perfectly right with adding one empty namespace.

But I think one thing is buggy non the less, in the c14n-specification
it says:

<quote>
4.6 Superfluous Namespace Declarations
Unnecessary namespace declarations are not made in the canonical form.
Whether for an empty default namespace, a non-empty default namespace,
or a namespace prefix binding, the XML canonicalization method omits a
declaration if it determines that the immediate parent element in the
canonical form has an equivalent declaration in scope. The root document
element is handled specially since it has no parent element. All
namespace declarations in it are retained, except the declaration of an
empty default namespace is automatically omitted.
</quote>

Thus, there should be at most one empty namespace declaration, because
an parent element has already defined the empty namespace declaration.
The same holds for the redefinition of "dsig" in the XPath element.

Arne


<dsig:SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#";
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";>
<dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<dsig:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116";><dsig:XPath
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";>
count(ancestor-or-self::dsig:Signature  | here()/ancestor::dsig:Signature[1])
&gt;  count(ancestor-or-self::dsig:Signature)
</dsig:XPath>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>nDF2V/bzRd0VE3EwShWtsBzTEDc=</dsig:DigestValue></dsig:Reference>
</dsig:SignedInfo>

Actual results:
libxml2 canocalisation adds, because in SignedInfo
xmlns="http://www.w3.org/2000/09/xmldsig#"; is defined, loads of xmlns=""
declarations to all child nodes of SignedInfo and it does not remove the extra
namespace declaration in XPath (as it must accoriding to
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#SuperfluousNSDecl )

Expected results:
Java does not add the extra xmlns="" and removes the extra namespace
declaration in XPath. Because C14N is used for signing documents, all
implementations must behave the same, else the signatures cannot be verified.
So I expect libxml2 to behave as Java (and as it seems the rest of the world
does)

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil

Follow-Ups:
- Re: [xml] C14N does not handle empty-namespace declarations as the implementation in Java
  - From: Aleksey Sanin

References:
- [xml] C14N does not handle empty-namespace declarations as the implementation in Java
  - From: Arne Mueller
- Re: [xml] C14N does not handle empty-namespace declarations as the implementation in Java
  - From: Aleksey Sanin

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]