Am Sonntag, den 24.08.2008, 21:21 -0700 schrieb Aleksey Sanin:
Hi, Arne! Sorry, but as I have replied in xmlsec mailing list, I believe that libxml2 is doing the right thing here. Aleksey
Hi Aleksey, you might be perfectly right with adding one empty namespace. But I think one thing is buggy non the less, in the c14n-specification it says: <quote> 4.6 Superfluous Namespace Declarations Unnecessary namespace declarations are not made in the canonical form. Whether for an empty default namespace, a non-empty default namespace, or a namespace prefix binding, the XML canonicalization method omits a declaration if it determines that the immediate parent element in the canonical form has an equivalent declaration in scope. The root document element is handled specially since it has no parent element. All namespace declarations in it are retained, except the declaration of an empty default namespace is automatically omitted. </quote> Thus, there should be at most one empty namespace declaration, because an parent element has already defined the empty namespace declaration. The same holds for the redefinition of "dsig" in the XPath element. Arne
<dsig:SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI=""> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"><dsig:XPath xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> count(ancestor-or-self::dsig:Signature | here()/ancestor::dsig:Signature[1]) > count(ancestor-or-self::dsig:Signature) </dsig:XPath> </dsig:Transform> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <dsig:DigestValue>nDF2V/bzRd0VE3EwShWtsBzTEDc=</dsig:DigestValue></dsig:Reference> </dsig:SignedInfo> Actual results: libxml2 canocalisation adds, because in SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#" is defined, loads of xmlns="" declarations to all child nodes of SignedInfo and it does not remove the extra namespace declaration in XPath (as it must accoriding to http://www.w3.org/TR/2001/REC-xml-c14n-20010315#SuperfluousNSDecl ) Expected results: Java does not add the extra xmlns="" and removes the extra namespace declaration in XPath. Because C14N is used for signing documents, all implementations must behave the same, else the signatures cannot be verified. So I expect libxml2 to behave as Java (and as it seems the rest of the world does)
Attachment:
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil