Re: [xml] C14N does not handle empty-namespace declarations as the implementation in Java

Am Sonntag, den 24.08.2008, 21:21 -0700 schrieb Aleksey Sanin:
Hi, Arne!

Sorry, but as I have replied in xmlsec mailing list, I believe
that libxml2 is doing the right thing here.


Hi Aleksey,
you might be perfectly right with adding one empty namespace.

But I think one thing is buggy non the less, in the c14n-specification
it says:

4.6 Superfluous Namespace Declarations
Unnecessary namespace declarations are not made in the canonical form.
Whether for an empty default namespace, a non-empty default namespace,
or a namespace prefix binding, the XML canonicalization method omits a
declaration if it determines that the immediate parent element in the
canonical form has an equivalent declaration in scope. The root document
element is handled specially since it has no parent element. All
namespace declarations in it are retained, except the declaration of an
empty default namespace is automatically omitted.

Thus, there should be at most one empty namespace declaration, because
an parent element has already defined the empty namespace declaration.
The same holds for the redefinition of "dsig" in the XPath element.


<dsig:SignedInfo xmlns="";
Algorithm=""/><dsig:Reference URI="">
count(ancestor-or-self::dsig:Signature  | here()/ancestor::dsig:Signature[1])
&gt;  count(ancestor-or-self::dsig:Signature)
<dsig:DigestMethod Algorithm=""/>

Actual results:
libxml2 canocalisation adds, because in SignedInfo
xmlns=""; is defined, loads of xmlns=""
declarations to all child nodes of SignedInfo and it does not remove the extra
namespace declaration in XPath (as it must accoriding to )

Expected results:
Java does not add the extra xmlns="" and removes the extra namespace
declaration in XPath. Because C14N is used for signing documents, all
implementations must behave the same, else the signatures cannot be verified.
So I expect libxml2 to behave as Java (and as it seems the rest of the world

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]