- Submitted URL: https://www.aleksey.com/pipermail/xmlsec/2012/009463.html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head>
<title> [xmlsec] XML Sig verification failure due to Windows .NET c14n and libxml2 c14n difference
</title>
<link rel="Index" href="index.html">
<link rel="made" href="mailto:xmlsec%40aleksey.com?Subject=Re%3A%20%5Bxmlsec%5D%20XML%20Sig%20verification%20failure%20due%20to%20Windows%20.NET%20c14n%0A%20and%20libxml2%20c14n%20difference&In-Reply-To=%3C50076E20.6090202%40aleksey.com%3E">
<meta name="robots" content="index,nofollow">
<style type="text/css">
pre {
white-space: pre-wrap; /* css-2.1, current FF, Opera, Safari */
}
</style>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<link rel="Previous" href="009462.html">
<link rel="Next" href="009464.html">
</head>
<body bgcolor="#ffffff">
<h1>[xmlsec] XML Sig verification failure due to Windows .NET c14n and libxml2 c14n difference</h1>
<b>Aleksey Sanin</b>
<a href="mailto:xmlsec%40aleksey.com?Subject=Re%3A%20%5Bxmlsec%5D%20XML%20Sig%20verification%20failure%20due%20to%20Windows%20.NET%20c14n%0A%20and%20libxml2%20c14n%20difference&In-Reply-To=%3C50076E20.6090202%40aleksey.com%3E" title="[xmlsec] XML Sig verification failure due to Windows .NET c14n and libxml2 c14n difference">aleksey at aleksey.com
</a><br>
<i>Wed Jul 18 19:17:04 PDT 2012</i>
<p></p><ul>
<li>Previous message: <a href="009462.html">[xmlsec] problem with raw-x509-cert
</a></li>
<li>Next message: <a href="009464.html">[xmlsec] XML Sig verification failure due to Windows .NET c14n and libxml2 c14n difference
</a></li>
<li> <b>Messages sorted by:</b>
<a href="date.html#9463">[ date ]</a>
<a href="thread.html#9463">[ thread ]</a>
<a href="subject.html#9463">[ subject ]</a>
<a href="author.html#9463">[ author ]</a>
</li>
</ul>
<hr>
<!--beginarticle-->
<pre>Well, since I wrote c14n code for libxml2 I can tell you that
this code is doing the right thing :) This is actually a known
bug that was discovered 10 years ago or so. .NET implementation
doesn't follow the spec but they refuse to change it since it
might break backward compatibility with old broken versions.
Anyway, I might suggest that you use c14n 1.1 spec if you can.
I believe it was implemented correctly in .NET.
Aleksey
On 7/18/12 6:50 PM, Tom Wood wrote:
><i> Aleksey,
</i>><i> I have been extensively using XML Signatures in a project over the
</i>><i> past few months and have encountered what I believe is a significant
</i>><i> cross platform problem. Fortunately, I have fully characterized the
</i>><i> issue and can even resolve it (through a hack though, not pretty). But
</i>><i> the reasons for the problem are troubling and I think you would be
</i>><i> interested. I am hoping you can shed light on this issue or at least
</i>><i> point me to someone who can.
</i>><i>
</i>><i> Note that I have been working a lot with XMLSec and have compiled it from
</i>><i> source code and have a good working knowledge of the package and
</i>><i> interface and have even added some debugging source code along the way.
</i>><i> The problem occurs with XML files signed in Windows .NET systems (as well
</i>><i> as with at least one Java based system).
</i>><i>
</i>><i> -------------------------------
</i>><i> I have diagnosed a problem wherein an XML signature produced on a Windows
</i>><i> .NET system could not be verified using XMLSec (both on Linux and Windows).
</i>><i> The reverse also occurs, where the same XML signed under XMLSec fails to
</i>><i> verify on the Windows .NET system. The actual issue lies with C14N, and
</i>><i> thus technically, on the Linux side, involved libXML2, not XMLSec. But I
</i>><i> think you will be interested. I appreciate your taking some time to read
</i>><i> through this.
</i>><i>
</i>><i>
</i>><i> The root of the problem is actually very simple and only occurs when
</i>><i> the Signature CanonicalizationMethod is Inclusive C14N
</i>><i> (<a href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>).
</i>><i>
</i>><i>
</i>><i> Here is the relevant part of an example <Signature> block.
</i>><i>
</i>><i> <Signature:Signature xmlns="<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>"
</i>><i> xmlns:xsd="<a href="http://www.w3.org/2001/XMLSchema">http://www.w3.org/2001/XMLSchema</a>"
</i>><i> xmlns:Signature="<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>">
</i>><i> <SignedInfo>
</i>><i> <CanonicalizationMethod
</i>><i> Algorithm="<a href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"/>
</i>><i> <SignatureMethod
</i>><i> Algorithm="<a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</a>"/>
</i>><i> <Reference URI="">
</i>><i> <Transforms><Transform
</i>><i> Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"/></Transforms>
</i>><i> <DigestMethod Algorithm="<a href="http://www.w3.org/2001/04/xmlenc#sha256">http://www.w3.org/2001/04/xmlenc#sha256</a>"/>
</i>><i> <DigestValue>PtRfa3EJKTr6yeeuokpGu4KvHnGPAcd1YqhZtts+qOs=</DigestValue>
</i>><i> </Reference>
</i>><i> </SignedInfo>
</i>><i> ...
</i>><i> ...
</i>><i>
</i>><i> Under Windows .NET C14N transformation, the <SignedInfo> node is
</i>><i> canonicalized to:
</i>><i>
</i>><i> <SignedInfo xmlns="<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>">
</i>><i> <CanonicalizationMethod
</i>><i> Algorithm="<a href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"></CanonicalizationMethod>
</i>><i> <SignatureMethod
</i>><i> Algorithm="<a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</a>"></SignatureMethod>
</i>><i> <Reference URI="">
</i>><i> <Transforms><Transform
</i>><i> Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"></Transform></Transforms>
</i>><i> <DigestMethod
</i>><i> Algorithm="<a href="http://www.w3.org/2001/04/xmlenc#sha256">http://www.w3.org/2001/04/xmlenc#sha256</a>"></DigestMethod>
</i>><i> <DigestValue>PtRfa3EJKTr6yeeuokpGu4KvHnGPAcd1YqhZtts+qOs=</DigestValue>
</i>><i> </Reference>
</i>><i> </SignedInfo>
</i>><i>
</i>><i> Under XMLSec (using libXML2 underneath) C14N, the <SignedInfo> node is
</i>><i> canonicalized to:
</i>><i>
</i>><i> <SignedInfo xmlns="<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>"
</i>><i> xmlns:Signature="<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>"
</i>><i> xmlns:xsd="<a href="http://www.w3.org/2001/XMLSchema">http://www.w3.org/2001/XMLSchema</a>">
</i>><i> <CanonicalizationMethod
</i>><i> Algorithm="<a href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"></CanonicalizationMethod>
</i>><i> <SignatureMethod
</i>><i> Algorithm="<a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</a>"></SignatureMethod>
</i>><i> <Reference URI="">
</i>><i> <Transforms><Transform
</i>><i> Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"></Transform></Transforms>
</i>><i> <DigestMethod
</i>><i> Algorithm="<a href="http://www.w3.org/2001/04/xmlenc#sha256">http://www.w3.org/2001/04/xmlenc#sha256</a>"></DigestMethod>
</i>><i> <DigestValue>PtRfa3EJKTr6yeeuokpGu4KvHnGPAcd1YqhZtts+qOs=</DigestValue>
</i>><i> </Reference>
</i>><i> </SignedInfo>
</i>><i>
</i>><i> The difference between the xmlns attrs in <SignedInfo> of course ruins
</i>><i> Signature portability across these systems.
</i>><i>
</i>><i> It is interesting and useful to point out that if Exclusive C14N is
</i>><i> used, both systems canonicalize to the same <SignedInfo>. It is simply
</i>><i> set to <SignedInfo
</i>><i> xmlns="<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>"> and
</i>><i> so no problem occurs with cross platform verification.
</i>><i>
</i>><i> Note that a hacked XMLSec can verify a signature from the Windows system
</i>><i> if in midstream it substitutes the Exclusive C14N transform instead of
</i>><i> using the requested Inclusive C14N (from the XML Signature). I know this
</i>><i> because I hacked a copy of XMLSec to force use of Exclusive C14N and
</i>><i> suddenly XML signatures from a Windows .NET system verified. So the
</i>><i> problem is strictly caused by the difference in SignedInfo node
</i>><i> Canonicalization.
</i>><i>
</i>><i> Can you or anyone you know tell me which code/system is correctly
</i>><i> applying the inclusive C14N algorithm, Windows .NET or libXML2?
</i>><i> From my careful reading of the W3C Canonical XML spec, I think the
</i>><i> result should match the libXML2 result, wherein all namespace attributes
</i>><i> from <Signature> should be propagated into <SignedInfo>, as in
</i>><i> <SignedInfo xmlns="<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>"
</i>><i> xmlns:Signature="<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>"
</i>><i> xmlns:xsd="<a href="http://www.w3.org/2001/XMLSchema">http://www.w3.org/2001/XMLSchema</a>">
</i>><i> This is what libXML2 code produces.
</i>><i>
</i>><i> Have you or anyone you know encountered this issue?
</i>><i>
</i>><i> It quite surprises me that I would be the first who has encountered
</i>><i> this problem. As I am sure you can appreciate, this is a serious issue
</i>><i> as cross platform verification is required.
</i>><i>
</i>><i> Thanks in advance,
</i>><i> Tom Wood
</i>><i> <a href="http://www.aleksey.com/mailman/listinfo/xmlsec">wood at xmission.com</a>
</i>><i>
</i>
</pre>
<!--endarticle-->
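<p>The namespace-axis rule the two canonical forms above disagree on, as an added example that is not code from the thread, libxml2, xmlsec or .NET: a hand-built tree stands in for a parsed document, and <code>Elem</code>, <code>in_scope_namespaces</code> and <code>c14n_namespace_attrs</code> are constructed names. Run on the thread's <code>&lt;Signature:Signature&gt;</code>/<code>&lt;SignedInfo&gt;</code> sample, the inclusive path reproduces the libXML2 start tag and the exclusive path the single-<code>xmlns</code> form both systems agree on.</p>

```python
# Added illustration (not libxml2, xmlsec or .NET code) of the C14N namespace rule
# behind the thread above; Elem and every other name here is constructed for it.

DSIG = "http://www.w3.org/2000/09/xmldsig#"
XSD = "http://www.w3.org/2001/XMLSchema"

class Elem:
    """Element: local name, own prefix ("" = default ns), xmlns decls it carries."""
    def __init__(self, name, prefix="", ns_decls=None, children=()):
        self.name, self.prefix = name, prefix
        self.ns_decls = dict(ns_decls or {})   # prefix -> URI declared on this element
        self.children, self.parent = list(children), None
        for child in self.children:
            child.parent = self

def in_scope_namespaces(elem):
    """Every namespace in scope at elem; nearer declarations override outer ones."""
    chain, node = [], elem
    while node is not None:
        chain.append(node)
        node = node.parent
    scope = {}
    for node in reversed(chain):               # walk root -> elem
        scope.update(node.ns_decls)
    return scope

def c14n_namespace_attrs(elem, exclusive):
    """xmlns attrs rendered on elem as apex of the canonicalized subset (the
    <SignedInfo> case): Inclusive C14N 1.0 emits every in-scope namespace node,
    Exclusive C14N only visibly utilized ones (here just the element's prefix)."""
    scope = in_scope_namespaces(elem)
    if exclusive:
        scope = {p: uri for p, uri in scope.items() if p == elem.prefix}
    rendered = []
    for prefix in sorted(scope, key=lambda p: (p != "", p)):   # default ns sorts first
        attr = "xmlns" if prefix == "" else "xmlns:" + prefix
        rendered.append('%s="%s"' % (attr, scope[prefix]))
    return rendered

# Constructed tree mirroring the thread's example: <Signature:Signature> declares
# the default, xsd and Signature namespaces; <SignedInfo> declares none itself.
signed_info = Elem("SignedInfo")
signature = Elem("Signature", prefix="Signature",
                 ns_decls={"": DSIG, "xsd": XSD, "Signature": DSIG},
                 children=[signed_info])

if __name__ == "__main__":
    for exclusive in (False, True):   # inclusive first (libXML2's form), then exclusive
        print("exclusive=%s" % exclusive,
              "<SignedInfo " + " ".join(c14n_namespace_attrs(signed_info, exclusive)) + ">")
```

A verifier that canonicalizes differently from the signer computes a different SignedInfo octet stream and so a different signature value, which is why the mismatch surfaces as a verification failure rather than a parse error.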
<hr>
<hr>
<a href="http://www.aleksey.com/mailman/listinfo/xmlsec">More information about the xmlsec
mailing list</a><br>
</body></html>