Hi Marcel -

Without seeing your signature firsthand, I can probably say that if your enveloped data goes on for more than a full line, a compliant Base-64 encoding algorithm is supposed to insert carriage return and line feed characters after each line (0x0D, 0x0A).
I've seen issues where a DOM tree has already been created, and the large chunk of Base-64 encoded content is inserted into the tree. In effect, the 0x0D and 0x0A characters are also included. When the signature is serialized, these characters are preserved. On the input side, however, these characters will be stripped in accordance with [1]. This breaks the digest.

Some would argue that C14n should take care of this, but it doesn't. The reason is that when the signature is processed by an XML-compliant processor, CR and LF characters (0x0D and 0x0A) become 0xA. The problem is, if you've built the DOM tree and imported element content that was Base-64 encoded, the chunk of content will contain these characters.

Quote from [1]: "To simplify the tasks of applications, the XML processor MUST behave as if it normalized all line breaks in external parsed entities (including the document entity) on input, before parsing, by translating both the two-character sequence #xD #xA and any #xD that is not followed by #xA to a single #xA character."

As for normalization due to schema validation, I was under the impression that normalization done during schema validation is "virtual" and doesn't actually modify the bytes.

Regards,

Blake Dournaee
Senior Security Architect
Sarvega, Inc.
http://www.sarvega.com

[1] http://www.w3.org/TR/2004/REC-xml-20040204/#sec-line-ends

-----Original Message-----
From: Scott Cantor [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 8:04 AM
To: [EMAIL PROTECTED]
Subject: RE: Schema validation and signature verification

> Does anyone know what is going wrong? This seems strange to me.

I can tell you that if you leave schema data type normalization on, any base64 objects you may have in the signed data will be corrupted by the validator. There may be other data types that get corrupted depending on different factors, but base64 is the most common case.
In effect, schema validation and signature verification are currently incompatible because there's no schema-centric C14n transform that's widely implemented. The workaround is to turn off the normalization step in the parser. That's a hack, but it works.

-- Scott
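The line-ending mismatch described in this thread, shown as an added example (my code, not code from the thread, from Sarvega, or from any XML Signature library): a constructed payload is Base-64-encoded with CRLF line folding, serialised as element text exactly as a DOM that imported the raw text would emit it, then parsed back with Python's expat-based parser, which applies the XML 1.0 line-end normalisation quoted above. Digests are then compared over the raw serialised text, over the LF-normalised text, and over the decoded bytes. The `Object` element name, the 76-column fold and the payload itself are assumptions made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample payload (not taken from the thread); long enough
# to need several Base-64 lines.
PAYLOAD = bytes(range(256)) * 2


def base64_with_crlf(data: bytes, line_len: int = 76) -> str:
    """Base-64-encode `data`, folding lines with CRLF (0x0D 0x0A) every
    `line_len` characters, the MIME-style folding the thread refers to."""
    raw = base64.b64encode(data).decode("ascii")
    lines = [raw[i:i + line_len] for i in range(0, len(raw), line_len)]
    return "\r\n".join(lines) + "\r\n"


def wrap_in_xml(text: str) -> bytes:
    """Serialise the content the way a DOM that imported the raw Base-64
    text would: the CRLF pairs are preserved verbatim in the output."""
    return ("<Object>" + text + "</Object>").encode("ascii")


def text_after_parse(doc: bytes) -> str:
    """Parse the serialised document. A conforming XML processor
    normalises CRLF (and lone CR) to LF on input, so the text node seen
    by the verifier is no longer byte-identical to what was serialised."""
    return ET.fromstring(doc).text


def digest_text(text: str) -> str:
    """SHA-256 over the raw character data, as a digest over the
    un-decoded element content would be computed."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()


def digest_decoded(text: str) -> str:
    """SHA-256 over the decoded bytes. b64decode() discards characters
    outside the Base-64 alphabet, so CR/LF differences disappear."""
    return hashlib.sha256(base64.b64decode(text)).hexdigest()


def demo() -> dict:
    """Run the round trip and report which digests survive parsing."""
    encoded = base64_with_crlf(PAYLOAD)
    doc = wrap_in_xml(encoded)
    parsed = text_after_parse(doc)
    return {
        "serialised_has_crlf": "\r\n" in encoded,
        "parsed_has_cr": "\r" in parsed,
        # Digest over raw text: serialised side has CRLF, parsed side has LF.
        "text_digest_matches": digest_text(encoded) == digest_text(parsed),
        # Digest over decoded bytes: line folding no longer matters.
        "decoded_digest_matches": digest_decoded(encoded) == digest_decoded(parsed),
        # Normalising line ends before digesting also makes both sides agree.
        "lf_normalised_matches":
            digest_text(encoded.replace("\r\n", "\n")) == digest_text(parsed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The raw-text digest fails for exactly the reason given above: the signer hashed bytes containing 0x0D 0x0A, the verifier's parser handed it 0x0A. Either digesting the decoded octets or normalising line ends on both sides before hashing removes the dependency on how the Base-64 text happened to be folded; the parser-level workaround Scott mentions addresses a separate normalisation (schema data type normalisation), not this one.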
