Hi Heiner,

Thanks for the response.

I've been giving this a little thought as I get up to speed with the whole
xmldsig thing and pretty much reached the same conclusion. Fortunately my
specific application pretty much has control over the xml creation and
modification processes so I will be able to handle the use of whitespace
between element tags.

Thinking about it further I am reasonably sure that the other libraries that
I am using (JAX-P etc) should deal with whitespace in a consistent manner
(fingers crossed).

I've looked at the Apache samples a little closer and they seem to be more
'real world' than the reference versions from Sun since they do things like
access keystores rather than generate once off keys etc. The only downside I
see is a scarcity of documentation or tutorials.

What have your experiences been with the Apache libraries?

Regards
Marty

-----Original Message-----
From: Heiner Westphal [mailto:[EMAIL PROTECTED]
Sent: Monday, 4 July 2005 5:55 PM
To: security-dev@xml.apache.org
Subject: Re: Enveloped suggestions

Martin,

the canonicalizer cannot know, if the <element></element> may contain
other elements only, or if mixed content is allowed.
So there is no way to tell the difference between significant and
non significant whitespace.
Else the canonicalization would remove non significant whitespace,
I would guess.

Just my 2 cent,

Heiner

Martin Ravell wrote:
> Hmmmm, it may well be a misunderstanding on my part then.
>
> I had assumed (yep I know that I should never assume anything) that the
> following would be handled by the canonicalisation process:
>
> <element>
> <child>Whatever</child>
> </element>
>
> Would be equivalent to
>
> <element><child>Whatever</child></element>
>
> I was guessing that since the xml could go through various parsers and
> modification processes that it would be possible for this sort of change to
> be made but that the logical content of the two fragments above is the same.
>
> Following your email and other replies to my post I have tested the
> whitespace inside element tags ('<' and '>') and the canonicalisation does
> seem to work under the Sun reference sample code. (From the JWSDP 1.5)
>
> Regards
> Marty
>
> -----Original Message-----
> From: Jesse Pelton [mailto:[EMAIL PROTECTED]
> Sent: Friday, 1 July 2005 10:14 PM
> To: security-dev@xml.apache.org
> Subject: RE: Enveloped suggestions
>
> Canonicalization leaves whitespace in document content alone (though any
> whitespace in element tags - that is, between the '<' and '>' that start
> and end a tag - is normalized). See
> http://www.w3.org/TR/2001/REC-xml-c14n-20010315#Example-WhitespaceInContent.
> What behavior are you seeing that seems inconsistent with the
> specification?
>
>>-----Original Message-----
>>From: Martin Ravell [mailto:[EMAIL PROTECTED]
>>Sent: Thursday, June 30, 2005 7:36 PM
>>To: security-dev@xml.apache.org
>>Subject: RE: Enveloped suggestions
>>
>>Just had a crack at using the id and it seems to work. Given that my app is
>>building the XML to begin with I think I can live with the limitations you
>>mentioned.
>>
>>I notice that the reference samples (JWSDP 1.5) seem to ignore the
>>canonicalization process on both the signing and verification processes. (I
>>tested removing some whitespace and wondered why it would not verify until I
>>took a closer look at the code).
>>
>>So I guess I'm still interested in which of the Apache samples fits best
>>(and does canonicalization properly).
>>
>>Regards
>>Marty
>>
>>-----Original Message-----
>>From: Martin Ravell [mailto:[EMAIL PROTECTED]
>>Sent: Friday, 1 July 2005 8:28 AM
>>To: security-dev@xml.apache.org
>>Subject: RE: Enveloped suggestions
>>
>>Thanks for the pointer Scott. I'll take another look at the reference
>>implementation.
>>
>>I'm kind of interested in the Apache security stuff now and my question on
>>which of the samples to focus on still stands. Can you (or anyone out there
>>on the list) suggest a tutorial or even just which of the samples best
>>covers the process of creating an enveloped signature and then validates it?
>>
>>Thanks
>>Marty
>>
>>-----Original Message-----
>>From: Scott Cantor [mailto:[EMAIL PROTECTED]
>>Sent: Friday, 1 July 2005 12:58 AM
>>To: security-dev@xml.apache.org
>>Subject: RE: Enveloped suggestions
>>
>>>I had also looked at the reference implementation that ships with the JWSDP
>>>1.5 but had problems in being able to specify a particular element via URI.
>>>The sample given seems to specify the whole document with a "" blank String
>>>but when I try a relative URI (#elementname) it falls on its arse.
>>
>>You can't specify an element in a fragment by name, only by ID. Which has
>>its own set of endless problems since IDs are technically only legal in the
>>presence of a DTD, so there are endless hacks to try and establish what
>>attributes are IDs and they all require knowing ahead of time what's been
>>signed.
>>
>>-- Scott
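
The whitespace behaviour discussed in this thread, as an added example that is not part of any poster's message or of the Apache or Sun sample code. It uses Python's standard-library `xml.etree.ElementTree.canonicalize` (C14N 2.0, not the C14N 1.0 implementation in the Java libraries the thread refers to); the sample documents, the function names and the choice of SHA-256 as digest are assumptions made for the illustration.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed samples modelled on the fragments quoted in the thread.
INDENTED = "<element>\n<child>Whatever</child>\n</element>"
COMPACT = "<element><child>Whatever</child></element>"
# Same content as COMPACT, with extra whitespace inside the tags themselves.
TAG_SPACED = "<element ><child\n>Whatever</child  ></element >"
# Mixed content: here the whitespace around <b> is part of the signed text.
MIXED = "<p>signed <b>text</b> here</p>"


def c14n_digest(xml_text, **options):
    """Digest of the canonical form, as a signature's digest step would see it.

    SHA-256 is an assumption for the illustration; the thread names no algorithm.
    """
    canonical = canonicalize(xml_text, **options)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare():
    """Return the four observations the thread arrives at, as booleans."""
    return {
        # Whitespace between elements is content: re-indenting changes the
        # digest, so a signature over INDENTED will not verify over COMPACT.
        "content_whitespace_changes_digest":
            c14n_digest(INDENTED) != c14n_digest(COMPACT),
        # Whitespace between '<' and '>' is normalized away.
        "tag_whitespace_is_normalized":
            c14n_digest(TAG_SPACED) == c14n_digest(COMPACT),
        # If the application controls the XML it can opt in to trimming text
        # nodes on both the signing and the verifying side (C14N 2.0 option).
        "strip_text_makes_fragments_equal":
            c14n_digest(INDENTED, strip_text=True)
            == c14n_digest(COMPACT, strip_text=True),
        # ...but the canonicalizer cannot tell mixed content apart, so the
        # same option silently alters text where whitespace is significant.
        "strip_text_alters_mixed_content":
            canonicalize(MIXED, strip_text=True) != canonicalize(MIXED),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```
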