All,

I've checked the input and output of c14n of xmlsec-1.4.2 and it seems
the c14n does not emit the ds: namespace binding of the KeyInfo node.
Attached is the text file of the test run.

The same test but using xmlsec-1.4.1 shows the namespace binding before
and after c14n.

The following code snippet was used to produce the test output file:

...
        Canonicalizer c14n =
            Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS);
        System.out.println("Before c14n");
        System.out.println(XMLUtils.PrettyDocumentToString(doc));
        byte[] canonicalMessage = c14n.canonicalizeSubtree(doc);
        System.out.println("After c14n: " + new String(canonicalMessage));
...

The XMLUtils.PrettyDocumentToString(doc) (XMLUtils is not the xmlsec XMLUtils
but my own one :-) ) performs as follows:

import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class XMLUtils {
    // Serialises the document element and its subtree to a String.
    public static String PrettyDocumentToString(Document doc) {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ElementToStream(doc.getDocumentElement(), baos);
        return new String(baos.toByteArray());
    }

    // Identity transformation (no stylesheet): the DOM is written out as-is.
    public static void ElementToStream(Element element, OutputStream out) {
        try {
            DOMSource source = new DOMSource(element);
            StreamResult result = new StreamResult(out);
            TransformerFactory transFactory = TransformerFactory.newInstance();
            Transformer transformer = transFactory.newTransformer();
            transformer.transform(source, result);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // ... (further helpers of the class omitted in the original mail)
}

Thus the printout "Before c14n" is the doc tree just before c14n. IMHO the
Transformer does not add/modify anything during transformation of the doc
tree to a string.

Regards,
Werner

Scott Cantor schrieb:
Questions here: does the XML doc that goes into C14N miss any
xmlns: declarations at some important positions? If so - where should
we include these?

With either incl or excl, the ds namespace prefix should be emitted in both
spots, since it's visibly used in that element, and not used anywhere up
above it. So the first/only place it should appear is in the KeyInfo
element.

If you're saying that the XML listed first is directly passed (in DOM form)
into the c14n step, and the output is missing the ds namespace, then it's a
c14n bug.

Otherwise the bug is in the process being used to turn the original XML into
a DOM that you give to the c14n code.

-- Scott

Before c14n

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 soapenv:mustUnderstand="1"><wsse:BinarySecurityToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
 wsu:Id="urn:uuid:53A8D861C43C9251E812227056952511" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">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</wsse:BinarySecurityToken><xenc:EncryptedKey
 Id="EncKeyId-urn:uuid:53A8D861C43C9251E812227056952682" 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference
 URI="#urn:uuid:53A8D861C43C9251E812227056952511" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>QNzRQyTf8By78r5vjLJRMgwdAWqcVArd7ycxrVADdWItCf+buh12Es05rAwO1GETg4LgPrENdkvsQ5uhwITQYveBW7f6ikDHENruKNhYzYQGofihxzQ+o6xIgQrla2SyqBZ26fdImMdZiCzyFb4YEk7w0GmASi2af+HlROgXRlA=</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference 
URI="#EncDataId-1246293429"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soapenv:Header><soapenv:Body><xenc:EncryptedData
 Id="EncDataId-1246293429" Type="http://www.w3.org/2001/04/xmlenc#Content" 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference
 URI="#EncKeyId-urn:uuid:53A8D861C43C9251E812227056952682" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">JSjGbM2Jb7+oPGNEwdf9PhqrOIWJnGwyB/HHoZiy3cjvZM2D7U0G5Kgb9Bwz+LRjMFQghSnpHNnS
uwH9EeU8XnJLuI2BUQSb3X3x/FuaHWcjZncOtwg9HllTpD26MTEzuHJFpSnC/gEHcLueXzg324bN
zEwj9XqBvdBgmbRblDfNREcY+9XBrp5OxCWfkaGWoNUDefLBoTRsaTi5heclSxcudFx6lk/riHzZ
SRGQamR1kNbVj9BwJjKmNuEQHpq4ZOgkjB4cPFIHNBW9vwX+yQOgMpp3k5A79GkDDa9qCdaqvrka
nqFkZUrl4rhslRUDFKCnhve0vmDTtDta3o3uuOMxVolWpjn3dt04q5IcaXoHsKesNVDHsA==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>

After c14n: 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 soapenv:mustUnderstand="1"><wsse:BinarySecurityToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
 wsu:Id="urn:uuid:53A8D861C43C9251E812227056952511">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</wsse:BinarySecurityToken><xenc:EncryptedKey
 Id="EncKeyId-urn:uuid:53A8D861C43C9251E812227056952682">
<xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></xenc:EncryptionMethod>
<ds:KeyInfo>
<wsse:SecurityTokenReference><wsse:Reference 
URI="#urn:uuid:53A8D861C43C9251E812227056952511" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>QNzRQyTf8By78r5vjLJRMgwdAWqcVArd7ycxrVADdWItCf+buh12Es05rAwO1GETg4LgPrENdkvsQ5uhwITQYveBW7f6ikDHENruKNhYzYQGofihxzQ+o6xIgQrla2SyqBZ26fdImMdZiCzyFb4YEk7w0GmASi2af+HlROgXRlA=</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference 
URI="#EncDataId-1246293429"></xenc:DataReference></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soapenv:Header><soapenv:Body><xenc:EncryptedData
 Id="EncDataId-1246293429" 
Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></xenc:EncryptionMethod><ds:KeyInfo>
<wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference
 URI="#EncKeyId-urn:uuid:53A8D861C43C9251E812227056952682"></wsse:Reference></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>JSjGbM2Jb7+oPGNEwdf9PhqrOIWJnGwyB/HHoZiy3cjvZM2D7U0G5Kgb9Bwz+LRjMFQghSnpHNnS
uwH9EeU8XnJLuI2BUQSb3X3x/FuaHWcjZncOtwg9HllTpD26MTEzuHJFpSnC/gEHcLueXzg324bN
zEwj9XqBvdBgmbRblDfNREcY+9XBrp5OxCWfkaGWoNUDefLBoTRsaTi5heclSxcudFx6lk/riHzZ
SRGQamR1kNbVj9BwJjKmNuEQHpq4ZOgkjB4cPFIHNBW9vwX+yQOgMpp3k5A79GkDDa9qCdaqvrka
nqFkZUrl4rhslRUDFKCnhve0vmDTtDta3o3uuOMxVolWpjn3dt04q5IcaXoHsKesNVDHsA==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>
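Scott's diagnostic question (is the DOM handed to c14n already missing the declaration, or does c14n drop it?) can be settled mechanically. The harness below is an added example, not code from this thread or from xmlsec: it calls the same Santuario 1.4.x Canonicalizer API as Werner's snippet (byte[] canonicalizeSubtree(Node)), parses a small constructed document once with a namespace-aware and once with a non-namespace-aware JAXP parser, runs both inclusive and exclusive c14n, and reports whether the xmlns:ds binding survives on the KeyInfo start tag, which is the one place it should appear because the prefix is first visibly used there. The class name C14nNamespaceCheck, the sample document and the helper names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;

/** Added diagnostic harness (hypothetical name); not part of the thread or of xmlsec. */
public class C14nNamespaceCheck {

    // Constructed sample: the ds prefix is declared on KeyInfo and used nowhere above it,
    // so every c14n variant must emit xmlns:ds on the KeyInfo start tag.
    static final String SAMPLE =
        "<x:Outer xmlns:x=\"urn:example:outer\">"
      + "<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
      + "<ds:KeyName>key-1</ds:KeyName></ds:KeyInfo></x:Outer>";

    static final String EXPECTED_KEYINFO_TAG =
        "<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">";

    /** Parse with an explicit namespace-awareness setting; the JAXP default is false,
     *  and Santuario's c14n expects a namespace-aware DOM. */
    static Document parse(String xml, boolean namespaceAware) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(namespaceAware);
        // Refuse DOCTYPE so a hostile message cannot pull in entities or external DTDs.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Same call as the snippet in the thread (xmlsec 1.4.x signature). */
    static String canonicalize(Document doc, String algorithm) throws Exception {
        Canonicalizer c14n = Canonicalizer.getInstance(algorithm);
        return new String(c14n.canonicalizeSubtree(doc), StandardCharsets.UTF_8);
    }

    /** The actual check: the binding must be present where the prefix first becomes visible. */
    static boolean dsDeclaredOnKeyInfo(String canonical) {
        return canonical.contains(EXPECTED_KEYINFO_TAG);
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        String[] algorithms = {
            Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS,      // inclusive, as used in the thread
            Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS  // exclusive, for comparison
        };
        for (boolean nsAware : new boolean[] { true, false }) {
            for (String algorithm : algorithms) {
                System.out.println("namespaceAware=" + nsAware + " algorithm=" + algorithm);
                try {
                    String out = canonicalize(parse(SAMPLE, nsAware), algorithm);
                    System.out.println(out);
                    System.out.println(dsDeclaredOnKeyInfo(out)
                        ? "OK: xmlns:ds emitted on KeyInfo"
                        : "PROBLEM: xmlns:ds missing on KeyInfo; check the parser setup before blaming c14n");
                } catch (Exception e) {
                    // A non-namespace-aware DOM may make c14n fail outright rather than drop the binding.
                    System.out.println("c14n failed: " + e);
                }
                System.out.println();
            }
        }
    }
}
```

Run it with the xmlsec 1.4.x jar on the classpath. If the namespace-aware run emits the binding and only the non-namespace-aware run loses it, the defect is in the DOM construction step, exactly as Scott describes; if the namespace-aware run also loses it, the test isolates the canonicalizer itself.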
