This sounds a lot like an issue that made me nuts a couple of weeks ago. By default, the .NET framework's XmlDocument.LoadXml() discards whitespace. Your partner will need to set XmlDocument.PreserveWhitespace = true before loading the document. If they're already doing that, I haven't a clue.
________________________________ From: Eduardo Mourão [mailto:eduardo....@gmail.com] Sent: Friday, July 24, 2009 10:50 AM To: security-dev@xml.apache.org Subject: Canonicalization Validation Hi, I'm having problems with .NET interoperability. My software receives signed XML documents and validates them, but, when I send to one of our partners (a .NET solution) it returns that the signature is not valid. I took a look at those XML files and noticed that all the rejected files and not properly canonicalized. Still, the signature is valid, but the KeyInfo node is not what .NET expects: This is a KeyInfo .NET will consider valid (line feeds in the certificate): <KeyInfo><X509Data><X509Certificate>MIIFUTCCBDmgAwIBAgIQRLTcfKrDweBHaHZM0lPUHTANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQG EwJCUjETMBEGA1UEChMKSUNQLUJyYXNpbDEsMCoGA1UECxMjU2VjcmV0YXJpYSBkYSBSZWNlaXRh IEZlZGVyYWwgLSBTUkYxHDAaBgNVBAMTE0FDIENlcnRpU2lnbiBTUkYgVjMwHhcNMDcxMDI5MDAw MDAwWhcNMDgxMDI4MjM1OTU5WjCBvjELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlJKMRcwFQYDVQQH FA5SSU8gREUgSkFORUlSTzETMBEGA1UEChQKSUNQLUJyYXNpbDEqMCgGA1UECxQhU2VjcmV0YXJp YSBkYSBSZWNlaXRhIEZlZGVyYWwtU1JGMRMwEQYDVQQLFApTUkYgZS1DTlBKMTMwMQYDVQQDEypQ RVRST0JSQVMgRElTVFJJQlVJRE9SQSBTIEE6MzQyNzQyMzMwMDAxMDIwgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBANbsRkIQMF5ZgXsv7KqIj13OSsotVxgxlbAS0c7DTPIT0Co3Q5pdwyFccJFy bQC+PXPUjcClDKkItjTUky7fSekGEjcYH+pzpDx2laEcPtwUR4fivca37Eea3EC4SZv79+A0ydrS UqSk9vINPcO4scpdypwq/qO9ZXNodYQHU/PNAgMBAAGjggIcMIICGDCBxQYDVR0RBIG9MIG6oD0G BWBMAQMEoDQEMjExMDQxOTU3MzQ3NTg2NDA2MTAwMDAwMDAwMDAwMDAwMDAwMDAwTTY5OTk0M1NT UE1HoCcGBWBMAQMCoB4EHEpPU0UgRURVQVJETyBERSBCQVJST1MgRFVUUkGgGQYFYEwBAwOgEAQO MzQyNzQyMzMwMDAxMDKgFwYFYEwBAwegDgQMMDAwMDAwMDAwMDAwgRxncnBzZWdickBici1wZXRy b2JyYXMuY29tLmJyMAkGA1UdEwQCMAAwYgYDVR0fBFswWTBXoFWgU4ZRaHR0cDovL2ljcC1icmFz aWwuY2VydGlzaWduLmNvbS5ici9yZXBvc2l0b3Jpby9sY3IvQUNDZXJ0aVNpZ25TUkZWMy9MYXRl c3RDUkwuY3JsMB8GA1UdIwQYMBaAFPadWV3+v8Vyzd3OxC5mGy7uCM92MA4GA1UdDwEB/wQEAwIF 4DBVBgNVHSAETjBMMEoGBmBMAQIBDDBAMD4GCCsGAQUFBwIBFjJodHRwOi8vaWNwLWJyYXNpbC5j ZXJ0aXNpZ24uY29tLmJyL3JlcG9zaXRvcmlvL2RwYzAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYB BQUHAwIwOAYIKwYBBQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5jZXJ0aXNpZ24u Y29tLmJyMA0GCSqGSIb3DQEBBQUAA4IBAQAcxZPM8IGZXBUgL7MhWOt8fcKiKwkUyI93+ItI1FRQ cRXhjV2d+0BICDPPlj0KEiZbwIjPttV+XHhuAHQf9UWkNh/VJhcAg3z6pA7iJ2qdMZ//YGBywpmq Ys5wxInJ2ywX4QRiUBhsf2mizAhfw+GAU4stTVhYVlt409lETSwWYNEzuI97BItO0Fn04E6REDNh xxCqGM4fsKlyMKDvhWUjKJ69DZoId5TXS3N/7Slaa1Gtzb/7OLvd2qS2Aon7TGd8HGS9CjKvUk7H Ecmmgdc9f76cAzdhyfx+EY+eje3KCmdxsdESzpmImWm/OXD47VKZmjvcdpoxrPVRRUwbqH0M</X509Certificate></X509Data></KeyInfo> And, this is what .NET says is not valid (no line feeds, the XML is just a single line): <KeyInfo><X509Data><X509Certificate>MIIGQzCCBSugAwIBAgIIKawin2Dsz20wDQYJKoZIhvcNAQEFBQAwTDELMAkGA1UEBhMCQlIxEzARBgNVBAoTCklDUC1CcmFzaWwxKDAmBgNVBAMTH1NFUkFTQSBDZXJ0aWZpY2Fkb3JhIERpZ2l0YWwgdjEwHhcNMDkwMzA5MTUwMDAwWhcNMTAwMzA5MTUwMDAwWjCB/TELMAkGA1UEBhMCQlIxEzARBgNVBAoTCklDUC1CcmFzaWwxFDASBgNVBAsTCyhFTSBCUkFOQ08pMRgwFgYDVQQLEw8wMDAwMDEwMDA1NDI4NjAxFDASBgNVBAsTCyhFTSBCUkFOQ08pMRQwEgYDVQQLEwsoRU0gQlJBTkNPKTEUMBIGA1UECxMLKEVNIEJSQU5DTykxFDASBgNVBAsTCyhFTSBCUkFOQ08pMRQwEgYDVQQLEwsoRU0gQlJBTkNPKTE7MDkGA1UEAxMyRElTVFJJQlVJRE9SQSBFUVVBRE9SIERFIFBST0RVVE9TIERFIFBFVFJPTEVPIExUREEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrSbsECYkq+Vo8roCdGFP4zN/AKKVa592v/wNxwyCXAldNUXi1g5ctNlWalGF7KOumASIKCfe8gvsQftClaHr67FJ842ZpvfZYF1gAKViPUD6WsEWUtjWVuk8mSZwD0WipoFJY2AsJcj2vDQ7iS1LQ5TPRtXh0iJ3Kuk6zAAGORAgMBAAGjggL5MIIC9TAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB8GA1UdIwQYMBaAFLdgqFv5sqauAO1069VKyZZoZvVcMIG8BgNVHREEgbQwgbGBE0hVTUJFUlRPQERJU0xVQi5DT02gPgYFYEwBAwSgNRMzMjkwODE5NjMzNDEwOTk1MTQ1MzAwMDAwMDAwMDAwMDAwMDAwMDAxODg2ODI1U1NQIFBFoCYGBWBMAQMCoB0TG0hVTUJFUlRPIERPIEFNQVJBTCBDQVJSSUxIT6AZBgVgTAEDA6AQEw4wMzEyODk3OTAwMDE3NqAXBgVgTAEDB6AOEwwwMDAwMDAwMDAwMDAwVwYDVR0gBFAwTjBMBgZgTAECAQYwQjBABggrBgEFBQcCARY0aHR0cDovL3d3dy5jZXJ0aWZpY2Fkb2RpZ2l0YWwuY29tLmJyL3JlcG9zaXRvcmlvL2RwYzCB8AYDVR0fBIHoMIHlMEmgR6BFhkNodHRwOi8vd3d3LmNlcnRpZmljYWRvZGlnaXRhbC5jb20uYnIvcmVwb3NpdG9yaW8vbGNyL3NlcmFzYWNkdjEuY3JsMEOgQaA/hj1odHRwOi8vbGNyLmNlcnRpZmljYWRvcy5jb20uYnIvcmVwb3NpdG9yaW8vbGNyL3NlcmFzYWNkdjEuY3JsMFOgUaBPhk1odHRwOi8vcmVwb3NpdG9yaW8uaWNwYnJhc2lsLmdvdi5ici9sY3IvU2VyYXNhL3JlcG9zaXRvcmlvL2xjci9zZXJhc2FjZHYxLmNybDCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLmNlcnRpZmljYWRvZGlnaXRhbC5jb20uYnIvc2VyYXNhY2R2MTBHBggrBgEFBQcwAoY7aHR0cDovL3d3dy5jZXJ0aWZpY2Fkb2RpZ2l0YWwuY29tLmJyL2NhZGVpYXMvc2VyYXNhY2R2MS5wN2IwDQYJKoZIhvcNAQEFBQADggEBAC2HSaaX+BT/vEU1hd9wtubY5gwqvJvS4e0+VidiQY7p5qeJfSkpnI4nXfi7MQHpQ1Ev93yl75KPmAQ0pRXnLM+ULg6ZGbg0pTc7rfk+TohPIojdCVGUADtk2JYdJjd0J1p3v2HYl3wHXewHANI/MHfI57OJ7QRKIjYvL5HOeI+MozHIahqfP5R81w/Os+ekvOFri3p2FuoVOG0rBZxVpsAaOjht//xWvsVVTj6p4VhukCSutQ7ksn3nXg1i76W99+T8XyLs2qmMRctrWLwn8uIN7OMrVH4XvSRpbPztc1iDyNKXP/Ol2UdiTfynQ+OAgUOzKXoHa8EEu6St3SNvGgg=</X509Certificate></X509Data></KeyInfo> How can I validate the canonicalization of an incoming signed XML file? Thank you very much, Eduardo Mourão
