First, you should know that if your partner's validator removes whitespace from the signed document (in most contexts) before attempting to validate the signature, it does not conform to the digital signature specification. The canonicalization spec is very clear that most whitespace must be retained (see http://www.w3.org/TR/2001/REC-xml-c14n-20010315#Example-WhitespaceInContent).

Second, it's possible that in order to support such a non-conformant implementation, you will have to generate non-conformant signatures with a non-conformant implementation of your own.

The main issue that I see is whether the X509Certificate data is required to be broken every 76 characters (as in your example) or if that's an optional behavior. As near as I can tell, the line breaking is optional - see http://www.w3.org/TR/xmldsig-core/#dname-encrules (which indicates that X509Certificate is of type base64Binary) and http://www.w3.org/TR/xmlschema-2/#base64Binary (which defines the type).

So, it looks like it is in principle possible to generate a valid signature that your partner's broken validator can process. You just need to make sure that when any given hash operation is performed, there's no whitespace in the document that XmlDocument.LoadXml() will remove. I can't tell you how to do that; maybe someone else on the list can.
________________________________
From: Eduardo Mourão [mailto:eduardo....@gmail.com]
Sent: Friday, July 24, 2009 12:55 PM
To: security-dev@xml.apache.org
Subject: Re: Canonicalization Validation

Unfortunately I don't have access to change the .NET signature validator. I believe the white spaces are, in fact, the problem. The only solution I have in mind is to make my signature validation act like the .NET validation.

How can I validate the canonicalization of this document?

Eduardo Mourão
SEFIN/CRE/GEINF
Fone: (69) 3211-6100 ramal 1054
0800647-4700

On Fri, Jul 24, 2009 at 12:00 PM, Jesse Pelton <j...@pkc.com> wrote:

This sounds a lot like an issue that made me nuts a couple of weeks ago. By default, the .NET framework's XmlDocument.LoadXml() discards whitespace. Your partner will need to set XmlDocument.PreserveWhitespace = true before loading the document. If they're already doing that, I haven't a clue.

________________________________
From: Eduardo Mourão [mailto:eduardo....@gmail.com]
Sent: Friday, July 24, 2009 10:50 AM
To: security-dev@xml.apache.org
Subject: Canonicalization Validation

Hi,

I'm having problems with .NET interoperability. My software receives signed XML documents and validates them, but when I send them to one of our partners (a .NET solution) it returns that the signature is not valid. I took a look at those XML files and noticed that all the rejected files are not properly canonicalized.
Still, the signature is valid, but the KeyInfo node is not what .NET expects:

This is a KeyInfo .NET will consider valid (line feeds in the certificate):

<KeyInfo><X509Data><X509Certificate>MIIFUTCCBDmgAwIBAgIQRLTcfKrDweBHaHZM0lPUHTANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQG
EwJCUjETMBEGA1UEChMKSUNQLUJyYXNpbDEsMCoGA1UECxMjU2VjcmV0YXJpYSBkYSBSZWNlaXRh
IEZlZGVyYWwgLSBTUkYxHDAaBgNVBAMTE0FDIENlcnRpU2lnbiBTUkYgVjMwHhcNMDcxMDI5MDAw
MDAwWhcNMDgxMDI4MjM1OTU5WjCBvjELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlJKMRcwFQYDVQQH
FA5SSU8gREUgSkFORUlSTzETMBEGA1UEChQKSUNQLUJyYXNpbDEqMCgGA1UECxQhU2VjcmV0YXJp
YSBkYSBSZWNlaXRhIEZlZGVyYWwtU1JGMRMwEQYDVQQLFApTUkYgZS1DTlBKMTMwMQYDVQQDEypQ
RVRST0JSQVMgRElTVFJJQlVJRE9SQSBTIEE6MzQyNzQyMzMwMDAxMDIwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBANbsRkIQMF5ZgXsv7KqIj13OSsotVxgxlbAS0c7DTPIT0Co3Q5pdwyFccJFy
bQC+PXPUjcClDKkItjTUky7fSekGEjcYH+pzpDx2laEcPtwUR4fivca37Eea3EC4SZv79+A0ydrS
UqSk9vINPcO4scpdypwq/qO9ZXNodYQHU/PNAgMBAAGjggIcMIICGDCBxQYDVR0RBIG9MIG6oD0G
BWBMAQMEoDQEMjExMDQxOTU3MzQ3NTg2NDA2MTAwMDAwMDAwMDAwMDAwMDAwMDAwTTY5OTk0M1NT
UE1HoCcGBWBMAQMCoB4EHEpPU0UgRURVQVJETyBERSBCQVJST1MgRFVUUkGgGQYFYEwBAwOgEAQO
MzQyNzQyMzMwMDAxMDKgFwYFYEwBAwegDgQMMDAwMDAwMDAwMDAwgRxncnBzZWdickBici1wZXRy
b2JyYXMuY29tLmJyMAkGA1UdEwQCMAAwYgYDVR0fBFswWTBXoFWgU4ZRaHR0cDovL2ljcC1icmFz
aWwuY2VydGlzaWduLmNvbS5ici9yZXBvc2l0b3Jpby9sY3IvQUNDZXJ0aVNpZ25TUkZWMy9MYXRl
c3RDUkwuY3JsMB8GA1UdIwQYMBaAFPadWV3+v8Vyzd3OxC5mGy7uCM92MA4GA1UdDwEB/wQEAwIF
4DBVBgNVHSAETjBMMEoGBmBMAQIBDDBAMD4GCCsGAQUFBwIBFjJodHRwOi8vaWNwLWJyYXNpbC5j
ZXJ0aXNpZ24uY29tLmJyL3JlcG9zaXRvcmlvL2RwYzAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYB
BQUHAwIwOAYIKwYBBQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5jZXJ0aXNpZ24u
Y29tLmJyMA0GCSqGSIb3DQEBBQUAA4IBAQAcxZPM8IGZXBUgL7MhWOt8fcKiKwkUyI93+ItI1FRQ
cRXhjV2d+0BICDPPlj0KEiZbwIjPttV+XHhuAHQf9UWkNh/VJhcAg3z6pA7iJ2qdMZ//YGBywpmq
Ys5wxInJ2ywX4QRiUBhsf2mizAhfw+GAU4stTVhYVlt409lETSwWYNEzuI97BItO0Fn04E6REDNh
xxCqGM4fsKlyMKDvhWUjKJ69DZoId5TXS3N/7Slaa1Gtzb/7OLvd2qS2Aon7TGd8HGS9CjKvUk7H
Ecmmgdc9f76cAzdhyfx+EY+eje3KCmdxsdESzpmImWm/OXD47VKZmjvcdpoxrPVRRUwbqH0M</X509Certificate></X509Data></KeyInfo>

And this is what .NET says is not valid (no line feeds, the XML is just a single line):

<KeyInfo><X509Data><X509Certificate>MIIGQzCCBSugAwIBAgIIKawin2Dsz20wDQYJKoZIhvcNAQEFBQAwTDELMAkGA1UEBhMCQlIxEzARBgNVBAoTCklDUC1CcmFzaWwxKDAmBgNVBAMTH1NFUkFTQSBDZXJ0aWZpY2Fkb3JhIERpZ2l0YWwgdjEwHhcNMDkwMzA5MTUwMDAwWhcNMTAwMzA5MTUwMDAwWjCB/TELMAkGA1UEBhMCQlIxEzARBgNVBAoTCklDUC1CcmFzaWwxFDASBgNVBAsTCyhFTSBCUkFOQ08pMRgwFgYDVQQLEw8wMDAwMDEwMDA1NDI4NjAxFDASBgNVBAsTCyhFTSBCUkFOQ08pMRQwEgYDVQQLEwsoRU0gQlJBTkNPKTEUMBIGA1UECxMLKEVNIEJSQU5DTykxFDASBgNVBAsTCyhFTSBCUkFOQ08pMRQwEgYDVQQLEwsoRU0gQlJBTkNPKTE7MDkGA1UEAxMyRElTVFJJQlVJRE9SQSBFUVVBRE9SIERFIFBST0RVVE9TIERFIFBFVFJPTEVPIExUREEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrSbsECYkq+Vo8roCdGFP4zN/AKKVa592v/wNxwyCXAldNUXi1g5ctNlWalGF7KOumASIKCfe8gvsQftClaHr67FJ842ZpvfZYF1gAKViPUD6WsEWUtjWVuk8mSZwD0WipoFJY2AsJcj2vDQ7iS1LQ5TPRtXh0iJ3Kuk6zAAGORAgMBAAGjggL5MIIC9TAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB8GA1UdIwQYMBaAFLdgqFv5sqauAO1069VKyZZoZvVcMIG8BgNVHREEgbQwgbGBE0hVTUJFUlRPQERJU0xVQi5DT02gPgYFYEwBAwSgNRMzMjkwODE5NjMzNDEwOTk1MTQ1MzAwMDAwMDAwMDAwMDAwMDAwMDAxODg2ODI1U1NQIFBFoCYGBWBMAQMCoB0TG0hVTUJFUlRPIERPIEFNQVJBTCBDQVJSSUxIT6AZBgVgTAEDA6AQEw4wMzEyODk3OTAwMDE3NqAXBgVgTAEDB6AOEwwwMDAwMDAwMDAwMDAwVwYDVR0gBFAwTjBMBgZgTAECAQYwQjBABggrBgEFBQcCARY0aHR0cDovL3d3dy5jZXJ0aWZpY2Fkb2RpZ2l0YWwuY29tLmJyL3JlcG9zaXRvcmlvL2RwYzCB8AYDVR0fBIHoMIHlMEmgR6BFhkNodHRwOi8vd3d3LmNlcnRpZmljYWRvZGlnaXRhbC5jb20uYnIvcmVwb3NpdG9yaW8vbGNyL3NlcmFzYWNkdjEuY3JsMEOgQaA/hj1odHRwOi8vbGNyLmNlcnRpZmljYWRvcy5jb20uYnIvcmVwb3NpdG9yaW8vbGNyL3NlcmFzYWNkdjEuY3JsMFOgUaBPhk1odHRwOi8vcmVwb3NpdG9yaW8uaWNwYnJhc2lsLmdvdi5ici9sY3IvU2VyYXNhL3JlcG9zaXRvcmlvL2xjci9zZXJhc2FjZHYxLmNybDCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLmNlcnRpZmljYWRvZGlnaXRhbC5jb20uYnIvc2VyYXNhY2R2MTBHBggrBgEFBQcwAoY7aHR0cDovL3d3dy5jZXJ0aWZpY2Fkb2RpZ2l0YWwuY29tLmJyL2NhZGVpYXMvc2VyYXNhY2R2MS5wN2IwDQYJKoZIhvcNAQEFBQADggEBAC2HSaaX+BT/vEU1hd9wtubY5gwqvJvS4e0+VidiQY7p5qeJfSkpnI4nXfi7MQHpQ1Ev93yl75KPmAQ0pRXnLM+ULg6ZGbg0pTc7rfk+TohPIojdCVGUADtk2JYdJjd0J1p3v2HYl3wHXewHANI/MHfI57OJ7QRKIjYvL5HOeI+MozHIahqfP5R81w/Os+ekvOFri3p2FuoVOG0rBZxVpsAaOjht//xWvsVVTj6p4VhukCSutQ7ksn3nXg1i76W99+T8XyLs2qmMRctrWLwn8uIN7OMrVH4XvSRpbPztc1iDyNKXP/Ol2UdiTfynQ+OAgUOzKXoHa8EEu6St3SNvGgg=</X509Certificate></X509Data></KeyInfo>

How can I validate the canonicalization of an incoming signed XML file?

Thank you very much,

Eduardo Mourão
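As an added illustration of the two points made in this thread (whitespace inside element content is part of the canonical form that gets hashed, while the optional 76-character line breaks in a base64Binary X509Certificate do not change the decoded certificate), here is a Python sketch. It is not code from the thread or from the Apache XML Security project; FAKE_DER, key_info, c14n_digest, decode_cert and find_whitespace_text are names chosen for the example, and FAKE_DER is a constructed byte string, not a certificate. It uses the standard library's ET.canonicalize (C14N 2.0) in place of the 2001 C14N 1.0 the thread cites; both retain whitespace in element content, which is the behaviour at issue. The last helper is a conservative pre-send check in the spirit of Jesse's advice: flag any text node carrying whitespace that a whitespace-discarding loader might alter.

```python
import base64
import hashlib
import re
from xml.etree import ElementTree as ET

# Constructed stand-in for DER certificate bytes; it is NOT a real certificate.
FAKE_DER = b"constructed-stand-in-for-a-DER-certificate-" * 3


def key_info(cert_der: bytes, wrap: bool) -> str:
    """Build a <KeyInfo> fragment carrying cert_der as base64 text.

    wrap=True emits 76-character lines separated by '\\n' (the optional line
    breaking that base64Binary permits); wrap=False emits one single line.
    """
    if wrap:
        b64 = base64.encodebytes(cert_der).decode("ascii")
    else:
        b64 = base64.b64encode(cert_der).decode("ascii")
    return ("<KeyInfo><X509Data><X509Certificate>" + b64
            + "</X509Certificate></X509Data></KeyInfo>")


def c14n_digest(xml: str) -> str:
    """Canonicalize the fragment and hash the canonical bytes.

    This is what a DigestValue over a reference covering the fragment is
    computed from. ET.canonicalize keeps whitespace inside element content,
    so wrapped and unwrapped base64 text canonicalize to different octets.
    """
    canon = ET.canonicalize(xml)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def decode_cert(xml: str) -> bytes:
    """Return the DER bytes from X509Certificate regardless of line breaks.

    b64decode() discards characters outside the base64 alphabet by default,
    so the newline-wrapped and single-line forms decode to identical bytes.
    """
    root = ET.fromstring(xml)
    node = root.find(".//X509Certificate")
    if node is None or not node.text:
        raise ValueError("no X509Certificate text found")
    return base64.b64decode(node.text)


def find_whitespace_text(xml: str) -> list:
    """List (tag, 'text' | 'tail') for every text or tail node that contains
    whitespace. Assumption behind this check: anything it flags is at risk of
    being changed by a loader that discards whitespace before validation, so a
    document that yields [] is safe to hand to such a loader."""
    hits = []
    for el in ET.fromstring(xml).iter():
        if el.text and re.search(r"\s", el.text):
            hits.append((el.tag, "text"))
        if el.tail and re.search(r"\s", el.tail):
            hits.append((el.tag, "tail"))
    return hits


if __name__ == "__main__":
    wrapped = key_info(FAKE_DER, wrap=True)
    single = key_info(FAKE_DER, wrap=False)
    print("same DER bytes:   ", decode_cert(wrapped) == decode_cert(single))
    print("same C14N digest: ", c14n_digest(wrapped) == c14n_digest(single))
    print("whitespace nodes: ", find_whitespace_text(wrapped))
```

Running it shows the asymmetry the thread is about: both fragments yield the same certificate bytes, but their canonical digests differ, and only the wrapped form is flagged by the pre-send check.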