You realize, of course, that a document signed without canonicalization may well not verify. Attribute reordering is one of several types of changes that can happen to a document without affecting its meaning. Such "safe" alterations may occur between the time a document is signed and the time it is verified, especially if other XML processors have a crack at it in the meantime. To make sure these alterations don't affect signature verification, the XML digital signature recommendation (http://www.w3.org/TR/xmldsig-core/) provides for canonicalization of signed XML content (http://www.w3.org/TR/xml-c14n) before the signature is generated. It sounds like you're not implementing to the spec, but you should consider doing canonicalization anyway. It'll save you headaches eventually. I don't know if Xerces writes fully canonical documents, but the last I checked, the attribute ordering was at least close.

Alternatively, I suppose you could serialize the unsigned document, generate a signature, add the signature nodes to the original DOM tree, and reserialize the result.

> -----Original Message-----
> From: Andrzej Matejko [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 04, 2003 5:03 AM
> To: [EMAIL PROTECTED]
> Subject: DOMWriterImpl - how to serialize (write into memory buffer) xml document
>
> Hi,
>
> I need to serialize my signed xml document into string. And the
> problem is: when I serialize xml document DOMWriterImpl reorders (sorts in
> alphabetic order) attributes in each node, changes < and &, :(..
> My sample code (based on apache.org) looks like:
>
> ------------------------------begin---------------------------------
> XMLCh tempStr[100];
> XMLString::transcode("LS", tempStr, 99);
> DOMImplementation *impl =
>     DOMImplementationRegistry::getDOMImplementation(tempStr);
> DOMWriter *theSerializer =
>     ((DOMImplementationLS*)impl)->createDOMWriter();
>
> DOMPrintFilter *myFilter=0;
> // set user specified end of line sequence and output encoding
> theSerializer->setNewLine(gMyEOLSequence);
> theSerializer->setEncoding(gOutputEncoding);
>
> // serialize into an in-memory buffer instead of a file
> XMLFormatTarget *myFormTarget;
> myFormTarget = new MemBufFormatTarget(50000);
>
> theSerializer->writeNode(myFormTarget, *doc);
>
> XMLByte *buf;
> unsigned int uiBufLen = ((MemBufFormatTarget*)myFormTarget)->getLen();
>
> const XMLByte* pcBuf;
> pcBuf = ((MemBufFormatTarget*)myFormTarget)->getRawBuffer();
>
> -------------------------------end---------------------------------
>
> And the question is: how to serialize xml document in such a way that
> it isn't sorted, characters like '<', '&' are not changed into ?
> Why is it so important? Because I have created digital signature over
> this document before serialization and after DOMWriterImpl
> 'reorder-work' signature is broken.
>
> looking for your help,
> best regards,
> andrew
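
Added example (not part of the thread and not Xerces code): the failure discussed above, and the canonicalization remedy, shown with Python's standard-library `xml.etree.ElementTree.canonicalize`, which implements C14N 2.0 rather than the C14N 1.0 document the reply links. The sample documents are constructed, and a plain SHA-256 digest stands in for the digest step of a signature.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: the document as the signer built it.
SIGNED = '<order id="42" currency="EUR"><note>A &#38; B &lt; C</note></order>'
# Constructed sample: same meaning after a serializer sorted the attributes,
# switched quote style and chose a different escape for '&'.
RESERIALIZED = "<order currency='EUR' id='42'><note>A &amp; B &lt; C</note></order>"
# Constructed sample: the content itself was changed (id 42 -> 43).
TAMPERED = '<order id="43" currency="EUR"><note>A &amp; B &lt; C</note></order>'


def raw_digest(xml_text):
    """Digest of the serialized bytes exactly as they arrived."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_form(xml_text):
    """Canonical serialization: fixed attribute order, quoting and escaping."""
    return canonicalize(xml_text)


def canonical_digest(xml_text):
    """Digest of the canonical form, computed the same way by signer and verifier."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("canonical form:", canonical_form(SIGNED))
    for label, doc in (("reserialized", RESERIALIZED), ("tampered", TAMPERED)):
        print(label,
              "raw match:", raw_digest(doc) == raw_digest(SIGNED),
              "canonical match:", canonical_digest(doc) == canonical_digest(SIGNED))
```

The reserialized copy fails a raw-byte comparison but matches after canonicalization, while the tampered copy fails both, which is the property a verifier needs.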
