
Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...


Xml Digital Signature Status

After a few days of extreme frustration, Atsushi and I finally got some interesting results. All fifteen tests in Merlin's xmldsig test suite can now be validated successfully. This is funny because the current Microsoft implementation can only validate 14 of them, because it doesn't accept an X509Data element that contains both an X509Certificate and an X509CRL. This time interoperability with the W3C specification is more important than compatibility with the Microsoft implementation.
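As an added example (not code from this post, from Mono or from Merlin's test suite), here is the SignedXml round trip the validation work above is about, written for modern .NET: an enveloped signature is produced over a small constructed document, checked against the expected public key, and then checked again after the signed content has been modified. The document content, element names and the freshly generated RSA key are all constructed for the example.

```csharp
//
// Added example: sign an XML document with an enveloped XML-DSIG signature,
// verify it, then show that modifying the signed content breaks verification.
// Not part of the original post or of Mono; written against System.Security.Cryptography.Xml.
//
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public class DsigRoundTrip {

	// Sign the whole document (Reference URI "") with an enveloped signature,
	// canonicalized with Inclusive C14N (the same transform URL as the c14n tool's default).
	public static void Sign (XmlDocument doc, RSA key)
	{
		SignedXml signedXml = new SignedXml (doc);
		signedXml.SigningKey = key;

		Reference reference = new Reference ();
		reference.Uri = "";
		reference.AddTransform (new XmlDsigEnvelopedSignatureTransform ());
		reference.AddTransform (new XmlDsigC14NTransform ());
		signedXml.AddReference (reference);

		// publish the public key in KeyInfo (informational only, see Verify)
		KeyInfo keyInfo = new KeyInfo ();
		keyInfo.AddClause (new RSAKeyValue (key));
		signedXml.KeyInfo = keyInfo;

		signedXml.ComputeSignature ();
		XmlElement sig = signedXml.GetXml ();
		doc.DocumentElement.AppendChild (doc.ImportNode (sig, true));
	}

	// Verify against a key the caller already trusts. The parameterless
	// CheckSignature () would instead use whatever key is embedded in KeyInfo,
	// which the document's author controls, so it proves nothing about who signed.
	public static bool Verify (XmlDocument doc, RSA trustedKey)
	{
		XmlNodeList nodes = doc.GetElementsByTagName ("Signature", SignedXml.XmlDsigNamespaceUrl);
		if (nodes.Count != 1)
			return false;

		SignedXml signedXml = new SignedXml (doc);
		signedXml.LoadXml ((XmlElement) nodes [0]);
		return signedXml.CheckSignature (trustedKey);
	}

	public static void Main ()
	{
		XmlDocument doc = new XmlDocument ();
		doc.PreserveWhitespace = true;
		// constructed sample document
		doc.LoadXml ("<order><item>widget</item><qty>1</qty></order>");

		using (RSA key = RSA.Create ()) {
			Sign (doc, key);
			Console.WriteLine ("untouched document verifies: {0}", Verify (doc, key));

			// change signed content: the Reference digest no longer matches
			doc.GetElementsByTagName ("qty") [0].InnerText = "1000";
			Console.WriteLine ("tampered document verifies:  {0}", Verify (doc, key));
		}
	}
}
```

The first check succeeds and the second fails, because the digest recomputed over the canonicalized (and modified) document no longer matches the DigestValue in SignedInfo. Verifying with an explicitly supplied key, rather than the key carried in KeyInfo, is the part that turns "this signature is internally consistent" into "this document was signed by the party I expect".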

A large part of the frustration came from the Phaos test suite. No matter what we did we never got any signature to validate - even when using the MS runtime! Now that we got Merlin's tests running I'm almost convinced that the Phaos tests have some kind of encoding issue prior to (or when) being zipped.

During our difficulties I began to have some unfounded doubts about our C14N implementation (written by Aleksey Sanin of xmlsec). So I wrote a little tool that canonicalizes (C14N) a file, so we could compare its results with Merlin's results. As it may be useful for lots of other things, like comparing XML documents (a more productive use than doubting our C14N implementation), here's the source code:

//
// c14n.cs - C14N
//
// Author:
//	Sebastien Pouliot <sebastien@ximian.com>
//
// (C) 2004 Novell (http://www.novell.com)
//

using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;

public class C14N {

	// default transform (Inclusive C14N, without comments)
	static string url = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315";

	public static void Usage (string error)
	{
		Console.WriteLine ("C14N - Copyright (C) 2004 Novell.{0}", Environment.NewLine);
		if (error != null) {
			Console.WriteLine ("{0}Error: {1}{0}", Environment.NewLine, error);
		}
		Console.WriteLine ("Usage: c14n input [transform_url] [element]");
		Console.WriteLine ("[input]        \tXML document to canonicalize");
		Console.WriteLine ("[transform_url]\tTransformation algorithm URL");
		Console.WriteLine ("               \tDefault is {0}", url);
		Console.WriteLine ("[element]      \tPartial C14N from this element and its children");
	}

	public static void Main (string[] args)
	{
		if (args.Length < 1) {
			Usage (null);
			return;
		}

		string filename = args [0];
		if (!File.Exists (filename)) {
			Usage (String.Format ("Missing file {0}", filename));
			return;
		}

		XmlDocument xml = new XmlDocument ();
		// whitespace is significant for C14N, so keep it exactly as in the file
		xml.PreserveWhitespace = true;
		xml.Load (filename);

		MemoryStream ms = new MemoryStream ();
		for (int i=1; i < args.Length; i++) {
			if (args [i].StartsWith ("http://")) {
				// transformation algorithm URL
				url = args [i];
			} else {
				// partial C14N: only the named element (in the xmldsig namespace) and its children
				XmlNodeList xnl = xml.GetElementsByTagName (args [i], SignedXml.XmlDsigNamespaceUrl);
				if (xnl.Count == 0) {
					Usage (String.Format ("Element {0} not found in {1}", args [i], filename));
					return;
				}
				byte[] si = Encoding.UTF8.GetBytes (xnl [0].OuterXml);
				ms.Write (si, 0, si.Length);
			}
		}

		if (ms.Position == 0) {
			// process the whole document
			xml.Save (ms);
		}
		ms.Position = 0;

		// the transform is looked up by its URL, so any registered C14N variant can be used
		Transform t = (Transform) CryptoConfig.CreateFromName (url);
		if (t == null) {
			Usage (String.Format ("Unknown transformation algorithm {0}", url));
			return;
		}
		t.LoadInput (ms);
		StreamReader sr = new StreamReader ((Stream) t.GetOutput (), Encoding.UTF8);
		Console.Write (sr.ReadToEnd ());
	}
}
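To show what the tool above is comparing, here is an added example (not from the post or from Mono) that feeds two constructed serializations of the same XML infoset through XmlDsigC14NTransform directly and digests the canonical bytes, the way a Reference's DigestValue is computed. The sample documents, the "urn:example" namespace and the choice of SHA-256 for the digest are all assumptions made for the example.

```csharp
//
// Added example: canonicalize two differently serialized documents with
// Inclusive C14N and compare the digests of the canonical forms.
// Not part of the original post or of Mono.
//
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

public class C14NCompare {

	// Canonicalize a whole document with Inclusive C14N (the c14n tool's default
	// transform) and return the canonical bytes, exactly what a DigestMethod hashes.
	public static byte[] Canonicalize (string xml)
	{
		XmlDocument doc = new XmlDocument ();
		doc.PreserveWhitespace = true;
		doc.LoadXml (xml);

		XmlDsigC14NTransform t = new XmlDsigC14NTransform ();
		t.LoadInput (doc);
		using (Stream s = (Stream) t.GetOutput (typeof (Stream)))
		using (MemoryStream ms = new MemoryStream ()) {
			s.CopyTo (ms);
			return ms.ToArray ();
		}
	}

	// Hex digest of the canonical bytes (a <DigestValue> carries the same hash, base64 encoded)
	public static string DigestHex (byte[] canonical)
	{
		using (SHA256 sha = SHA256.Create ()) {
			return BitConverter.ToString (sha.ComputeHash (canonical)).Replace ("-", "").ToLowerInvariant ();
		}
	}

	public static void Main ()
	{
		// constructed samples: same infoset, different attribute order, whitespace
		// inside the start tag, and empty-element syntax
		string a = "<x:root xmlns:x=\"urn:example\" b=\"2\" a=\"1\"><child/></x:root>";
		string b = "<x:root a=\"1\"   xmlns:x=\"urn:example\"\n\tb=\"2\"><child></child></x:root>";

		byte[] ca = Canonicalize (a);
		byte[] cb = Canonicalize (b);

		Console.WriteLine (Encoding.UTF8.GetString (ca));
		Console.WriteLine (Encoding.UTF8.GetString (cb));
		Console.WriteLine ("digest a: {0}", DigestHex (ca));
		Console.WriteLine ("digest b: {0}", DigestHex (cb));
		Console.WriteLine ("canonical forms match: {0}", DigestHex (ca) == DigestHex (cb));
	}
}
```

Both inputs canonicalize to the single line `<x:root xmlns:x="urn:example" a="1" b="2"><child></child></x:root>` (namespace declarations first, attributes sorted, empty elements expanded, whitespace inside tags dropped), so their digests are identical. That is why a signer and a verifier running different XML stacks can agree on a DigestValue at all, and also why a C14N bug on either side shows up as a digest mismatch rather than as anything more descriptive, which is the situation the tool was written to debug.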

Side note: after hitting my head hard enough (guess on what?) I finally figured out that C14N could mean CrazySebastien and not Canonicalization - but it ran two letters short. Strangely I didn't have any more problems with C14N afterward...


3/16/2004 21:36:10

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.