06 March 2012

XML Canonicalizer

When signing an XML file, obviously all need to agree on "proper" form
so use a canonicalizer
Java doesnt have one, so use apache rather than sun
-so far I have included all the apache xml jars,  ... several at least are required

public static String canon (String raw)
{
String cooked = null;
try
{
byte inputBytes[] = raw.getBytes();
org.apache.xml.security.c14n.Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
byte result[] = c14n.canonicalize(inputBytes);
cooked = new String(result);
}
catch (Exception ex)
{
print("\n canon excptn " + ex.getMessage());
print("\n raw " + raw + "\n");
}
return cooked;

However this doesnt seem to do much:




raw
<dc:FileDataCollection xmlns:dc="http://www.fredrick.dc" xmlns:dca="http://www.fredrick.dc/AuditRegisters" xmlns:dce="http://www.fredrick.dc/Events" xmlns:dct="http://www.fredrick.dc/Transactions" xmlns:dcv="http://www.fredrick.dc/Versions" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">




<FileHeader  >
            <FileHeaderTag>    FHTAG_EVENT_LOG</FileHeaderTag    >        
        <FileCreationDate>2012-02-21T15:45:55</FileCreationDate>
        <SignKeyVer>0</SignKeyVer>
    </FileHeader>
    <FileBody>
        <FileMessage>
            <MsgHeader>
                <MsgSequenceNumber></MsgSequenceNumber>    
                <MsgReportDate>2012-02-21T15:45:55</MsgReportDate>
                <DeviceID>65537</DeviceID>
                <ComplementDeviceID>0</ComplementDeviceID>
=======================================






 cooked Canonical 
<dc:FileDataCollection xmlns:dc="http://www.fredrick.dc" xmlns:dca="http://www.fredrick.dc/AuditRegisters" xmlns:dce="http://www.fredrick.dc/Events" xmlns:dct="http://www.fredrick.dc/Transactions" xmlns:dcv="http://www.fredrick.dc/Versions" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">




<FileHeader>
            <FileHeaderTag>    FHTAG_EVENT_LOG</FileHeaderTag>                   indent spaces same,  spaces in tag removed
        <FileCreationDate>2012-02-21T15:45:55</FileCreationDate>
        <SignKeyVer>0</SignKeyVer>
    </FileHeader>
    <FileBody>
        <FileMessage>
            <MsgHeader>
                <MsgSequenceNumber></MsgSequenceNumber>                          empty tag left
                
               
line-seperator  is LF 0x0A, no CR which is handy

The Client has sent me some demo XML signed files: the certificate is OK, has an OK public key, which verifies the Signature to a decent Digest. BUT the plaintext Digest is different!
One at least, probably both, have been cobbled together. And no SHA1 digest of  a range of versions of the raw input produce a digest identical to either of the 2 received.   Aint adversarial business grand!


Posted by C T Skinner at 6:19 PM

2 comments:

  1. C T SkinnerMarch 6, 2012 at 7:47 PM

    It may be that a grotesque convention has arisen,
    whereby canonicalization (c14n) is DIFFERENT for the sent Digest and the Signed Digest. Up to now I cant replicate either!

    ReplyDelete
  2. C T SkinnerMarch 6, 2012 at 7:51 PM

    Yet another c14n
    indent with spaces "0" - still cant replicate either digest

    ReplyDelete

Subscribe to: Post Comments (Atom)