June 27, 2019

XML Signature / Canonicalization Bug in Widely Used Software

Chilkat has found what it believes to be a bug in the internal XML canonicalization functionality in some other software systems.

Chilkat’s XML canonicalization is correct, whereas some other established implementations are incorrect. Chilkat is adding a Behavior in v9.5.0.79 to allow for the bug to be reproduced so that XML signatures produced by Chilkat are compatible with these particular systems.

The bug has to do with the sorting of attributes in XML canonicalization. Specifically, the rules for sorting attributes are described here: https://www.w3.org/TR/xml-c14n11/#DocumentOrder

  • An element’s attribute nodes are sorted lexicographically with namespace URI as the primary key and local name as the secondary key (an empty namespace URI is lexicographically least).

For example, if we have the following XML:

<ClinicalDocument xmlns="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<value value="20" xsi:type="PQ"></value>
</ClinicalDocument>

The canonicalized XML is this:

<ClinicalDocument xmlns="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<value xsi:type="PQ" value="20"></value>
</ClinicalDocument>

Notice the order of the attributes “value” and “xsi:type” are reversed. Why is this? It’s because the attributes are first sorted by the primary key. The primary key is the namespace URI. The “value” attribute uses the default namespace, and in this case the default namespace URI is “urn:hl7-org:v3”. The namespace URI of the “xsi:type” attribute is “http://www.w3.org/2001/XMLSchema-instance”.

Therefore, we compare “http://www.w3.org/2001/XMLSchema-instance” with “urn:hl7-org:v3”. Based on this comparison, the “xsi:type” attribute comes first. This is what Chilkat does, and it is correct according to the XML canonicalization standards.

Apparently, some existing XML signature implementations simply compare “xsi:type” with “value” and sort based on the simple comparison. This is incorrect. To force Chilkat to create an XML signature in this incorrect way, the “AttributeSortingBug” keyword can be added to the Behaviors property (starting in Chilkat v9.5.0.79).

admin
0
Tags :

Tags

ActiveX asp async asynchronous C# callbacks charset Delphi email Encryption error messages events exchange server FTP GMail HTTP IMAP IOS Java Linking MHT MIME oauth2 Office365 pfx PHP pop3 port-forwarding regsvr32 release notes RSA SFTP SMTP socket SSH SSL TLS tunnel upload vb6 VC++ x64 xades XML zip