Figure out if referenced nodes should be detached from parent document when canonicalizing #226

Open
kislyuk opened this issue Apr 13, 2023 · 0 comments

kislyuk commented Apr 13, 2023

When producing an enveloped signature for a document that declares a default namespace in the root element, references that refer to child nodes in the document are canonicalized differently when detached from the parent document vs. not. Specifically, empty xmlns declarations (xmlns="") can appear when not detaching, and disappear when detaching.

Prior to 34a0c0a, we were detaching the child nodes when signing, but not when verifying, so we produced some signatures we couldn't verify. The excise_empty_xmlns_declarations previously papered over this inconsistency, but now that it's off by default, it became apparent.

It's unclear from https://www.w3.org/TR/xml-c14n11/ and from test cases whether detaching is the correct approach for canonicalization.

One thing to keep in mind is that without roundtripping/detaching, there is no way to keep the canonicalization invariant to the enclosing document, so it is probably the correct choice.
