EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Avoid newline normalization on signing an XML file

#34543
Posted: 09/25/2015 08:51:06
by Leonardo Herrera (Standard support level)
Joined: 02/14/2011
Posts: 66

Hello,

Still using Secure Black Box 9 VCL Professional.

I'm trying to sign an XML document that contains mixed CRLF and LF characters. I understand that XML canonicalization states that newlines must be normalized before signing, but our braindead taxes office implementation simply rejects this, and I must comply.

Is it possible to avoid newline normalization when calculating a signature? I have created my own canonicalization object:
Code
TCanonWithoutNEL = class(TElXMLC14NTransform)
  // Same canonicalization transform, but loads the document without newline normalization
  function TransformData(const Data: ByteArray): TSBTransformedDataType; override;
end;


The only change is that I've replaced the LoadDocumentFromData function with my own version that just loads the stream without normalizing it:
Code
Result.LoadFromStream(Mem, '', false); // third argument false: newline normalization disabled


Is this the right approach? Is there any other place where newline normalization may be happening before signing an XML document?
#34549
Posted: 09/25/2015 13:56:34
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

Quote
I'm trying to sign an XML document that contains mixed CRLF and LF characters. I understand that XML canonicalization states that newlines must be normalized before signing,

No, the canonicalization does not explicitly require normalization of newline characters.

Different implementations canonicalize the CR character in three different ways:
1. ignore it (usually web applications; in fact it is okay if an application expects canonicalized input),
2. canonicalize it as an entity (the correct way as defined by the specification; SecureBlackbox also does this if a document is loaded with the normalization option disabled),
3. canonicalize it as is (some buggy applications).

To solve possible compatibility issues with third party services we recommend normalizing newline characters before loading and signing a document.

But, if your third party service requires that all CR characters are kept and doesn't understand the current signature, then you may try to pass the canonicalized signed document to the service, for example:
Code
XMLDocument.LoadFromStream(stream, '', false); // load with disabled newline normalization option
// ... sign the document here ...
XMLDocument.SaveToStream(outStream, xcmCanonComment, ''); // save canonicalized document


Quote
The only change is that I've replaced the LoadDocumentFromData function with my own version that just loads the stream without normalizing it:
Is this the right approach? Is there any other place where newline normalization may be happening before signing an XML document?

I don't think so. The LoadDocumentFromData() function is used to load a document from binary data when the next transform in the chain requires nodes as input but the previous transform returned binary output, for example, if the transform chain contains several canonicalization transforms.
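The three CR behaviours listed in the reply above decide what bytes actually get digested, and therefore whether a signature made by one implementation verifies at another. The following added example (not code from the original thread or from SecureBlackbox) reproduces them with Python's standard library on a constructed document containing a CRLF inside a text node. Python's expat parser has no "disable newline normalization" option, so behaviour 2 is emulated by turning the CR into a character reference before parsing, which the parser keeps and C14N then writes out as `&#xD;`; this assumes the CR occurs only inside element content, as it does in the sample.

```python
"""Three ways a CR inside XML text content can reach the canonical form (and the signed digest)."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample (not from the original post): a CRLF line break inside a text node.
SAMPLE_CRLF = b"<Invoice><Note>line one\r\nline two</Note></Invoice>"


def c14n_drop_cr(doc: bytes) -> str:
    """Behaviour 1: an ordinary parser normalizes CRLF and CR to LF before canonicalization
    (XML 1.0 section 2.11 end-of-line handling), so the CR is simply gone."""
    return ET.canonicalize(doc.decode("utf-8"))


def c14n_cr_as_entity(doc: bytes) -> str:
    """Behaviour 2: keep the CR and let C14N emit it as the &#xD; character reference.
    Emulation: escape each CR as &#13; before parsing; character references are not subject
    to end-of-line normalization, so the parser preserves the CR and C14N escapes it.
    Assumption: CRs occur only inside element content (true for SAMPLE_CRLF)."""
    kept = doc.replace(b"\r", b"&#13;")
    return ET.canonicalize(kept.decode("utf-8"))


def c14n_cr_literal(doc: bytes) -> str:
    """Behaviour 3: write the CR byte unescaped. This is not valid C14N output; it is
    included only so that its digest can be compared with the other two."""
    return c14n_cr_as_entity(doc).replace("&#xD;", "\r")


def sha256_hex(canonical: str) -> str:
    """Digest of the canonical form, as a signature reference would cover it."""
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def digests_by_behaviour(doc: bytes) -> dict:
    """Digest each behaviour would sign. Two services that differ here cannot verify
    each other's signatures over the same input bytes."""
    return {
        "drop_cr": sha256_hex(c14n_drop_cr(doc)),
        "cr_as_entity": sha256_hex(c14n_cr_as_entity(doc)),
        "cr_literal": sha256_hex(c14n_cr_literal(doc)),
    }


if __name__ == "__main__":
    for name, h in digests_by_behaviour(SAMPLE_CRLF).items():
        print(f"{name:13s} {h}")
```

Running it prints three different digests for the same input document, which is the whole problem in this thread: the signer and the tax office service must agree on one of the three behaviours, and the reply's suggestion of sending the already canonicalized document (so the CR is already `&#xD;` and no further normalization can change it) is one way to force that agreement.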
