
XML Security Suite: Increasing the Security of E-Business

By Doug Tidwell
2005-05-18


Canonical XML

canonical form: the simplest form of something (Merriam-Webster's Collegiate Dictionary, Online Edition)

To calculate a digital signature over an XML document, you need a single agreed-upon byte representation of that document, because even one changed byte changes the digest. The W3C's Canonical XML standard provides exactly that representation.

Even though two XML documents may not be identical, they may be equivalent for the purposes of an XML application. Consider the following two elements:

Listing 7. Equivalent but not identical XML

<img alt="" src="dwlogo.gif" width="225" height="30"/>
<img alt="" src="dwlogo.gif" height="30" width="225"/>

If you do a simple string comparison on these two elements, they're obviously not the same. From an XML processing perspective, though, they're equivalent. According to the XML 1.0 Recommendation, the order of attributes is not significant. Other insignificant differences between XML source documents are the amount of white space between attributes, and whether attributes with default values were actually included in the source document. To solve this problem, the W3C is currently defining a canonical form for XML documents.

The XML Security Suite provides an XML Canonicalizer utility, a prototype implementation of the W3C's emerging standard for Canonical XML. To convert an XML document to its canonical form, use one of the following two commands:

Listing 8. XML Canonicalizer

java C14nDOM < sonnet.xml > canonical-sonnet-DOM.xml
java C14nSAX < sonnet.xml > canonical-sonnet-SAX.xml

The C14nDOM application uses a DOM parser, while the C14nSAX application uses a SAX parser. Although you can use these applications to generate the canonical form of an XML document, they are primarily used by the XML signature code. (BTW, the c14n abbreviation means that canonicalization is spelled beginning with a c, has 14 letters, and ends with an n. You'll often see internationalization similarly written as i18n.)

Because the XML Signature code uses canonicalization to generate digital signatures, you can make certain changes to the original document without affecting the validity of the digital signature. As an example, add some white space inside a tag. Change the line:

<sonnet type="Shakespearean">

to

<sonnet
    type="Shakespearean">

After you make this change, run the SampleVerify application again to make sure the digital signature is still valid:

Listing 9. SampleVerify application (canonical form of file)

java SampleVerify -dom < external-signature.xml
Signer: CN=Doug Tidwell, OU=developerWorks, O=IBM, L=Research Triangle Park, ST=North Carolina, C=US
SignedInfo Bytes: 1069
----------------------------------------
--> Location: file:///d:/xss4j/samples/sonnet.xml
Validity: Ok
--> SignedInfo: Ok
--> All: Ok
----------------------------------------

Even though the document is different, the differences aren't semantically significant. Because the XML Security Suite uses the canonical form of the XML documents, the semantically insignificant differences are ignored.
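As an added illustration (this is not code from the XML Security Suite or from the original tutorial), the following Python script uses the standard library's canonicalizer, which implements the later W3C Canonical XML 2.0 standard rather than the draft the suite prototyped, to show why the edits above leave the signature valid and why a real change to the content would not. The XML fragments are constructed here to mirror Listing 7 and the sonnet.xml edit.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed inputs mirroring Listing 7: the same element with its
# attributes in a different order. They differ byte for byte but are
# equivalent XML.
IMG_A = '<img alt="" src="dwlogo.gif" width="225" height="30"/>'
IMG_B = '<img alt="" src="dwlogo.gif" height="30" width="225"/>'

# Constructed inputs mirroring the sonnet.xml edit: extra white space
# inside the start tag, which XML 1.0 treats as insignificant.
SONNET_A = '<sonnet type="Shakespearean"><line>Shall I compare thee</line></sonnet>'
SONNET_B = '<sonnet \n    type="Shakespearean"><line>Shall I compare thee</line></sonnet>'

# A significant change: a different attribute value. This must NOT
# canonicalize to the same bytes, or a signature would miss tampering.
SONNET_TAMPERED = '<sonnet type="Petrarchan"><line>Shall I compare thee</line></sonnet>'


def canonical_bytes(xml_text: str) -> bytes:
    """Return the C14N 2.0 serialization of xml_text as UTF-8 bytes.

    xml.etree.ElementTree.canonicalize (Python 3.8+) sorts attributes,
    drops white space inside tags, uses double quotes for attribute
    values and writes explicit end tags, so equivalent documents
    serialize to identical output.
    """
    return ET.canonicalize(xml_text).encode("utf-8")


def digest(data: bytes) -> str:
    """SHA-256 hex digest, standing in for the digest a signature covers."""
    return hashlib.sha256(data).hexdigest()


def same_after_c14n(xml_a: str, xml_b: str) -> bool:
    """True when two XML strings are equivalent under canonicalization."""
    return digest(canonical_bytes(xml_a)) == digest(canonical_bytes(xml_b))


if __name__ == "__main__":
    print(canonical_bytes(IMG_A).decode())
    print("raw bytes equal:  ", IMG_A == IMG_B)                           # False
    print("canonical equal:  ", same_after_c14n(IMG_A, IMG_B))            # True
    print("white space edit: ", same_after_c14n(SONNET_A, SONNET_B))      # True
    print("tampered value:   ", same_after_c14n(SONNET_A, SONNET_TAMPERED))  # False
```

The same property is what lets SampleVerify report "Validity: Ok" after the white-space edit: the digest is computed over the canonical bytes, not over the file as typed.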


First published by IBM DeveloperWorks