Exchanger XML Editor - Canonicalization and XML Digital Signatures



Similar documents
Introduction to XML Applications

DTD Tutorial. About the tutorial. Tutorial

DEVELOPING CONTRACT - DRIVEN WEB SERVICES USING JDEVELOPER. The purpose of this tutorial is to develop a java web service using a top-down approach.

LabVIEW Internet Toolkit User Guide

XML Digital Signature Implementation Guide

Listeners. Formats. Free Form. Formatted

XML: extensible Markup Language. Anabel Fraga

Set up My Sites (SharePoint Server

WebSphere Business Monitor

The Forger s Art Exploiting XML Digital Signature Implementations HITB 2013

17 March 2013 NIEM Web Services API Version 1.0 URI:

Digital Signing Specification

CA Nimsoft Service Desk

Forms Printer User Guide

Chapter 3: XML Namespaces

Eventia Log Parsing Editor 1.0 Administration Guide

Integrating with BarTender Integration Builder

HireDesk API V1.0 Developer s Guide

Representation of E-documents in AIDA Project

Appendix K Introduction to Microsoft Visual C++ 6.0

Web Services Security SOAP Messages with Attachments (SwA) Profile 1.1

Fireworks 3 Animation and Rollovers

DIRECTOR GENERAL OF THE LITHUANIAN ARCHIVES DEPARTMENT UNDER THE GOVERNMENT OF THE REPUBLIC OF LITHUANIA

Import and Export User Guide. PowerSchool 7.x Student Information System

ibolt V3.2 Release Notes

Extensible Markup Language (XML): Essentials for Climatologists

Commander. The World's Leading Software for Label, Barcode, RFID & Card Printing

F9 Integration Manager

DocuSign Quick Start Guide. Using the Bulk Recipient Feature. Overview. Table of Contents

General Product Questions Q. What is the Bell Personal Vault Vault?...4. Q. What is Bell Personal Vault Backup Manager?...4

Pharmacy Affairs Branch. Website Database Downloads PUBLIC ACCESS GUIDE

Kuali Financial System Interface Specification for Electronic Invoice Feed

Smooks Dev Tools Reference Guide. Version: GA

DocuSign Signing Resource File Information

HTML Web Page That Shows Its Own Source Code

Last Week. XML (extensible Markup Language) HTML Deficiencies. XML Advantages. Syntax of XML DHTML. Applets. Modifying DOM Event bubbling

Connections to External File Sources

Electronic Bank Account Management - EBAM

Legal Notes. Regarding Trademarks KYOCERA Document Solutions Inc.

Job Cost Report JOB COST REPORT

MS Access Lab 2. Topic: Tables

Intellicus Enterprise Reporting and BI Platform

How To Set Up Total Recall Web On A Microsoft Memorybook (For A Microtron)

Developer Guide to Authentication and Authorisation Web Services Secure and Public

Alarms & Events Plug-In Help Kepware, Inc.

Exercise 4 Learning Python language fundamentals

Using the Thesis and Dissertation Templates

Introduction to Web Services

AccXES Account Management Tool Administrator s Guide Version 10.0

QUICK START GUIDE EDI Claims Link for Windows version 3.1

The McGill Knowledge Base. Last Updated: August 19, 2014

WebSphere Application Server security auditing

Oracle Endeca Commerce. URL Optimization API for Java Developer's Guide Version April 2013

Litigation Support connector installation and integration guide for Summation

Basics Series Basics Version 9.0

BusinessObjects Enterprise XI Release 2

Creating Digital Signatures

Help File. Version February, MetaDigger for PC

An XML Based Data Exchange Model for Power System Studies

McAfee Cloud Identity Manager

Import and Export User Guide PowerSchool Student Information System

How To Use Query Console

Java Security Web Services Security (Overview) Lecture 9

Importing and Exporting With SPSS for Windows 17 TUT 117

Network Security. Chapter 10. Application Layer Security: Web Services. Part I: Introduction to Web Services

CENTRAL SUSQUEHANNA INTERMEDIATE UNIT Application: Fund Accounting

Xtreeme Search Engine Studio Help Xtreeme

IBM Operational Decision Manager Version 8 Release 5. Getting Started with Business Rules

CENTRAL SUSQUEHANNA INTERMEDIATE UNIT Application: Fund Accounting. Fund Accounting - Checking Accounts Learning Guide

Directions for the Well Allocation Deck Upload spreadsheet

Lab 9 Access PreLab Copy the prelab folder, Lab09 PreLab9_Access_intro

Evaluator s Guide. PC-Duo Enterprise HelpDesk v5.0. Copyright 2006 Vector Networks Ltd and MetaQuest Software Inc. All rights reserved.

Intelligent Event Processer (IEP) Tutorial Detection of Insider Stock Trading

Xcode User Default Reference. (Legacy)

How to Create and Send a Froogle Data Feed

Create Signature for the Scott County Family Y

USER GUIDE MANTRA WEB EXTRACTOR.

Features - Microsoft Data Protection Manager

Settings 1 September 2015

Developers Guide. Designs and Layouts HOW TO IMPLEMENT WEBSITE DESIGNS IN DYNAMICWEB. Version: English

Logix5000 Controllers Import/Export Project Components

Qlik REST Connector Installation and User Guide

Accounts Receivable Invoice Upload

Structured vs. unstructured data. Motivation for self describing data. Enter semistructured data. Databases are highly structured

Xerox Standard Accounting Import/Export User Information Customer Tip

How To Install An Aneka Cloud On A Windows 7 Computer (For Free)

Reading and Writing Files Using the File Utilities service

Published. Technical Bulletin: Use and Configuration of Quanterix Database Backup Scripts 1. PURPOSE 2. REFERENCES 3.

StreamServe Persuasion SP5 Document Broker Plus

Schematron Validation and Guidance

Kaldeera Workflow Designer 2010 User's Guide

Scribe Online Integration Services (IS) Tutorial

Transcription:

Exchanger XML Editor - Canonicalization and XML Digital Signatures Copyright 2005 Cladonia Ltd Table of Contents XML Canonicalization... 2 Inclusive Canonicalization... 2 Inclusive Canonicalization Example... 3 XPath and Canonicalization... 3 Exclusive Canonicalization... 4 Exclusive Canonicalisation Examples... 4 XML Signatures... 6 How to Create and Verify a Signature... 6 Signing using an ID attribute value... 7 Signing using an XPath... 7 Signature Type: Envelope versus Detached... 8 Signing large or non-xml documents... 8 C14N Method... 8 Exchanger XML Editor - Canonicalization 1

XML Canonicalization Exchanger XML Editor supports Inclusive and Exclusive canonicalization of documents according to the W3C Canonicalization specifications. Inclusive Canonicalization The following list contains a summary of the possible changes the input document undergoes during Inclusive Canonicalization: The document is encoded in UTF-8 Line breaks are normalized to #xa Attribute values are normalized (Character and parsed entity references are replaced; White space characters (#xd, #xa, #x9) are replaced by the space character #x20; If the attribute type is not CDATA, any leading and trailing space (#x20) characters are discarded, and any sequences of space (#x20) characters are replaced by a single space (#x20) character.) All attributes for which no declaration has been read should be treated by a non-validating processor as if declared CDATA. Note: a validating parser will produce different output to one that just checks well-formedness since leading/trailing spaces are discarded and sequences of spaces are collapsed for non-cdata atrributes by the validating parser - the canonicalisation spec requires that attribute values are normalized "as if by a validating processor". Character and parsed entity references in content are replaced The XML declaration is removed Whitespace outside of the document element is normalized All whitespace in character content is retained (excluding characters removed during line feed normalization) Default attributes are added to each element A DOCUMENT_TYPE node is discarded. Processing Instructions (PIs) before the document element are output followed by a new line each. PIs after the document element are output preceeded by a new line each. PIs are output with a single space between the target name and the value, if there is a value otherwise no space is output. The character #x0d is replaced by the character entity Comments before the document element are output followed by a new line. Comments after the document element are output preceeded by a new line. The character #x0d is replaced by the character entity Text and CDATA nodes are output as text, with special characters replaced by character references: & replaced by & < replaced by < > replaced by > and the character #x0d is replaced by the character entity Empty elements are converted to start-end tag pairs. Whitespace within start and end tags is normalized. Attribute value delimiters are set to quotation marks (double quotes) 2

Special characters in attribute values are replaced by character references: & replaced by & < replaced by < > replaced by > and the character #x0d is replaced by the character entity Relative namespaces are not allowed and will cause the canonicalization to fail. Namespaces and attributes: any superfluous redeclaration of namespaces or xml: attributes are dropped from the output - for example, if an element has an xml:space="preserve" and an ancestor has the same declaration without an intervening xml:space="default", then the xml:space attribute is dropped from the current element (and similarly for redeclared namespaces). Namespace and attribute ordering: namespaces are output before attributes. Namespaces are ordered based on the local name (prefix), with the default namespace, if it exists, being placed last because it has no local name. Attributes are ordered based on the namespace URI (not prefix!) as the primary key and the local name as the secondary key, with attributes in no namespace being placed last (remember, default namespace does not apply to attributes). Inclusive Canonicalization Example Open the file input/books.xml in the Inclusive Canonicalization project and select Security->Canonicalize. In the dialog, select Inclusive, send the output To New Document and click OK. This example shows up a number of canonicalization features, including entity and CDATA replacement, double quotes replacing single quotes around attribute values, attributes being ordered alphabetically, XML Declaration and DOCTYPE stripping, etc. XPath and Canonicalization XPaths can also be used to specify what portion of a document is to be canonicalized. Note that an XPath such as //person only identifies individual nodes (the apex nodes of subtrees starting at the person elements), whereas a construction similar to (//. //@* //namespace::*)[ancestor-or-self::person] is needed to describe the list of nodes contained within the person elements (for more details, see the Canonicalization specification). When using XPaths in Exchanger for Canonicalization or XML Signatures, you only need to enter the predicate, i.e. the part inside the square brackets [] which in the current example is ancestor-or-self::person. If you need to use namespace prefixes in your XPath predicates in Canonicalization, then you must declare them to the Editor either in the Canonicalize dialog or through the XML Preferences window (available via File->Preferences in the XML tab). See the section on using XPaths in Exchanger at the beginning of this document and the Preferences section at the end for more details on using namespace prefix mapping. 3

Exclusive Canonicalization Exclusive canonicalization deals with the canonicalization of document subsets and attempts to isolate the subset from its context - this is very important when content of one XML document type is embedded (or "enveloped") within another document type such as SOAP. Exclusive canonicalization adds extra restrictions, above and beyond the regular canonicalization issues outlined above. Visibly utilized namespaces: Namespaces are not automatically output on an element unless they are actually used on the element itself - this holds both for namespaces delared on ancestor elements and also for those declared on the element itself. If an unused namespace is used on a subsequent descendant, the appropriate namespace declaration is only output at that point. Included namespaces: specific namespace declarations can be explicitly output by supplying them to the exclusive canonicalization algorithm in the InclusiveNamespaces PrefixList. This is useful when a prefix is used in an attribute value (say, as part of an XPath specification) and would not be "visibly used" by default. xml: attributes that have been used on ancestors that are not part of the document subset are NOT output on the apex nodes of the document subset. Exclusive Canonicalisation Examples Open the file input/xc14ntest.xml in the Exclusive Canonicalization project and select Security->Canonicalize. In this example, we are going to exclusively canonicalize the verbatim element contents and see how the namespaces are affected. In the dialog, select Exclusive and set the XPath Predicate to ancestor-or-self::q:verbatim. (Note: you will need to add a Namespace Prefix Mapping entry with Prefix equals to q and URI equals http://www.q.com/sample/ and send the output To New Document. 4

Figure 1. Exclusive Canonicalization In the output (also available in the output directory in the project) notice how namespace declarations are only output when needed. Also note that while the w prefix is used in an attribute value on the b element, the namespace declartion is not output on the b element as the namepsace is not "visibly used" but is output on the i element where it is visible. 5

XML Signatures It is possible to create and verify a digital signature in Exchanger XML Editor according to the XML Digital Signature specification. How to Create and Verify a Signature Open the file input/full.xml in the Envelope XML Signature project. To create a signature for this document, select Security->Sign Document... and the following dialog will appear. 6

Figure 2. Sign Document Ensure that Current Document is selected as Input and in the Transforms section of the dialog, leave the C14N Method with its default setting (None) and leave the XPath field blank for now. Make sure that the output is set To New Document so as to not overwrite the existing file and then press Sign. A new document will open, consisting of the original document and a new Signature element made up of: A SignedInfo element with details of how the signature was generated. A SignatureValue element. A KeyInfo element with details of the key used. In this instance, the document was signed using a key that is shipped with the Exchanger XML Editor as can be seen in the SubjectName element: <ds:x509subjectname>cn=exchanger,ou=development,o=cladonia,c=ie</ds:x509subjectname> To verify that the signature is correct, just select Security->Verify Signature and a dialog should popup to say that the signature is valid. Now change the data in the new document (for example, change the second person's name from Jane Smith to Jane Jones) and verify the signature again. This time you will be notified that the signature is no longer valid. Signing using an ID attribute value Instead of signing an entire document, it is sometimes desirable to sign a particular subsection, for example, a manager may wish to sign the part of an employee's purchase order that deals with approval. One way to do this is using an ID attribute on the element that should be signed. Open the file input/id.xml in the Envelope XML Signature project - notice that this document is the same as in the preceding example, except now each Person element has an extra "id" attribute. Select Security->Sign Document... but this time enter the value 123 in the Id section of the Signature Type field in order to sign the first Person element in the document (containing the details of John Doe). Again, select To New Document for the output so as not to modify the original file and press Sign. In the new document, modify the second Person element, changing the name from Jane Smith to Jane Jones and select Security->Verify Signature. The signature is still reported as valid even though the overall document has been changed. Now modify the first Person element, changing the name from John Doe to Tom Doe and again select Security->Verify Signature. This time the signature is invalid because the element to which it relates has been changed. Notice in the SignedInfo section that the <ds:reference URI="#123"> element identifies which element has been signed. By default, when a schema/dtd is not present, only attributes named "id", "ID" and "Id" can be used for generating signtures in this way. Signing using an XPath XPaths can also be used to specify what portion of a document is to be signed. Note that an XPath such as //section only identifies individual section nodes, whereas a construction similar to (//. //@* //namespace::*)[ancestor-or-self::section] is needed to describe the list of nodes in each section element (for more details, see the Canonicalization specification and the XML Signature specification). To create a signature based on an XPath, open the file input/xpath.xml in the Envelope XML Signature project and select Security->Sign Document... Ensure that the Id field is blank and in the XPath field in the Transform section, enter ancestor-or-self::salary - this predicate is used by the signature code to refine the path (//. //@* //namespace::*). Again, select To New Document for the output so as not to modify the original file and press Sign. Now modifying the Salary element will invalidate the signature while changes to the Name or SSN element will not. 7

Signature Type: Envelope versus Detached In the preceding examples, we chose by default to create Envelope signatures, where the signature information is combined with the input data in a single file. It is also possible to create Detached signatures where the signature information lives in an entirely separate file from the input. Because the detached signature needs a URI for the file being signed, there is a slight restriction in Exchanger XML Editor that only files on disk can be signed using detached signatures (simply save any changes to an open document before creating a detached signature). Select Security->Sign Document... and set the input to From URL and select the desired XML file (for example, http://www.exchangerxml.com/cladonia.gif). Set the Signature Type to Detached, set the appropriate XPath if required (the output is automatically set To New Document) and press Sign. The detached signature is displayed in a new window and can be saved to file for future use. (An example of a detached signature is available in the Detached XML Signature project in the signed folder.) Note: Exchanger XML Editor does not currently support Enveloping signatures, the third type of signature defined in the XML Signature specification. Signing large or non-xml documents Any file can be signed, irrespective of whether it is XML or not, by specifying the URI and creating a detached signature with C14N Method set to None and not specifying an XPath transformation. Note that if an XML file is signed in this way, then no changes can be made to it (even non-significant whitespace changes) without invalidating the signature. Also, the URI of the input file is encoded in the detached signature so the file cannot be moved without invalidating the signature also. However, using a detached signature with extremely large XML files is sometimes the only possibility as the requirement to read the entire document into memory for a canonicalization or XPath transform can cause significant performance problems and with larger documents will cause out of memory errors (an expansion factor of between 4 and 10 is typical when building a DOM from an XML file on disk.) C14N Method The C14N Method drop down in the Transform section of the Sign Document... dialog specified which canonicalization method should be used. The choices are Inclusive Canonicalization removing comments, Inclusive Canonicalization preserving comments, Exclusive Canonicalization removing comments, Exclusive Canonicalization preserving comments and None. By default, the method is set to None. For more information on Canonicalization in general, see the earlier section. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information