I have been struggling for days with this little guy, xml-c14n11.
For those new to it, it is just "cleaning" the XML file according to some rules by removing:
- Whitespaces
- Line breaks
- Comments
It sounds easy, but I am wondering whether the correct way to do it is to use a library.
So I tried with the latest xmlsec-4.0.2.jar library with JavaObject.
I have wasted a lot of time making the canonicalize method work but failed.
I guess I am passing the wrong type for InputBytes. (edit: it turns out the issue is the OutputStream)
I am getting this error:
B4X:
Waiting for debugger to connect...
Program started.
Canonicalize Method: http://www.w3.org/2006/12/xml-c14n11
Error occurred on line: 62 (Main)
java.lang.RuntimeException: Method: canonicalize not matched.
at anywheresoftware.b4j.object.JavaObject.RunMethod(JavaObject.java:130)
at b4j.example.main._canonicalize(main.java:157)
at b4j.example.main._appstart(main.java:64)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at anywheresoftware.b4a.shell.Shell.runMethod(Shell.java:629)
at anywheresoftware.b4a.shell.Shell.raiseEventImpl(Shell.java:234)
at anywheresoftware.b4a.shell.Shell.raiseEvent(Shell.java:167)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at anywheresoftware.b4a.BA.raiseEvent2(BA.java:111)
at anywheresoftware.b4a.shell.ShellBA.raiseEvent2(ShellBA.java:100)
at anywheresoftware.b4a.BA.raiseEvent(BA.java:98)
at b4j.example.main.main(main.java:29)
Program terminated (StartMessageLoop was not called).
canonicalize
public void canonicalize(byte[] inputBytes, OutputStream writer, boolean secureValidation) throws org.apache.xml.security.parser.XMLParserException, IOException, CanonicalizationException
This method tries to canonicalize the given bytes. It's possible to even canonicalize non-wellformed sequences if they are well-formed after being wrapped with a <a>...</a>.
Parameters:
inputBytes -
writer - OutputStream to write the canonicalization result
secureValidation - Whether secure validation is enabled
Then I tried to find whether any version has a different method signature (i.e. only 1 parameter instead of 3), as used in many old code examples that I could find.
Happy that I found the last version that works with passing a byte array is xmlsec 2.1.8.
Java:
import java.nio.charset.StandardCharsets;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
Init.init(); // must run once before getInstance(), otherwise the algorithm is not registered
Canonicalizer canon = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS); // C14N 1.0; for xml-c14n11 use ALGO_ID_C14N11_OMIT_COMMENTS
byte[] canonXmlBytes = canon.canonicalize(yourXmlBytes); // single-argument API of xmlsec 2.1.8 and earlier
String canonXmlString = new String(canonXmlBytes, StandardCharsets.UTF_8); // canonical XML is always UTF-8, so do not rely on the platform default charset
Any version beyond this one, such as the latest version 4.0.2, requires 3 parameters.
Questions:
1. Should I stick to the version that works, even though the older version is reported to have vulnerabilities?
2. If I want to make use of the newer library, how can I fix it?
3. After canonicalization, the following string has changed. I worry this will affect the digest result.
Before:
XML:
<cbc:AdditionalAccountID schemeAgencyName="CertEX"/>
After:
XML:
<cbc:AdditionalAccountID schemeAgencyName="CertEX"></cbc:AdditionalAccountID>
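As an added example (my code, not from this post or the xmlsec project), here is the three-argument canonicalize of xmlsec 4.x called from plain Java, which bears on questions 2 and 3: the result is written to an OutputStream, so it is collected in a ByteArrayOutputStream and the digest is computed over those bytes, and the self-closing and expanded forms of the element come out byte-identical. The class name and the urn:example:cbc namespace URI are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;

public class C14n11Demo {

    // xmlsec 4.x signature: canonicalize(byte[] inputBytes, OutputStream writer, boolean secureValidation).
    // The result goes to the OutputStream, so collect it in a ByteArrayOutputStream.
    // secureValidation=true keeps the hardened parser settings; leave it on for untrusted input.
    static byte[] canonicalizeC14n11(byte[] xml) throws Exception {
        Init.init(); // registers the built-in canonicalizers; safe to call repeatedly
        Canonicalizer canon = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N11_OMIT_COMMENTS);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        canon.canonicalize(xml, out, true);
        return out.toByteArray();
    }

    // The digest must be taken over the canonical bytes, never over the original text.
    static String sha256Base64(byte[] data) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(data));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the same element written three ways (self-closing with extra
        // whitespace between attributes, expanded, and with a comment). The cbc prefix is
        // bound here so each fragment is well-formed on its own; the namespace URI is a placeholder.
        String[] variants = {
            "<cbc:AdditionalAccountID xmlns:cbc=\"urn:example:cbc\"   schemeAgencyName=\"CertEX\"/>",
            "<cbc:AdditionalAccountID xmlns:cbc=\"urn:example:cbc\" schemeAgencyName=\"CertEX\"></cbc:AdditionalAccountID>",
            "<cbc:AdditionalAccountID xmlns:cbc=\"urn:example:cbc\" schemeAgencyName=\"CertEX\"><!-- dropped --></cbc:AdditionalAccountID>"
        };
        byte[] reference = null;
        for (String v : variants) {
            byte[] canonical = canonicalizeC14n11(v.getBytes(StandardCharsets.UTF_8));
            // Canonical XML is always UTF-8; decode it as such, not with the platform default.
            System.out.println(new String(canonical, StandardCharsets.UTF_8));
            System.out.println("  SHA-256: " + sha256Base64(canonical));
            if (reference == null) {
                reference = canonical;
            } else if (!Arrays.equals(reference, canonical)) {
                throw new IllegalStateException("canonical forms differ");
            }
        }
    }
}
```

The empty-element expansion is required by the C14N specification, so it only changes the digest if one side digests the raw text instead of the canonical bytes; both signer and verifier must canonicalize first.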
Edit: I reattached the project with the solution (removed the sample input file containing sensitive data).
Select Build Configurations: Default/Legacy
Additional jars: