This document lists known errata to the Recommendation. Each entry has the following information:
All Errata in this document are proposed in the sense of the process document. Proposed errata become normative when they are incorporated into an edited (or otherwise updated) version of the underlying specification.
The Simple Example should
include a leading < character on the closing DigestValue tag in
line [s10]:
[s10] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
Section 9.0, Schema, DTD, Data Model, and Valid Examples should only contain the XML Signature Schema Instance and XML Signature DTD material. The RDF Data Model is out of date, so that material should be removed from the section. The examples should also be removed from the section since they are misleading (e.g. including a "null transform"). The recommendation contains suitable examples in other sections. The title of the section should be changed to "Schema and DTD" in the heading and table of contents.
The following text is added to section 4.3.2 The SignatureMethod Element:
The ds:HMACOutputLength parameter is used for HMAC algorithms (including the
HMAC-SHA1 algorithm defined in this spec, and HMAC algorithms based on other hash algorithms).
The parameter specifies a truncation length in bits. If this parameter is trusted without
further verification, then this can lead to a security bypass [CVE-2009-0217].
Signatures MUST be deemed invalid if the truncation length is below half the underlying hash
algorithm's output length, or 80 bits, whichever of these two values is greater. Note that
some implementations are known to not accept truncation lengths that are lower than the
underlying hash algorithm's output length.
The first paragraph of section 6.3.1 HMAC is changed as follows:
The HMAC-SHA1 algorithm (RFC2104 [HMAC]) takes the truncation length in bits as a parameter;
if the parameter is not specified, then all the bits of the hash are output. For the HMAC-SHA1
algorithm, any signature with a truncation length of less than 80 bits MUST be deemed
invalid. An example of an HMAC-SHA1 SignatureMethod element: ...
This erratum addresses a vulnerability in a number of implementations of XML Signature. See CVE-2009-0217 and CERT Vulnerability Note 466161 for details.
The following text is added to section 6.3.1 HMAC:
For best interoperability, signature applications SHOULD set theHMACOutputLengthparameter to a value that is a multiple of 8. If the HMACOutputLength parameter is not divisible by 8, verifiers MAY use the nearest multiple of 8 that is smaller thanHMACOutputLengthinstead; the previous considerations about minimum values for HMACOutputLength apply. This optional cut-off is equivalent to ignoring the rightmost 1-7 bits of the HMAC's output.