santuario-dev mailing list archives

From "Scott Cantor" <>
Subject Possible signature verify bug?
Date Wed, 11 Oct 2006 04:38:51 GMT

I think there's a really blatant bug in the C++ c14n code that's running
during signature verification. I think I only missed it before because I had
so much defensive code in place to output namespaces. I had a bug in my new
code that caused a namespace to be left off because the parent declared it,
and stumbled on to this test case.

I ran it through a vanilla test case that just parses the DOM and verifies
the signature, and the Reference isn't digesting properly. When I debugged
it, the bytes fed into the hash were missing a namespace declaration that
should have been pulled in from the parent of the node being referenced.

I've attached the test case, which is a nested SAML message with the
signature on the second-level element.

What's happening is that I have this declared (edited for brevity):

<samlp:ArtifactResponse xmlns:samlp="..." >
	<samlp:Response xmlns:saml="...">

The signature references the <samlp:Response> by ID.

The bug is that the transform chain produces this:

		<saml:Issuer xmlns:saml="...">
		<saml:Assertion xmlns:saml="...">

As you can see, xmlns:samlp isn't included from the parent/root element.
I think it should be, even though the reference is being transformed with
exclusive c14n. It's visibly used by the Response element, and so it should
get pulled in from the enclosing node. If I parse the DOM with that
namespace declaration manually added, the signature verifies, which tells me
that's the missing piece.

The document I attached verifies with the Java xmlsec code from what I can
tell. Oxygen is ok with it, anyway.

I haven't done any tests of the c14n engine by itself to produce test
output, but I would assume that's where the bug is.

-- Scott
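
The namespace-rendering rule of Exclusive XML Canonicalization that the message relies on, as an added example (not part of the original post and not the xmlsec code). The namespace URIs, the sample document and the helper names are constructed for illustration, and the sketch models only which xmlns declarations are emitted for a subtree, not full c14n output.

```python
from xml.dom import minidom

# Constructed sample mirroring the message's structure; the URIs are placeholders.
SAMPLE = (
    '<samlp:ArtifactResponse xmlns:samlp="urn:example:samlp">'
    '<samlp:Response xmlns:saml="urn:example:saml" ID="r1">'
    '<saml:Issuer>idp</saml:Issuer>'
    '<saml:Assertion/>'
    '</samlp:Response>'
    '</samlp:ArtifactResponse>'
)

def in_scope(elem, prefix):
    """Resolve a prefix in the source DOM, including ancestors outside the subset."""
    attr = "xmlns:" + prefix if prefix else "xmlns"
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        if node.hasAttribute(attr):
            return node.getAttribute(attr)
        node = node.parentNode
    return None

def visibly_used(elem):
    """Prefixes used by the element name or by its non-xmlns attribute names."""
    used = {elem.prefix or ""}
    for i in range(elem.attributes.length):
        a = elem.attributes.item(i)
        if a.name != "xmlns" and not a.name.startswith("xmlns:") and a.prefix:
            used.add(a.prefix)
    return used

def render_ns(elem, rendered=None, out=None):
    """Return [(tagName, [xmlns decls])] as exclusive c14n emits them below elem."""
    rendered = dict(rendered or {})   # bindings already output by output ancestors
    out = [] if out is None else out
    decls = []
    for p in sorted(visibly_used(elem)):
        uri = in_scope(elem, p) or ""  # unbound is treated as the empty binding
        if rendered.get(p, "") != uri:
            decls.append(("xmlns:" + p if p else "xmlns") + '="' + uri + '"')
            rendered[p] = uri
    out.append((elem.tagName, decls))
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            render_ns(child, rendered, out)
    return out

def response_subtree():
    """The second-level element that the signature references by ID."""
    return minidom.parseString(SAMPLE).documentElement.firstChild
```

Calling `render_ns(response_subtree())` lists xmlns:samlp on the referenced Response element even though it is declared only on the enclosing element, and lists xmlns:saml on each child that uses it rather than on Response.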
