santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <Carsten.Ag...@tietoenator.com>
Subject Floating name spaces
Date Wed, 22 Oct 2008 10:13:24 GMT
I'm trying to decrypt and verify an SAML assertion using the C++ XML
library.

 

Without encryption, using only the digital signature, this works fine:
The overall details are that an SAML assertion is embedded in a SAML
response and signed (the assertion) in situ with the Apache XML-Sec
library for Java.

 

The problem is that the hashes don't match - the signature verifies OK.

 

The problem seems to be that the transform applied before computing the
hash lets the name spaces float outside the assertion - this is what
actually gets hashed when trying to verify:

 

xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"<saml:Assertion
ID="ID_0A302010011D2400070983450183BFEE"
IssueInstant="2007-01-01T00:00:00.000+01:00" Version="2.0"> ...
<<DELETED FOR CLARITY>> ... </saml:Assertion>

 

However, when the object is signed, the same transformation yields an
assertion which includes the namespace declarations, so the text which
is hashed in the two cases is not the same.

 

As I said, this problem is only seen when encrypting the document, when
the signature is verified without encryption, everything checks out, and
the hashed assertion has the namespaces embedded, not floating outside.

 

Incompability between the two implementations (Java and C++), or am I
missing something?

 

best regards

Carsten Agger, Denmark

 


Mime
View raw message