santuario-dev mailing list archives

Subject: DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace
Date: Thu, 17 Sep 2009 13:11:48 GMT

Bug 47853 changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #9 from 2009-09-17 06:11:43 PDT ---
Actually, you are using Inclusive C14N to canonicalize your Reference. This is
the Reference in your signature:

<Reference URI="#Assertion"><Transforms><Transform

If a Reference that produces a node-set does not specify a canonicalization
algorithm as the last transform, then inclusive C14N is implicitly used. See
section of

"If the data object is a node-set and the next transform requires octets, the
signature application MUST attempt to convert the node-set to an octet stream
using Canonical XML [XML-C14N]."

The CanonicalizationMethod specified in the SignedInfo element does not apply
to the References, it only applies to the SignedInfo element.

To fix this, you need to add an explicit exclusive C14N transform after the
enveloped transform, e.g.:

<Reference URI="#Assertion"><Transforms><Transform

You may want to check with Scott or the SAML forums as to the best practices
when signing SAML assertions.
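
The failure mode described in the comment above, as an added example that is not part of the bug thread and is not Santuario code. It is a deliberately simplified, stdlib-only model of canonicalization (namespace declarations, attributes and text only; it is not a complete C14N implementation) that is enough to show why a Reference digest computed with implicit inclusive C14N changes once the signed element is re-parented into a SOAP envelope, while an explicit exclusive C14N transform keeps it stable. The SAML-style assertion and the SOAP envelope are constructed sample documents; the algorithm identifiers in the comments are the standard XML Signature URIs.

```python
"""Inclusive vs exclusive C14N of a signed subtree before and after SOAP wrapping.

Simplified model (not a full C14N implementation): enough to show that inclusive
C14N renders ancestor namespace declarations on the apex element, so a Reference
with no explicit C14N transform (implicit Inclusive C14N,
http://www.w3.org/TR/2001/REC-xml-c14n-20010315) breaks when the element is
wrapped, whereas Exclusive C14N (http://www.w3.org/2001/10/xml-exc-c14n#) renders
only the namespaces the subtree visibly uses and so survives re-parenting.
"""
import hashlib
import xml.dom.minidom as minidom

# Constructed sample: the assertion exactly as it was signed, standalone ...
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="Assertion">'
    '<saml:Issuer>https://idp.example</saml:Issuer>'
    '</saml:Assertion>'
)
# ... and the same bytes after a relying party drops them into a SOAP Body.
WRAPPED = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
    '<soap:Body>' + ASSERTION + '</soap:Body></soap:Envelope>'
)


def _escape(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    return s.replace('"', "&quot;") if attr else s.replace(">", "&gt;")


def _attrs(elem):
    return [elem.attributes.item(i) for i in range(elem.attributes.length)]


def _in_scope_namespaces(elem):
    """Namespace declarations visible on elem, walking up to the root (nearest wins)."""
    scope = {}
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for a in _attrs(node):
            if a.name == "xmlns":
                scope.setdefault("", a.value)
            elif a.name.startswith("xmlns:"):
                scope.setdefault(a.name[len("xmlns:"):], a.value)
        node = node.parentNode
    return scope


def canonicalize(elem, exclusive, emitted=None):
    """Serialize elem and its subtree; `emitted` holds declarations an output ancestor wrote.

    Inclusive: every in-scope namespace is rendered on the apex element, including
    declarations inherited from ancestors outside the signed subtree (soap, wsse).
    Exclusive: only namespaces visibly utilized by the element (its own prefix and
    its attributes' prefixes) are rendered.
    """
    emitted = {} if emitted is None else emitted
    scope = _in_scope_namespaces(elem)
    if exclusive:
        used = {elem.prefix or ""}
        used.update(a.prefix for a in _attrs(elem) if a.prefix and a.prefix != "xmlns")
        candidates = {p: scope[p] for p in used if p in scope}
    else:
        candidates = scope
    decls = {p: u for p, u in candidates.items() if emitted.get(p) != u}
    child_emitted = {**emitted, **decls}

    out = ["<", elem.tagName]
    for prefix in sorted(decls):  # C14N orders namespace nodes by prefix, default first
        if prefix == "":
            out.append(' xmlns="%s"' % _escape(decls[prefix], attr=True))
        else:
            out.append(' xmlns:%s="%s"' % (prefix, _escape(decls[prefix], attr=True)))
    for a in sorted(_attrs(elem), key=lambda a: a.name):  # simplified attribute ordering
        if a.name != "xmlns" and not a.name.startswith("xmlns:"):
            out.append(' %s="%s"' % (a.name, _escape(a.value, attr=True)))
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(canonicalize(child, exclusive, child_emitted))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_escape(child.data))
    out.append("</%s>" % elem.tagName)
    return "".join(out)


def find_by_id(node, element_id):
    """Resolve a same-document Reference URI="#element_id" (first element whose ID matches)."""
    if node.nodeType == node.ELEMENT_NODE and node.getAttribute("ID") == element_id:
        return node
    for child in node.childNodes:
        found = find_by_id(child, element_id)
        if found is not None:
            return found
    return None


def canonical_form(xml_text, element_id, exclusive):
    doc = minidom.parseString(xml_text)
    elem = find_by_id(doc.documentElement, element_id)
    if elem is None:
        raise ValueError("no element with ID %r" % element_id)
    return canonicalize(elem, exclusive)


def reference_digest(xml_text, element_id, exclusive):
    """Hex SHA-256 a verifier would compute for the Reference's node-set (DigestValue input)."""
    data = canonical_form(xml_text, element_id, exclusive).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for label, exclusive in (("implicit inclusive C14N", False), ("explicit exclusive C14N", True)):
        signed = reference_digest(ASSERTION, "Assertion", exclusive)
        verified = reference_digest(WRAPPED, "Assertion", exclusive)
        verdict = "reference OK" if signed == verified else "reference validation FAILS"
        print("%-24s signed=%s wrapped=%s -> %s" % (label, signed[:12], verified[:12], verdict))
        print("  apex element:", canonical_form(WRAPPED, "Assertion", exclusive).split(">", 1)[0] + ">")
```

Run stand-alone, the inclusive row shows the wrapped apex element picking up `xmlns:soap` and `xmlns:wsse` from the envelope, which is exactly the digest mismatch the bug reports; the exclusive row renders only `xmlns:saml` in both documents and the digests agree. In a real SignedInfo this corresponds to listing `http://www.w3.org/2000/09/xmldsig#enveloped-signature` followed by `http://www.w3.org/2001/10/xml-exc-c14n#` under the Reference's Transforms, as the comment recommends.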
