santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace
Date Thu, 17 Sep 2009 13:11:48 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #9 from sean.mullan@sun.com 2009-09-17 06:11:43 PDT ---
Actually, you are using Inclusive C14N to canonicalize your Reference. This is
the Reference in your signature:

<Reference URI="#Assertion"><Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>LFkVUeisRZJTnIwrlZ7pMxp/oeM=</DigestValue></Reference>

If a Reference that produces a node-set does not specify a canonicalization
algorithm as the last transform, then inclusive C14n is implicitly used. See
section 4.3.3.2 of http://www.w3.org/TR/xmldsig-core/:

"If the data object is a node-set and the next transform requires octets, the
signature application MUST attempt to convert the node-set to an octet stream
using Canonical XML [XML-C14N]."

The CanonicalizationMethod specified in the SignedInfo element does not apply
to the References, it only applies to the SignedInfo element.

To fix this, you need to add an explicit exclusive C14N transform after the
enveloped transform, ex:

<Reference URI="#Assertion"><Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>LFkVUeisRZJTnIwrlZ7pMxp/oeM=</DigestValue></Reference>

You may want to check with Scott or the SAML forums as to the best practices
when signing SAML assertions.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Mime
View raw message