santuario-dev mailing list archives

From "Cantor, Scott" <>
Subject RE: XML canonicalization
Date Thu, 06 Jun 2013 16:05:27 GMT
> Do you admit Apache Santuario was wrong on XML canonicalization?

No, but that's strictly from a quick eyeballing. The signature is missing a transform specifying
the c14n process to follow during the reference step. That means the actual data to digest
is handled with inclusive c14n 1.0, not by exclusive.

They are, I think, confusing the explicit choice of Exclusive C14n in the SignedInfo portion,
but that doesn't apply to the Reference step.

If I followed your email, you're saying the Santuario output of the Response is based on following
Inclusive, and I believe that's correct. But I don't have time right now to dig in exhaustively.

You might try validating your example using the C++ version of Santuario via the checksig
utility, or with OpenSAML's samlsign utility as a way to get more evidence that it's correct.

-- Scott
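
The distinction drawn in the message above, as an added example that is not part of the original message or of Santuario's code: it reads a `ds:Signature` and reports which canonicalization governs `SignedInfo` and which one governs each Reference's digest input. The sample signature, its `#_constructed-id` URI and the function name `c14n_report` are constructed for illustration, and the check assumes same-document references whose transforms yield a node-set (such as enveloped-signature).

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
INCLUSIVE_C14N_10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
# Canonicalization algorithm URIs that may appear as a Reference transform.
C14N_ALGS = {
    INCLUSIVE_C14N_10,
    INCLUSIVE_C14N_10 + "#WithComments",
    "http://www.w3.org/2006/12/xml-c14n11",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}

# Constructed sample (digest and signature values left out): Exclusive C14N is
# named for SignedInfo, but the Reference has only the enveloped transform.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_constructed-id">
   <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference>
 </ds:SignedInfo>
</ds:Signature>"""


def c14n_report(signature_xml):
    """Return (SignedInfo c14n URI, [(Reference URI, c14n applied before digesting)])."""
    sig = ET.fromstring(signature_xml)
    signed_info = sig.find(DS + "SignedInfo")
    si_alg = signed_info.find(DS + "CanonicalizationMethod").get("Algorithm")
    refs = []
    for ref in signed_info.findall(DS + "Reference"):
        algs = [t.get("Algorithm")
                for t in ref.findall(DS + "Transforms/" + DS + "Transform")]
        # Assumption: the transforms yield a node-set. Only a c14n transform in
        # last position serializes it; otherwise XML-DSig falls back to
        # inclusive C14N 1.0, whatever CanonicalizationMethod says.
        effective = algs[-1] if algs and algs[-1] in C14N_ALGS else INCLUSIVE_C14N_10
        refs.append((ref.get("URI"), effective))
    return si_alg, refs
```

For documents from an untrusted source, parse with a hardened XML parser before running the check.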
