Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

transform issue #43

Open
toshok opened this issue May 29, 2019 · 2 comments · Fixed by TykTechnologies/saml#1
Open

transform issue #43

toshok opened this issue May 29, 2019 · 2 comments · Fixed by TykTechnologies/saml#1

Comments

@toshok
Copy link

toshok commented May 29, 2019

I'm hitting the Expected Enveloped and C14N transforms error when validating signatures. The relevant <Transforms> element has only a single child:

<SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="#id">
        <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
    </Reference>
</SignedInfo>

The signature verifies if I hardcode pretty much any canonicalizer in the case where one isn't specified, but my reading of the spec doesn't seem to support this fallback canonicalizer. Any ideas?

Totally willing to spend some cycles investigating and bringing Reference transforms more inline with the spec if this is indeed some invalid behavior in goxmldsig.
@toshok
Copy link
Author

toshok commented May 29, 2019
edited
Loading

speaking of the spec language, I see:

3.2.1 Reference Validation
Canonicalize the SignedInfo element based on the CanonicalizationMethod in SignedInfo.
For each Reference in SignedInfo:

  1. Obtain the data object to be digested. (For example, the signature application may dereference the URI and execute Transforms provided by the signer in the Reference element, or it may obtain the content through other means such as a local cache.)
  2. Digest the resulting data object using the DigestMethod specified in its Reference specification.
  3. Compare the generated digest value against DigestValue in the SignedInfo Reference; if there is any mismatch, validation fails.

and then:

Note, After a Signature element has been created in Signature Generation for a signature with a same document reference, an implementation can serialize the XML content with variations in that serialization. This means that Reference Validation needs to canonicalize the XML document before digesting in step 1 to avoid issues related to variations in serialization.

This seems to imply that we should assume a canonicalizer (and possibly default to one if there isn't one listed in the <Transforms> element?)

@swsnider swsnider mentioned this issue Aug 14, 2020
Closed
@jhlange jhlange mentioned this issue Sep 24, 2020
Merged
This was referenced May 13, 2021
Closed
Merged
This was referenced Nov 16, 2021
Closed
Closed
@sredxny
Copy link

sredxny commented Nov 24, 2021

Hello! Can we close this? it seems like it was fixed and released in v1.1.1 ? To be specific in: #61

This was referenced Nov 29, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@toshok @sredxny