Subject: RE: [saml-dev] Trouble Verifying the XML Digest
Mark Fruhling wrote on 2009-12-17:
> I don't mind writing the code in another language. Can you suggest
> anything that you've had proven success with?

My suggestion would be that you don't do it at all if there's an off the shelf package that does it for you. Secondly, you want to use an actual XML Signature library, not try and implement it by hand. The SAML piece is one thing, but you have virtually no hope of doing signatures correctly, and you'll end up with something very brittle.

There are signature implementations in Java and C/C++, something in PHP, and some hope of seeing some in Ruby and Python at some point. Python may actually be out there from somebody I know in Sweden, but I don't have a link for you.

> I was concerned that I was maybe canonicalizing the wrong chunk of the
> SAML Response. Currently I'm only grabbing the Assertion element.

Unless you're eliminating the Signature itself from the Assertion when you're hashing it, that would also be a bug.

Your code was very low level, trying to simulate what an XML Signature has to do, and that's extremely tough. You would need to understand the spec in a lot of detail to pull that off. I saw some XPath in there too. XPath does some things intrinsically that are not always consistent with signature behavior when the signature itself isn't using XPath.

-- Scott
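The point above about removing the enveloped Signature before hashing, as an added illustration that is not code from this thread: a constructed assertion whose embedded digest is only reproduced once the `ds:Signature` child is taken out. The standard library's C14N 2.0 stands in for whatever canonicalization a real signature names, and every name and sample value is an assumption, so this shows the mismatch and is not a signature verifier.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SIG_TAG = "{%s}Signature" % DS
DIGEST_PATH = ".//{%s}DigestValue" % DS
ET.register_namespace("ds", DS)      # keep the sample's prefixes on re-serialization
ET.register_namespace("saml", SAML)

def c14n_digest(elem):
    """Base64 SHA-256 over the canonical form (stdlib C14N 2.0 as a stand-in)."""
    canonical = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode()

def without_enveloped_signature(assertion):
    """Copy of the assertion with its direct-child ds:Signature removed."""
    clone, prev = copy.deepcopy(assertion), None
    for child in list(clone):
        if child.tag != SIG_TAG:
            prev = child
            continue
        # ElementTree hangs the text that follows an element on that element
        # (.tail); hand it to a neighbour so only the Signature itself goes.
        if prev is None:
            clone.text = (clone.text or "") + (child.tail or "")
        else:
            prev.tail = (prev.tail or "") + (child.tail or "")
        clone.remove(child)
    return clone

def build_sample():
    """Constructed assertion; DigestValue is filled in as a signer would."""
    assertion = ET.fromstring(
        '<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" ID="_constructed1">\n'
        '  <saml:Issuer>https://idp.example.test</saml:Issuer>\n'
        '  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_constructed1">'
        '<ds:DigestValue/></ds:Reference></ds:SignedInfo></ds:Signature>\n'
        '  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>\n'
        '</saml:Assertion>' % (SAML, DS))
    assertion.find(DIGEST_PATH).text = c14n_digest(without_enveloped_signature(assertion))
    return assertion

def compare_digests(assertion):
    """Which of the two hashing choices reproduces the embedded DigestValue?"""
    expected = assertion.find(DIGEST_PATH).text
    return {"signature_left_in": c14n_digest(assertion) == expected,
            "signature_removed": c14n_digest(without_enveloped_signature(assertion)) == expected}

if __name__ == "__main__":
    print(compare_digests(build_sample()))
```

ElementTree does not keep the prefixes a document arrived with, which is one more reason a hand-rolled digest drifts from the signer's on real messages.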