OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Trouble Verifying the XML Digest

Mark Fruhling wrote on 2009-12-17:
> I don't mind writing the code in another language.  Can you suggest
> anything that you've have proven success with?

My suggestion would be that you don't do it at all if there's an off the
shelf package that does it for you.

Secondly, you want to use an actual XML Signature library, not try and
implement it by hand. The SAML piece is one thing, but you have virtually no
hope of doing signatures correctly, and you'll end up with something very

There are signature implementations in Java and C/C++, something in PHP, and
some hope of seeing some in Ruby and Python at some point. Python may
actually be out there from somebody I know in Sweden, but I don't have a
link for you.

> I was concerned that I was maybe canonicalizing the wrong chunk of the
> SAML Response.  Currently I'm only grabbing the Assertion element.

Unless you're eliminating the Signature itself from the Assertion when
you're hashing it, that would also be a bug. Your code was very low level,
trying to simulate what an XML Signature has to do, and that's extremely
tough. You would need to understand the spec in a lot of detail to pull that

I saw some XPath in there too. XPath does some things intrinsically that are
not always consistent with signature behavior when the signature itself
isn't using XPath.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]