OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] RE: Signing a SAML ArtifactResponse after adding SOAP binding elements

Yes, the signature is calculated AFTER canonicalization.   However,  only whitespace outside of the document root element or inside of a start/end tag (e.g.  between attributes) is normalized during canonicalization.   One other form of whitespace normalization during canonicalization is that linebreaks are converted to #xA. 

Remaining whitespace within XML elements (not in the XML tags themselves) is significant and should be carried forward through the canonicalization process.  


-----Original Message-----
From: John Kemp [mailto:john@jkemp.net] 
Sent: Monday, November 05, 2012 4:54 PM
To: Cahill, Conor P; Wouter van Vugt
Cc: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] RE: Signing a SAML ArtifactResponse after adding SOAP binding elements

Shouldn't the signature only be calculated AFTER first "canonicalizing" the XML (ie. removing the effect of any whitespace manipulations between signature generation and signature validation)? 

Whitespace should be rendered irrelevant by the canonicalization process (http://en.wikipedia.org/wiki/Canonicalization)


On Nov 5, 2012, at 4:46 PM, Cahill, Conor P wrote:

> From what you are saying, they are including the whitespace when they sign the assertion, but you are removing the whitespace when you strip the XML out of the SOAP message and this causes the signature to be invalid.
> Whitespace is significant within XML elements.  You should not be removing whitespace within the XML structure when you strip the assertion from the element.
> Conor
> From: Wouter van Vugt [mailto:wouter@code-counsel.net] 
> Sent: Monday, November 05, 2012 2:58 PM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] Signing a SAML ArtifactResponse after adding SOAP binding elements
> Hi,
> My task is to interoperate with the Dutch identity management system DigiD and we have some issues with their SAML 2 implementation.
> The specific issue is with the artifact resolution protocol using the SOAP binding. We are finding that the ArtifactResponse message that we receive is digitally signedafter adding the SOAP envelope / body elements. Because the document is sent over the wire in an indented format, we are having issues validating the signature. We first strip of the SOAP envelope and body, and then validate the message. The XML structure has then changed because the whitespace is different between sender and responder.
> I am asking here to validate my assumption that you should:
> - First generate a signed SAML message, then add binding specific elements for the binding you are using
> - Prefer to send the XML over the wire in unformatted (non-indented) form to prevent representation issues between systems.
> I find the specification to be not exactly clear on these points, especially the first.
> Thanks! Hope you can help!
> Wouter

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]