Subject: Re: [security-services] Query submitted to saml.xml.org
Paul Madsen wrote:
> http://saml.xml.org/forum/calculating-digest-of-an-authentication-statement
>
> Dear Sirs, my name is Gianluca from Italy.
> I'm trying to calculate the Digest value of a SAML Authentication
> Statement with the SHA-1 algorithm. Let us suppose that we are dealing
> with a string representing the following node:
>
> <saml:AuthenticationStatement>
>   <saml:Subject>
>     <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
>   </saml:Subject>
> </saml:AuthenticationStatement>
>
> When I try to calculate SHA-1 with the function b64_sha1(str2Digest),
> what exactly should the string str2Digest contain? I mean, should it be equal to
> "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>GIANLUCA</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>"
> or only "GIANLUCA" or ... what else?

It's a pity he did not provide an email address, but let's hope this reaches him anyway.

1. There is no universally agreed way to digest Authentication Statements.

2. The "universally" agreed way to digest XML in general is exc-c14n (exclusive canonicalization) [XML-EXC-C14N]. This method is used by all certified SAML implementations. It is also the method used by digital signatures [XMLDSIG].

3. Canonicalization is difficult, and typically 80% of digital signature failures derive from canonicalization bugs. Of those, 95% are XML namespace related (curse the inventor of XML namespaces), and 4% are whitespace related.

4. For what you are apparently trying to do, it is important to digest the entire canonicalized Authentication Statement. If the question had been about canonicalizing the NameID, it would still be important to digest the entire canonicalized Name Identifier, as the actual value in isolation is meaningless. You need the identifier type and namespace qualification for the digest to be meaningful.

[XML-C14N] XML Canonicalization (non-exclusive), http://www.w3.org/TR/2001/REC-xml-c14n-20010315; J. Boyer: "Canonical XML Version 1.0", W3C Recommendation, 15.3.2001, http://www.w3.org/TR/xml-c14n, RFC 3076
[XML-EXC-C14N] Exclusive XML Canonicalization, http://www.w3.org/TR/xml-exc-c14n/
[XMLDSIG] "XML-Signature Syntax and Processing", W3C Recommendation, 12.2.2002, http://www.w3.org/TR/xmldsig-core, RFC 3275

Cheers,
--Sampo
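The points in Sampo's reply (digest the whole canonicalized statement, not the bare value; namespace declarations and whitespace decide whether two digests agree) as an added worked example. This code is not part of the thread and is not any SAML implementation's code. It assumes the SAML 1.x assertion namespace, adds two attributes to the questioner's statement purely so that attribute ordering is exercised, and implements only a simplified subset of exc-c14n (elements, attributes, text and visibly utilized namespace declarations; no comments, processing instructions or InclusiveNamespaces list), so it is an illustration of the rules, not a conformant canonicalizer. The inputs are constructed for the demonstration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from io import BytesIO

XML_NS = "http://www.w3.org/XML/1998/namespace"  # the xml: prefix is never declared in c14n output

# Constructed input A: the statement from the question, given the SAML 1.x assertion namespace
# and two attributes (assumed for the demonstration) so that attribute ordering is exercised.
STATEMENT_A = """<saml:AuthenticationStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    AuthenticationInstant="2001-12-17T09:30:47Z">
  <saml:Subject>
    <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
  </saml:Subject>
</saml:AuthenticationStatement>"""

# Constructed input B: the same infoset serialized differently (attribute order, a redundant
# namespace redeclaration on a child, stray whitespace inside tags); must canonicalize identically.
STATEMENT_B = """<saml:AuthenticationStatement AuthenticationInstant="2001-12-17T09:30:47Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"  >
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:NameIdentifier   >GIANLUCA</saml:NameIdentifier>
  </saml:Subject>
</saml:AuthenticationStatement>"""

# Constructed input C: inter-element whitespace removed. c14n keeps text nodes verbatim,
# so this is a different infoset and yields a different digest.
STATEMENT_C = ('<saml:AuthenticationStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
               'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
               'AuthenticationInstant="2001-12-17T09:30:47Z"><saml:Subject>'
               '<saml:NameIdentifier>GIANLUCA</saml:NameIdentifier></saml:Subject>'
               '</saml:AuthenticationStatement>')


def parse(xml_text):
    """Parse and record the prefix each namespace URI was declared with (first declaration wins).
    ElementTree rewrites tags to {uri}local, so prefixes are recovered from start-ns events."""
    prefix_of, root = {XML_NS: "xml"}, None
    for event, payload in ET.iterparse(BytesIO(xml_text.encode("utf-8")), events=("start-ns", "start")):
        if event == "start-ns":
            prefix_of.setdefault(payload[1], payload[0])
        elif root is None:
            root = payload
    return root, prefix_of


def _split(tag):
    """'{uri}local' -> (uri, local); unqualified names -> (None, name)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else (None, tag)


def _esc_text(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\r", "&#xD;")


def _esc_attr(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
            .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def exc_c14n(elem, prefix_of, in_scope=None):
    """Simplified exclusive canonical form (assumption: subset of exc-c14n, see lead-in)."""
    in_scope = dict(in_scope or {})        # prefix -> uri already emitted by an ancestor
    uri, local = _split(elem.tag)
    used = {}                              # namespaces this element visibly utilizes
    if uri is not None:
        used[prefix_of[uri]] = uri
    attrs = []
    for name, value in elem.attrib.items():
        a_uri, a_local = _split(name)
        if a_uri is not None:
            used[prefix_of[a_uri]] = a_uri
        attrs.append((a_uri or "", a_local, value))
    prefix = prefix_of[uri] if uri is not None else ""
    qname = f"{prefix}:{local}" if prefix else local
    out = ["<", qname]
    # Namespace declarations first, sorted by prefix (default namespace sorts first);
    # a declaration already in scope with the same value is not repeated (the exclusive rule).
    for p in sorted(used):
        if p == "xml" or in_scope.get(p) == used[p]:
            continue
        out.append(f' xmlns="{_esc_attr(used[p])}"' if p == "" else f' xmlns:{p}="{_esc_attr(used[p])}"')
        in_scope[p] = used[p]
    # Then attributes, sorted by namespace URI and local name (unqualified ones first).
    for a_uri, a_local, value in sorted(attrs):
        aq = f"{prefix_of[a_uri]}:{a_local}" if a_uri else a_local
        out.append(f' {aq}="{_esc_attr(value)}"')
    out.append(">")
    if elem.text:
        out.append(_esc_text(elem.text))   # text nodes are kept verbatim, whitespace included
    for child in elem:
        out.append(exc_c14n(child, prefix_of, in_scope))
        if child.tail:
            out.append(_esc_text(child.tail))
    out.append(f"</{qname}>")
    return "".join(out)


def b64_sha1(data):
    """The b64_sha1 helper from the question: base64(SHA-1(UTF-8 bytes))."""
    return base64.b64encode(hashlib.sha1(data.encode("utf-8")).digest()).decode("ascii")


def digest_statement(xml_text):
    """Canonicalize the whole statement, then digest the canonical bytes; returns (canonical, digest)."""
    root, prefix_of = parse(xml_text)
    canonical = exc_c14n(root, prefix_of)
    return canonical, b64_sha1(canonical)


if __name__ == "__main__":
    for label, doc in (("A", STATEMENT_A), ("B", STATEMENT_B), ("C", STATEMENT_C)):
        canonical, digest = digest_statement(doc)
        print(f"{label}: {digest}  canonical form starts: {canonical[:70]}...")
    print("bare value GIANLUCA:", b64_sha1("GIANLUCA"))
```

Running it shows A and B producing one digest (the serialization differences vanish under canonicalization, and xmlns:saml is emitted exactly once, on the apex element where it is first visibly utilized), C producing another because the whitespace text nodes are part of the signed infoset, and none of them matching b64_sha1("GIANLUCA"), which carries neither the element's type nor its namespace qualification.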