OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Query submitted to saml.xml.org

Paul Madsen wrote:
> http://saml.xml.org/forum/calculating-digest-of-an-authentication-statement
>
> Dear Sirs, my name is Gianluca from Italy
>  I'm trying to calculate the Digest value of a SAML Authentication
> STatement whith the SHA-1 algorithm. Let us suppose that we are dealing
> with a string representing the following node:
>
> <saml:AuthenticationStatement>
>     <saml:Subject>
>         <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
>     </saml:Subject>
> </saml:AuthenticationStatement>
>
> When I try to calculate SHA-1 with the function  b64_sha1(str2Digest)
> what
> exactly should the string str2Digest contain? I mean it should be equal to
> "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>GIANLUCA<
> /saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>"
> or only "GIANLUCA" or ....what else?

Its a pity he did not provide email address, but lets hope this reaches
him anyway.

1. There is no univesally agreed way to digest Authentication Statements
2. "Universally" agreed way to digest XML in general is exc-c14n (exclusive
   canonicalization) [XML-EXC-C14N]. This method is used by all certified
   SAML implementations. It is also the method used by digital
   signatures [XMLDSIG].
3. Canonicalization is difficult and typically 80% of digital signature
   failures derive from canonicalization bugs. Of those 95% are
   XML namespace related (curse the inventor of XML namespaces), and
   4% are whitespace related.
4. For what you are apparently trying to do, it is important to
   digest the entire canonicalized Authentication Statement.
   If the question had been about canonicalizing the NameID, it
   would still be important to digest the entire canonicalized
   Name Identifier as the actual value in isolation is meaningless.
   You need the identifier type and namespace qualification
   for the digest to be meaningful.

[XML-C14N] XML Canonicalization (non-exclusive),
http://www.w3.org/TR/2001/REC-xml-c14n-20010315; J. Boyer: "Canonical XML
Version 1.0", W3C Recommendation, 15.3.2001,
http://www.w3.org/TR/xml-c14n, RFC3076

[XML-EXC-C14N] Exclusive XML Canonicalization,
http://www.w3.org/TR/xml-exc-c14n/

[XMLDSIG] "XML-Signature Syntax and Processing", W3C Recommendation,
12.2.2002, http://www.w3.org/TR/xmldsig-core, RFC3275

Cheers,
--Sampo

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]