Posted to dev@santuario.apache.org by Lars Krapf <lk...@adobe.com> on 2014/08/22 13:38:05 UTC

XMLCipher digest / serialization problem

Hello xmlsec

I have a weird problem with XML decryption of a SAML assertion (digest
mismatch), and have really hit a wall here. Maybe you have a hint for
me. This worked fine in xmlsec 1.4.4 but after upgrading to 2.0.1 (Java,
in an OSGi environment) signature verification fails because of a digest
mismatch.

Here is what happens, as far as I understand it (please correct me if
I'm missing something):

1) I call XMLCipher.doFinal() on an EncryptedAssertion element
2) The contents are first decrypted to a byte-array, which is then
passed to AbstractSerializer.createContext() which wraps a <dummy>
element around it, traverses the elements up to the root node and adds
all parent namespaces to it.

So now we have something like this (the xmlns attributes in <dummy> come
from the parent samlp:Response element):

<dummy xmlns:samlp="urn:oasis.."
xmlns:saml="urn:oasis.."><saml:Assertion xmlns:samlp="urn:oasis.."
xmlns:saml="urn:oasis.." ID="..." IssueInstant="..."
Version="2.0">...</saml:Assertion></dummy>

3) This is then passed to deserialization to create the DOM representation.

Now, what happens in the deserialization is that the inner namespace
declarations get added as AttrImpl objects instead of AttrNSImpl (this
only happens to the two xmlns attributes, I suspect because they are
already defined in the dummy element?) - the other attributes from the
saml:Assertion element get added correctly as AttrNSImpl objects.
(the document is namespace aware).

Now, before digest computation c14n is called on this object.
(I'm using http://www.w3.org/2001/10/xml-exc-c14n#) -
However Canonicalizer20010315Excl now stumbles over the two attributes
from above, and does _not_ recognize them as namespace declarations,
because in handleAttributesSubtree() (Line 187)
attribute.getNamespaceURI() will obviously return null on these two
attributes, with the result that the NS attributes will get added twice,
leading to broken XML and a wrong digest computation.

This is what the contents look like before digest computation (note the
redundant xmlns:saml attribute):

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="..." IssueInstant="..." Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

If I debug into it, and suppress adding the NS attributes to the dummy
element in the AbstractSerializer, then everything works perfectly.

I suspect a bug in the XML parser/deserialization, but I'm really lost
here. Does anyone have a hint on where to look next? Or is this a known
issue?

Thanks and best greetings
Lars


Re: XMLCipher digest / serialization problem

Posted by Lars Krapf <lk...@adobe.com>.
Hi Scott

On 25.08.2014 16:28, Cantor, Scott wrote:

> What you tried still sounds like a bug to me, you may want to at least
> file it so there's a record of it.

Yep, I agree. Although I'm still not entirely sure where in the stack
the actual problem lies. Will try to condense this to a reproducible
test-case however, once I find some time.

Thanks again!
Lars


Re: XMLCipher digest / serialization problem

Posted by "Cantor, Scott" <ca...@osu.edu>.
On 8/25/14, 10:23 AM, "Lars Krapf" <lk...@adobe.com> wrote:

>Hello Scott
>
>Thanks a lot for your help!
>Using your method solved the problem for me as well.

What you tried still sounds like a bug to me, you may want to at least
file it so there's a record of it.

-- Scott


Re: XMLCipher digest / serialization problem

Posted by Lars Krapf <lk...@adobe.com>.
Hello Scott

Thanks a lot for your help!
Using your method solved the problem for me as well.

Cheers
Lars


On 22.08.2014 16:33, Cantor, Scott wrote:
> On 8/22/14, 7:38 AM, "Lars Krapf" <lk...@adobe.com> wrote:
>>
>> 1) I call XMLCipher.doFinal() on an EncryptedAssertion element
> 
> While I can't say if there's a bug or not, I thought I'd note that
> OpenSAML does not do this. We're calling XMLCipher.decryptToByteArray and
> then parsing the results into a DocumentFragment.
> 
> Our latest alpha releases are on xmlsec-2.0.1 now and we're not having any
> problems with that.
> 
> -- Scott
> 


Re: XMLCipher digest / serialization problem

Posted by "Cantor, Scott" <ca...@osu.edu>.
On 8/22/14, 7:38 AM, "Lars Krapf" <lk...@adobe.com> wrote:
>
>1) I call XMLCipher.doFinal() on an EncryptedAssertion element

While I can't say if there's a bug or not, I thought I'd note that
OpenSAML does not do this. We're calling XMLCipher.decryptToByteArray and
then parsing the results into a DocumentFragment.

Our latest alpha releases are on xmlsec-2.0.1 now and we're not having any
problems with that.

-- Scott
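Added example, not code from this thread, from OpenSAML, or from the Santuario project: it puts Scott's route (XMLCipher.decryptToByteArray, then parse the bytes into a DocumentFragment instead of calling doFinal on the EncryptedAssertion) next to a check for the failure mode Lars describes in the first message (xmlns attributes that ended up as plain, non-namespace-aware Attr nodes, which the exclusive canonicalizer then emits twice). The class and method names are hypothetical; the Canonicalizer calls assume the xmlsec 2.0.x API the thread is about (canonicalizeSubtree returning byte[]); and the content-encryption key is assumed to be unwrapped elsewhere, so only the EncryptedData element and the data key are passed in.

```java
import java.io.ByteArrayInputStream;
import java.security.Key;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.encryption.XMLCipher;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.DocumentFragment;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;

// Hypothetical helper class (assumption: xmlsec 2.0.x API).
public final class AssertionDecryptor {

    static { Init.init(); }

    /**
     * Decrypts the xenc:EncryptedData child of an EncryptedAssertion to raw
     * bytes and parses them into a DocumentFragment owned by the caller's
     * document, so xmlsec's own serialize/deserialize path (dummy wrapper
     * plus inherited parent namespaces) is never used for the result.
     * dataKey is the already-unwrapped content-encryption key (assumption).
     */
    public static DocumentFragment decryptToFragment(Element encryptedData, Key dataKey)
            throws Exception {
        XMLCipher cipher = XMLCipher.getInstance();
        cipher.init(XMLCipher.DECRYPT_MODE, dataKey);
        byte[] plaintext = cipher.decryptToByteArray(encryptedData);

        // Namespace-aware, DTD-free parser for the decrypted payload. A
        // payload that does not carry its own xmlns declarations fails here
        // loudly instead of yielding a half-namespaced tree.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document parsed = db.parse(new ByteArrayInputStream(plaintext));

        Document owner = encryptedData.getOwnerDocument();
        DocumentFragment fragment = owner.createDocumentFragment();
        for (Node n = parsed.getFirstChild(); n != null; n = n.getNextSibling()) {
            fragment.appendChild(owner.importNode(n, true));
        }
        return fragment;
    }

    /**
     * Counts xmlns / xmlns:prefix attributes in the subtree whose namespace
     * URI is not http://www.w3.org/2000/xmlns/, i.e. declarations the DOM
     * holds as plain attributes. Those are exactly the nodes whose
     * getNamespaceURI() returns null, which the exclusive canonicalizer does
     * not treat as namespace declarations.
     */
    public static int countNonNamespaceAwareXmlnsAttrs(Node root) {
        int bad = 0;
        if (root.getNodeType() == Node.ELEMENT_NODE) {
            NamedNodeMap attrs = root.getAttributes();
            for (int i = 0; i < attrs.getLength(); i++) {
                Attr a = (Attr) attrs.item(i);
                String name = a.getNodeName();
                boolean looksLikeXmlns = "xmlns".equals(name) || name.startsWith("xmlns:");
                if (looksLikeXmlns
                        && !XMLConstants.XMLNS_ATTRIBUTE_NS_URI.equals(a.getNamespaceURI())) {
                    bad++;
                }
            }
        }
        for (Node c = root.getFirstChild(); c != null; c = c.getNextSibling()) {
            bad += countNonNamespaceAwareXmlnsAttrs(c);
        }
        return bad;
    }

    /**
     * Exclusive C14N (http://www.w3.org/2001/10/xml-exc-c14n#) of the
     * decrypted assertion, refused up front when the tree would canonicalize
     * with duplicated xmlns attributes and therefore a wrong digest.
     */
    public static byte[] canonicalizeExclusive(Element assertion) throws Exception {
        int bad = countNonNamespaceAwareXmlnsAttrs(assertion);
        if (bad != 0) {
            throw new IllegalStateException(bad
                + " xmlns attribute(s) are not namespace-aware; exclusive C14N would emit them twice");
        }
        Canonicalizer c14n =
            Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        return c14n.canonicalizeSubtree(assertion);
    }
}
```

Usage: locate the xenc:EncryptedData element under the EncryptedAssertion, call decryptToFragment, take the saml:Assertion element from the returned fragment, and hand it to canonicalizeExclusive before any digest or signature verification. Running countNonNamespaceAwareXmlnsAttrs on the result of XMLCipher.doFinal instead would flag the two redeclared xmlns attributes Lars describes, which is a quick way to tell the two code paths apart in a debugger.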