Posted to dev@santuario.apache.org by Brent Putman <pu...@georgetown.edu> on 2007/05/29 20:43:04 UTC

Signature and children - redundant namespace declarations

When I generate a signature using XMLSignature, the library is
redundantly adding the signature namespace declaration on every child
element of the ds:Signature element.  Is there any way that this
behavior can be avoided or turned off?  Am I doing something wrong?  I
looked in the docs, I couldn't find any relevant settings, but maybe I
missed something.

It would be ideal if it could be declared only once, on the ds:Signature
object itself.  I know it's mostly a cosmetic thing, but one of our
OpenSAML users noticed and inquired about it, so I wanted to see if
there is an easy solution.  If not, the only alternative I could think
of was to post-process the DOM and remove the redundant declarations
(before signing, of course).

Thanks,
Brent
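The DOM post-processing Brent mentions as a fallback (removing redundant declarations before signing), written out as an added example; this is not Brent's test program nor Santuario code, just plain JDK DOM. It walks the ds:Signature subtree (the trimmed sample is taken from the signed-assertion.xml posted later in this thread, with the digest and signature values shortened) and removes only those xmlns attributes that repeat a binding already in force on an ancestor. A declaration that rebinds a prefix to a different URI is deliberately kept, because dropping it would change which namespace the element and attribute names resolve to, not just how the XML looks. The class name, the method names and the trimmed sample are this example's own.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class StripRedundantNamespaces {

    // Trimmed from the signed-assertion.xml posted in this thread; DigestValue and
    // SignatureValue are shortened placeholders, and the XML declaration is omitted so
    // the text can be fed from a String.
    private static final String SAMPLE =
        "<saml:Assertion ID=\"assertionID\" Version=\"2.0\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
      + "<saml:Issuer>http://www.example.org/idp</saml:Issuer>"
      + "<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
      + "<ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
      + "<ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/>"
      + "<ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/>"
      + "<ds:Reference URI=\"#assertionID\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
      + "<ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/>"
      + "<ds:DigestValue xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">DIGEST...</ds:DigestValue>"
      + "</ds:Reference></ds:SignedInfo>"
      + "<ds:SignatureValue xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">SIG...</ds:SignatureValue>"
      + "</ds:Signature></saml:Assertion>";

    /** Removes redundant xmlns declarations below root; returns how many were removed. */
    public static int stripRedundantNamespaceDeclarations(Element root) {
        return strip(root, root);
    }

    private static int strip(Element root, Element element) {
        int removed = 0;
        if (element != root) {
            NamedNodeMap attrs = element.getAttributes();
            List<Attr> redundant = new ArrayList<>(); // collect first: the map is live
            for (int i = 0; i < attrs.getLength(); i++) {
                Attr a = (Attr) attrs.item(i);
                if (!XMLConstants.XMLNS_ATTRIBUTE_NS_URI.equals(a.getNamespaceURI())) continue;
                // xmlns="..." declares the default namespace; DOM looks that up with a null prefix
                String prefix = XMLConstants.XMLNS_ATTRIBUTE.equals(a.getLocalName()) ? null : a.getLocalName();
                Node parent = element.getParentNode();
                String inherited = (parent == null) ? null : parent.lookupNamespaceURI(prefix);
                // Redundant only if the ancestor binding has the very same URI; a rebinding stays.
                if (a.getValue().equals(inherited)) redundant.add(a);
            }
            for (Attr a : redundant) { element.removeAttributeNode(a); removed++; }
        }
        // Pre-order: parents are cleaned first, which never changes what children inherit.
        for (Node c = element.getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c.getNodeType() == Node.ELEMENT_NODE) removed += strip(root, (Element) c);
        }
        return removed;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required, otherwise xmlns attrs have no namespace URI
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(SAMPLE)));
        int removed = stripRedundantNamespaceDeclarations(doc.getDocumentElement());
        System.out.println("removed " + removed + " redundant namespace declarations");
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        System.out.println(out);
    }
}
```

As Brent says, such a cleanup belongs before the signature value is computed: once the document is signed, any change to the signed subtree that alters its canonical form invalidates the signature, so a consumer should verify first and never "tidy" signed XML on the way in.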

Re: Signature and children - redundant namespace declarations

Posted by Raul Benito <ra...@apache.org>.
Hi all,
First of all sorry for the delay,
Regarding circumventBug2560: it should only be invoked when there is
an xpath transformation and the transformation contains the word
nodespace. In theory it is only needed when the xpath uses the
nodespace axis, but this approximation is good enough.

So if you are seeing this problem and you are not using an xpath
transformation, you can raise a bug.


Regards,

Raul


On 5/30/07, Sean Mullan <Se...@sun.com> wrote:
> Ok, well I will have to let Raul answer. I know he did a lot of work to
> try to eliminate the circumventBug2560 dependency, but maybe there are
> still some lingering cases ...
>
> --Sean
>
> Brent Putman wrote:
> > Scott Cantor wrote:
> >> Alright, then there's another case in which the namespaces appear, these are
> >> nothing but enveloped + excl c14n.
> >>
> >> -- Scott
> >>
> >>
> >
> >
> > To add to what Scott said: I did a quick test and this also happens with
> > detached signatures with an external URI reference (so no enveloped
> > transform) and, just for the hell of it, inclusive c14n.
> >
> > BTW, this is with Java v1.4.1, forgot to mention that before.  I seem to
> > remember it happened with 1.4.0 as well.
> >
> > --Brent
>
>


-- 
http://r-bg.com

Re: Signature and children - redundant namespace declarations

Posted by Sean Mullan <Se...@Sun.COM>.
Ok, well I will have to let Raul answer. I know he did a lot of work to 
try to eliminate the circumventBug2560 dependency, but maybe there are 
still some lingering cases ...

--Sean

Brent Putman wrote:
> Scott Cantor wrote:
>> Alright, then there's another case in which the namespaces appear, these are
>> nothing but enveloped + excl c14n.
>>
>> -- Scott
>>
>>   
> 
> 
> To add to what Scott said: I did a quick test and this also happens with
> detached signatures with an external URI reference (so no enveloped
> transform) and, just for the hell of it, inclusive c14n.
> 
> BTW, this is with Java v1.4.1, forgot to mention that before.  I seem to
> remember it happened with 1.4.0 as well.
> 
> --Brent


Re: Signature and children - redundant namespace declarations

Posted by Brent Putman <pu...@georgetown.edu>.
Scott Cantor wrote:
>
> Alright, then there's another case in which the namespaces appear, these are
> nothing but enveloped + excl c14n.
>
> -- Scott
>
>   


To add to what Scott said: I did a quick test and this also happens with
detached signatures with an external URI reference (so no enveloped
transform) and, just for the hell of it, inclusive c14n.

BTW, this is with Java v1.4.1, forgot to mention that before.  I seem to
remember it happened with 1.4.0 as well.

--Brent

RE: Signature and children - redundant namespace declarations

Posted by Scott Cantor <ca...@osu.edu>.
> > Anyway, does that include enveloped signatures?
> > Sometimes that's implemented with XPath and sometimes not.
> 
> No, it used to but I believe Raul fixed that a while ago.

Alright, then there's another case in which the namespaces appear, these are
nothing but enveloped + excl c14n.

-- Scott



Re: Signature and children - redundant namespace declarations

Posted by Sean Mullan <Se...@Sun.COM>.
Scott Cantor wrote:
>> This should only happen if you have a dependency on XPath, for example
>> you are using an XPath Transform. This is to workaround a problem in
>> Xalan, in which the parent namespace nodes are not visible in the
>> children. See http://nagoya.apache.org/bugzilla/show_bug.cgi?id=2650
> 
> I believe nagoya's gone in favor of the jira server.

Yes, sorry. Try this instead: 
http://issues.apache.org/bugzilla/show_bug.cgi?id=2650

> Anyway, does that include enveloped signatures? 
> Sometimes that's implemented with XPath and sometimes not.

No, it used to but I believe Raul fixed that a while ago.

--Sean


RE: Signature and children - redundant namespace declarations

Posted by Scott Cantor <ca...@osu.edu>.
> This should only happen if you have a dependency on XPath, for example
> you are using an XPath Transform. This is to workaround a problem in
> Xalan, in which the parent namespace nodes are not visible in the
> children. See http://nagoya.apache.org/bugzilla/show_bug.cgi?id=2650

I believe nagoya's gone in favor of the jira server.

Anyway, does that include enveloped signatures? Sometimes that's implemented
with XPath and sometimes not.

-- Scott



Re: Signature and children - redundant namespace declarations

Posted by Sean Mullan <Se...@Sun.COM>.
Brent Putman wrote:
> When I generate a signature using XMLSignature, the library is
> redundantly adding the signature namespace declaration on every child
> element of the ds:Signature element.  Is there any way that this
> behavior can be avoided or turned off?  Am I doing something wrong?  I
> looked in the docs, I couldn't find any relevant settings, but maybe I
> missed something.

This should only happen if you have a dependency on XPath, for example 
you are using an XPath Transform. This is to workaround a problem in 
Xalan, in which the parent namespace nodes are not visible in the 
children. See http://nagoya.apache.org/bugzilla/show_bug.cgi?id=2650

--Sean

> 
> It would be ideal if it could be declared only once, on the ds:Signature
> object itself.  I know it's mostly a cosmetic thing, but one of our
> OpenSAML users noticed and inquired about it, so I wanted to see if
> there is an easy solution.  If not, the only alternative I could think
> of was to post-process the DOM and remove the redundant declarations
> (before signing, of course).
> 
> Thanks,
> Brent


Re: Signature and children - redundant namespace declarations

Posted by Sean Mullan <Se...@Sun.COM>.
Brent Putman wrote:
> 
> Sean Mullan wrote:
>> Yes, that should be fixed. It is not the same problem as the xalan
>> workaround which copies all the namespaces to every element in the doc.
>> I think the problem is in XMLUtils.createElementInSignatureSpace. It
>> really should only set the namespace attribute if it is the Signature
>> element.
>>
>> Can you file a bug?
>>   
> 
> 
> Ok, bug filed.  Incidentally, within the XML Security project in
> Bugzilla, there does not currently exist any version option for entering
> new issues for any Java 1.4.x versions, the highest version listed is
> "Java 1.3".

I know. I want to fix that but don't know how. Does anyone know whom to 
contact to add more releases to bugzilla?

--Sean

Re: Signature and children - redundant namespace declarations

Posted by Brent Putman <pu...@georgetown.edu>.

Sean Mullan wrote:
>
> Yes, that should be fixed. It is not the same problem as the xalan
> workaround which copies all the namespaces to every element in the doc.
> I think the problem is in XMLUtils.createElementInSignatureSpace. It
> really should only set the namespace attribute if it is the Signature
> element.
>
> Can you file a bug?
>   


Ok, bug filed.  Incidentally, within the XML Security project in
Bugzilla, there does not currently exist any version option for entering
new issues for any Java 1.4.x versions, the highest version listed is
"Java 1.3".

> Incidentally, this problem does not occur if you are using the JSR 105
> API to create signatures which has its own marshalling code.
>   


I'll look at that.  I doubt we can easily switch (in the short term) our
OpenSAML 2 library code to use that new API (we started writing before
it was available), but it is something we may investigate doing in the
future.

Thanks,
Brent



Re: Signature and children - redundant namespace declarations

Posted by Sean Mullan <Se...@Sun.COM>.
Brent Putman wrote:
> 
> Raul Benito wrote:
>> Can you post an example of the behaviour (a code and an output)?
>>
> 
> Ok, here is a little test program I wrote.  It's not OpenSAML-based,
> it's just straight DOM-based code.  Parses the assertion.xml and signs
> the saml:Assertion, using enveloped and exclusive c14n on the single
> internal document Reference, and exclusive c14n for the signature c14n. 
> No XPath transforms, etc.
> 
> The signed-assertion.xml is the output I get when I run it with Sun's
> JDK 1.5.0.  As you can see, all the Signature children have the ds
> namespace prefix redeclared.
> 
> Let me know what you think.

Yes, that should be fixed. It is not the same problem as the xalan
workaround which copies all the namespaces to every element in the doc.
I think the problem is in XMLUtils.createElementInSignatureSpace. It
really should only set the namespace attribute if it is the Signature
element.

Can you file a bug?

Incidentally, this problem does not occur if you are using the JSR 105
API to create signatures which has its own marshalling code.

--Sean

> 
> Thanks,
> Brent
> 
> 
> ------------------------------------------------------------------------
> 
> <?xml version="1.0" encoding="UTF-16"?>
> <saml:Assertion ID="assertionID" IssueInstant="2007-04-13T23:46:00.100Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
>     <saml:Issuer>http://www.example.org/idp</saml:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:Reference URI="#assertionID" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">3Z41uwaAAFEiFh2ch1r0k9S4hiQ=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> V8g/NO6RKVxsCNz1hs5d2mAOklaZK80NsjCfELUO4w5qSpHaQPXchKzMf47/idiDGVgr1h3rxeKc
> 516X2n00wtw84Mo7J8hvgJWXrY5z5P96GJZkc1qW9ywmBWRdWq5z2fXFdrSkCpO/GvcLaYC5a2vI
> qGc4OV5QbGq52KFZQmo=
> </ds:SignatureValue>
> </ds:Signature><saml:Subject>
>         <saml:NameID>smithj</saml:NameID>
>     </saml:Subject>
>     <saml:AttributeStatement>
>         <saml:Attribute>
>             <saml:AttributeValue Name="emailAddress">john.smith@example.org</saml:AttributeValue>
>         </saml:Attribute>
>     </saml:AttributeStatement>
> </saml:Assertion>
> 
> 
> ------------------------------------------------------------------------
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     Version="2.0" ID="assertionID" IssueInstant="2007-04-13T23:46:00.100Z">
>     <saml:Issuer>http://www.example.org/idp</saml:Issuer>
>     <saml:Subject>
>         <saml:NameID>smithj</saml:NameID>
>     </saml:Subject>
>     <saml:AttributeStatement>
>         <saml:Attribute>
>             <saml:AttributeValue Name="emailAddress">john.smith@example.org</saml:AttributeValue>
>         </saml:Attribute>
>     </saml:AttributeStatement>
> </saml:Assertion>


Re: Signature and children - redundant namespace declarations

Posted by Brent Putman <pu...@georgetown.edu>.

Raul Benito wrote:
> Can you post an example of the behaviour (a code and an output)?
>

Ok, here is a little test program I wrote.  It's not OpenSAML-based,
it's just straight DOM-based code.  Parses the assertion.xml and signs
the saml:Assertion, using enveloped and exclusive c14n on the single
internal document Reference, and exclusive c14n for the signature c14n. 
No XPath transforms, etc.

The signed-assertion.xml is the output I get when I run it with Sun's
JDK 1.5.0.  As you can see, all the Signature children have the ds
namespace prefix redeclared.

Let me know what you think.

Thanks,
Brent

Re: Signature and children - redundant namespace declarations

Posted by Raul Benito <ra...@apache.org>.
Can you post an example of the behaviour (a code and an output)?

On 5/29/07, Brent Putman <pu...@georgetown.edu> wrote:
> When I generate a signature using XMLSignature, the library is
> redundantly adding the signature namespace declaration on every child
> element of the ds:Signature element.  Is there any way that this
> behavior can be avoided or turned off?  Am I doing something wrong?  I
> looked in the docs, I couldn't find any relevant settings, but maybe I
> missed something.
>
> It would be ideal if it could be declared only once, on the ds:Signature
> object itself.  I know it's mostly a cosmetic thing, but one of our
> OpenSAML users noticed and inquired about it, so I wanted to see if
> there is an easy solution.  If not, the only alternative I could think
> of was to post-process the DOM and remove the redundant declarations
> (before signing, of course).
>
> Thanks,
> Brent
>


-- 
http://r-bg.com