mace-opensaml-users - RE: verifying signature on saml assertions

Subject: OpenSAML user discussion

List archive

RE: verifying signature on saml assertions

From: Scott Cantor <>
To: 'Rakesh Aggarwal' <>, ,
Cc: 'Shamik Sharma' <>, 'Mike McEvoy' <>
Subject: RE: verifying signature on saml assertions
Date: Mon, 14 Apr 2003 17:55:04 -0400
Importance: Normal
Organization: The Ohio State University

> I wonder how extra newlines can break the signature
> verification. Wouldn't XML C14N take care of that?

No. This trips up lots of people. Whitespace is not ignored during c14n. Lots
of people assume that whitespace is just stripped, but
it's not. It's completely significant.

If you build a SAML object, sign it, serialize it with an extra linefeed,
parse it, and verify, you will get an error. Always.

-- Scott

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--

RE: verifying signature on saml assertions, (continued)
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/14/2003
  - RE: verifying signature on saml assertions, Scott Cantor, 04/14/2003
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/14/2003
  - RE: verifying signature on saml assertions, Scott Cantor, 04/14/2003
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/16/2003

List archive

RE: verifying signature on saml assertions