mace-opensaml-users - RE: [OpenSAML] XML signatures and canonicalization
Subject: OpenSAML user discussion
- From: "Bob Jacoby" <>
- To: <>
- Subject: RE: [OpenSAML] XML signatures and canonicalization
- Date: Thu, 2 Apr 2009 08:53:39 -0500
Mitchell,

I think that is a perfectly valid statement. You are correct that adding whitespace to the assertion and performing validation on the assertion with that added whitespace will break the validation of the signature.

However, the standard process for validating a signature should include canonicalization of what you are signing as the first step (assuming it was used during the original signature process). Signature blocks contain metadata about what canonicalization algorithm was used before signing specifically so you can repeat it during validation.

Bob

From: Mitchell Prentice [mailto:]

Thanks. It's actually SAML v1.1 not SAML v2.0 but I presume that makes no difference.

Just to be absolutely certain, here's what the other party is saying: "It is expected behavior (and SAML compliant) to produce a SAML Assertion with white space and apply a digital signature to the XML without the white space". Can this statement ever be true?

The other party goes on to imply that canonicalization handles the whitespace. Can this statement ever be true?

From my experience and from looking at http://www.w3.org/TR/2001/REC-xml-c14n-20010315#Example-WhitespaceInContent I believe adding whitespace to the document content will always break signature validation.

Thanks
Mitch

On Thu, Apr 2, 2009 at 8:49 AM, Anil Saldhana <> wrote:

Mitch,

On Wed, Apr 1, 2009 at 5:39 PM, Mitchell Prentice <> wrote:

Hello

I have a signed SAML 2.0 assertion that includes http://www.w3.org/2001/10/xml-exc-c14n# canonicalization. Apparently the creator of this signed assertion signed the assertion and then formatted the assertion with whitespace characters after signing. I can verify the signature if the whitespace characters are not added but if the whitespace characters are added then the signature verification fails.

The creator of the SAML assertion says that canonicalization is supposed to remove the whitespaces and that it's a bug if you cannot verify the signature even if the XML has been modified after signing by the inclusion of whitespaces. My understanding is that this is not the case and that you cannot add whitespace to the XML and still expect the signature to verify. Which is correct?

Thanks
Mitch
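
The distinction discussed in this thread, as an added example that is not part of the original messages: canonicalization absorbs differences inside markup (attribute order, quoting, spacing in tags, empty-element form) but keeps whitespace in element content, so pretty-printing after signing changes the digest. It assumes Python's standard-library `canonicalize` (C14N 2.0 with default options) as a stand-in for the exclusive C14N named in the thread, SHA-256 as the digest, and constructed sample documents.

```python
import hashlib
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import canonicalize

# Constructed samples: one assertion-like element serialized three ways.
SIGNED = '<Assertion b="2" a="1"><Subject>alice</Subject><Conditions/></Assertion>'
# Differs only inside markup: attribute order, quote style, spaces in tags,
# and <Conditions></Conditions> instead of <Conditions/>.
MARKUP_ONLY = ("<Assertion   a='1'  b='2' ><Subject >alice</Subject>"
               "<Conditions></Conditions></Assertion >")
# Same element pretty-printed after "signing": new whitespace text nodes.
PRETTY = ('<Assertion b="2" a="1">\n  <Subject>alice</Subject>\n'
          '  <Conditions/>\n</Assertion>')


def c14n_digest(xml_text):
    """Digest of the canonical form, as a verifier would recompute it."""
    canonical = canonicalize(xml_text)  # default options keep text as-is
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def same_digest(a, b):
    """True when both serializations canonicalize to identical bytes."""
    return c14n_digest(a) == c14n_digest(b)


def whitespace_only_nodes(xml_text):
    """List whitespace-only text nodes that survive canonicalization.

    Useful when diagnosing a document that was re-indented after signing.
    """
    root = ET.fromstring(canonicalize(xml_text))
    found = []
    for el in root.iter():
        for kind, value in (("text", el.text), ("tail", el.tail)):
            if value and not value.strip():
                found.append((el.tag, kind, value))
    return found


if __name__ == "__main__":
    print("markup-only change verifies:", same_digest(SIGNED, MARKUP_ONLY))
    print("pretty-printed verifies:    ", same_digest(SIGNED, PRETTY))
    for tag, kind, value in whitespace_only_nodes(PRETTY):
        print(f"  preserved whitespace in {tag}.{kind}: {value!r}")
```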
- XML signatures and canonicalization, Mitchell Prentice, 04/01/2009
- Re: [OpenSAML] XML signatures and canonicalization, Anil Saldhana, 04/01/2009
- Re: [OpenSAML] XML signatures and canonicalization, Mitchell Prentice, 04/02/2009
- RE: [OpenSAML] XML signatures and canonicalization, Bob Jacoby, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Chad La Joie, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Anil Saldhana, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Xavier Drudis Ferran, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Mitchell Prentice, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, edward . thompson, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Jim Fox, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Mitchell Prentice, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Anil Saldhana, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Mitchell Prentice, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Anil Saldhana, 04/01/2009