Skip to Content.
Sympa Menu

mace-opensaml-users - Re: [OpenSAML] XML signatures and canonicalization

Subject: OpenSAML user discussion

List archive

Re: [OpenSAML] XML signatures and canonicalization


Chronological Thread 
  • From: Chad La Joie <>
  • To:
  • Subject: Re: [OpenSAML] XML signatures and canonicalization
  • Date: Thu, 02 Apr 2009 16:13:31 +0200
  • Openpgp:
  • Organization: SWITCH

I think you two are talking past each other.

You can take some arbitrary bit of XML, add whitespaces, and *then* sign
it and then verify it. So, assuming the person meant exactly what they
said, then they were telling the truth. However, you can not take that
same XML, sign it, then add whitespace and verify it.

Mitchell Prentice wrote:
> Thanks. It's actually SAML v1.1 not SAML v2.0 but I presume that makes no
> difference.
>
> Just to be absolutely certain, here's what the other party is saying: "It is
> expected behavior (and SAML compliant) to produce a SAML Assertion with
> white space and apply a digital signature to the XML without the white
> space".
>
> Can this statement ever be true?
>
> The other party goes on to imply that canonicalization handles the
> whitespace.
>
> Can this statement ever be true?
>
> From my experience and from looking at
> http://www.w3.org/TR/2001/REC-xml-c14n-20010315#Example-WhitespaceInContent
> I
> believe adding whitespace to the document content will always break
> signature validation.
>
> Thanks
> Mitch
> On Thu, Apr 2, 2009 at 8:49 AM, Anil Saldhana
> <>wrote:
>
>> Mitch,
>> you are correct. Whitespaces/pretty printing etc will fail sig
>> validation.
>>
>> Cheers.
>>
>>
>> On Wed, Apr 1, 2009 at 5:39 PM, Mitchell Prentice <
>> >
>> wrote:
>>
>>> Hello
>>>
>>> I have a signed SAML 2.0 assertion that includes
>>> http://www.w3.org/2001/10/xml-exc-c14n# canonicalization. Apparently the
>>> creator of this signed assertion signed the assertion and then formatted
>>> the
>>> assertion with whitespace characters after signing. I can verify the
>>> signature if the whitespace characters are not added but if the whitespace
>>> characters are added then the signature verification fails. The creator of
>>> the SAML assertion says that canonicalization is supposed to remove the
>>> whitespaces and that it's a bug if you cannot verify the signature even if
>>> the XML has been modified after signing by the inclusion of whitespaces.
>>> My
>>> understanding is that this is not the case and that you cannot add
>>> whitespace to the XML and still expect the signature to verify. Which is
>>> correct?
>>>
>>> Thanks
>>> Mitch
>>>
>>
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch




Archive powered by MHonArc 2.6.16.

Top of Page