OpenSAML user discussion

[Mitchell Prentice <>]

Yes, the sender is adding whitespace after signing. In their log file they log the signed SAML assertion. They then add whitespace and newlines (pretty print) after signing, log this also, and then send me the formatted signed assertion. I cannot verify this received assertion. However, if I take the entry from their log prior to their adding whitespace I can verify the signature. The signature looks fairly standard to me and uses http://www.w3.org/2001/10/xml-exc-c14n canonicalization.

 

The sender is quite adamant that I should be able to verify the signature even though the XML has been subsequently modified with whitespace/new line characters and that canonicalization handles this.

 

Unless I'm misunderstanding something I believe this is wrong and that's what everyone is confirming.

Thanks

Mitch

On Fri, Apr 3, 2009 at 12:23 AM, Anil Saldhana <> wrote:

The sender is modifying the assertion with white spaces after generating the signature. The receiver (Mitch) has received a signature and a modified assertion with white spaces. 

I think the discussion is about content that is already signed.  We are saying you cannot modify it lest signature failure. :)

On Thu, Apr 2, 2009 at 9:13 AM, Chad La Joie <> wrote:

I think you two are talking past each other.

You can take some arbitrary bit of XML, add whitespaces, and *then* sign
it and then verify it.  So, assuming the person meant exactly what they
said, then they were telling the truth.  However, you can not take that
same XML, sign it, then add whitespace and verify it.

Mitchell Prentice wrote:
> Thanks. It's actually SAML v1.1 not SAML v2.0 but I presume that makes no
> difference.
>
> Just to be absolutely certain, here's what the other party is saying: "It is
> expected behavior (and SAML compliant) to produce a SAML Assertion with
> white space and apply a digital signature to the XML without the white
> space".
>
> Can this statement ever be true?
>
> The other party goes on to imply that canonicalization handles the
> whitespace.
>
> Can this statement ever be true?
>
> From my experience and from looking at
> http://www.w3.org/TR/2001/REC-xml-c14n-20010315#Example-WhitespaceInContent I
> believe adding whitespace to the document content will always break
> signature validation.
>
> Thanks
> Mitch
> On Thu, Apr 2, 2009 at 8:49 AM, Anil Saldhana <>wrote:
>
>> Mitch,
>>   you are correct. Whitespaces/pretty printing etc will fail sig
>> validation.
>>
>> Cheers.
>>
>>
>> On Wed, Apr 1, 2009 at 5:39 PM, Mitchell Prentice <
>> > wrote:
>>
>>> Hello
>>>
>>> I have a signed SAML 2.0 assertion that includes
>>> http://www.w3.org/2001/10/xml-exc-c14n# canonicalization. Apparently the
>>> creator of this signed assertion signed the assertion and then formatted the
>>> assertion with whitespace characters after signing. I can verify the
>>> signature if the whitespace characters are not added but if the whitespace
>>> characters are added then the signature verification fails. The creator of
>>> the SAML assertion says that canonicalization is supposed to remove the
>>> whitespaces and that it's a bug if you cannot verify the signature even if
>>> the XML has been modified after signing by the inclusion of whitespaces. My
>>> understanding is that this is not the case and that you cannot add
>>> whitespace to the XML and still expect the signature to verify. Which is
>>> correct?
>>>
>>> Thanks
>>> Mitch
>>>
>>
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
, http://www.switch.ch