
mace-opensaml-users - Re: [OpenSAML] XML signatures and canonicalization

Subject: OpenSAML user discussion

  • From: Mitchell Prentice <>
  • To:
  • Subject: Re: [OpenSAML] XML signatures and canonicalization
  • Date: Fri, 3 Apr 2009 07:51:35 +1000

Thanks for the clarification. It's <ele1 ...><ele2 ...> changed to

 <ele1 ...>
 <ele2 ...>

Thanks
Mitch

On Fri, Apr 3, 2009 at 2:16 AM, Jim Fox <> wrote:

As someone pointed out, it depends on what you call whitespace.  You
can, for instance, with your c14n canonicalization, break lines between
attributes of an element without affecting the signature.  So you could
reformat

 <ele a1="text.." a2="more text..">

as

 <ele a1="text.."
   a2="more text...">

and the signature would still be good.   You could even reformat it as

 <ele a2="more text..." a1="text..." >

without invalidating the signature.  You cannot, however, add important
white space.  Doing something like

  <ele1 ...><ele2 ...>

reformatted to

  <ele1 ...>
  <ele2 ...>

would invalidate the signature, because the new white space becomes part
of the document.

Jim




> Yes, the sender is adding whitespace after signing. In their log file
> they log the signed SAML assertion. They then add whitespace and
> newlines (pretty print) after signing, log this also, and then send me
> the formatted signed assertion. I cannot verify this received
> assertion. However, if I take the entry from their log prior to their
> adding whitespace I can verify the signature. The signature looks
> fairly standard to me and uses
> http://www.w3.org/2001/10/xml-exc-c14n canonicalization.
>
> The sender is quite adamant that I should be able to verify the
> signature even though the XML has been subsequently modified with
> whitespace/new line characters and that canonicalization handles this.
>
> Unless I'm misunderstanding something I believe this is wrong and
> that's what everyone is confirming.
>
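
The three reformatting cases discussed in this thread, as an added example that is not part of the original messages or of OpenSAML. It assumes Python's standard-library `canonicalize` (C14N 2.0) as a stand-in for the exclusive c14n named in the thread, which treats attribute order, whitespace inside a start tag, and whitespace between elements the same way; the sample documents are constructed.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: the document as it was when "signed".
SIGNED = '<ele1 a1="text" a2="more text"><ele2 id="x">v</ele2></ele1>'

# Constructed variants: the same document after each kind of reformatting.
VARIANTS = {
    "line break between attributes":
        '<ele1 a1="text"\n   a2="more text"><ele2 id="x">v</ele2></ele1>',
    "attributes reordered":
        '<ele1 a2="more text" a1="text" ><ele2 id="x">v</ele2></ele1>',
    "newline between elements":
        '<ele1 a1="text" a2="more text">\n<ele2 id="x">v</ele2>\n</ele1>',
}


def digest(xml_text: str) -> str:
    """SHA-256 over the canonical octets, the input a signature digest covers."""
    # strip_text defaults to False, so whitespace text nodes are preserved,
    # as they are under the canonicalization used for XML signatures.
    canonical = canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare(signed: str, variants: dict) -> dict:
    """Map each variant name to True if its canonical digest is unchanged."""
    expected = digest(signed)
    return {name: digest(xml) == expected for name, xml in variants.items()}


if __name__ == "__main__":
    for name, same in compare(SIGNED, VARIANTS).items():
        print(f"{name:32} digest {'unchanged' if same else 'CHANGED'}")
```

Only the last variant changes the digest: the newline between `ele1` and `ele2` is a text node in the document, so it survives canonicalization and the signature no longer verifies.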






