mace-opensaml-users - Re: [OpenSAML] XML signatures and canonicalization
Subject: OpenSAML user discussion
List archive
- From: Mitchell Prentice <>
- To:
- Subject: Re: [OpenSAML] XML signatures and canonicalization
- Date: Fri, 3 Apr 2009 07:51:35 +1000
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=tUbNSNqrd7396pd1IMxmDueSX0r1YO9L5CDM7yjAfD5oU5YSosZV9DoMOG6VtCdZi3 B8F8nptJ4hJDpWxrxRZ+pHSRFluRnvhUxuKATxZN0EtC5d9WheMUKy+CxPLvmfkzON9p p/3Hoot1w85jq5R1oa5HeKr712qbtp+Y26hxs=
Thanks for the clarification. It's <ele1 ...><ele2 ...> changed to
<ele1 ...>
<ele2 ...>
<ele2 ...>
Thanks
Mitch
On Fri, Apr 3, 2009 at 2:16 AM, Jim Fox <> wrote:
As someone pointed out, it depends on what you call whitespace. You
can, for instance, with your c14n canonicalization, break lines between
attributes of an element without affecting the signature. So you could
reformat
<ele a1="text.." a2="mote text..">
as
<ele a1="text.."
a2="more text...">
and the signature would still be good. You could even reformat it as
<ele a2="more text..." a1="text..." >
without invalidating the signature. You cannot, however, add important
white space. Doing something like
<ele1 ...><ele2 ...>
reformatted to
<ele1 ...>
<ele2 ...>
would invalidate the signature, because the new white space becomes part
of the document.
Jim
> Yes, the sender is adding whitespace after signing. In their log file
> they log the signed SAML assertion. They then add whitespace and
> newlines (pretty print) after signing, log this also, and then send me
> the formatted signed assertion. I cannot verify this received
> assertion. However, if I take the entry from their log prior to their
> adding whitespace I can verify the signature. The signature looks
> fairly standard to me and uses
> http://www.w3.org/2001/10/xml-exc-c14n canonicalization.
>
> The sender is quite adamant that I should be able to verify the
> signature even though the XML has been subsequently modified with
> whitespace/new line characters and that canonicalization handles this.
>
> Unless I'm misunderstanding something I believe this is wrong and
> that's what everyone is confirming.
>
- XML signatures and canonicalization, Mitchell Prentice, 04/01/2009
- Re: [OpenSAML] XML signatures and canonicalization, Anil Saldhana, 04/01/2009
- Re: [OpenSAML] XML signatures and canonicalization, Mitchell Prentice, 04/02/2009
- RE: [OpenSAML] XML signatures and canonicalization, Bob Jacoby, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Chad La Joie, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Anil Saldhana, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Xavier Drudis Ferran, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Mitchell Prentice, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, edward . thompson, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Jim Fox, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Mitchell Prentice, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Anil Saldhana, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Mitchell Prentice, 04/02/2009
- Re: [OpenSAML] XML signatures and canonicalization, Anil Saldhana, 04/01/2009
Archive powered by MHonArc 2.6.16.