mace-opensaml-users - RE: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail
Subject: OpenSAML user discussion
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail
- Date: Tue, 2 Nov 2010 22:44:26 -0400
- Organization: The Ohio State University
> Well, I know it's significant after c14n. But I didn't expect the
> OpenSAML parsing code to assume the SignedInfo was pre-canonicalized.
> I thought it'd perform c14n on it, removing newlines.

That's my point, you're mistaking c14n for having something to do with
"removing newlines", which is not at all part of c14n. Newlines are
whitespace and are significant in XML. It doesn't matter where they are. It
isn't "correct" or "incorrect" to strip them from SignedInfo. If they're
there, they're signed and must be preserved.

Apache XML-Security itself produces specifically formatted DOM nodes.
We don't strip them or do anything with them, but if something else does
after signing, it will break. If something cares what they look like
beforehand, it can make changes as long as it does so before signing, but
after that, you preserve the XML byte for byte or your signature will break
90% of the time.

This is why the spec was essentially broken. It thought it knew what changes
people wanted to make to documents and accounted for them in c14n, but it
got it completely and utterly wrong, since most changes people expect will
be neutral are not.
-- Scott
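
The distinction drawn in the message above, as an added example that is not part of the original thread and is not OpenSAML or Apache XML-Security code. It assumes Python's standard-library `canonicalize` (C14N 2.0) in place of the exclusive c14n that SAML signatures normally name; both leave whitespace inside the document element untouched. The SignedInfo fragment is constructed and trimmed, and SHA-256 stands in for the hash the signature algorithm computes.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed, trimmed SignedInfo as a signer might emit it, newlines included.
SIGNED = (
    f'<ds:SignedInfo xmlns:ds="{DS}">\n'
    f'<ds:CanonicalizationMethod Algorithm="{EXC}"/>\n'
    f'<ds:Reference Id="r1" URI="#_a1">'
    f'<ds:DigestValue>CONSTRUCTED=</ds:DigestValue></ds:Reference>\n'
    f'</ds:SignedInfo>'
)

# Same content, different syntax: quote style, attribute order, spaces inside
# tags, expanded empty element. These are the differences c14n normalizes.
SYNTAX_ONLY = (
    f"<ds:SignedInfo   xmlns:ds='{DS}'>\n"
    f"<ds:CanonicalizationMethod Algorithm='{EXC}'></ds:CanonicalizationMethod>\n"
    f'<ds:Reference URI="#_a1"  Id="r1" >'
    f"<ds:DigestValue>CONSTRUCTED=</ds:DigestValue></ds:Reference>\n"
    f"</ds:SignedInfo>"
)

# Changes a tidy-up step tends to make after signing: strip or re-indent.
STRIPPED = SIGNED.replace("\n", "")
REINDENTED = SIGNED.replace("\n<ds:", "\n  <ds:")


def c14n_digest(xml: str) -> str:
    """SHA-256 over the canonical bytes (stand-in for the signed hash)."""
    return hashlib.sha256(canonicalize(xml).encode("utf-8")).hexdigest()


def survives(signed: str, received: str) -> bool:
    """True if the received form canonicalizes to the bytes that were signed."""
    return c14n_digest(signed) == c14n_digest(received)


if __name__ == "__main__":
    for name, doc in [("syntax only", SYNTAX_ONLY), ("stripped", STRIPPED),
                      ("re-indented", REINDENTED)]:
        print(f"{name:12} signature would verify: {survives(SIGNED, doc)}")
```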