shibboleth-dev - Canonicalization issue with signed SWITCH Shibboleth metadata
Subject: Shibboleth Developers
- From: Andreas Åkre Solberg <>
- To: , GN2-JRA5 <>
- Cc: Hämmerle Lukas <>, La Joie Chad <>,
- Subject: Canonicalization issue with signed SWITCH Shibboleth metadata
- Date: Tue, 10 Jun 2008 13:24:51 +0200
We have a student that is working with metadata parsing and processing who discovered this problem with validating the signature of Shibboleth metadata (SWITCH).

Canonicalization of signed metadata

When attempting to validate the signature of the metadata stored at http://www.switch.ch/aai/federation/SWITCHaai/metadata.switchaai_signed.xml using simpleSAMLphp (which uses xmlseclibs.php for handling of XMLSec signed data), I was unable to validate the signature. It turned out that the problem was a difference in the way canonicalization was performed.

The canonicalization used while signing the metadata is "http://www.w3.org/2001/10/xml-exc-c14n#WithComments", which I assume means that the comments in the XML document should be included in the canonicalization. However, the digest value was calculated with comments removed. Is this a bug in the way canonicalization is performed in Shibboleth, or have I misunderstood how this canonicalization should be done?

I have attached a Perl script which can be used to calculate the canonicalization for this particular metadata. It reads XML data from stdin, removes the Signature element and the comments, and writes it to stdout. It also prints the calculated SHA1 digest value and the found DigestValue to stderr.

Example:

$ ./canonicalize.pl <metadata.switchaai_signed.xml >/dev/null
Calculated digest: zprNKLG8MARkxBKTE6DgfBiVI18=
Original digest: zprNKLG8MARkxBKTE6DgfBiVI18=
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA1 qw(sha1_base64);

my $digest;
my $data = join('', <>);    # Load the whole document from stdin

# Find the DigestValue claimed in the XML data.
if ($data =~ m@<ds:DigestValue>(.*?)</ds:DigestValue>@s) {
    $digest = $1;
}

$data =~ s@<ds:Signature.*?</ds:Signature>@@sg;    # Remove the Signature element (enveloped-signature transform)
$data =~ s@<!--.*?-->@@sg;                         # Remove comments
print($data);                                      # Write the canonicalized data

# sha1_base64 omits base64 padding, so the trailing "=" is appended by hand.
print(STDERR 'Calculated digest: ', sha1_base64($data), "=\n");
if ($digest) {
    print(STDERR "Original digest: $digest\n");
}
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
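Added example, not code from the post above nor from simpleSAMLphp, xmlseclibs or Shibboleth: a Python check of which canonicalization a ds:Reference digest is actually bound to. In XMLDSig the ds:CanonicalizationMethod inside ds:SignedInfo applies to SignedInfo itself (the bytes the RSA signature covers); the digest in each ds:Reference is computed after that Reference's own ds:Transforms. A document can therefore declare exc-c14n#WithComments for SignedInfo while its Reference is digested with comments stripped, which is exactly the combination the thread observes. The sample document, its DIGEST_PLACEHOLDER, and the Reference transform chain (enveloped-signature followed by plain exc-c14n) are constructed assumptions, and the standard library's C14N 2.0 (xml.etree.ElementTree.canonicalize, Python 3.8+) stands in for exclusive C14N 1.0, which is adequate for the comments question but not for every namespace corner case.

```python
"""Which canonicalization is an XMLDSig Reference digest bound to?

Added example; not from the mailing-list post, simpleSAMLphp, xmlseclibs or
Shibboleth.  Assumptions: the sample document below is constructed, and
xml.etree.ElementTree.canonicalize (C14N 2.0) stands in for exclusive C14N 1.0.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WITH_COMMENTS = EXC_C14N + "WithComments"
ENVELOPED = DS + "enveloped-signature"

# Constructed sample (assumed layout): SignedInfo declares exc-c14n#WithComments,
# as the SWITCH metadata does, while the Reference's own transform chain is
# enveloped-signature followed by plain exc-c14n.  SignatureValue is a
# placeholder because only the digest step is exercised here.
SIGNED_TEMPLATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="example-federation">
  <!-- generated 2008-06-10 by the example federation tooling -->
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>DIGEST_PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <!-- Example IdP -->
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def canonical_form(xml_text, with_comments):
    """Enveloped-signature transform (drop ds:Signature) plus canonicalization.

    exclude_tags removes the whole ds:Signature subtree; with_comments decides
    whether XML comments survive, which is the only difference between
    exc-c14n and exc-c14n#WithComments."""
    return ET.canonicalize(
        xml_text,
        with_comments=with_comments,
        exclude_tags=["{%s}Signature" % DS],
    ).encode("utf-8")


def reference_digest(xml_text, with_comments):
    """Base64 SHA-1 over the canonical form, the value carried in ds:DigestValue."""
    raw = hashlib.sha1(canonical_form(xml_text, with_comments)).digest()
    return base64.b64encode(raw).decode("ascii")


def sign_reference(template):
    """Fill in DigestValue the way a signer honouring the Reference transforms
    (enveloped-signature, then exc-c14n without comments) would."""
    return template.replace("DIGEST_PLACEHOLDER", reference_digest(template, False))


def verify_reference(xml_text):
    """Recompute the Reference digest from the algorithms named in the
    Reference's own ds:Transforms and compare with ds:DigestValue.

    The SignedInfo CanonicalizationMethod is reported but deliberately not
    used: in XMLDSig it governs SignedInfo, not the referenced content."""
    root = ET.fromstring(xml_text)
    c14n_method = root.find(".//{%s}CanonicalizationMethod" % DS).get("Algorithm")
    ref = root.find(".//{%s}Reference" % DS)
    transforms = [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS)]
    stated = ref.findtext("{%s}DigestValue" % DS).strip()
    if ENVELOPED not in transforms:
        raise ValueError("example only handles enveloped signatures")
    if EXC_C14N_WITH_COMMENTS in transforms:
        with_comments = True
    elif EXC_C14N in transforms:
        with_comments = False
    else:
        raise ValueError("unsupported transform chain: %r" % transforms)
    computed = reference_digest(xml_text, with_comments)
    return {
        "signedinfo_c14n": c14n_method,
        "reference_transforms": transforms,
        "comments_in_digest": with_comments,
        "stated": stated,
        "computed": computed,
        "ok": computed == stated,
    }


if __name__ == "__main__":
    signed = sign_reference(SIGNED_TEMPLATE)
    for key, value in verify_reference(signed).items():
        print("%-20s %s" % (key, value))
    print("digest with comments    ", reference_digest(signed, True))
    print("digest without comments ", reference_digest(signed, False))
```

Running the script prints a verified Reference whose SignedInfo still names exc-c14n#WithComments, followed by two different digests for the comments-in and comments-out canonical forms; swapping the Reference's transform to the WithComments variant without recomputing DigestValue makes verify_reference report ok=False, which is the mismatch a verifier that reads the wrong algorithm element would see.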
- Canonicalization issue with signed SWITCH Shibboleth metadata, Andreas Åkre Solberg, 06/10/2008
- RE: [Shib-Dev] Canonicalization issue with signed SWITCH Shibboleth metadata, Scott Cantor, 06/10/2008
- <Possible follow-up(s)>
- Canonicalization issue with signed SWITCH Shibboleth metadata, Andreas Åkre Solberg, 06/10/2008