shibboleth-dev - Canonicalization issue with signed SWITCH Shibboleth metadata
Subject: Shibboleth Developers
List archive
- From: Andreas Åkre Solberg <>
- To:
- Cc:
- Subject: Canonicalization issue with signed SWITCH Shibboleth metadata
- Date: Tue, 10 Jun 2008 14:16:46 +0200
We have a student who is working with metadata parsing and processing and who discovered this problem with validating the signature of Shibboleth metadata (SWITCH).
Canonicalization of signed metadata
When attempting to validate the signature of the metadata stored at
http://www.switch.ch/aai/federation/SWITCHaai/metadata.switchaai_signed.xml
using simpleSAMLphp (which uses xmlseclibs.php for handling of XMLSec
signed data), I was unable to validate the signature.
It turned out that the problem was a difference in the way
canonicalization was performed. The canonicalization used while signing
the metadata is "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
which I assume means that the comments in the XML document should be
included in the canonicalization. However, the digest value was
calculated with comments removed.
Is this a bug in the way canonicalization is performed in Shibboleth,
or have I misunderstood how this canonicalization should be done?
I have attached a perl script which can be used to calculate the
canonicalization for this particular metadata. It reads XML data from
stdin, removes the Signature element and the comments, and writes it to
stdout. It also prints the calculated SHA1 digest value and found
DigestValue to stderr.
[500 bytes of perl was apparently too much for the sympa server, so contact me to get the script]
Example:
$ ./canonicalize.pl <metadata.switchaai_signed.xml >/dev/null
Calculated digest: zprNKLG8MARkxBKTE6DgfBiVI18=
Original digest: zprNKLG8MARkxBKTE6DgfBiVI18=
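Added example (not part of this thread, and not the simpleSAMLphp, xmlseclibs or SWITCH code): a Python script that does what the Perl script described above does, and adds the check a verifier actually needs. It strips the ds:Signature element (the enveloped-signature transform), canonicalizes the rest with and without comments, base64-encodes the SHA-1 digest of each, and compares both against the stored DigestValue. It also reads the Algorithm attributes of the Reference's Transform elements, because in XML Signature the CanonicalizationMethod in SignedInfo governs the canonicalization of SignedInfo itself, while the digest of the referenced document is governed by the Reference's Transforms; a "#WithComments" CanonicalizationMethod therefore does not imply that comments are part of the digest input. Assumptions: the standard library's xml.etree.ElementTree.canonicalize (C14N 2.0, Python 3.8 or later) stands in for exclusive C14N 1.0, which it agrees with on this namespace-simple input; the metadata document, its comment, the entityID and the DigestValue are constructed, with the DigestValue filled in the way a signer whose Reference transform is exc-c14n without comments would fill it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
DS_SIGNATURE = f"{{{NS_DS}}}Signature"

# Constructed metadata document (not SWITCH's). The Reference lists the
# enveloped-signature transform followed by exc-c14n WITHOUT comments, while
# SignedInfo's CanonicalizationMethod is exc-c14n WITH comments, mirroring the
# situation described in the post.
METADATA_TEMPLATE = (
    f'<md:EntitiesDescriptor xmlns:md="{NS_MD}" xmlns:ds="{NS_DS}" '
    'Name="example-federation">'
    "<!-- generated by the federation tool (constructed comment) -->"
    "<ds:Signature><ds:SignedInfo>"
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>'
    '<ds:Reference URI=""><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    "</ds:Transforms>"
    "<ds:DigestValue>DIGEST_PLACEHOLDER</ds:DigestValue>"
    "</ds:Reference></ds:SignedInfo></ds:Signature>"
    '<md:EntityDescriptor entityID="https://idp.example.org/idp"/>'
    "</md:EntitiesDescriptor>"
)


def canonical_reference(xml_text: str, with_comments: bool) -> str:
    """Enveloped-signature transform (drop ds:Signature) followed by C14N.

    exclude_tags removes the whole ds:Signature subtree, so the DigestValue
    stored inside it never influences the digest computed over the document.
    """
    return ET.canonicalize(xml_text, with_comments=with_comments,
                           exclude_tags={DS_SIGNATURE})


def digest_of(canonical: str) -> str:
    """SHA-1 of the canonical UTF-8 bytes, base64-encoded like ds:DigestValue."""
    raw = hashlib.sha1(canonical.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def reference_digest(xml_text: str, with_comments: bool) -> str:
    return digest_of(canonical_reference(xml_text, with_comments))


def sign_like_federation(template: str) -> str:
    """Fill in DigestValue as a signer honouring the Reference's transforms would."""
    return template.replace("DIGEST_PLACEHOLDER",
                            reference_digest(template, with_comments=False))


SIGNED_METADATA = sign_like_federation(METADATA_TEMPLATE)


def reference_wants_comments(xml_text: str) -> bool:
    """True if a Transform in the Reference names a '#WithComments' C14N.

    XML Signature defaults to canonical XML without comments when no C14N
    transform is listed, so an absent or plain exc-c14n transform means the
    digest input has comments stripped.
    """
    root = ET.fromstring(xml_text)
    algorithms = [t.get("Algorithm", "") for t in root.iter(f"{{{NS_DS}}}Transform")]
    return any(a.endswith("#WithComments") for a in algorithms)


def verify_reference(xml_text: str) -> dict:
    """Compare the stored DigestValue against both canonicalization variants."""
    root = ET.fromstring(xml_text)
    stored = root.find(f".//{{{NS_DS}}}DigestValue").text.strip()
    return {
        "stored": stored,
        "matches_without_comments": reference_digest(xml_text, False) == stored,
        "matches_with_comments": reference_digest(xml_text, True) == stored,
        "transforms_want_comments": reference_wants_comments(xml_text),
    }


if __name__ == "__main__":
    result = verify_reference(SIGNED_METADATA)
    for key, value in result.items():
        print(f"{key}: {value}")
    expected = reference_digest(SIGNED_METADATA, result["transforms_want_comments"])
    print("digest per Reference transforms:", expected,
          "OK" if expected == result["stored"] else "MISMATCH")
```

Run as-is it prints that the stored digest matches only the comments-stripped canonical form, and that this is exactly what the Reference's Transforms prescribe; a verifier that chose the variant from SignedInfo's CanonicalizationMethod instead would compute the with-comments digest and reject a correctly signed document. To check a real file, replace SIGNED_METADATA with the file's contents, keeping in mind that C14N 2.0 and exclusive C14N 1.0 can differ on documents with richer namespace usage.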
- Canonicalization issue with signed SWITCH Shibboleth metadata, Andreas Åkre Solberg, 06/10/2008
- RE: [Shib-Dev] Canonicalization issue with signed SWITCH Shibboleth metadata, Scott Cantor, 06/10/2008
- Canonicalization issue with signed SWITCH Shibboleth metadata, Andreas Åkre Solberg, 06/10/2008