shibboleth-dev - RE: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
Subject: Shibboleth Developers
List archive
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
- Date: Thu, 30 Oct 2008 10:53:15 -0400
- Organization: The Ohio State University
> SAML POST Profile specifies UTF-8 encoded XMLs to be encoded with
> base64.
There's no requirement to use UTF-8 anywhere in SAML that I can think of.
> This base64 encoding causes the problem, as it does not treat
> the response xml as UTF-8.
It doesn't matter what it thinks the encoding is. Base64 operates on the
octets and produces ASCII, which should transmit cleanly no matter what the
container thinks the encoding is. At the other end, you get back the octets,
and the XML parser in the SP follows the encoding specified in the XML
declaration (or assumes UTF-8).
At least, that's my understanding of the process. If I'm wrong, it would be
in the base64 step, I guess, but I'm pretty sure base64 is ignorant of
character encoding of the data being encoded, for the simple reason that it
works on binary data too.
> I probably found the root of this problem inside opensaml2.
I don't think so.
> Here, at method populateVelocityContext,
>
> String messageXML = XMLHelper.
> nodeToString(
> messageContext.getOutboundSAMLMessage().getDOM());
I would assume nodeToString runs ignorant of the container transfer encoding,
and would probably produce UTF-8 XML by default.
> String encodedMessage =
> Base64.encodeBytes(
> messageXML.getBytes(), Base64.DONT_BREAK_LINES);
>
> I think that messageXML.getBytes() should be messageXML.getBytes("utf-8").
I don't see that it matters. XML is self-describing in a sense, and if the
transport medium is safe (and base64 is), it shouldn't affect anything. In
fact, this is exactly *why* we use base64. WS-Federation sticks the XML
directly into the form, HTML-encoded, but that is extremely messy and
vulnerable to this kind of problem.
> You are right that sysadmins should set the correct locale, but since
> SAML2 POST Profile _strictly requires_ the use of UTF-8 it should be
> better idea to enforce this inside the Java code and not on platform
> or container locales.
Where are you getting the idea that SAML 2 strictly requires UTF-8? It
wouldn't be the first time I forgot something I wrote myself, but I don't
recall writing that in the spec, and I don't see it in the spec now.
-- Scott
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, (continued)
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Chad La Joie, 10/29/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Adam Lantos, 10/29/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Chad La Joie, 10/29/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Adam Lantos, 10/29/2008
- RE: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Scott Cantor, 10/29/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Kristof BAJNOK, 10/30/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Chad La Joie, 10/30/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Kristof BAJNOK, 10/30/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Chad La Joie, 10/30/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Adam Lantos, 10/30/2008
- RE: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Scott Cantor, 10/30/2008
- Message not available
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Adam Lantos, 10/30/2008
- RE: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Scott Cantor, 10/30/2008
- Message not available
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Adam Lantos, 10/30/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Kristof BAJNOK, 10/30/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Chad La Joie, 10/30/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Kristof BAJNOK, 10/30/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Chad La Joie, 10/29/2008
- Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature, Chad La Joie, 10/30/2008
Archive powered by MHonArc 2.6.16.