Which is the proper XML exclusive canonicalization?

Question

I\'m using xmlseclibs to try and sign a SOAP document, but it does not seem to canonicalize things in the same way depending on whether I\'m signing or validating.

I\'ll

Answer 1

You are creating the DOM document improperly and trying to use the invalid in-memory tree. Either serialize and use the serialized result or properly create the namespace declarations in the tree before trying to sign. See the bug report for more information: http://code.google.com/p/xmlseclibs/issues/detail?id=6

Answer 2

Neither are the correct canonical-form!

The signing XML has a namespace declaration that comes after the non-namespace attributes, which breaks the Document Order rule:

Namespace nodes have a lesser document order position than attribute nodes.

The verification XML is missing the saml namespace node completely. Canonicalisation doesn't remove namespace nodes merely because there is no child content that references them. It only removes redundant namespace nodes (ie. namespaces that were already in effect on the parent).

I don't know enough about xmlseclibs to say why this is happening, but it's definitely wrong on both counts. FWIW the c14n function on my DOM here says:

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2010-02-04T15:27:43Z" MajorVersion="1" MinorVersion="1" ResponseID="pfxe85313e6-e688-299a-df06-30f55e24f65a">
<samlp:Status>
<samlp:StatusCode Value="samlp:Requester"></samlp:StatusCode>
</samlp:Status>
</samlp:Response>

eta: I just looked at xmlseclibs.php in the SVN, and there's not an easy fix for this as its current approach is fundamentally flawed. It tries to create a “canonicalised” DOM and then serialises it with plain old saveXML(). As there are C14N serialisation rules about attribute order and character escapes that saveXML does not promise to follow, there is no way this can possibly work.