Which is the proper XML exclusive canonicalization?

这一生的挚爱 提交于 2019-12-02 07:18:57

You are creating the DOM document improperly and trying to use the invalid in-memory tree. Either serialize and use the serialized result or properly create the namespace declarations in the tree before trying to sign. See the bug report for more information: http://code.google.com/p/xmlseclibs/issues/detail?id=6

Neither are the correct canonical-form!

The signing XML has a namespace declaration that comes after the non-namespace attributes, which breaks the Document Order rule:

Namespace nodes have a lesser document order position than attribute nodes.

The verification XML is missing the saml namespace node completely. Canonicalisation doesn't remove namespace nodes merely because there is no child content that references them. It only removes redundant namespace nodes (ie. namespaces that were already in effect on the parent).

I don't know enough about xmlseclibs to say why this is happening, but it's definitely wrong on both counts. FWIW the c14n function on my DOM here says:

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2010-02-04T15:27:43Z" MajorVersion="1" MinorVersion="1" ResponseID="pfxe85313e6-e688-299a-df06-30f55e24f65a">
<samlp:Status>
<samlp:StatusCode Value="samlp:Requester"></samlp:StatusCode>
</samlp:Status>
</samlp:Response>

eta: I just looked at xmlseclibs.php in the SVN, and there's not an easy fix for this as its current approach is fundamentally flawed. It tries to create a “canonicalised” DOM and then serialises it with plain old saveXML(). As there are C14N serialisation rules about attribute order and character escapes that saveXML does not promise to follow, there is no way this can possibly work.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!