Permalink
Browse files

Changing namespace axis sorting based on XML-C14N spec

According to http://www.w3.org/TR/xml-c14n#DocumentOrder Section 2.2:

"An element's namespace nodes are sorted lexicographically by local name
(the default namespace node, if one exists, has no local name and is
therefore lexicographically least)."

The examples on section 3.3 (element e5) also show that the default
namespace shows first after canonicalization occurs.
  • Loading branch information...
1 parent cddc990 commit 68efb5126635afb3d66714790a862176079b5f54 @dtsato dtsato committed Sep 26, 2011
@@ -165,7 +165,11 @@ def write_namespace_axis(node, visible)
}
end
- list.sort!()
+ if list.delete('xmlns')
+ list = ["xmlns"] + list.sort
+ else
+ list.sort!
+ end
list.each{|prefix|
next if (prefix == "")
ns = node.namespace(prefix)
View
@@ -1,4 +1,4 @@
-<samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="122401A9D1742640618954CDD50CEC459150836A" IssueInstant="2010-09-10T00:00:50-05:00" Version="2.0"><samlp:Status><samlp:StatusCode ID="A6B45394506685EAD93131AD335775015C49B52C" Value="urn:oasis:names:tc:SAML:2.0:status:Failure"></samlp:StatusCode></samlp:Status><samlp:Assertion ID="11B542652811C7A1AC8B8265D92AB293CCA66B26" IssueInstant="2010-09-10T00:00:50-05:00"><Issuer>example.net</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></SubjectConfirmation></Subject><Conditions NotBefore="2010-09-10T00:00:50-05:00" NotOnOrAfter="2010-09-10T12:00:50-05:00"></Conditions><AuthnStatement AuthnInstant="2010-09-10T00:00:50-05:00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name="urn:example:profiles"><AttributeValue FriendlyName="type" type="example:profile:attribute">Person</AttributeValue><AttributeValue FriendlyName="SessionID" type="example:profile:attribute">02b5e2df689b97067dc51a0cd2029510</AttributeValue><AttributeValue FriendlyName="Role" type="example:profile:role">Public</AttributeValue></Attribute></AttributeStatement></samlp:Assertion><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="122401A9D1742640618954CDD50CEC459150836A"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default saml ds xs xsi"></InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>dQskOs0c6N7GbFJ13SbozqhEQTM=
+<samlp:ArtifactResponse xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="122401A9D1742640618954CDD50CEC459150836A" IssueInstant="2010-09-10T00:00:50-05:00" Version="2.0"><samlp:Status><samlp:StatusCode ID="A6B45394506685EAD93131AD335775015C49B52C" Value="urn:oasis:names:tc:SAML:2.0:status:Failure"></samlp:StatusCode></samlp:Status><samlp:Assertion ID="11B542652811C7A1AC8B8265D92AB293CCA66B26" IssueInstant="2010-09-10T00:00:50-05:00"><Issuer>example.net</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></SubjectConfirmation></Subject><Conditions NotBefore="2010-09-10T00:00:50-05:00" NotOnOrAfter="2010-09-10T12:00:50-05:00"></Conditions><AuthnStatement AuthnInstant="2010-09-10T00:00:50-05:00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name="urn:example:profiles"><AttributeValue FriendlyName="type" type="example:profile:attribute">Person</AttributeValue><AttributeValue FriendlyName="SessionID" type="example:profile:attribute">02b5e2df689b97067dc51a0cd2029510</AttributeValue><AttributeValue FriendlyName="Role" type="example:profile:role">Public</AttributeValue></Attribute></AttributeStatement></samlp:Assertion><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="122401A9D1742640618954CDD50CEC459150836A"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default saml ds xs xsi"></InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>dQskOs0c6N7GbFJ13SbozqhEQTM=
</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>d2rgUtclTSl7q68kZTkaFo8/rBZk/NEmkeKT7qM5doiVhHF4FrMuv7NdQVbQ
Vi//wyYk6i9u8s13tsYnliSo+4xGbWl112LrAp8U2E8pLjMxqLYQHXw6qV3h
TLhKw/k8sYS54nOye9t7M0VxHl+sKfX+YZFr8EI3ST2/BKFqm5c=
@@ -0,0 +1,10 @@
+<saml:Assertion ID='s272db1ff577ed4463edc408a3d7f3571aebf1696a' IssueInstant='2010-10-28T13:35:36Z' Version='2.0' xmlns='urn:oasis:names:tc:SAML:2.0:protocol' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>
+<saml:Issuer>http://dev.example.com:8080/opensso</saml:Issuer><saml:Subject>
+<saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' NameQualifier='http://dev.example.com:8080/opensso'>person@example.com</saml:NameID><saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>
+<saml:SubjectConfirmationData InResponseTo='294e5540-c4c6-012d-1a98-0017f2dcb387' NotOnOrAfter='2010-10-28T13:45:36Z' Recipient='http://localhost:3000/auth/authenticate'/></saml:SubjectConfirmation>
+</saml:Subject><saml:Conditions NotBefore='2010-10-28T13:25:36Z' NotOnOrAfter='2010-10-28T13:45:36Z'>
+<saml:AudienceRestriction>
+<saml:Audience>saml-example</saml:Audience>
+</saml:AudienceRestriction>
+</saml:Conditions>
+<saml:AuthnStatement AuthnInstant='2010-10-28T13:35:36Z' SessionIndex='s2eddbcf944c22056cec33d0ea24a54217a164f601'><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name='name'><saml:AttributeValue xsi:type='xs:string' xmlns:xs='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>happy</saml:AttributeValue></saml:Attribute><saml:Attribute Name='uuid'><saml:AttributeValue xsi:type='xs:string' xmlns:xs='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>3c678d50-c357-012d-1a87-0017f2dcb387</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
@@ -0,0 +1,10 @@
+<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s272db1ff577ed4463edc408a3d7f3571aebf1696a" IssueInstant="2010-10-28T13:35:36Z" Version="2.0">
+<saml:Issuer>http://dev.example.com:8080/opensso</saml:Issuer><saml:Subject>
+<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="http://dev.example.com:8080/opensso">person@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+<saml:SubjectConfirmationData InResponseTo="294e5540-c4c6-012d-1a98-0017f2dcb387" NotOnOrAfter="2010-10-28T13:45:36Z" Recipient="http://localhost:3000/auth/authenticate"></saml:SubjectConfirmationData></saml:SubjectConfirmation>
+</saml:Subject><saml:Conditions NotBefore="2010-10-28T13:25:36Z" NotOnOrAfter="2010-10-28T13:45:36Z">
+<saml:AudienceRestriction>
+<saml:Audience>saml-example</saml:Audience>
+</saml:AudienceRestriction>
+</saml:Conditions>
+<saml:AuthnStatement AuthnInstant="2010-10-28T13:35:36Z" SessionIndex="s2eddbcf944c22056cec33d0ea24a54217a164f601"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="name"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">happy</saml:AttributeValue></saml:Attribute><saml:Attribute Name="uuid"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">3c678d50-c357-012d-1a87-0017f2dcb387</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
@@ -91,6 +91,16 @@ class TestXmlCanonicalizer < Test::Unit::TestCase
xml_expect = fixture("saml_expected_canonical_form.xml")
assert_equal xml_expect, xml_canonicalized
end
+
+ should "canonicalize a saml xml file with default namespace correctly" do
+ xml_canonicalizer = XML::Util::XmlCanonicalizer.new(false,true)
+
+ rexml = rexml_fixture("saml_with_default_namespace.xml")
+ xml_canonicalized = xml_canonicalizer.canonicalize(rexml)
+
+ xml_expect = fixture("saml_with_default_namespace_expected_canonical_form.xml")
+ assert_equal xml_expect, xml_canonicalized
+ end
should "canonicalize a saml file with inclusive namespaces" do
xml_canonicalizer = XML::Util::XmlCanonicalizer.new(false,true)

0 comments on commit 68efb51

Please sign in to comment.