Which algo is used? #2

Closed
Advisa opened this issue Jul 1, 2011 · 7 comments


Advisa commented Jul 1, 2011

There are several xml canonicalization algorithms. E.g.:

Canonical XML without comments: http://www.w3.org/TR/2001/REC-xml-c14n-20010315
Canonical XML with comments: http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
Exclusive XML canonicalization without comments: http://www.w3.org/2001/10/xml-exc-c14n#
Exclusive XML canonicalization with comments: http://www.w3.org/2001/10/xml-exc-c14n#WithComments

Which algo is used by canonix?

Owner

brendon commented Jul 2, 2011

Hi there, to be honest I've just inherited this gem as it was abandoned with a pretty severe bug. This gem is basically xmlcanonicalizer (lowercase) with the patch applied. I don't have intimate knowledge of how it works or which algorithm it sticks to, but I do know it canonicalises SAML messages fine, so perhaps if the SAML spec defines a particular algorithm to use, that would be it :)

I'd be happy to accept a pull request that updated the Readme to mention which algorithm it uses if you manage to find out and prove it conclusively :)


pederbl commented Jul 2, 2011

I am not sure if you support any algo fully. I am sure that you don't support Exclusive Canonicalization which is one of the standard algos for SAML.

Depending on what your goal is with this library, I think it would make more sense to build C extensions to libxml2 instead of implementing the canonicalization spec. That way you would be able to support all W3C canonicalization algos (see: http://www.w3.org/TR/xml-c14n (V 1.0), http://www.w3.org/TR/xml-exc-c14n/ (V 1.0); there is also V 1.1).

However, I think ruby-saml should be made dependent on a library that has C extensions to xmlsec instead (see: http://www.aleksey.com/xmlsec/), since that would enable ruby-saml to fully support SAML without implementing the complete specification (which is quite huge, at least compared to the effort that they seem to be willing to put into it) in Ruby.

It seems that there are not many open source developers that are willing to put in a lot of effort to implement the complete specifications for XML Security, XML Canonicalization, or SAML in Ruby. Hence, I propose that the Ruby libraries for these are transformed into C extensions instead of trying (and currently failing) to implement the full specifications.

I very much appreciate that you created this library and hope that you will see my suggestions as an idea for how things might be improved. Of course, all of the above depends on your and others' goals and desires, which I am not privy to.
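As an added example (not part of the thread, and not code from canonix or ruby-saml): a check that reads which canonicalization algorithms a SAML signature declares, using the four URIs listed in the opening post, and reports any that a given canonicalizer does not implement. The sample message, the helper names and the `supported` list passed in are assumptions made for illustration.

```ruby
require 'rexml/document'

DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#'

# The four algorithm URIs listed in the opening post of this issue.
C14N_ALGORITHMS = {
  'http://www.w3.org/TR/2001/REC-xml-c14n-20010315' => :inclusive,
  'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments' => :inclusive_with_comments,
  'http://www.w3.org/2001/10/xml-exc-c14n#' => :exclusive,
  'http://www.w3.org/2001/10/xml-exc-c14n#WithComments' => :exclusive_with_comments
}.freeze

# Constructed sample: a signed SAML response skeleton (digest and signature values omitted).
SAMPLE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:Reference URI="#_constructed-id">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
        </ds:Reference>
      </ds:SignedInfo>
    </ds:Signature>
  </samlp:Response>
XML

# Returns the distinct c14n algorithms the signature declares: the one for
# SignedInfo plus any c14n Transform on a Reference. Raises KeyError for a
# c14n URI outside the table, ArgumentError when none is declared.
def declared_c14n(xml)
  doc = REXML::Document.new(xml)
  ns = { 'ds' => DSIG_NS }
  method = REXML::XPath.first(doc, '//ds:SignedInfo/ds:CanonicalizationMethod', ns)
  raise ArgumentError, 'no ds:CanonicalizationMethod found' unless method
  uris = [method.attributes['Algorithm']]
  REXML::XPath.each(doc, '//ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform', ns) do |t|
    uri = t.attributes['Algorithm'].to_s
    uris << uri if uri.include?('c14n') # ignore non-c14n transforms such as enveloped-signature
  end
  uris.map { |uri| C14N_ALGORITHMS.fetch(uri) }.uniq
end

# `supported` is whatever the canonicalizer in use is known to implement
# (an assumption supplied by the caller); a non-empty result means verification should not proceed.
def unsupported_c14n(xml, supported)
  declared_c14n(xml).reject { |alg| supported.include?(alg) }
end
```

A digest computed with a different canonicalization than the one the signer declared will not match, so running this check before verification separates "unsupported algorithm" from "tampered message".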

Owner

brendon commented Jul 3, 2011

Thanks bro :)

You're probably right regarding using xmlsec for ruby-saml. Here's a bit of history though:

I came across all of this when trying to implement ruby-saml in my project but found that the canonicalisation was failing due to a bug in the xmlcanonicalizer (lowercase) gem. ruby-saml depended on that at the time. There was already a patch that had been created and a pull request was pending but the gem maintainer wasn't responsive so I cloned his project and renamed it, applied the patch and published canonix. I personally haven't coded any of canonix and its primary objective at this stage is to provide a canonicalisation routine that actually works for ruby-saml (at least it works for my purposes (interacting with simplesamlphp servers)). The ruby-saml team also took it on officially which is cool.

Before discovering the patch, I did stumble across xmlsec, but it failed to compile on my Mac, which to me was a bad sign. There wasn't a lot of documentation (as far as I could find) to get it to work, so I gave up on that idea. Perhaps if the gem (https://github.com/wonnage/xmlsec-ruby) compiled correctly and easily, or had clear instructions on how to get up and running quickly, it could be an option.

I think the best bet would be to encourage nokogiri to actually implement canonicalization as there seems to be a bit of a groundswell around that, and it seems like a natural place for a ruby implementation to sit.

I hope that helps :) Let me know if you have any more questions.

Owner

brendon commented Jul 3, 2011

Just to quickly follow up, I've never worked with C before and have no experience writing extensions in ruby. I'm probably the wrong person to talk to in regards to getting this done. I would be pleased however to accept patches that implemented this functionality while still maintaining the ease of installation that the current gem has :)


pederbl commented Jul 3, 2011

Makes sense.

It would be useful if you could add this information to the README. Then this issue can be closed.

Unfortunately, wonnage/xmlsec-ruby seems to be abandoned and has at least one serious bug.

Yes, let's hope Nokogiri implements full support for canonicalization.

Owner

brendon commented Jul 3, 2011

Indeed :) I've just pushed through an updated README and pointed to this issue for more details.

Sam from Relevance is currently working on pushing through some good feature additions to ruby-saml that they made a while back but could never push up due to this flawed dependency on the old xmlcanonicalizer gem. For the most part the ruby-saml gem seems to work well for simple Single Sign On, and there is a patch for Single Logout in the works also. I think the main reason why this hasn't been tackled heavily by the Ruby community is the sheer complexity of the standard, and perhaps the fact that SAML seems to be more enterprise friendly and that there aren't that many enterprise Ruby apps around willing to support it. I'm trying my hardest to get everyone on the same page with ruby-saml as it appears that many have just forked the repo, made their fixes and left it at that. :)

brendon closed this as completed Jul 3, 2011

pederbl commented Jul 3, 2011

sounds good :)
