Fixes for namespace prefixes, X509 handling etc #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 11 commits
October 4, 2010 11:24
When transforming the XML document during verification, the method calls implementing canonicalization were misspelled, so attempts to verify documents specifying the canonicalization transforms would fail.
The contents of the <X509Certificate> element were being treated as a PEM public key, rather than as a PEM certificate. This change uses Crypt::OpenSSL::X509 to convert the certificate to a public key, which permits use of this module to verify such documents.
This adds support for documents with namespaces such as SAML assertions. This module was stripping the namespace prefixes from the document as part of canonicalization, which means that verification would always fail.
This test shows that the module can be used to verify the signature on a SAML assertion using an X509 certificate.
The module was embedding a PEM-formatted public key as the value of the <X509Certificate> element, rather than the certificate. The public key was derived from the private key, so this change adds a new "cert" option to allow the corresponding certificate to be provided. This change permits the TODO in t/006_signing.t to be removed as the test now passes in its entirety.
When a document with an embedded X509 certificate has been successfully verified, the certificate will be available for verification. The certificate is returned as a Crypt::OpenSSL::X509 object.
This shows that we can successfully sign and then verify a SAML request using an X509 certificate.
The transform requested, http://www.w3.org/2001/10/xml-exc-c14n#, requests exclusive canonicalization - make sure that's what we apply.
We now use namespace prefixes when signing, on the elements we add to the document.
We canonicalize before signing, so we need to add that transform to the set in our SignedInfo. This causes the verify operation to also canonicalize. Update the signing test to show that even if the document to be signed is not already in canonical form we can successfully round- trip it.
This allows verifying signed documents where the certificate value is not included.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi,
Here's a few changes to XML::Sig which fix the problems I found trying to deal with SAML messages signed with X509 certificates:
These changes fix the "TODO" test in t/006_signing.t, and add a number of other tests. All the existing tests still pass.
I'd appreciate it if you could take a look at these changes.
Thanks,
Chris.