Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge changes from datagovsg fork #161

Merged
merged 16 commits into from
Sep 10, 2018
Merged

Merge changes from datagovsg fork #161

merged 16 commits into from
Sep 10, 2018

Conversation

LoneRifle
Copy link
Collaborator

@LoneRifle LoneRifle commented Sep 6, 2018
edited
Loading

This fork currently embodies fixes that addresses the following issues:

Fixes #113
Fixes #153
Fixes #158

Fixes #135

These are currently held in the datagovsg fork of xml-crypto, itself a fork of the Asana fork of the original.

I would also like to take the opportunity to request access to the repo so that I can merge changes, and access to the npm package so that I can cut releases for this library.

Hinaser and others added 15 commits June 8, 2018 17:48
@Hinaser
Fixed an issue where non-exclusive c14n did not import ancestors' nam…
1881583 
…espaces
@Hinaser
Added option for implicit transform
f685a74
@Hinaser
Added description for implicit transform to README
8ae1d13
@Hinaser
findAncestorNs() is now class method of SignedXml
3a8fcd8
@Hinaser
Fixed an issue where duplicate namespace could be imported from ancestor
5fb53c4
@Hinaser
Added unit test for new features
16aef2e
@Hinaser
Trying to be compatible with nodejs 0.10
79097be
@Hinaser
Trying to be compatible with node 0.10 Asana#2
e19798d
@Hinaser
Trying to be compatible with node 0.10 Asana#3
2450505
@srir
Merge pull request Asana#1 from yaronn/master
e8baf4a 
Update Asana/xml-crypto with upstream changes
@srir
Merge pull request Asana#2 from Hinaser/patch-for-non-exclusive-c14n
8d9571f 
Patch for non exclusive c14n
@srir
Fixes for canonicalization and signing
e0fe511 
- removed an old (~5y ago) hack for windows store XML canonicalization
  (and removed the test)
- fixed an issue with over-eager prefix inclusion in non-exclusive
  c14n algorithm (+ test)
- replaced a test for empty-URI that is impossible to update (because
  the private key is missing)
@meganmd
Fix default canonicalization to be non-exclusive and apply whenever t…
33f6a59 
…he output of transforms returns a node-set rather than an octet stream, which is whenever there are no transforms or the last transform is enveloped signature. Add back test for when canonicalization method is not specified in transforms
@meganmd
Merge pull request Asana#4 from Asana/megandaly-fix-auto-canonicaliza…
bcccb80 
…tion

Fix default canonicalization

Summary:
According to the Digest Method Spec [1], the DigestMethod takes a octet stream, ad if the output of the URI dereference is a node set instead, it needs to be converted as described in the Reference Processing Spec [2] to an octet stream. The Reference Processing Spec says to use Canonical XML. Enveloped Signature returns a node-set, as does dereferencing a same-document reference [3], [4]. Canonicalization algorithms are the only other transforms we support, and they all return an octet stream, so the only times we need to add canonicalization are if we haven't done any transforms or if the last one is enveloped signature.

https://www.w3.org/TR/xmldsig-core1/#sec-DigestMethod
https://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel
https://www.w3.org/TR/xmldsig-core1/#sec-EnvelopedSignature
https://www.w3.org/TR/xmldsig-core1/#sec-Same-Document
Tests:
Added back the test from when this was implemented slightly differently for Windows Mobile, checked against a SamlResponse without a canonicalization method in the transforms

Reviewer: @srir
@LoneRifle
enveloped-signature - only rm immediate child sigs
4ec5d5e 
212200b changed the xpath to match all signature nodes descended from
the specified local node. This is incorrect; the relevant spec says that
only immediate signature elements should be removed

This commit corrects the behaviour simply by changing the xpath to only
match immediate children

Fixes node-saml#135 , where further discussion can be found
@LoneRifle LoneRifle mentioned this pull request Sep 6, 2018
Merged
@yaronn
Copy link
Contributor

yaronn commented Sep 10, 2018

Hi, @LoneRifle added you as collaborator.

@LoneRifle
Copy link
Collaborator Author

I intend to make one more edit to package.json on our fork that will indicate a new release (0.10.2). Once I'm added as owner to the xml-crypto npm package, I'll publish a new release with all those changes, and tag the repo accordingly.

Thanks for having me look into this!

@LoneRifle LoneRifle merged commit 5aa48bb into node-saml:master Sep 10, 2018
@LoneRifle LoneRifle mentioned this pull request Sep 10, 2018
Closed
@yaronn
Copy link
Contributor

yaronn commented Sep 10, 2018

what's your npm username?

@LoneRifle
Copy link
Collaborator Author

LoneRifle commented Sep 10, 2018
edited
Loading

it's lonerifle (all small-caps one word)

@yaronn
Copy link
Contributor

yaronn commented Sep 10, 2018

done! can you bump a major version before publishing? given the amount of changes seems safer. also there is a github notification on a vulnerable dependency in the current source (hapijs / hoek).

@LoneRifle
Copy link
Collaborator Author

Sure, will do! I'll look into the vuln, bumping the major release, and possibly #160

@yaronn
Copy link
Contributor

yaronn commented Sep 10, 2018

thanks, you do awesome work!

@LoneRifle LoneRifle mentioned this pull request Oct 20, 2018
Closed
@cjbarth cjbarth added the bug label Jul 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
7 participants
@LoneRifle @yaronn @fcorneli @cjbarth @Hinaser @srir @meganmd