-
Notifications
You must be signed in to change notification settings - Fork 172
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modified loadSignature to only check local name and not namespace name #59
Modified loadSignature to only check local name and not namespace name #59
Conversation
i think @yaronn could you explain why |
@bjrmatos I think you are probably right. Take the following example: sig.loadSignature(xmlString)
//at this point, sig.signatureXmlDoc doesn't have reference to the namespaces declared on the root element
sig.checkSignature(xmlString)
//now we will see a failure in validateSignatureValue because getCanonXml can't find the root namespace. |
See f0d4b45 for an implementation that passes a node object (and still accepts string). |
Thanks @brianhartsock, I've pushed it to npm. @bjrmatos - initially the concept was that xml-crypto should be xml library agnostic, so I did not want to rely on any specific xmldom objects. Maybe it was a mistake since it cause a performance hit and also some semantic issues like this. |
maybe we can make this more fun :) this is my proposal: maybe we can get rid of we will always search for an enveloped signature in xmlDocument, with this we can bring it back the condition: we will only use the last parameter ( what do you think? i can send a PR :) |
obviously, this will be a breaking change |
it's a good idea though will break a lot of code, tests and documentation. if you have time you can try it and see if it is risky or not. |
@bjrmatos I am obviously a fan of sending objects that somehow have reference to the entire XML document, otherwise it is easy to accidentally lose XML NS info as this PR solved. The issue I have is that it is unclear clear what is signed when passing the xml document in. An XML document can have numerous signatures on different nodes. If that's the case, what does |
right now, i think the API is not designed for a document with multilpe with my proposal For all instances of obviously we must refactor the function a little bit to handle the case, but this is the general idea :) |
if I understand correctly you are raising two issues:
currently issue 1 is solved with this PR (with a risk that some unrelated Signature node will be captured) and issue 2 requires end user to iterate over the signatures and validate each one. I'm ok with adding checkSignature support for xmldom inputs as long as it does not break current api (e.g. string inputs should also be accepted). I agree the current API does not fit multiple signatures since you need to explicitly load a single signature and validate it. Changing this behavior for checkSignature might cause unknown regressions. But we can add a new API function checkAllSignatures to do it. |
i really think Maybe this is a good excuse for a 1.0 version, i think we should define milestones and see how it goes. New Proposal:
the user wont need to specify the signature manually, xml-crypto will do it and will support multiple signature validation. |
@bjrmatos - I like it. this sounds like a great a candidate for version 1.0.0. Is this something you have the time to start implementing? the only concern is about exposing xmldom as a direct api type (rather than string). maybe if someone is using other xml parsers it would seem strange we force them to use our parser. but maybe in the future we can be parser agnostic or support a string overload, so not a big issue. |
yes i can start it :) maybe i was not clear enough, but my idea is that both Also, do you like the idea to letting the user to validate a specific signature?, as i mentioned we can do it vía a xmlPath expression so it won't require the user to parse anything :) |
got it, sounds good. will loadSignature still work and output a deprecation message or will it throw an exception and not work at all? letting validate a specific signature is nice to have but not a must for the first release. users that wish that can strip out manually the other signatures. |
since the target of these changes is a 1.0 version i think we should just deprecate the method and remove it from the public API (it will be used internally). is a major version change, i think we won't break anyone's codebase.. only people installing the module with i will work on this very soon :) thnks for your time! |
👍 sounds good! |
@bjrmatos how would you know what parts of the xml document are signed? That's my concern. Take the following: <root>
<node1>
<Signature>...</Signature
<data>...</data>
</node1>
<node2>
<data>...</data>
</node2>
</root> In this scenario, the caller would know what parts of the document are signed and should be trusted vs. what parts should be ignored. In the case of SAML, this could be incredibly dangerous, as a signed assertion should be trusted and an unsigned one shouldn't be. A caller could easily call Maybe I don't understand your plans for |
A
|
Loading the signature for XML documents that specify the signature namespace 'http://www.w3.org/2000/09/xmldsig#' on the root element of the document doesn't work because
loadSignature
only has the signature node (as XML), and therefore doesn't have reference to it's namespace.For example:
This will effectively find the Signature element, but then break finding any Reference elements inside of the
loadSignature
function.The other way to handle this is to change
loadSignature
to accept an XML DOM Node that has reference to the document instead of just a string, however this is obviously a big breaking change.I'm no XML expert so I could be missing something, but the scenario where the NS for signature is defined on the root element is happening to me when working with a few SAML implementations.