Problem verifying integrity of signature from simplesamlphp #11

Closed
brendon opened this issue Jun 11, 2011 · 2 comments
Comments

brendon commented Jun 11, 2011

Hi there,

I'm getting mismatched hashes when trying to verify a signature generated with a simplesamlphp server that we're trying to integrate with. We have no access to that server, so can't debug from that end. Essentially the hashes don't match up at the end of the code segment below. I've checked and the incoming XML specifies that their hash was generated with SHA1. I'm wondering if anyone could give me some pointers on how to troubleshoot this kind of problem? Obviously there must be a difference in the canonicalised markup on each side.

  require 'rexml/document'
  require 'base64'
  require 'digest/sha1'
  require 'xmlcanonicalizer'

  DSIG = { "ds" => "http://www.w3.org/2000/09/xmldsig#" }

  # Recompute the digest of every ds:Reference and compare it with the DigestValue
  # sent by the IdP. `self` is the parsed response (a REXML::Document), sig_element
  # its ds:Signature. Returns false on the first mismatch.
  def validate_digests(sig_element)
    REXML::XPath.each(sig_element, ".//ds:Reference", DSIG) do |ref|
      uri                   = ref.attributes.get_attribute("URI").value
      # "#_abc" -> "_abc"; match the ID exactly instead of interpolating the
      # attacker-supplied URI into an XPath string ("//[@ID=...]" is not valid XPath)
      hashed_element        = REXML::XPath.match(self, "//*[@ID]").find { |e| e.attributes["ID"] == uri[1, uri.size] }
      canoner               = XML::Util::XmlCanonicalizer.new(false, true) # no comments, exclusive C14N
      canon_hashed_element  = canoner.canonicalize(hashed_element)
      hash                  = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
      # relative lookup: "//ds:DigestValue" searches from the document root and
      # always returns the first DigestValue in the document
      digest_value          = REXML::XPath.first(ref, "./ds:DigestValue", DSIG).text.strip
      return false unless hash == digest_value
    end
    true
  end
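The digest check sketched in the comment above, as an added example that is not code from this issue, from ruby-saml or from the xmlcanonicalizer gem. It goes further than the snippet in three ways a practitioner troubleshooting a mismatch needs: it applies the enveloped-signature transform (drop the ds:Signature inside the signed element before hashing), it resolves the Reference URI by exact ID match and refuses more than one hit (the signature-wrapping case), and it exposes the exact canonical bytes that were hashed so they can be diffed against the other side. The exclusive-C14N routine is a small stdlib-only subset written here for the example (real code should use a full canonicalizer); `DS_NS`, `ENVELOPED`, `reference_digest`, `verify_references`, `reference_report` and the sample document are all assumptions of this example, and the sample Response is constructed, not captured from an IdP.

```ruby
require 'rexml/document'
require 'base64'
require 'digest/sha1'

DS_NS = 'http://www.w3.org/2000/09/xmldsig#'.freeze

# C14N escapes text content and attribute values with different rule sets.
def c14n_text(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub("\r", '&#xD;')
end

def c14n_attr(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('"', '&quot;')
   .gsub("\t", '&#x9;').gsub("\n", '&#xA;').gsub("\r", '&#xD;')
end

# "pfx:local" -> ["pfx", "local"]; "local" -> ["", "local"] (avoids REXML::Attribute#prefix, whose behaviour varies by version)
def split_qname(qname)
  qname.include?(':') ? qname.split(':', 2) : ['', qname]
end

# Minimal exclusive C14N without comments (http://www.w3.org/2001/10/xml-exc-c14n#) for
# elements, attributes, namespace declarations and text; comments/PIs are dropped, CDATA
# becomes escaped text. `skip` is a child-node predicate (used for the enveloped transform).
# Namespaces resolve through the node's real ancestors, so a subtree is canonicalized in
# place; a deep_clone would lose prefixes declared on the Response root.
def c14n(node, rendered_ns = {}, skip: nil)
  return c14n_text(node.value) if node.is_a?(REXML::Text)
  return '' unless node.is_a?(REXML::Element)
  attrs = []; node.attributes.each_attribute { |a| attrs << a }
  plain = attrs.reject { |a| a.expanded_name == 'xmlns' || split_qname(a.expanded_name)[0] == 'xmlns' }
  # Only namespaces visibly utilized here (element prefix + prefixed attributes) are emitted,
  # and only if no output ancestor already rendered the same binding. Unused declarations
  # vanish, which is the classic reason an inclusive and an exclusive digest differ.
  used = ([node.prefix] + plain.map { |a| split_qname(a.expanded_name)[0] }.reject(&:empty?)).uniq - ['xml']
  ns_out = rendered_ns.dup
  ns_str = used.sort.map do |p|
    uri = node.namespace(p).to_s
    next nil if rendered_ns.fetch(p, '') == uri
    ns_out[p] = uri
    name = p.empty? ? 'xmlns' : "xmlns:#{p}"
    %( #{name}="#{c14n_attr(uri)}")
  end.compact.join
  attr_str = plain.sort_by { |a| pfx, local = split_qname(a.expanded_name); [pfx.empty? ? '' : node.namespace(pfx).to_s, local] }
                  .map { |a| %( #{a.expanded_name}="#{c14n_attr(a.value)}") }.join
  body = node.children.reject { |c| skip && skip.call(c) }
             .map { |c| c14n(c, ns_out, skip: skip) }.join
  "<#{node.expanded_name}#{ns_str}#{attr_str}>#{body}</#{node.expanded_name}>"
end

# Enveloped-signature transform: the ds:Signature sitting inside the signed element was
# not part of what the IdP hashed. Forgetting it is the other classic cause of a mismatch.
ENVELOPED = ->(n) { n.is_a?(REXML::Element) && n.name == 'Signature' && n.namespace == DS_NS }

def reference_digest(element)
  Base64.strict_encode64(Digest::SHA1.digest(c14n(element, skip: ENVELOPED)))
end

# Resolve a Reference by exact ID match (never interpolate the attacker-supplied URI into
# an XPath string) and demand exactly one hit: a second element carrying the signed ID is
# the signature-wrapping pattern.
def resolve_reference(doc, ref)
  id = ref.attributes['URI'].to_s.sub(/\A#/, '')
  targets = REXML::XPath.match(doc, '//*[@ID]').select { |e| e.attributes['ID'] == id }
  dv = REXML::XPath.first(ref, './ds:DigestValue', 'ds' => DS_NS)
  [id, targets, dv ? dv.text.to_s.strip : '']
end

def verify_references(doc)
  refs = REXML::XPath.match(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', 'ds' => DS_NS)
  return false if refs.empty?
  refs.all? do |ref|
    _id, targets, claimed = resolve_reference(doc, ref)
    targets.size == 1 && reference_digest(targets.first) == claimed
  end
end

# Troubleshooting view: the exact bytes this side hashed next to both digests. Diffing
# :canonical against the other side's output (or a known-good canonicalizer) finds the gap.
def reference_report(doc)
  REXML::XPath.match(doc, '//ds:Reference', 'ds' => DS_NS).map do |ref|
    id, targets, claimed = resolve_reference(doc, ref)
    canonical = targets.size == 1 ? c14n(targets.first, skip: ENVELOPED) : nil
    { id: id, matches: targets.size, claimed: claimed, canonical: canonical,
      computed: canonical && Base64.strict_encode64(Digest::SHA1.digest(canonical)) }
  end
end

# Constructed sample, not a real IdP response: an enveloped signature over the Assertion
# whose DigestValue is filled in with this block's own digest so the happy path runs offline.
def sample_signed_document
  doc = REXML::Document.new(<<~XML)
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
      <saml:Assertion ID="_a1" IssueInstant="2011-06-11T00:00:00Z"><saml:Issuer>https://idp.example.test</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
    </samlp:Response>
  XML
  REXML::XPath.first(doc, '//ds:DigestValue', 'ds' => DS_NS).text =
    reference_digest(REXML::XPath.first(doc, "//*[@ID='_a1']"))
  doc
end
```

`reference_report(doc)` is the piece to reach for when the digests disagree: write `:canonical` to a file and compare it byte for byte with what the IdP side (or a second canonicalizer) produces. In practice the difference is almost always one of the things this example makes explicit: an unused namespace declaration kept by inclusive C14N, a ds:Signature that was not stripped, or prefixes that were lost because the subtree was cloned out of its document before canonicalization.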
brendon commented Jun 13, 2011

It turns out that the cause of the incorrect hashing is a bug in the xmlcanonicalizer gem that you rely on.

A patch has already been submitted that fixes the problem, but the maintainer of the gem doesn't seem to have applied it. I have tested the patch and it does indeed work:

andrewferk/xmlcanonicalizer#1

I'll leave this open and monitor the progress with getting the patch accepted.

brendon commented Jun 16, 2011

Will open a new ticket regarding shifting the dependency on what seems like an abandoned gem.

@brendon brendon closed this as completed Jun 16, 2011