I'm getting mis-matched hashes when trying to verify a signature generated with a simplesamlphp server that we're trying to integrate with. We have no access to that server, so can't debug from that end. Essentially the hashes don't match up at the end of the code segment below. I've checked and the incoming XML specifies that their hash was generated with SHA1. I'm wondering if anyone could give me some pointers on how to troubleshoot this kind of problem? Obviously there must be a difference in the canonicalised markup on each side.
```ruby
require "rexml/document"
require "base64"
require "digest/sha1"
require "xmlcanonicalizer" # gem 'xmlcanonicalizer', provides XML::Util::XmlCanonicalizer

DS_NS = { "ds" => "http://www.w3.org/2000/09/xmldsig#" }

REXML::XPath.each(sig_element, "//ds:Reference", DS_NS) do |ref|
  uri = ref.attributes.get_attribute("URI").value
  # URI is "#id"; the XPath must select an element ("*"), "//[@ID=...]" is not valid XPath
  hashed_element = REXML::XPath.first(self, "//*[@ID='#{uri[1, uri.size]}']")
  canoner = XML::Util::XmlCanonicalizer.new(false, true)
  canon_hashed_element = canoner.canonicalize(hashed_element)
  hash = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
  # Relative path: "//ds:DigestValue" searches from the document root and
  # returns the first Reference's digest for every Reference.
  digest_value = REXML::XPath.first(ref, "ds:DigestValue", DS_NS).text.strip
  valid_flag = hash == digest_value
  return valid_flag if !valid_flag
end
```
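As an added illustration (not code from the issue or from the project), here is the reference-digest check written so that it reports a result per Reference, which is what you need when localising a mismatch like the one above. It assumes only REXML and Digest from the Ruby stdlib; because the stdlib has no C14N implementation, the canonicaliser is a pluggable proc and the default is a plain REXML serialisation stand-in, so the constructed document is signed and verified with the same serialisation. The element names, IDs and subjects are constructed for the example.

```ruby
require 'rexml/document'
require 'digest/sha1'

DS_NS = { 'ds' => 'http://www.w3.org/2000/09/xmldsig#' }

# Stand-in for C14N: Ruby's stdlib has no XML canonicalizer, so this example
# serialises with REXML. A real verifier must apply the exact C14N algorithm
# named in the signature (e.g. the xmlcanonicalizer gem or Nokogiri#canonicalize),
# otherwise the two sides hash different bytes and the digests never match.
STANDIN_C14N = ->(element) { element.to_s }

# Base64 without a trailing newline (pack('m0') is equivalent to Base64.strict_encode64).
def digest_of(element, canon)
  [Digest::SHA1.digest(canon.call(element))].pack('m0')
end

# Constructed two-reference document; DigestValues are filled in with the same
# stand-in canonicalizer so a correct verifier accepts it. tamper: true edits
# the first assertion after signing.
def build_signed_doc(canon: STANDIN_C14N, tamper: false)
  doc = REXML::Document.new(<<~XML)
    <Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <Assertion ID="a1"><Subject>alice</Subject></Assertion>
      <Assertion ID="a2"><Subject>bob</Subject></Assertion>
      <ds:Signature><ds:SignedInfo>
        <ds:Reference URI="#a1"><ds:DigestValue/></ds:Reference>
        <ds:Reference URI="#a2"><ds:DigestValue/></ds:Reference>
      </ds:SignedInfo></ds:Signature>
    </Response>
  XML
  REXML::XPath.each(doc, '//ds:Reference', DS_NS) do |ref|
    target = REXML::XPath.first(doc, "//*[@ID='#{ref.attributes['URI'].delete_prefix('#')}']")
    REXML::XPath.first(ref, 'ds:DigestValue', DS_NS).text = digest_of(target, canon)
  end
  REXML::XPath.first(doc, "//Assertion[@ID='a1']/Subject").text = 'mallory' if tamper
  doc
end

# Returns { id => true/false } so a mismatch can be pinned to one element.
# 'ds:DigestValue' is relative to the Reference; '//ds:DigestValue' would
# search from the document root and return the first digest for every Reference.
def verify_references(doc, canon: STANDIN_C14N)
  results = {}
  REXML::XPath.each(doc, '//ds:Reference', DS_NS) do |ref|
    id = ref.attributes['URI'].to_s.delete_prefix('#')
    target = REXML::XPath.first(doc, "//*[@ID='#{id}']")
    dv = REXML::XPath.first(ref, 'ds:DigestValue', DS_NS)
    expected = dv ? dv.text.to_s.strip : ''
    # An unresolvable reference or empty digest is a failure, never a skip.
    results[id] = !target.nil? && !expected.empty? && digest_of(target, canon) == expected
  end
  results
end
```

When chasing a real mismatch, pass the production canonicalizer as `canon` and also print `canon.call(target)` for the failing id, since the bytes that were hashed are the only thing worth comparing against the signer's side.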
It turns out that the cause of the incorrect hashing is a bug in the xmlcanonicalizer gem that you rely on.
A patch has already been submitted that fixes the problem, but the maintainer of the gem doesn't seem to have applied it. I have tested the patch and it does indeed work: