enveloped transformation + exclusive-canonicalization

[siacomuzzi]

Can both algorithms work together? I'm getting a digest mismatch error with the following "transforms" element:

<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs saml xsi"/>
  </ds:Transform>
 </ds:Transforms>

Thanks

[siacomuzzi]

I'll try with this -> #48

[siacomuzzi]

I fixed that with your workaround, thanks @yaronn !

But I'm wondering if these namespaces should be added in the SAML assertion element by my SAML Identity Provider or it should be handled from my side (xml-crypto code in this case).

[siacomuzzi]

the following works for me (before call to this.getCanonXml):

if (ref.inclusiveNamespacesPrefixList) {
  var prefixList = ref.inclusiveNamespacesPrefixList instanceof Array ? ref.inclusiveNamespacesPrefixList : ref.inclusiveNamespacesPrefixList.split(' ');
  var supported_definitions = {
    'xs': 'http://www.w3.org/2001/XMLSchema',
    'xsi': 'http://www.w3.org/2001/XMLSchema-instance',
    'saml': 'urn:oasis:names:tc:SAML:2.0:assertion'
  }

  prefixList.forEach(function (prefix) {
    if (supported_definitions[prefix]) {
      elem[0].setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:' + prefix, supported_definitions[prefix]);
    }
  });
}

[yaronn]

great this works out and thanks for sharing the solution!

[bjrmatos]

@yaronn is this something that we can put in core? what needs to be done to make it ready? i have no idea which is the behaviour of InclusiveNamespaces transform 😃

[bjrmatos]

related to #60

[siacomuzzi]

I don't know why yet, but the following is not working with my workaround:

<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
  </ds:Transform>
</ds:Transforms>

If I apply the workaround then I'm getting the digest mismatch error again.
But if I don't apply the workaround, digest verification works as expected.

saml assertion BEFORE workaround:

<saml2:Assertion Version="2.0" ID="_57da42f4cac42dd0e5510bc8cc3d2d3281e441" IssueInstant="2015-09-28T10:06:31Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  ...

saml assertion AFTER workaround:

<saml2:Assertion Version="2.0" ID="_57da42f4cac42dd0e5510bc8cc3d2d3281e441" IssueInstant="2015-09-28T10:06:31Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  ...