Skip to content

Remove namespace-breaking reserialization of signature from example in README#105

Merged
bjrmatos merged 1 commit intonode-saml:masterfrom
brownstein:fix-verification-doc
Apr 11, 2016
Merged

Remove namespace-breaking reserialization of signature from example in README#105
bjrmatos merged 1 commit intonode-saml:masterfrom
brownstein:fix-verification-doc

Conversation

@brownstein
Copy link
Contributor

@brownstein brownstein commented Apr 11, 2016

This is a fix for the example signature validation documentation; the toString() call on the signature node turns out to be harmful, as it removes namespace metadata which would otherwise propagate from the parent document. In situations where the namespace is ds, this works out ok (as ds is provided as a default) but when using other strings for this namespace the example boilerplate fails.

In the example below, the definition of dsig would be undefined in a toString-orphaned signature, and the canonicalization algorithm would resolve the url as an empty string -- changing the underlying canonical text and causing the SignatureValue verification to fail.

<samlp:Response ... xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  ...
    <dsig:Signature>
      <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference URI="#id-2f7VgU-0XBjCqhLN2NWJyb-e5F2gWKOV9KT-c1nD">
          <dsig:Transforms>
            <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transforms>
          <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <dsig:DigestValue>...</dsig:DigestValue>
        </dsig:Reference>
      </dsig:SignedInfo>
     <dsig:SignatureValue>...</dsig:SignatureValue>
    </dsig:Signature>
  ...
</samlp:Response>

PR fixes this in the example, which realistically will get used as boilerplate in many integrations of this library. Having just spent three days chasing down the cause of one of our SAML integration failures, I think its a useful change.

@bjrmatos bjrmatos merged commit 3142b39 into node-saml:master Apr 11, 2016
@bjrmatos
Copy link
Contributor

bjrmatos commented Apr 11, 2016

thnk you! you're right toString() is considered harmful.. if you find other examples using it please send a PR 😄

@yaronn
Copy link
Contributor

yaronn commented Apr 11, 2016

@brownstein - sorry to hear it wasted you a few days to chase this (been there...) but so great that you came back with this PR!

cmordue added a commit to cmordue/saml20 that referenced this pull request Dec 13, 2017
@cmordue
Fix issue where SAML assertion validation fails if namespace is not d…
88cc927 
…efined on Signature node.

Remove namespace-breaking reserialization of signature which used to be in the documented example from xml-crypto but was removed due to this bug
See: node-saml/xml-crypto#105
This was referenced Dec 13, 2017
Open
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@brownstein @bjrmatos @yaronn @cjbarth