Reputation: 175
Writing in the 4D language, I had to write low-level canonicalization functions to check signatures on XML. It worked fine for a dozen cases, and now I'm up against a new difficulty: the XML includes an "InclusiveNamespaces" transformation. I think that's what is breaking my signature-check algorithm, and I can't figure out how it is supposed to work. My initial XML looks something like:
<saml2:Assertion ID="1234"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#1234">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="xs"
                                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>xxx</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
  <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="myAttribute"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xs:string">STRING</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
So I have an "Inclusive Namespace" for "xs", which is used in the xsi:type attribute value of the saml2:AttributeValue. My question is: what am I supposed to do with it in my canonicalization algorithm? With my current algorithm, it is simply removed, as it is not visibly used by any element or attribute, but I'm not sure where it is supposed to be kept. The RFC does mention this case, but not in enough detail for me to figure this out... Any help is appreciated, including if you have your own code that can canonicalize my example XML and return the correct value. :)
Upvotes: 1
Views: 1047
Reputation: 108
With inclusive canonicalization, you shall include all parent namespaces in the node being canonicalized, even if the namespace is not used within the node itself or its children. Please see the specification for more details.
Upvotes: 0
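Worked example, added here as an illustration and not part of the original question or answer (it is not the asker's 4D code and not a library). The rule from the xml-exc-c14n specification that the question is asking about: exclusive canonicalization emits a namespace declaration on an element only if that element visibly utilizes the prefix (in its own name or in one of its attribute names; a prefix inside an attribute value such as xsi:type="xs:string" does not count, which is exactly why the signer had to list xs) and the nearest output ancestor has not already emitted the same prefix with the same value. Prefixes named in the InclusiveNamespaces PrefixList are handled as in inclusive Canonical XML instead: emitted wherever they are in scope, unless the nearest output ancestor already emitted them with the same value. The answer above states that inclusive rule; under exc-c14n it applies only to the listed prefixes. For the question's document that means xmlns:xs is emitted exactly once, on the saml2:Assertion start tag, and the asker's algorithm should stop dropping it. The sample document below is constructed: it is the question's assertion with inter-element whitespace removed and ds:SignedInfo collapsed; the function names exc_c14n, digest_value and is_signature, and the choice to model the enveloped-signature transform as dropping the ds:Signature subtree, are this example's own.

```python
"""Exclusive XML canonicalization (xml-exc-c14n) with an InclusiveNamespaces PrefixList.
Added illustration for this thread, not the asker's 4D code and not a library.  Covers only
what the question's document needs: elements, attributes, text, xmlns declarations and the
exclusion of one subtree.  No comments, PIs, xml:* inheritance, DTDs or "#default" in the list."""
import base64
import hashlib
import xml.parsers.expat

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ESC_TEXT = {"&": "&amp;", "<": "&lt;", ">": "&gt;", "\r": "&#xD;"}
ESC_ATTR = {"&": "&amp;", "<": "&lt;", '"': "&quot;", "\t": "&#x9;", "\n": "&#xA;", "\r": "&#xD;"}

def esc(s, table):
    return "".join(table.get(c, c) for c in s)

class Node:
    """One element: raw prefixed name, its own xmlns declarations, attributes, children."""
    def __init__(self, name, attrs, parent):
        self.name, self.parent = name, parent
        self.prefix, _, self.local = name.rpartition(":")      # prefix == "" if unprefixed
        self.nsdecls, self.attrs, self.children = {}, {}, []
        for k, v in attrs.items():
            if k == "xmlns" or k.startswith("xmlns:"):
                self.nsdecls[k[6:]] = v                        # "xmlns" -> "" (default ns)
            else:
                self.attrs[k] = v

def parse(xml_text):
    """Tree built with expat's namespace processing OFF: prefixes and xmlns stay verbatim."""
    p, root, stack = xml.parsers.expat.ParserCreate(), [], []

    def start(name, attrs):
        node = Node(name, attrs, stack[-1] if stack else None)
        (stack[-1].children if stack else root).append(node)
        stack.append(node)
    p.StartElementHandler = start
    p.EndElementHandler = lambda name: stack.pop()
    p.CharacterDataHandler = lambda data: stack[-1].children.append(data)
    p.buffer_text = True
    p.Parse(xml_text, True)
    return root[0]

def in_scope(node):
    """xmlns declarations in scope at node, nearest declaration winning."""
    return {} if node is None else {**in_scope(node.parent), **node.nsdecls}

def canonicalize(node, inclusive, exclude, rendered=None):
    """Render node; `rendered` maps prefix -> uri already emitted by an output ancestor."""
    rendered, scope = dict(rendered or {}), in_scope(node)
    # Visibly utilized prefixes: the element's own plus those of its prefixed attributes.
    used = {node.prefix} | {a.rpartition(":")[0] for a in node.attrs if ":" in a}
    fresh = {}
    for prefix, uri in scope.items():
        if prefix == "" and uri == "" and not rendered.get(""):
            continue                      # xmlns="" only undoes a rendered default namespace
        # PrefixList prefixes follow the inclusive rule (being in scope is enough); every
        # other prefix follows the exclusive rule (must be visibly utilized by this element).
        if (prefix in inclusive or prefix in used) and rendered.get(prefix) != uri:
            fresh[prefix] = uri           # nearest output ancestor did not emit this value
    rendered.update(fresh)
    out = ["<" + node.name]
    for prefix in sorted(fresh):          # default namespace first, then by prefix
        out.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", esc(fresh[prefix], ESC_ATTR)))

    def attr_key(a):                      # no-namespace attributes first, then (uri, local)
        p, _, local = a.rpartition(":")
        return (scope.get(p, "") if p else "", local)
    for a in sorted(node.attrs, key=attr_key):
        out.append(' %s="%s"' % (a, esc(node.attrs[a], ESC_ATTR)))
    out.append(">")
    for child in node.children:
        if isinstance(child, str):
            out.append(esc(child, ESC_TEXT))
        elif not (exclude and exclude(child)):
            out.append(canonicalize(child, inclusive, exclude, rendered))
    return "".join(out) + "</%s>" % node.name   # C14N never uses the <x/> empty form

def is_signature(node):      # stand-in for the enveloped-signature transform
    return node.local == "Signature" and in_scope(node).get(node.prefix) == DSIG_NS

def exc_c14n(xml_text, inclusive_prefixes=(), exclude=is_signature):
    """Canonical form with the document element as apex (the question's Reference
    URI="#1234" names the root Assertion, so that whole subtree is digested)."""
    return canonicalize(parse(xml_text), set(inclusive_prefixes), exclude)

def digest_value(canonical):
    """Base64(SHA-256(UTF-8 bytes)): the <ds:DigestValue> for DigestMethod xmlenc#sha256."""
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode("ascii")

# Constructed sample: the question's document minus inter-element whitespace (C14N keeps
# whitespace text nodes, so a real assertion must be hashed exactly as received).
SAMPLE = (
    '<saml2:Assertion ID="1234" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:xs="http://www.w3.org/2001/XMLSchema">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>'
    '<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml2:Attribute Name="myAttribute" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
    '<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">STRING</saml2:AttributeValue>'
    '</saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>'
)
```

Calling exc_c14n(SAMPLE, ["xs"]) yields the Assertion start tag with xmlns:saml2, xmlns:xs and then ID (namespace declarations first, sorted by prefix, then attributes), an AttributeStatement tag with no declarations at all (saml2 and xs were both emitted by the output ancestor with the same values), and an AttributeValue tag carrying only xmlns:xsi, because xs is in scope with the same value the root already emitted and xsi is visibly utilized by the xsi:type attribute. Calling it with an empty PrefixList reproduces the asker's current behaviour, where xs disappears everywhere, and digest_value of the two forms differs, which is the mismatch against ds:DigestValue being seen. When checking a real assertion, resolve URI="#1234" to exactly one element (reject a document in which that ID occurs more than once) and digest that element's canonical form; the bytes of the received document, whitespace included, are what the signer hashed.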