[Mono-dev] Bug in SignedXml.GetIdElement
Jonathan Gagnon
jonathan.gagnon at croesus.com
Wed Jul 17 12:25:09 UTC 2013
On Tue, Jul 16, 2013 at 12:16 PM, Atsushi Eno <
atsushieno at veritas-vos-liberabit.com> wrote:
> Jonathan Gagnon wrote:
>
>> It does not work when the SAML document is not referring to any DTD. In
>> my case, I receive the following exception when I call the CheckSignature
>> method :
>>
>> System.Security.Cryptography.**CryptographicException: Malformed
>> reference object: [referenceId]
>> at System.Security.Cryptography.**Xml.SignedXml.GetReferenceHash
>> (System.Security.Cryptography.**Xml.Reference r, Boolean check_hmac)
>> [0x00000] in <filename unknown>:0
>> at System.Security.Cryptography.**Xml.SignedXml.**CheckReferenceIntegrity
>> (System.Collections.ArrayList referenceList) [0x00000] in <filename
>> unknown>:0
>> at System.Security.Cryptography.**Xml.SignedXml.**CheckSignatureInternal
>> (System.Security.Cryptography.**AsymmetricAlgorithm key) [0x00000] in
>> <filename unknown>:0
>> at System.Security.Cryptography.**Xml.SignedXml.CheckSignature
>> (System.Security.Cryptography.**AsymmetricAlgorithm key) [0x00000] in
>> <filename unknown>:0
>> at TestSAML.Program.Main (System.String[] args) [0x00000] in <filename
>> unknown>:0
>>
>
> Of course it happens because you should be processing corresponding DTD or
> XML Schema.
>
>
>
>> The same code works in .NET and it does work if I modify the GetIdElement
>> method to check for "ID".
>>
>> So in your opinion, I should create a class that derives from SignedXml
>> and override GetIdElement?
>>
>
> I'm not sure I would like to answer yes (if you want to have ID being
> processed) or no (you should actually process DTD or XSD).
>
>
I added references to the corresponding XSDs but it doesn't seem to help.
I'm still getting the same exception.
>
>
>> It does fix the problem for me. But wouldn't it be better to modify
>> SignedXml.GetIdElement() to behave more like .NET so that other users don't
>> encounter the same problem?
>>
>>
> I don't support any use of API that violates W3C specification.
>
>From what I understand, the W3C specification is only about the signature
part of a signed xml. There is nothing regarding other parts of the signed
XML, and the SAML standard defines the id differently. So I'm not sure
that supporting SAML ids would violate the W3C specification.
>
> Though I'm just pointing out the facts. There may be people who want to
> take responsibility on the entire XML Signature stuff and go ahead to apply
> the changes.
>
> Atsushi Eno
>
> Thanks,
>>
>> Jonathan
>>
>>
>> On Tue, Jul 16, 2013 at 10:24 AM, Atsushi Eno <atsushieno at veritas-vos-**
>> liberabit.com <atsushieno at veritas-vos-liberabit.com> <mailto:
>> atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>>>
>> wrote:
>>
>> Whenever SAML document instance refers to its schema or DTD that
>> will validate "ID" attribute as expected, since SignedXml
>> internally uses XmlDocument.GetElementById () which is expected to
>> collect "IDs" where "IDs" means a validated ID by
>> XmlValidatingReader or any XmlReader that has XmlReaderSettings to
>> consider XmlSchema or DTD. Hence that does not cause any problem
>> for SAML.
>>
>> (Also note that SignedXml implementation could override
>> SignedXml.GetIdElement(). Mono's WCF implementation makes use of
>> it to support WS-Security ID attribute.)
>>
>> Atsushi Eno
>>
>> Jonathan Gagnon wrote:
>>
>> This is true for the signature, but not true for SAML
>> assertions, where ids are defined as "ID" :
>>
>> http://schemas.stylusstudio.**com/saml/nea261b70/**
>> complexType_AssertionType.html<http://schemas.stylusstudio.com/saml/nea261b70/complexType_AssertionType.html>
>>
>> I don't know in which case we would need "id" in lowercase,
>> but since .NET supports it, there is probably a valid reason
>> for it too.
>>
>> *Jonathan Gagnon*
>> Responsable des architectures systèmes
>> 600, boulevard Armand-Frappier, bureau 200
>> Laval (Québec) H7V 4B4
>> Canada
>> T : 450-662-6101 <tel:450-662-6101> poste 234
>> <http://www.croesus.com>
>> <http://www.facebook.com/**pages/Croesus-Finansoft/**
>> 345020305606240<http://www.facebook.com/pages/Croesus-Finansoft/345020305606240>
>> ><http://www.**linkedin.com/company/croesus-**
>> finansoft?trk=hb_tab_compy_id_**26141<http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141>
>> ><https://twitter.com/**CroesusFin <https://twitter.com/CroesusFin>>
>>
>>
>>
>> On Tue, Jul 16, 2013 at 2:30 AM, Atsushi Eno
>> <atsushieno at veritas-vos-**liberabit.com<atsushieno at veritas-vos-liberabit.com>
>> <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>> >
>> <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>>
>> <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>>>>
>> wrote:
>>
>> W3C XML Signature specification explicitly "Id" as the valid
>> attribute name for referencing an element, by its XML
>> Schema and DTD:
>> http://www.w3.org/TR/xmldsig-**core/#sec-Signature<http://www.w3.org/TR/xmldsig-core/#sec-Signature>
>> http://www.w3.org/TR/xmldsig-**core/#sec-SignatureValue<http://www.w3.org/TR/xmldsig-core/#sec-SignatureValue>
>> http://www.w3.org/TR/xmldsig-**core/#sec-SignedInfo<http://www.w3.org/TR/xmldsig-core/#sec-SignedInfo>
>> http://www.w3.org/TR/xmldsig-**core/#sec-Reference<http://www.w3.org/TR/xmldsig-core/#sec-Reference>
>> http://www.w3.org/TR/xmldsig-**core/#sec-KeyInfo<http://www.w3.org/TR/xmldsig-core/#sec-KeyInfo>
>> http://www.w3.org/TR/xmldsig-**core/#sec-Object<http://www.w3.org/TR/xmldsig-core/#sec-Object>
>> http://www.w3.org/TR/xmldsig-**core/#sec-Manifest<http://www.w3.org/TR/xmldsig-core/#sec-Manifest>
>> http://www.w3.org/TR/xmldsig-**core/#sec-SignatureProperties<http://www.w3.org/TR/xmldsig-core/#sec-SignatureProperties>
>>
>> If Microsoft treats "id" or "ID" attributes as if they were ID
>> (and not "iD" ?), they will have to fix their bug.
>>
>> Atsushi Eno
>>
>> (2013年07月12日 23:58), Jonathan Gagnon wrote:
>>
>> I have encountered a bug similar to 4938
>> <https://bugzilla.xamarin.com/**show_bug.cgi?id=4938<https://bugzilla.xamarin.com/show_bug.cgi?id=4938>
>> >.
>>
>>
>> My problem is that mono does not find the reference id
>> because
>> the id is in uppercase ('ID' instead of 'Id'). This works
>> correctly on .NET.
>>
>> As stated in the bug description, the problem is in the
>> SignedXml class, GetIdElement method.
>>
>> I wrote a very simple patch that fixes the problem by
>> looking
>> for "id" and "ID". Should I do a pull request with
>> that fix?
>>
>> *Jonathan Gagnon*
>>
>> Responsable des architectures systèmes
>> 600, boulevard Armand-Frappier, bureau 200
>> Laval (Québec) H7V 4B4
>> Canada
>> T : 450-662-6101 <tel:450-662-6101> <tel:450-662-6101
>>
>> <tel:450-662-6101>> poste 234
>>
>> <http://www.croesus.com>
>> <http://www.facebook.com/**
>> pages/Croesus-Finansoft/**345020305606240<http://www.facebook.com/pages/Croesus-Finansoft/345020305606240>
>> ><http://www.**linkedin.com/company/croesus-**
>> finansoft?trk=hb_tab_compy_id_**26141<http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141>
>> ><https://twitter.com/**CroesusFin <https://twitter.com/CroesusFin>>
>>
>>
>>
>> ______________________________**_________________
>> Mono-devel-list mailing list
>> Mono-devel-list at lists.ximian.**com<Mono-devel-list at lists.ximian.com>
>> <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>> >
>> <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>> <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>> >>
>> http://lists.ximian.com/**mailman/listinfo/mono-devel-**list<http://lists.ximian.com/mailman/listinfo/mono-devel-list>
>>
>>
>>
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ximian.com/pipermail/mono-devel-list/attachments/20130717/3127bb26/attachment.html>
More information about the Mono-devel-list
mailing list