[Mono-dev] Bug in SignedXml.GetIdElement
Atsushi Eno
atsushieno at veritas-vos-liberabit.com
Fri Jul 19 17:05:01 UTC 2013
(2013年07月17日 21:25), Jonathan Gagnon wrote:
>
>
> On Tue, Jul 16, 2013 at 12:16 PM, Atsushi Eno
> <atsushieno at veritas-vos-liberabit.com
> <mailto:atsushieno at veritas-vos-liberabit.com>> wrote:
>
> Jonathan Gagnon wrote:
>
> It does not work when the SAML document is not referring to
> any DTD. In my case, I receive the following exception when I
> call the CheckSignature method :
>
> System.Security.Cryptography.CryptographicException: Malformed
> reference object: [referenceId]
> at
> System.Security.Cryptography.Xml.SignedXml.GetReferenceHash
> (System.Security.Cryptography.Xml.Reference r, Boolean
> check_hmac) [0x00000] in <filename unknown>:0
> at
> System.Security.Cryptography.Xml.SignedXml.CheckReferenceIntegrity
> (System.Collections.ArrayList referenceList) [0x00000] in
> <filename unknown>:0
> at
> System.Security.Cryptography.Xml.SignedXml.CheckSignatureInternal
> (System.Security.Cryptography.AsymmetricAlgorithm key)
> [0x00000] in <filename unknown>:0
> at System.Security.Cryptography.Xml.SignedXml.CheckSignature
> (System.Security.Cryptography.AsymmetricAlgorithm key)
> [0x00000] in <filename unknown>:0
> at TestSAML.Program.Main (System.String[] args) [0x00000] in
> <filename unknown>:0
>
>
> Of course it happens because you should be processing
> corresponding DTD or XML Schema.
>
>
>
> The same code works in .NET and it does work if I modify the
> GetIdElement method to check for "ID".
>
> So in your opinion, I should create a class that derives from
> SignedXml and override GetIdElement?
>
>
> I'm not sure I would like to answer yes (if you want to have ID
> being processed) or no (you should actually process DTD or XSD).
>
>
> I added references to the corresponding XSDs but it doesn't seem to
> help. I'm still getting the same exception.
Because you didn't set up XmlDocument properly to process XSDs. (You're
discussing you're doing right without showing code.)
>
>
> It does fix the problem for me. But wouldn't it be better to
> modify SignedXml.GetIdElement() to behave more like .NET so
> that other users don't encounter the same problem?
>
>
> I don't support any use of API that violates W3C specification.
>
>
> From what I understand, the W3C specification is only about the
> signature part of a signed xml. There is nothing regarding other
> parts of the signed XML, and the SAML standard defines the id
> differently. So I'm not sure that supporting SAML ids would violate
> the W3C specification.
I don't understand your discussion. Any additional local attributes that
do not conform to the XML Schema defined in xmldsig specification
violates XML schema validation.
Atsushi Eno
>
> Though I'm just pointing out the facts. There may be people who
> want to take responsibility on the entire XML Signature stuff and
> go ahead to apply the changes.
>
> Atsushi Eno
>
> Thanks,
>
> Jonathan
>
>
> On Tue, Jul 16, 2013 at 10:24 AM, Atsushi Eno
> <atsushieno at veritas-vos-liberabit.com
> <mailto:atsushieno at veritas-vos-liberabit.com>
> <mailto:atsushieno at veritas-vos-liberabit.com
> <mailto:atsushieno at veritas-vos-liberabit.com>>> wrote:
>
> Whenever SAML document instance refers to its schema or
> DTD that
> will validate "ID" attribute as expected, since SignedXml
> internally uses XmlDocument.GetElementById () which is
> expected to
> collect "IDs" where "IDs" means a validated ID by
> XmlValidatingReader or any XmlReader that has
> XmlReaderSettings to
> consider XmlSchema or DTD. Hence that does not cause any
> problem
> for SAML.
>
> (Also note that SignedXml implementation could override
> SignedXml.GetIdElement(). Mono's WCF implementation makes
> use of
> it to support WS-Security ID attribute.)
>
> Atsushi Eno
>
> Jonathan Gagnon wrote:
>
> This is true for the signature, but not true for SAML
> assertions, where ids are defined as "ID" :
>
> http://schemas.stylusstudio.com/saml/nea261b70/complexType_AssertionType.html
>
> I don't know in which case we would need "id" in
> lowercase,
> but since .NET supports it, there is probably a valid
> reason
> for it too.
>
> *Jonathan Gagnon*
> Responsable des architectures systèmes
> 600, boulevard Armand-Frappier, bureau 200
> Laval (Québec) H7V 4B4
> Canada
> T : 450-662-6101 <tel:450-662-6101> <tel:450-662-6101
> <tel:450-662-6101>> poste 234
> <http://www.croesus.com>
>
> <http://www.facebook.com/pages/Croesus-Finansoft/345020305606240><http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141><https://twitter.com/CroesusFin>
>
>
>
> On Tue, Jul 16, 2013 at 2:30 AM, Atsushi Eno
> <atsushieno at veritas-vos-liberabit.com
> <mailto:atsushieno at veritas-vos-liberabit.com>
> <mailto:atsushieno at veritas-vos-liberabit.com
> <mailto:atsushieno at veritas-vos-liberabit.com>>
> <mailto:atsushieno at veritas-vos-liberabit.com
> <mailto:atsushieno at veritas-vos-liberabit.com>
>
> <mailto:atsushieno at veritas-vos-liberabit.com
> <mailto:atsushieno at veritas-vos-liberabit.com>>>> wrote:
>
> W3C XML Signature specification explicitly "Id" as
> the valid
> attribute name for referencing an element, by its XML
> Schema and DTD:
> http://www.w3.org/TR/xmldsig-core/#sec-Signature
> http://www.w3.org/TR/xmldsig-core/#sec-SignatureValue
> http://www.w3.org/TR/xmldsig-core/#sec-SignedInfo
> http://www.w3.org/TR/xmldsig-core/#sec-Reference
> http://www.w3.org/TR/xmldsig-core/#sec-KeyInfo
> http://www.w3.org/TR/xmldsig-core/#sec-Object
> http://www.w3.org/TR/xmldsig-core/#sec-Manifest
> http://www.w3.org/TR/xmldsig-core/#sec-SignatureProperties
>
> If Microsoft treats "id" or "ID" attributes as if
> they were ID
> (and not "iD" ?), they will have to fix their bug.
>
> Atsushi Eno
>
> (2013年07月12日 23:58), Jonathan Gagnon wrote:
>
> I have encountered a bug similar to 4938
>
> <https://bugzilla.xamarin.com/show_bug.cgi?id=4938>.
>
>
> My problem is that mono does not find the
> reference id
> because
> the id is in uppercase ('ID' instead of 'Id').
> This works
> correctly on .NET.
>
> As stated in the bug description, the problem
> is in the
> SignedXml class, GetIdElement method.
>
> I wrote a very simple patch that fixes the
> problem by
> looking
> for "id" and "ID". Should I do a pull request with
> that fix?
>
> *Jonathan Gagnon*
>
> Responsable des architectures systèmes
> 600, boulevard Armand-Frappier, bureau 200
> Laval (Québec) H7V 4B4
> Canada
> T : 450-662-6101 <tel:450-662-6101>
> <tel:450-662-6101 <tel:450-662-6101>> <tel:450-662-6101
> <tel:450-662-6101>
>
> <tel:450-662-6101 <tel:450-662-6101>>> poste 234
>
> <http://www.croesus.com>
>
> <http://www.facebook.com/pages/Croesus-Finansoft/345020305606240><http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141><https://twitter.com/CroesusFin>
>
>
>
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
> <mailto:Mono-devel-list at lists.ximian.com>
> <mailto:Mono-devel-list at lists.ximian.com
> <mailto:Mono-devel-list at lists.ximian.com>>
> <mailto:Mono-devel-list at lists.ximian.com
> <mailto:Mono-devel-list at lists.ximian.com>
> <mailto:Mono-devel-list at lists.ximian.com
> <mailto:Mono-devel-list at lists.ximian.com>>>
> http://lists.ximian.com/mailman/listinfo/mono-devel-list
>
>
>
>
>
>
>
>
More information about the Mono-devel-list
mailing list