[Mono-dev] Bug in SignedXml.GetIdElement

Atsushi Eno atsushieno at veritas-vos-liberabit.com
Fri Jul 19 17:05:01 UTC 2013


(2013/07/17 21:25), Jonathan Gagnon wrote:
>
>
> On Tue, Jul 16, 2013 at 12:16 PM, Atsushi Eno <atsushieno at veritas-vos-liberabit.com> wrote:
>
>     Jonathan Gagnon wrote:
>
>         It does not work when the SAML document is not referring to
>         any DTD.  In my case, I receive the following exception when I
>         call the CheckSignature method :
>
>         System.Security.Cryptography.CryptographicException: Malformed reference object: [referenceId]
>           at System.Security.Cryptography.Xml.SignedXml.GetReferenceHash (System.Security.Cryptography.Xml.Reference r, Boolean check_hmac) [0x00000] in <filename unknown>:0
>           at System.Security.Cryptography.Xml.SignedXml.CheckReferenceIntegrity (System.Collections.ArrayList referenceList) [0x00000] in <filename unknown>:0
>           at System.Security.Cryptography.Xml.SignedXml.CheckSignatureInternal (System.Security.Cryptography.AsymmetricAlgorithm key) [0x00000] in <filename unknown>:0
>           at System.Security.Cryptography.Xml.SignedXml.CheckSignature (System.Security.Cryptography.AsymmetricAlgorithm key) [0x00000] in <filename unknown>:0
>           at TestSAML.Program.Main (System.String[] args) [0x00000] in <filename unknown>:0
>
>
>     Of course it happens because you should be processing
>     corresponding DTD or XML Schema.
>
>
>
>         The same code works in .NET and it does work if I modify the
>         GetIdElement method to check for "ID".
>
>         So in your opinion, I should create a class that derives from
>         SignedXml and override GetIdElement?
>
>
>     I'm not sure I would like to answer yes (if you want to have ID
>     being processed) or no (you should actually process DTD or XSD).
>
>
> I added references to the corresponding XSDs but it doesn't seem to 
> help.  I'm still getting the same exception.

Because you didn't set up XmlDocument properly to process XSDs. (You're 
saying you're doing it right without showing code.)

>
>
>         It does fix the problem for me. But wouldn't it be better to
>         modify SignedXml.GetIdElement() to behave more like .NET so
>         that other users don't encounter the same problem?
>
>
>     I don't support any use of API that violates W3C specification.
>
>
> From what I understand, the W3C specification is only about the 
> signature part of a signed xml.  There is nothing regarding other 
> parts of the signed XML, and the SAML standard defines the id 
> differently.  So I'm not sure that supporting SAML ids would violate 
> the W3C specification.

I don't understand your discussion. Any additional local attributes that 
do not conform to the XML Schema defined in the xmldsig specification 
violate XML schema validation.

Atsushi Eno


>
>     Though I'm just pointing out the facts. There may be people who
>     want to take responsibility on the entire XML Signature stuff and
>     go ahead to apply the changes.
>
>     Atsushi Eno
>
>         Thanks,
>
>         Jonathan
>
>
>         On Tue, Jul 16, 2013 at 10:24 AM, Atsushi Eno
>         <atsushieno at veritas-vos-liberabit.com> wrote:
>
>             Whenever a SAML document instance refers to its schema or
>             DTD, that will validate the "ID" attribute as expected, since
>             SignedXml internally uses XmlDocument.GetElementById (), which
>             is expected to collect "IDs", where "IDs" means an ID validated
>             by XmlValidatingReader or any XmlReader whose XmlReaderSettings
>             consider an XmlSchema or DTD. Hence that does not cause any
>             problem for SAML.
>
>             (Also note that a SignedXml implementation could override
>             SignedXml.GetIdElement(). Mono's WCF implementation makes use
>             of it to support the WS-Security ID attribute.)
>
>             Atsushi Eno
>
>             Jonathan Gagnon wrote:
>
>                 This is true for the signature, but not true for SAML
>                 assertions, where ids are defined as "ID":
>
>         http://schemas.stylusstudio.com/saml/nea261b70/complexType_AssertionType.html
>
>                 I don't know in which case we would need "id" in
>                 lowercase, but since .NET supports it, there is probably
>                 a valid reason for it too.
>
>                 *Jonathan Gagnon*
>                 Responsable des architectures systèmes
>                 600, boulevard Armand-Frappier, bureau 200
>                 Laval (Québec) H7V 4B4
>                 Canada
>
>
>
>                 On Tue, Jul 16, 2013 at 2:30 AM, Atsushi Eno
>                 <atsushieno at veritas-vos-liberabit.com> wrote:
>
>                     The W3C XML Signature specification explicitly
>                     specifies "Id" as the valid attribute name for
>                     referencing an element, by its XML Schema and DTD:
>         http://www.w3.org/TR/xmldsig-core/#sec-Signature
>         http://www.w3.org/TR/xmldsig-core/#sec-SignatureValue
>         http://www.w3.org/TR/xmldsig-core/#sec-SignedInfo
>         http://www.w3.org/TR/xmldsig-core/#sec-Reference
>         http://www.w3.org/TR/xmldsig-core/#sec-KeyInfo
>         http://www.w3.org/TR/xmldsig-core/#sec-Object
>         http://www.w3.org/TR/xmldsig-core/#sec-Manifest
>         http://www.w3.org/TR/xmldsig-core/#sec-SignatureProperties
>
>                     If Microsoft treats "id" or "ID" attributes as if
>                     they were ID (and not "iD"?), they will have to fix
>                     their bug.
>
>                     Atsushi Eno
>
>                     (2013/07/12 23:58), Jonathan Gagnon wrote:
>
>                         I have encountered a bug similar to 4938
>         <https://bugzilla.xamarin.com/show_bug.cgi?id=4938>.
>
>                         My problem is that mono does not find the
>                         reference id because the id is in uppercase
>                         ('ID' instead of 'Id'). This works correctly
>                         on .NET.
>
>                         As stated in the bug description, the problem
>                         is in the SignedXml class, GetIdElement method.
>
>                         I wrote a very simple patch that fixes the
>                         problem by looking for "id" and "ID". Should I
>                         do a pull request with that fix?
>
>                         *Jonathan Gagnon*
>
>                         Responsable des architectures systèmes
>                         600, boulevard Armand-Frappier, bureau 200
>                         Laval (Québec) H7V 4B4
>                         Canada
>
>
>
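For readers weighing the "derive from SignedXml and override GetIdElement" option discussed in this thread, here is an added example (hypothetical code, not Mono's or .NET's implementation): it keeps the base class's validated-ID lookup, falls back to "Id"/"id"/"ID" attributes as .NET is said to do, and fails closed when more than one element claims the same id, since widening the lookup without a uniqueness check lets a Reference bind to the wrong element. The class name SamlSignedXml is an assumption.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical subclass (not Mono's or .NET's code): resolves Reference URIs
// against "Id", "id" and "ID" attributes, and refuses ambiguous matches.
public class SamlSignedXml : SignedXml
{
    private static readonly string[] IdAttributeNames = { "Id", "id", "ID" };

    public SamlSignedXml(XmlDocument document) : base(document) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        if (document == null || string.IsNullOrEmpty(idValue))
            return null;

        // Prefer the DTD/XSD-validated ID map, which is all the base class consults.
        XmlElement validated = document.GetElementById(idValue);
        if (validated != null)
            return validated;

        // No validated ID: scan every element for a matching Id/id/ID attribute.
        // Values are compared in code, not interpolated into XPath, so idValue
        // needs no escaping.
        XmlElement match = null;
        foreach (XmlElement element in document.GetElementsByTagName("*"))
        {
            foreach (string name in IdAttributeNames)
            {
                if (!element.HasAttribute(name) || element.GetAttribute(name) != idValue)
                    continue;
                // Two different elements claiming the same id: fail closed rather
                // than let the Reference bind to whichever appears first.
                if (match != null && !ReferenceEquals(match, element))
                    throw new CryptographicException(
                        "Ambiguous reference: more than one element has id '" + idValue + "'.");
                match = element;
            }
        }
        return match;
    }
}
```

Use it in place of SignedXml: construct it with the XmlDocument, call LoadXml with the ds:Signature element, then CheckSignature with the expected key as before.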


