[Mono-dev] Bug in SignedXml.GetIdElement

Jonathan Gagnon jonathan.gagnon at croesus.com
Mon Jul 22 13:17:39 UTC 2013


On Fri, Jul 19, 2013 at 1:05 PM, Atsushi Eno <
atsushieno at veritas-vos-liberabit.com> wrote:

> (2013年07月17日 21:25), Jonathan Gagnon wrote:
>
>
>>
>> On Tue, Jul 16, 2013 at 12:16 PM, Atsushi Eno <atsushieno at veritas-vos-**
>> liberabit.com <atsushieno at veritas-vos-liberabit.com> <mailto:
>> atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>>>
>> wrote:
>>
>>     Jonathan Gagnon wrote:
>>
>>         It does not work when the SAML document is not referring to
>>         any DTD.  In my case, I receive the following exception when I
>>         call the CheckSignature method :
>>
>>         System.Security.Cryptography.**CryptographicException: Malformed
>>         reference object: [referenceId]
>>           at
>>         System.Security.Cryptography.**Xml.SignedXml.GetReferenceHash
>>         (System.Security.Cryptography.**Xml.Reference r, Boolean
>>         check_hmac) [0x00000] in <filename unknown>:0
>>           at
>>         System.Security.Cryptography.**Xml.SignedXml.**
>> CheckReferenceIntegrity
>>         (System.Collections.ArrayList referenceList) [0x00000] in
>>         <filename unknown>:0
>>           at
>>         System.Security.Cryptography.**Xml.SignedXml.**
>> CheckSignatureInternal
>>         (System.Security.Cryptography.**AsymmetricAlgorithm key)
>>         [0x00000] in <filename unknown>:0
>>           at System.Security.Cryptography.**Xml.SignedXml.CheckSignature
>>         (System.Security.Cryptography.**AsymmetricAlgorithm key)
>>         [0x00000] in <filename unknown>:0
>>           at TestSAML.Program.Main (System.String[] args) [0x00000] in
>>         <filename unknown>:0
>>
>>
>>     Of course it happens because you should be processing
>>     corresponding DTD or XML Schema.
>>
>>
>>
>>         The same code works in .NET and it does work if I modify the
>>         GetIdElement method to check for "ID".
>>
>>         So in your opinion, I should create a class that derives from
>>         SignedXml and override GetIdElement?
>>
>>
>>     I'm not sure I would like to answer yes (if you want to have ID
>>     being processed) or no (you should actually process DTD or XSD).
>>
>>
>> I added references to the corresponding XSDs but it doesn't seem to help.
>>  I'm still getting the same exception.
>>
>
> Because you didn't set up XmlDocument properly to process XSDs. (You're
> discussing you're doing right without showing code.)
>
>
>
You're probably right that I didn't set it up properly.  It seems to be a
poorly documented part of .NET.  Do you have a link to a good example?

Basically, I tried adding a reference to the xsd inside the SAML document
but it didn't help.  Then I tried the following example without success :
http://msdn.microsoft.com/en-us/library/ms162371.aspx

I also noticed that calling the Schemas.Add method is very slow (several
seconds each time), and didn't want that overhead in our application.



>
>>
>>         It does fix the problem for me. But wouldn't it be better to
>>         modify SignedXml.GetIdElement() to behave more like .NET so
>>         that other users don't encounter the same problem?
>>
>>
>>     I don't support any use of API that violates W3C specification.
>>
>>
>> From what I understand, the W3C specification is only about the signature
>> part of a signed xml.  There is nothing regarding other parts of the signed
>> XML, and the SAML standard defines the id differently.  So I'm not sure
>> that supporting SAML ids would violate the W3C specification.
>>
>
> I don't understand your discussion. Any additional local attributes that
> do not conform to the XML Schema defined in xmldsig specification violates
> XML schema validation.
>

What I'm saying is that the XML Schema defined in xmldsig specification is
often applied to a subpart of an XML document.  Here is an example :

<samlp:Response>
  <saml:Assertion ID="abc">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:Signature>
    ...
  </saml:Assertion>
</samlp:Response>

So the XML Schema defined by the W3C specification only applies to what is
inside the <ds:Signature> tags.  Thus, it doesn't violate the XML Schema to
have an "ID" attribute for the <saml:Assertion>.

Also, if you look at some examples on the W3C sites, you will find that
some of them use "ID" instead of "Id" (that could be a mistake though).
 Like this one :

http://www.w3.org/TR/xmldsig-core/#sec-NamespaceContext

Basically, my point is that it seems like there are more that one standards
of XML signature.  SAML is one of them and it defines an ID as "ID" instead
of "Id".  Microsoft seems to have decided to support it directly without
the need to process the XSDs.  I thought it would be a good idea to have
mono do the same and that is what my patch does.

Jonathan



>
> Atsushi Eno
>
>
>
>>     Though I'm just pointing out the facts. There may be people who
>>     want to take responsibility on the entire XML Signature stuff and
>>     go ahead to apply the changes.
>>
>>     Atsushi Eno
>>
>>         Thanks,
>>
>>         Jonathan
>>
>>
>>         On Tue, Jul 16, 2013 at 10:24 AM, Atsushi Eno
>>         <atsushieno at veritas-vos-**liberabit.com<atsushieno at veritas-vos-liberabit.com>
>>         <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>> >
>>         <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>>         <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>>>>
>> wrote:
>>
>>             Whenever SAML document instance refers to its schema or
>>         DTD that
>>             will validate "ID" attribute as expected, since SignedXml
>>             internally uses XmlDocument.GetElementById () which is
>>         expected to
>>             collect "IDs" where "IDs" means a validated ID by
>>             XmlValidatingReader or any XmlReader that has
>>         XmlReaderSettings to
>>             consider XmlSchema or DTD. Hence that does not cause any
>>         problem
>>             for SAML.
>>
>>             (Also note that SignedXml implementation could override
>>             SignedXml.GetIdElement(). Mono's WCF implementation makes
>>         use of
>>             it to support WS-Security ID attribute.)
>>
>>             Atsushi Eno
>>
>>             Jonathan Gagnon wrote:
>>
>>                 This is true for the signature, but not true for SAML
>>                 assertions, where ids are defined as "ID" :
>>
>>         http://schemas.stylusstudio.**com/saml/nea261b70/**
>> complexType_AssertionType.html<http://schemas.stylusstudio.com/saml/nea261b70/complexType_AssertionType.html>
>>
>>                 I don't know in which case we would need "id" in
>>         lowercase,
>>                 but since .NET supports it, there is probably a valid
>>         reason
>>                 for it too.
>>
>>                 *Jonathan Gagnon*
>>                 Responsable des architectures systèmes
>>                 600, boulevard Armand-Frappier, bureau 200
>>                 Laval (Québec) H7V 4B4
>>                 Canada
>>                 T : 450-662-6101 <tel:450-662-6101> <tel:450-662-6101
>>         <tel:450-662-6101>> poste 234
>>                 <http://www.croesus.com>
>>                        <http://www.facebook.com/**
>> pages/Croesus-Finansoft/**345020305606240<http://www.facebook.com/pages/Croesus-Finansoft/345020305606240>
>> ><http://www.**linkedin.com/company/croesus-**
>> finansoft?trk=hb_tab_compy_id_**26141<http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141>
>> ><https://twitter.com/**CroesusFin <https://twitter.com/CroesusFin>>
>>
>>
>>
>>                 On Tue, Jul 16, 2013 at 2:30 AM, Atsushi Eno
>>                 <atsushieno at veritas-vos-**liberabit.com<atsushieno at veritas-vos-liberabit.com>
>>         <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>> >
>>                 <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>>         <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>> >>
>>                 <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>>         <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>> >
>>
>>                 <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>
>>         <mailto:atsushieno at veritas-**vos-liberabit.com<atsushieno at veritas-vos-liberabit.com>>>>>
>> wrote:
>>
>>                     W3C XML Signature specification explicitly "Id" as
>>         the valid
>>                     attribute name for referencing an element, by its XML
>>                 Schema and DTD:
>>         http://www.w3.org/TR/xmldsig-**core/#sec-Signature<http://www.w3.org/TR/xmldsig-core/#sec-Signature>
>>         http://www.w3.org/TR/xmldsig-**core/#sec-SignatureValue<http://www.w3.org/TR/xmldsig-core/#sec-SignatureValue>
>>         http://www.w3.org/TR/xmldsig-**core/#sec-SignedInfo<http://www.w3.org/TR/xmldsig-core/#sec-SignedInfo>
>>         http://www.w3.org/TR/xmldsig-**core/#sec-Reference<http://www.w3.org/TR/xmldsig-core/#sec-Reference>
>>         http://www.w3.org/TR/xmldsig-**core/#sec-KeyInfo<http://www.w3.org/TR/xmldsig-core/#sec-KeyInfo>
>>         http://www.w3.org/TR/xmldsig-**core/#sec-Object<http://www.w3.org/TR/xmldsig-core/#sec-Object>
>>         http://www.w3.org/TR/xmldsig-**core/#sec-Manifest<http://www.w3.org/TR/xmldsig-core/#sec-Manifest>
>>         http://www.w3.org/TR/xmldsig-**core/#sec-SignatureProperties<http://www.w3.org/TR/xmldsig-core/#sec-SignatureProperties>
>>
>>                     If Microsoft treats "id" or "ID" attributes as if
>>         they were ID
>>                     (and not "iD" ?), they will have to fix their bug.
>>
>>                     Atsushi Eno
>>
>>                     (2013年07月12日 23:58), Jonathan Gagnon wrote:
>>
>>                         I have encountered a bug similar to 4938
>>                                <https://bugzilla.xamarin.com/**
>> show_bug.cgi?id=4938 <https://bugzilla.xamarin.com/show_bug.cgi?id=4938>
>> >.
>>
>>
>>                         My problem is that mono does not find the
>>         reference id
>>                 because
>>                         the id is in uppercase ('ID' instead of 'Id').
>>         This works
>>                         correctly on .NET.
>>
>>                         As stated in the bug description, the problem
>>         is in the
>>                         SignedXml class, GetIdElement method.
>>
>>                         I wrote a very simple patch that fixes the
>>         problem by
>>                 looking
>>                         for "id" and "ID". Should I do a pull request with
>>                 that fix?
>>
>>                         *Jonathan Gagnon*
>>
>>                         Responsable des architectures systèmes
>>                         600, boulevard Armand-Frappier, bureau 200
>>                         Laval (Québec) H7V 4B4
>>                         Canada
>>                         T : 450-662-6101 <tel:450-662-6101>
>>         <tel:450-662-6101 <tel:450-662-6101>> <tel:450-662-6101
>>         <tel:450-662-6101>
>>
>>                 <tel:450-662-6101 <tel:450-662-6101>>> poste 234
>>
>>
>>                         <http://www.croesus.com>
>>                                       <http://www.facebook.com/**
>> pages/Croesus-Finansoft/**345020305606240<http://www.facebook.com/pages/Croesus-Finansoft/345020305606240>
>> ><http://www.**linkedin.com/company/croesus-**
>> finansoft?trk=hb_tab_compy_id_**26141<http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141>
>> ><https://twitter.com/**CroesusFin <https://twitter.com/CroesusFin>>
>>
>>
>>
>>                         ______________________________**_________________
>>                         Mono-devel-list mailing list
>>         Mono-devel-list at lists.ximian.**com<Mono-devel-list at lists.ximian.com>
>>         <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>> >
>>                 <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>>         <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>> >>
>>                         <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>>         <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>> >
>>                 <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>>         <mailto:Mono-devel-list at lists.**ximian.com<Mono-devel-list at lists.ximian.com>
>> >>>
>>         http://lists.ximian.com/**mailman/listinfo/mono-devel-**list<http://lists.ximian.com/mailman/listinfo/mono-devel-list>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ximian.com/pipermail/mono-devel-list/attachments/20130722/04672ac0/attachment-0001.html>


More information about the Mono-devel-list mailing list