Subject: Re: ZXID bug? - c14n and line termination chars
> Hi, Sampo, I want to thank you for making ZXID available. I'm using it
> to add SAML support to a web app here at the Univ of Michigan, and it's
> been a pleasure to learn SAML by working with ZXID.
> I've run into a snag with signature validation with my partner site,
> United HealthCare, using SiteMinder for their SAML. We're doing
Can you be more specific about the version of SiteMinder?
> IdP-initiated SSO with POST-binding with UHC (IdP) sending me (SP)
> just a SAMLResponse. I'm using the zxidsimple(1) program for a shell
> script interface within a CGI script. So far we're testing without
> any assertion encryption. ZXID Version 0.64 here.
> We're getting "Message digest mismatch" in zxsig.c (see debug.txt
> attached). I've been able to determine the cause as being that the
> XML coming in on the wire has CarriageReturn+NewLine (CR-NL) line
> terminators, but apparently these aren't getting canonicalized to just
> NL line terminators before the digest is checked. If I take what comes
> in on the wire (see KluczHcgJgSj6u-457JQT9e8lyM attached, this is from
> /var/zxid/log/rely/*/wir/KluczHcgJgSj6u-457JQT9e8lyM) which is in CR-NL
> format, manually convert it to NL format, then feed that into ZXID,
> it all works.
> So since we believe any sort of line terminators should be accepted
> but converted to NL format for digest checking, we're wondering if ZXID
> could/should do that?
ZXID could do that, but whether it should depends on the exclusive c14n spec,
which is notoriously heavy reading:
http://www.w3.org/TR/xml-exc-c14n/ (I used the version dated 20010315)
Ok, spotted in the spec. Next version of ZXID will normalize line breaks,
i.e. any CRLF get converted to just LF.
> Best regards, Steve Kinzler
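Added example, not code from this thread or from ZXID: a C routine performing the end-of-line normalization the reply describes, CRLF to LF, extended to a lone CR as XML 1.0 section 2.11 also requires, applied to the wire bytes before the digest is taken. The SAMLResponse fragment is constructed, and the FNV-1a digest is a placeholder standing in for whatever DigestMethod the signature actually declares.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* XML 1.0 end-of-line handling (sec. 2.11): CRLF -> LF, lone CR -> LF.
 * Output never grows past in_len bytes. Returns the output length. */
size_t xml_normalize_eol(const char *in, size_t in_len, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '\r') {
            out[o++] = '\n';
            if (i + 1 < in_len && in[i + 1] == '\n')
                i++;            /* swallow the LF of a CRLF pair */
        } else {
            out[o++] = in[i];
        }
    }
    return o;
}

/* Placeholder digest (64-bit FNV-1a). A real verifier uses the DigestMethod
 * named in ds:Reference; the only point here is that the bytes fed to it
 * must already be in canonical (LF-terminated) form. */
uint64_t digest_fnv1a(const char *buf, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)buf[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Returns 1 if the digest of the wire bytes, after EOL normalization,
 * equals the digest of the signer's LF-terminated canonical form. */
int digest_matches_after_normalization(const char *wire, const char *canonical)
{
    char buf[512];
    if (strlen(wire) > sizeof buf)
        return 0;               /* sample buffer bound; sized for this demo */
    size_t n = xml_normalize_eol(wire, strlen(wire), buf);
    return digest_fnv1a(buf, n) == digest_fnv1a(canonical, strlen(canonical));
}

/* Constructed sample: what the signer digested (LF) vs. what arrived (CRLF). */
static const char *CANON = "<samlp:Response>\n  <saml:Assertion/>\n</samlp:Response>\n";
static const char *WIRE  = "<samlp:Response>\r\n  <saml:Assertion/>\r\n</samlp:Response>\r\n";
```

Digesting WIRE as received reproduces the "Message digest mismatch" from the thread; running it through xml_normalize_eol first makes the two digests agree.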