[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]

Subject: Re: ZXID bug? - c14n and line termination chars

kinzler@xxxxxxxxx said:
> Hi, Sampo, I want to thank you for making ZXID available.  I'm using it
> to add SAML support to a web app here at the Univ of Michigan, and it's
> been a pleasure to learn SAML by working with ZXID.
> I've run into a snag with signature validation with my partner site,
> United HealthCare, using SiteMinder for their SAML.  We're doing

Can you be more specific about the version of SiteMinder?

> IdP-initiated SSO with POST-binding with UHC (IdP) sending me (SP)
> just a SAMLResponse.  I'm using the zxidsimple(1) program for a shell
> script interface within a CGI script.  So far we're testing without
> any assertion encryption.  ZXID Version 0.64 here.
> We're getting "Message digest mismatch" in zxsig.c (see debug.txt
> attached).  I've been able to determine the cause as being that the
> XML coming in on the wire has CarriageReturn+NewLine (CR-NL) line
> terminators, but apparently these aren't getting canonicalized to just
> NL line terminators before the digest is checked.  If I take what comes
> in on the wire (see KluczHcgJgSj6u-457JQT9e8lyM attached, this is from
> /var/zxid/log/rely/*/wir/KluczHcgJgSj6u-457JQT9e8lyM) which is in CR-NL
> format, manually convert it to NL format, then feed that into ZXID,
> it all works.

Interesting observation.

> So since we believe any sort of line terminators should be accepted
> but converted to NL format for digest checking, we're wondering if ZXID
> could/should do that?

ZXID could do that, but whether it should depends on exclusive c14n spec
which is notoriously heavy reading

http://www.w3.org/TR/xml-exc-c14n/  (I used version dated 20010315)

Ok, spotted in the spec. Next version of ZXID will normalize line breaks,
i.e. any CRLF get converted to just LF.


> Best regards,					Steve Kinzler
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> The information contained in this message may be CONFIDENTIAL and is
> for the intended addressee only.  Any unauthorized use, dissemination
> of the information, or copying of this message is prohibited.  If you
> are not the intended addressee, please notify the sender immediately
> and delete this message.