On Wed, 2004-11-17 at 22:43 -0600, Samuel Meder wrote:
> This may very well have fixed one of the problems, but it still did not
> fix the signature mismatch error I'm getting due to c14n. I'll follow up
> with a lot more detail in a bit.
I've attached the following:
  assertion_service.xml - the signed SAML assertion as created by the service before sending using Axis
  assertion_client.xml - the assertion as received by the client
  assertion_transformed_server.xml - the assertion on the service with all transforms applied
  assertion_transformed_client.xml - the assertion on the client with all transforms applied
The assertions were dumped using:
    try
    {
        // Print the referenced content (the assertion) as it looks after all
        // transforms have run, i.e. the exact bytes that get digested.
        System.out.println("After Transforms:\n\n");
        // c14n output is UTF-8, so decode it as such rather than with the platform default.
        System.out.println(new String(
            sig.getSignedInfo().getReferencedContentAfterTransformsItem(0).getBytes(),
            "UTF-8"));
    }
    catch(IOException e)
    {
        // Do not silently swallow a failure to read the transformed content.
        e.printStackTrace();
    }
Obviously something is still very wrong.
/Sam
> /Sam
>
> On Mon, 2004-11-15 at 21:26 +0100, Raul Benito wrote:
> > Raul Benito wrote:
> >
> > >
> > >>
> > >>
> > >> Shouldn't the xmlns="" mapping only be added if this mapping is in scope
> > >> and the ancestor element declaring the mapping is not visible (and since
> > >> NameSpaceSymbolTable always adds that mapping...). Also I'm not quite
> > >> sure that I understand the "else if":
> > >> CanonicalizerBase:canonicalizeXPathNodeSet seems to throw an exception if
> > >> it finds an attribute node in the _xpathNodeSet, which would lead me to
> > >> assume that the node set would never contain the xmlns node?
> > >>
> > >> Might also be that I am completely misunderstanding things.
> > >> Canonicalization makes my brain hurt...
> > >
> > Here is the patch that I think fixes your problem (if you don't know how,
> > or find it difficult, to apply the patch, ask me privately and I can
> > provide you a compiled jar). It is not the definitive one (the attr
> > casts are redundant for the HEAD tree) as I'm currently working on a
> > different thing, but it will work for you.
> > Regards,
> >
> > Raul
> > http://r-bg.com
> >
> > Index: Canonicalizer20010315Excl.java
> > ===================================================================
> > RCS file:
> > /home/cvs/xml-security/src/org/apache/xml/security/c14n/implementations/Canonicalizer20010315Excl.java,v
> > retrieving revision 1.17
> > diff -u -r1.17 Canonicalizer20010315Excl.java
> > --- Canonicalizer20010315Excl.java 24 Sep 2004 20:54:29 -0000 1.17
> > +++ Canonicalizer20010315Excl.java 15 Nov 2004 20:22:50 -0000
> > @@ -165,7 +165,7 @@
> > Iterator it=visiblyUtilized.iterator();
> > while (it.hasNext()) {
> > String s=(String)it.next();
> > - Attr key=ns.getMapping(s);
> > + Attr key=(Attr)ns.getMapping(s);
> > if (key==null) {
> > continue;
> > }
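Review bot: the (Attr) cast on ns.getMapping(s) is the only change in this hunk and, as the covering mail says, is redundant on HEAD; if it is needed on this branch because getMapping returns Object there, it turns a compile-time type error into a possible ClassCastException at runtime, so either give getMapping an Attr return type on the branch as well or add a comment that the cast exists only to build against 1.17, so it is not carried forward into HEAD.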
> > @@ -262,7 +262,7 @@
> > }
> > }
> > }
> > - if (!xmlnsDef ) {
> > + if (isOutputElement && !xmlnsDef ) {
> > ns.addMapping(XMLNS,"",nullNode);
> > }
> >
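Review bot: the isOutputElement guard stops the xmlns="" mapping from being added for elements outside the node set, but for every output element without its own xmlns attribute it still calls ns.addMapping(XMLNS,"",nullNode), treating "no own declaration" as "no default namespace", when such an element simply inherits the default namespace in scope from its parent. That is the case Sam raised above (the mapping should only be added if a default namespace is in scope and the ancestor declaring it is not visible), and it matches the spurious xmlns="" on Conditions in the transformed dumps at the end of this mail. Suggest checking the default namespace actually in scope, and whether the ancestor declaring it is itself an output element, before this addMapping call, and confirming that isOutputElement is in scope here, since it is not declared in the visible lines.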
> > @@ -282,7 +282,7 @@
> > Iterator it=visiblyUtilized.iterator();
> > while (it.hasNext()) {
> > String s=(String)it.next();
> >
> > - Attr key=ns.getMapping(s);
> > + Attr key=(Attr)ns.getMapping(s);
> > if (key==null) {
> > continue;
> > }
> > @@ -292,7 +292,7 @@
> > Iterator it=this._inclusiveNSSet.iterator();
> > while (it.hasNext()) {
> > String s=(String)it.next();
> > - Attr key=ns.getMappingWithoutRendered(s);
> > + Attr key=(Attr)ns.getMappingWithoutRendered(s);
> > if (key==null) {
> > continue;
> > }
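Review bot: this is the same cast-then-null-check pattern as the earlier hunks, now on getMappingWithoutRendered(s) for the InclusiveNamespaces PrefixList path; with the cast repeated in three places, a typed accessor on NameSpaceSymbolTable that returns Attr would drop all three casts and keep the null handling in one spot.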
> >
> >
>
<Assertion AssertionID="932aa4da-9aeb-484e-8ecf-99b4609c48f6" IssueInstant="2004-11-18T05:26:26Z" Issuer="DC=org,DC=DOEGrids,OU=Certificate Authorities,CN=DOEGrids CA 1" MajorVersion="1" MinorVersion="0" xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><Conditions NotBefore="2004-11-18T05:26:26Z" NotOnOrAfter="2004-11-18T05:28:06Z"/><AuthorizationDecisionStatement Decision="Permit" Resource="FTPNamespace|ftp://sample1.org"><Subject><NameIdentifier Format="#X509SubjectName" NameQualifier="dummyDN">dummy DN</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:am:X509-PKI</ConfirmationMethod></SubjectConfirmation></Subject><Action Namespace="fileType">read</Action><Action Namespace="directory">read</Action></AuthorizationDecisionStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms xmlns:signs="urn:oasis:names:tc:SAML:1.0:assertion">
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath Filter="intersect" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">here()/ancestor::signs:Assertion[1]</dsig-xpath:XPath>
<dsig-xpath:XPath Filter="subtract" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">here()/ancestor::ds:Signature[1]</dsig-xpath:XPath>
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="code ds kind rw saml samlp signs #default xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>1P4tHsFzvYgx4KAEBHpQMSSy1pM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
S78gPVnzpVjNineV6V6I0Kn8zh8dcxz2vKnj3RmORx86nQfWnFRdP1RCwRkDOpiuvKXAQsSFpQRa
GkerMG/7iQ==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
<ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature></Assertion>
<Assertion AssertionID="932aa4da-9aeb-484e-8ecf-99b4609c48f6" IssueInstant="2004-11-18T05:26:26Z" Issuer="DC=org,DC=DOEGrids,OU=Certificate Authorities,CN=DOEGrids CA 1" MajorVersion="1" MinorVersion="0" xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><Conditions NotBefore="2004-11-18T05:26:26Z" NotOnOrAfter="2004-11-18T05:28:06Z"/><AuthorizationDecisionStatement Decision="Permit" Resource="FTPNamespace|ftp://sample1.org" xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><NameIdentifier Format="#X509SubjectName" NameQualifier="dummyDN">dummy DN</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:am:X509-PKI</ConfirmationMethod></SubjectConfirmation></Subject><Action Namespace="fileType" xmlns="urn:oasis:names:tc:SAML:1.0:assertion">read</Action><Action Namespace="directory" xmlns="urn:oasis:names:tc:SAML:1.0:assertion">read</Action></AuthorizationDecisionStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:signs="urn:oasis:names:tc:SAML:1.0:assertion">
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<dsig-xpath:XPath Filter="intersect" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">here()/ancestor::signs:Assertion[1]</dsig-xpath:XPath>
<dsig-xpath:XPath Filter="subtract" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">here()/ancestor::ds:Signature[1]</dsig-xpath:XPath>
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="code ds kind rw saml samlp signs #default xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">1P4tHsFzvYgx4KAEBHpQMSSy1pM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
S78gPVnzpVjNineV6V6I0Kn8zh8dcxz2vKnj3RmORx86nQfWnFRdP1RCwRkDOpiuvKXAQsSFpQRa
GkerMG/7iQ==
</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[base64 certificate omitted]</ds:X509Certificate>
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[base64 certificate omitted]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature></Assertion>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="5dc4aa1a-908b-4b28-affd-b973ba766777" IssueInstant="2004-11-18T06:11:54Z" Issuer="DC=org,DC=DOEGrids,OU=Certificate Authorities,CN=DOEGrids CA 1" MajorVersion="1" MinorVersion="0"><Conditions xmlns="" NotBefore="2004-11-18T06:11:54Z" NotOnOrAfter="2004-11-18T06:13:34Z"></Conditions><AuthorizationDecisionStatement xmlns="" Decision="Permit" Resource="FTPNamespace|ftp://sample1.org"><Subject><NameIdentifier Format="#X509SubjectName" NameQualifier="dummyDN">dummy DN</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:am:X509-PKI</ConfirmationMethod></SubjectConfirmation></Subject><Action Namespace="fileType">read</Action><Action Namespace="directory">read</Action></AuthorizationDecisionStatement> xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns=""</Assertion>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="5dc4aa1a-908b-4b28-affd-b973ba766777" IssueInstant="2004-11-18T06:11:54Z" Issuer="DC=org,DC=DOEGrids,OU=Certificate Authorities,CN=DOEGrids CA 1" MajorVersion="1" MinorVersion="0"><Conditions xmlns="" NotBefore="2004-11-18T06:11:54Z" NotOnOrAfter="2004-11-18T06:13:34Z"></Conditions><AuthorizationDecisionStatement Decision="Permit" Resource="FTPNamespace|ftp://sample1.org"><Subject><NameIdentifier xmlns="" Format="#X509SubjectName" NameQualifier="dummyDN">dummy DN</NameIdentifier><SubjectConfirmation xmlns=""><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:am:X509-PKI</ConfirmationMethod></SubjectConfirmation></Subject><Action Namespace="fileType">read</Action><Action Namespace="directory">read</Action></AuthorizationDecisionStatement> xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns="" xmlns=""</Assertion>
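The exclusive-c14n namespace rule this thread is arguing about (which xmlns declarations an output element must render, and when xmlns="" is emitted), as an added example that is not from the mails above or from xml-security: it models the rule in Python over a constructed document shaped like the assertion, with a node-set filter standing in for the filter2 "subtract" of the ds:Signature subtree. The names SAMPLE, in_scope, visibly_utilized, exc_c14n_ns, not_in_signature and demo are my own.

```python
from xml.dom import minidom

# Constructed sample shaped like the thread's assertion (not the real attachment): default-namespace
# SAML elements, a ds:Signature subtree that the filter2 "subtract" removes, and one xmlns="" undeclaration.
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" MajorVersion="1">
  <Conditions NotBefore="2004-11-18T05:26:26Z"/>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <Extra xmlns=""><Inner/></Extra>
</Assertion>"""

def self_and_ancestors(el):  # element chain from el up to the document element
    return [] if el is None or el.nodeType != el.ELEMENT_NODE else [el] + self_and_ancestors(el.parentNode)
def in_scope(el):
    """prefix -> URI in scope at el ("" is the default namespace; the nearest declaration wins)."""
    scope = {}
    for anc in reversed(self_and_ancestors(el)):
        for a in (anc.attributes.item(i) for i in range(anc.attributes.length)):
            if a.name == "xmlns":
                scope[""] = a.value or ""          # xmlns="" undeclares the default namespace
            elif a.name.startswith("xmlns:"):
                scope[a.name[6:]] = a.value
    return scope
def visibly_utilized(el):
    """Own prefix plus attribute prefixes; unprefixed attributes never use the default namespace."""
    attrs = [el.attributes.item(i) for i in range(el.attributes.length)]
    return {el.prefix or ""} | {a.prefix for a in attrs if a.prefix and a.prefix != "xmlns"}

def exc_c14n_ns(el, is_output, prefix_list, rendered=None, out=None):
    """Per output element, the xmlns declarations exclusive c14n emits; `rendered` is what the
    nearest *output* ancestor emitted, and non-output elements pass it through unchanged."""
    rendered, out = dict(rendered or {}), ([] if out is None else out)
    if is_output(el):
        scope, decls = in_scope(el), []
        wanted = visibly_utilized(el) | {"" if p == "#default" else p for p in prefix_list}
        for p in sorted(wanted):                   # default namespace first, then by prefix
            uri = scope.get(p, "" if p == "" else None)   # None: listed prefix never declared
            if uri is not None and rendered.get(p, "") != uri:
                # p == "" gives xmlns="" only when an output ancestor rendered a non-empty default
                # namespace and this element really is in no namespace (the thread's question)
                decls.append('xmlns="%s"' % uri if p == "" else 'xmlns:%s="%s"' % (p, uri))
                rendered[p] = uri
        out.append((el.tagName, decls))
    for child in [c for c in el.childNodes if c.nodeType == c.ELEMENT_NODE]:
        exc_c14n_ns(child, is_output, prefix_list, rendered, out)
    return out

def not_in_signature(el):  # node-set filter like the thread's subtract here()/ancestor::ds:Signature[1]
    return all(a.tagName != "ds:Signature" for a in self_and_ancestors(el))
def demo(prefix_list=("ds", "#default")):  # output element name -> its declarations for SAMPLE
    return dict(exc_c14n_ns(minidom.parseString(SAMPLE).documentElement, not_in_signature, prefix_list))
```

Running demo() shows Conditions rendering no declaration at all (it inherits the SAML default namespace from the visible Assertion), which is what correct canonicalization should produce in place of the xmlns="" seen on Conditions in the transformed dumps above; Extra, which undeclares the default namespace, is the only element that gets xmlns="".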