Re: Signature and children - redundant namespace declarations

Mon, 04 Jun 2007 15:00:33 -0700 


Raul Benito wrote:
> Can you post an example of the behaviour (a code and an output)?
>

Ok, here is a little test program I wrote.  It's not OpenSAML-based,
it's just straight DOM-based code.  Parses the assertion.xml and signs
the saml:Assertion, using enveloped and exclusive c14n on the single
internal document Reference, and exclusive c14n for the signature c14n. 
No XPath transforms, etc.

The signed-assertion.xml is the output I get when I run it with Sun's
JDK 1.5.0.  As you can see, all the Signature children have the ds
namespace prefix redeclared.

Let  me know what you think.

Thanks,
Brent

<?xml version="1.0" encoding="UTF-16"?>
<saml:Assertion ID="assertionID" IssueInstant="2007-04-13T23:46:00.100Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>http://www.example.org/idp</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#assertionID" xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>3Z41uwaAAFEiFh2ch1r0k9S4hiQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
V8g/NO6RKVxsCNz1hs5d2mAOklaZK80NsjCfELUO4w5qSpHaQPXchKzMf47/idiDGVgr1h3rxeKc
516X2n00wtw84Mo7J8hvgJWXrY5z5P96GJZkc1qW9ywmBWRdWq5z2fXFdrSkCpO/GvcLaYC5a2vI
qGc4OV5QbGq52KFZQmo=
</ds:SignatureValue>
</ds:Signature><saml:Subject>
        <saml:NameID>smithj</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
        <saml:Attribute>
            <saml:AttributeValue Name="emailAddress">[EMAIL PROTECTED]</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>

<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="assertionID" IssueInstant="2007-04-13T23:46:00.100Z">
    <saml:Issuer>http://www.example.org/idp</saml:Issuer>
    <saml:Subject>
        <saml:NameID>smithj</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
        <saml:Attribute>
            <saml:AttributeValue Name="emailAddress">[EMAIL PROTECTED]</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>

Attachment: SignatureNamespaceTest.java
Description: none

Reply via email to