DO NOT REPLY [Bug 47853] New: digital signature reference validation failure when wrapping xml with soap namespace


DO NOT REPLY [Bug 47853] New: digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

           Summary: digital signature reference validation failure when
                    wrapping xml with soap namespace
           Product: Security
           Version: Java 1.4.2
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Canonicalization
        AssignedTo: security-dev@...
        ReportedBy: trattnh@...


I am using OpenSAML 2 to validate a digital signature. OpenSAML uses the xmlsec
jar for validation.
This works fine when the SAML assertion is validated as is.
The problem happens when the signed assertion is wrapped inside a SOAP
envelope.
The SOAP envelope has the SOAP namespace added to it.

The problem is that the xmlns declaration is added to the SignedInfo during the
validation.

The xml being validated looks like:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">


but if I check the canonicalized signed info with
signature.getSignedInfo().getCanonicalizedData();
I get:
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">

The xmlns="http://www.w3.org/2000/09/xmldsig#" was added into the SignedInfo
and this is why the reference validation is failing.
(The signature is validated successfully, but the reference validation fails
because the extra namespace declaration was added).

How can this be solved?

Thanks,

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

sean.mullan@... changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from sean.mullan@... 2009-09-16 07:51:27 PDT ---
(In reply to comment #0)

> I am using OpenSAML 2 to validate a digital signature. OpenSAML uses the xmlsec
> jar for validation.
> This works fine when the SAML assertion is validated as is.
> The problem happens when the signed assertion is wrapped inside a SOAP
> envelope.
> The SOAP envelope has the SOAP namespace added to it.
>
> The problem is that the xmlns declaration is added to the SignedInfo during the
> validation.
>
> The xml being validated looks like:
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>         <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
>
>
> but if I check the canonicalized signed info with
> signature.getSignedInfo().getCanonicalizedData();
> I get:
> <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
>
> The xmlns="http://www.w3.org/2000/09/xmldsig#" was added into the SignedInfo
> and this is why the reference validation is failing.
> (The signature is validated successfully, but the reference validation fails
> because the extra namespace declaration was added).
>
> How can this be solved?

This is not the reason the signature is invalid. SignedInfo validation is part
of the signature validation and not the reference validation. You need to check
the canonicalized data of the Reference(s) instead. Compare the data when you
validate it before and after you move it into the SOAP envelope. It is likely a
problem in that you are using inclusive C14N instead of exclusive C14N and a
namespace in the SOAP envelope is being included in the canonicalized Reference
and thus invalidating the digest and breaking the signature.


DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

trattnh@... changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #2 from trattnh@... 2009-09-16 10:51:33 PDT ---
Hi,
I am using exclusive canonicalization
<CanonicalizationMethod
   Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
  ....


Basically what I did is sign the assertion and then all I did was manually edit
the file by adding <soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> at the beginning of
the file and </soapenv:Envelope> at the end of the file.
If I then try to validate the signature, the signature validates but the
reference does not. When using an inclusive canonicalization the signature also
does not validate, so using the exclusive c14n does have a positive effect, but
it does not help the reference validation.

If I were to add the Envelope tag without the namespace declaration, it
validates successfully.


This is how I came to the conclusion that the reference validation problem only
occurs when adding tags with namespace declarations.


DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

sean.mullan@... changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #3 from sean.mullan@... 2009-09-16 11:01:43 PDT ---
(In reply to comment #2)

> Hi,
> I am using exclusive canonicalization
> <CanonicalizationMethod
>    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
>   ....
>
>
> Basically what I did is sign the assertion and then all I did was manually edit
> the file by adding <soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> at the beginning of
> the file and </soapenv:Envelope> at the end of the file.
> If I then try to validate the signature, the signature validates but the
> reference does not. When using an inclusive canonicalization the signature also
> does not validate, so using the exclusive c14n does have a positive effect, but
> it does not help the reference validation.
>
> If I were to add the Envelope tag without the namespace declaration, it
> validates successfully.
>
>
> This is how I came to the conclusion that the reference validation problem only
> occurs when adding tags with namespace declarations.

There is not enough information to proceed. Please attach the XML before and
after you added it to the soap envelope.

Also, get a dump of the canonicalized references in the good signature and the
bad signature and compare what is different. See:
http://weblogs.java.net/blog/mullan/archive/2006/02/more_xml_signat_1.html


DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

--- Comment #4 from trattnh@... 2009-09-16 11:29:04 PDT ---
Created an attachment (id=24279)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24279)
file with namespace soap tags - fails reference validation


DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

--- Comment #5 from trattnh@... 2009-09-16 11:30:12 PDT ---
Created an attachment (id=24280)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24280)
assertion only - passes reference validation


DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

trattnh@... changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #6 from trattnh@... 2009-09-16 11:34:02 PDT ---
I attached the XML files with and without the soap tags (which I added manually).

I will now try to set up logging in order to see what the canonicalized
references look like in each of the files.

Thanks for your quick replies,


DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

--- Comment #7 from Scott Cantor <cantor.2@...> 2009-09-16 11:42:50 PDT ---
There's almost no chance this is a bug in xmlsec. Signature issues with
OpenSAML should be raised on that mailing list, not as xmlsec bugs. The actual
approach to doing so is as Sean says, comparing digest bytes.

There are known bugs in the OpenSAML XML layer around nesting because it
overuses the InclusivePrefix mechanism. Chances are that's the problem.

I would advise closing this and raising the issue on the right list once the
digest information is obtained.


DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

--- Comment #8 from trattnh@... 2009-09-17 04:42:10 PDT ---
Hi,

I did another test without using the opensaml jar. I only used the
xmlsec-1.4.2.jar - following is the manifest:
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.0
Created-By: 1.4.2_17-b06 (Sun Microsystems Inc.)
Built-By: mullan

Name: xmlsec
Implementation-Title: Apache-XML-Security-J
Implementation-Version: 1.4.2 June 23 2008
Implementation-Vendor: Apache Software Foundation


I checked the canonicalized references in the good signature and the
bad signature and compared what is different according to the log.

In the assertion that was signed there are no namespace declarations for
soapenv (since the assertion was signed by itself - and only afterwards it was
copy pasted into the soap wrapper):


<saml:Assertion AssertionID="saml-2" ID="Assertion"
IssueInstant="2008-08-15T02:12:44.179Z" Issuer="urn:test-sts" MajorVersion="1"
MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2008-11-03T05:00:00.000Z"
NotOnOrAfter="2009-12-01T03:08:59.000Z"/>
  <saml:Advice/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">root</saml:NameID>
    </saml:Subject>
    <saml:Attribute Name="AppId">
      <saml:AttributeValue>SRM</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>



but during validation the canonicalized reference looks like this:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
AssertionID="saml-2" ID="Assertion" IssueInstant="2008-08-15T02:12:44.179Z"
Issuer="urn:test-sts" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2008-11-03T05:00:00.000Z"
NotOnOrAfter="2009-12-01T03:08:59.000Z"></saml:Conditions>
  <saml:Advice></saml:Advice>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">root</saml:NameID>
    </saml:Subject>
    <saml:Attribute Name="AppId">
      <saml:AttributeValue>SRM</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>


As you can see, the xmlns declarations for soapenv and wsse were added to the
saml:Assertion tag even though
javax.xml.crypto.dsig.CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS is being
used.
This is why the reference validation is failing.


DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

sean.mullan@... changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #9 from sean.mullan@... 2009-09-17 06:11:43 PDT ---
Actually, you are using Inclusive C14N to canonicalize your Reference. This is
the Reference in your signature:

<Reference URI="#Assertion">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue>LFkVUeisRZJTnIwrlZ7pMxp/oeM=</DigestValue>
</Reference>

If a Reference that produces a node-set does not specify a canonicalization
algorithm as the last transform, then inclusive C14n is implicitly used. See
section 4.3.3.2 of http://www.w3.org/TR/xmldsig-core/:

"If the data object is a node-set and the next transform requires octets, the
signature application MUST attempt to convert the node-set to an octet stream
using Canonical XML [XML-C14N]."

The CanonicalizationMethod specified in the SignedInfo element does not apply
to the References, it only applies to the SignedInfo element.

To fix this, you need to add an explicit exclusive C14N transform after the
enveloped transform, ex:

<Reference URI="#Assertion">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue>LFkVUeisRZJTnIwrlZ7pMxp/oeM=</DigestValue>
</Reference>

You may want to check with Scott or the SAML forums as to the best practices
when signing SAML assertions.

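The two points Sean makes in this thread, that the SignatureValue check covers SignedInfo and its CanonicalizationMethod while each Reference is digested after its own transform chain (comment #1), and that a node-set Reference whose last transform is not a canonicalization falls back to inclusive C14N so that namespace declarations inherited from a wrapping envelope change the digest (comment #9), can be reproduced end to end. The following is an added example and not code from this bug report, from the reporter, or from the xmlsec project. It uses only the JDK's javax.xml.crypto.dsig (JSR 105) API, which xmlsec 1.4.2 also implements; the saml:Assertion it signs is a constructed minimal stand-in for the attached files, the class and method names are hypothetical, and the SOAP/wsse namespace URIs are the ones quoted in comment #8. It also performs the diagnostic Sean asks for in comment #3: with the javax.xml.crypto.dsig.cacheReference property set, Reference.getDigestInputStream() yields the canonicalized bytes that were digested, so the good and bad cases can be compared directly.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added example (not from the bug report or xmlsec): reproduces the Reference
// digest failure from this thread and the explicit exc-c14n fix from comment #9.
public class ReferenceC14nDemo {
    static final String XMLNS = "http://www.w3.org/2000/xmlns/";
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    static Document newDocument() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().newDocument();
    }

    // Signs a constructed (hypothetical) saml:Assertion with an enveloped signature.
    // explicitExcC14n=false reproduces the bug report: the Reference carries only the
    // enveloped transform, so inclusive C14N is applied implicitly to the node-set.
    static Document signAssertion(KeyPair kp, boolean explicitExcC14n) throws Exception {
        Document doc = newDocument();
        Element assertion = doc.createElementNS(SAML_NS, "saml:Assertion");
        assertion.setAttributeNS(XMLNS, "xmlns:saml", SAML_NS);
        assertion.setAttributeNS(null, "ID", "Assertion");
        assertion.appendChild(doc.createElementNS(SAML_NS, "saml:Advice"));
        doc.appendChild(assertion);

        Transform enveloped = FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
        Transform excC14n = FAC.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null);
        // The fix from comment #9: exc-c14n as the last transform of the Reference.
        List<Transform> transforms = explicitExcC14n
            ? Arrays.asList(enveloped, excC14n) : Collections.singletonList(enveloped);
        Reference ref = FAC.newReference("#Assertion",
            FAC.newDigestMethod(DigestMethod.SHA256, null), transforms, null, null);
        // This CanonicalizationMethod governs SignedInfo only, never the References.
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        DOMSignContext sctx = new DOMSignContext(kp.getPrivate(), assertion);
        sctx.setIdAttributeNS(assertion, null, "ID");  // lets URI="#Assertion" resolve
        FAC.newXMLSignature(si, null).sign(sctx);
        return doc;
    }

    // Copies the signed assertion into a soapenv:Envelope that also declares
    // xmlns:wsse, mimicking the manual wrapping described in the bug report.
    static Document wrapInEnvelope(Document signed) throws Exception {
        Document env = newDocument();
        Element envelope = env.createElementNS(SOAP_NS, "soapenv:Envelope");
        envelope.setAttributeNS(XMLNS, "xmlns:soapenv", SOAP_NS);
        envelope.setAttributeNS(XMLNS, "xmlns:wsse", WSSE_NS);
        env.appendChild(envelope);
        envelope.appendChild(env.importNode(signed.getDocumentElement(), true));
        return env;
    }

    // Validates and reports separately: the SignatureValue check (which covers
    // SignedInfo), each Reference digest, and the canonicalized bytes that were digested.
    static boolean validateAndReport(Document doc, KeyPair kp, String label) throws Exception {
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        Element assertion = (Element) doc.getElementsByTagNameNS(SAML_NS, "Assertion").item(0);
        DOMValidateContext ctx = new DOMValidateContext(kp.getPublic(), sigEl);
        ctx.setIdAttributeNS(assertion, null, "ID");
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); // keep digest input
        XMLSignature sig = FAC.unmarshalXMLSignature(ctx);
        boolean overall = sig.validate(ctx);
        System.out.println(label + ": overall=" + overall
            + " signatureValue=" + sig.getSignatureValue().validate(ctx));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            System.out.println("  reference " + r.getURI() + " valid=" + r.validate(ctx));
            System.out.println("  digest input starts: " + head(r.getDigestInputStream()));
        }
        return overall;
    }

    // First 200 characters of the canonicalized Reference, enough to see the start tag.
    static String head(InputStream in) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
        String s = out.toString("UTF-8");
        return s.substring(0, Math.min(s.length(), 200));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        for (boolean exc : new boolean[] {false, true}) {
            String mode = exc ? "explicit exc-c14n" : "implicit inclusive c14n";
            Document signed = signAssertion(kp, exc);
            validateAndReport(signed, kp, mode + ", standalone");
            validateAndReport(wrapInEnvelope(signed), kp, mode + ", wrapped");
        }
    }
}
```

With the implicit inclusive chain, the standalone copy validates but the wrapped copy reports signatureValue=true and reference valid=false, and the dumped digest input shows the saml:Assertion start tag carrying xmlns:soapenv and xmlns:wsse, exactly the difference seen in comment #8. With the explicit exclusive transform both copies validate, because exclusive C14N emits only the namespace declarations the subtree visibly uses. The same getDigestInputStream() dump is the way to diagnose any reference failure against a file you did not sign yourself: compare its bytes with the canonical form produced at signing time before suspecting the library.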

DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace

by Bugzilla from bugzilla@apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

--- Comment #10 from trattnh@... 2009-09-17 07:39:38 PDT ---
Hi,
That was the problem.

Thanks for your prompt support.
