uri #_0 calculated digest is moCQ41at0XjsFFrVASWUSU1TcFc= but the xml is different
[ 'invalid signature: for uri #_0 calculated digest is moCQ41at0XjsFFrVASWUSU1TcFc= but the xml to validate supplies digest ZxGe79sKWbYVUMCvmOTZl0lWOzc=' ]
I'm having this same issue.
I do not have this issue with a library using xml-crypto 0.8.1. For some reason, the current version of xml-crypto is dropping samlp from the inclusive namespaces. Transforms from my saml request:
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/>
</Transform>
</Transforms>
canonXml from xml-crypto 0.8.1:
<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="samlr-c11a8ca2-bcbe-11e6-a76d-6003089a9766" IssueInstant="2016-12-07T20:50:15Z" Version="2.0">
<saml:Issuer>REDACTED</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">REDACTED</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="" NotOnOrAfter="2017-02-15T07:30:15Z" Recipient="REDACTED">
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2016-09-29T10:10:15Z" NotOnOrAfter="2017-02-15T07:30:15Z">
<saml:AudienceRestriction>
<saml:Audience>example.org</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-12-07T20:50:15Z" SessionIndex="samlr-c11a8ca2-bcbe-11e6-a76d-6003089a9766">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="uid">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">REDACTED</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
canonXml from xml-crypto 0.8.4:
<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-c11a8ca2-bcbe-11e6-a76d-6003089a9766" IssueInstant="2016-12-07T20:50:15Z" Version="2.0">
<saml:Issuer>REDACTED</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">REDACTED</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="" NotOnOrAfter="2017-02-15T07:30:15Z" Recipient="REDACTED">
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2016-09-29T10:10:15Z" NotOnOrAfter="2017-02-15T07:30:15Z">
<saml:AudienceRestriction>
<saml:Audience>example.org</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-12-07T20:50:15Z" SessionIndex="samlr-c11a8ca2-bcbe-11e6-a76d-6003089a9766">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="uid">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">REDACTED</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
samlp is not being added in the latest version, and it is causing a mismatch between the SAML assertion's DigestValue and the calculated one.
@tjgragg, since you've found the issue, can you bisect the commits and find exactly what needs to be changed to get this working again, and then create a PR with a test suite so that this doesn't break again?