Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

duplicate reference in signature #165

Closed
Wi150nZ opened this issue Nov 21, 2018 · 11 comments
Closed

duplicate reference in signature #165

Wi150nZ opened this issue Nov 21, 2018 · 11 comments

Comments

@Wi150nZ
Copy link

Wi150nZ commented Nov 21, 2018
edited
Loading

I'm getting a weird bug where the reference tag is duplicated whenever my frontend calls the backend to generate a SAML assertion. It occasionally happens and breaks signature verification regardless if I trim the excess reference nodes . Can anyone point me in the right direction on how to resolve this?
Thanks.

Here is the code snippet that I have performing the xml signature. Let me know if I need to post more information.

function signAssertion(assertion) {
  signer.addReference("//*[local-name(.)='Assertion']", ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#'], 'http://www.w3.org/2001/04/xmlenc#sha256')
  signer.signingKey = fs.readFileSync('./idp_priv.pem')
  signer.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
  signer.keyInfoProvider = new KeyProvider()
  signer.computeSignature(assertion, {
    location: {
      reference: '/saml:Assertion/saml:Issuer',
      action: 'after'
    }
  })
  return signer.getSignedXml()
}
@Wi150nZ
Copy link
Author

Wi150nZ commented Dec 20, 2018

UPDATE: turns out that the duplicated reference tags do not affect the SAML response whenever I send it out, but it occasionally duplicates too much to a point that it returns a 400 error (for being too long)

@LoneRifle
Copy link
Collaborator

occasionally duplicates too much to a point that it returns a 400 error (for being too long)

Thanks for the details. Could you clarify the circumstances that lead to that (eg, are you calling signAssertion multiple times, or is a single call of that function resulting in multiple references)? Can you also produce the payload that shows the duplicated reference tag, and just for clarity, what you expect instead?

@Wi150nZ
Copy link
Author

Wi150nZ commented Dec 28, 2018
edited
Loading

Hi, sorry for the late reply. Here is an example payload that I am getting from my endpoint that is generating the SAML assertion. Here a snippet of a SAML assertion that throws an error on the service provider

<SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
            </SignedInfo>

What intrigues me is that the signing function that I have is only called once and this issue happens randomly (sometimes there's 5, sometimes there's only 1 and sometimes its this).

@LoneRifle
Copy link
Collaborator

LoneRifle commented Dec 30, 2018
edited
Loading

Thanks for this. It is going to take me a while to try to reproduce this given time issues on my end, but I'll try to look into it. In the meantime, let me know if you have a small self-contained test case that reproduces this issue so that it's easier for me to debug.

If you are also able to provide me the xml document that you were attempting to sign, that would be useful too. As a possible hint, the xpath you added as part of your reference will match all nodes whose local name is Assertion; the number of references you have in your payload will hencematch the number of matched <Assertion> nodes

@LoneRifle
Copy link
Collaborator

LoneRifle commented Dec 31, 2018
edited
Loading

Inspection of section 5.4 of the core SAML spec suggests that there should only be one <Reference> element present per referenced node. As noted earlier, it is likely that the xpath that you have specified returns more than one node, and xml-crypto is (incorrectly) generating a corresponding reference for each of them.

I am currently in favour of throwing an error if the xpath query returns more than one element, as I feel that the caller may not always expect the first element from the query to be the desired reference. This also encourages the caller to provide a more specific xpath, a good practice in keeping compliance with the spec.

Wdyt?

@Wi150nZ
Copy link
Author

Wi150nZ commented Dec 31, 2018

That sounds good! It kind of explains why the reference tag is returned multiple times, but it doesn't make any sense that the xpath in this case is finding multiple saml:Assertion tags as there is only one. Here is the syntax that I am currently using for the xpath..

"//*[local-name(.)='Assertion' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:assertion']"

@LoneRifle
Copy link
Collaborator

LoneRifle commented Dec 31, 2018
edited
Loading

Doesn't // match no matter where in the document it is? Without seeing a sample payload I cannot verify if indeed your xpath should only return one element.

@Wi150nZ
Copy link
Author

Wi150nZ commented Dec 31, 2018
edited
Loading

here's a sample payload that needs to be signed:

<samlp:Response 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    ID="_f2b448d0e442839c7707" 
    Version="2.0" 
    IssueInstant="2018-12-31T17:37:10.827Z" 
    Destination="abc123">
    <saml:Issuer 
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">abc123
    </saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion 
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
        Version="2.0" 
        ID="_750d269f4efd02caab53" 
        IssueInstant="2018-12-31T17:37:10.827Z">
        <saml:Issuer>abc123</saml:Issuer>
        <saml:Subject>
            <saml:NameID 
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">abc123
            </saml:NameID>
            <saml:SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData 
                    NotOnOrAfter="2018-12-31T18:37:10.827Z" 
                    Recipient="abc123/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions 
            NotBefore="2018-12-31T17:37:10.827Z" 
            NotOnOrAfter="2018-12-31T18:37:10.827Z">
            <saml:AudienceRestriction>
                <saml:Audience>abc123</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement 
            AuthnInstant="2018-12-31T17:37:10.827Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement 
            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <saml:Attribute 
                Name="customerId" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">abc123
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="vin" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">sample_vin
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="make" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">Honda
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="firstName" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">Honda
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="lastName" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">Tester17
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="emailAddress" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">sample_email
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="displayLanguage" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">en-US
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="vehicleDestinationCountry" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">US
                </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

@LoneRifle
Copy link
Collaborator

LoneRifle commented Jan 1, 2019
edited
Loading

Thanks for the information. Given the duplicate URI attributes in the <Reference> elements, there is likely a problem with xpath.js, on which this library is dependent on. I could de-dupe the elements but will have to key on something sane; I'm not sure if xpath-and-id will suffice since xpaths can be wildcard and the identifiers may not be sufficiently unique.

I could also switch from xpath.js to xpath, a better-maintained fork of the library. I'll then cut a minor release of xml-crypto and see how far you go with that, but that's far more involved and would take me some time to get out of the way.

@Wi150nZ
Copy link
Author

Wi150nZ commented Jan 1, 2019
edited
Loading

Converting to the xpath library would be a good idea. For the meantime, I can sandbox test the new xpath library with my sample payload. Thanks for the help and happy New Year! 🎉

LoneRifle added a commit that referenced this issue Jan 1, 2019
@LoneRifle
Replace xpath.js with xpath
1027f79 
xpath.js was forked and has since been more actively maintained
than the original, so switch to using that instead

This commit seeks to resolve the issues found in #165 by
using the abovementioned package to avoid a possible bug
with xpath.js. See #165 for further information
@LoneRifle
Copy link
Collaborator

LoneRifle commented Jan 1, 2019
edited
Loading

1.1.1 of xml-crypto has been published, see if this addresses your problems

@Wi150nZ Wi150nZ closed this as completed Jan 11, 2019
@tenjaa tenjaa mentioned this issue Oct 20, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Wi150nZ @LoneRifle