
Enveloped signature xpath #38

Closed

Conversation


@rkaw92 rkaw92 commented Dec 18, 2019

This change prevents eating up nested Signature nodes when doing double signing: one for a node inside the document, and another signature that encapsulates the document with the signed node. This is a common scenario for SAML 2.0, where the Assertion is signed first, and then the containing root node is also signed.

Fixes #37

…tures

This change fixes a case where an overly-general XPath expression would
find all instances of ds:Signature nodes wherever they appeared,
which would make nested signing impossible.

Nested signing, where some node inside the document is signed, and then
the entire document also gets a signature which includes the node's
signature, is commonly used with SAML, where the Assertion is signed
first, and then the Response (root node) that contains the Assertion
must also be signed.

This bug was causing the contained Signature to be stripped, resulting in
invalid digest values.
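To make the failure mode concrete, here is an added example (not code from xmldsigjs or from this PR) that models the two behaviours on a tiny element tree: the overly general "strip every ds:Signature under the node" versus the XMLDSIG enveloped transform, which removes only the Signature element that contains the Transform being processed. The element-tree shape, helper names and the SAML-like sample document are all constructed for this illustration.

```javascript
// Minimal element tree so the example runs offline without an XML DOM library.
function el(name, ...children) {
  return { name, children };
}

// Constructed sample: a SAML Response whose Assertion was signed first, then the
// Response itself was signed (the nested-signing scenario described in the PR).
function buildSample() {
  const assertionSig = el('ds:Signature', el('ds:SignedInfo'), el('ds:SignatureValue'));
  const responseSig = el('ds:Signature', el('ds:SignedInfo'), el('ds:SignatureValue'));
  const doc = el('saml2p:Response',
    responseSig,
    el('saml2:Assertion', assertionSig, el('saml2:Subject')));
  return { doc, responseSig, assertionSig };
}

// The overly general behaviour this PR fixes: every ds:Signature found anywhere
// under the node being canonicalized is dropped, including the Assertion's own.
// The signer's digest covered the Assertion's Signature, so the verifier's
// digest over this stripped tree will not match.
function stripAllSignatures(node) {
  return el(node.name,
    ...node.children.filter(c => c.name !== 'ds:Signature').map(stripAllSignatures));
}

// XMLDSIG enveloped-signature transform: remove only the Signature element that
// contains the ds:Transform being processed (the one currently being verified),
// identified by node identity rather than by element name.
function envelopedTransform(node, signature) {
  return el(node.name,
    ...node.children.filter(c => c !== signature)
      .map(c => envelopedTransform(c, signature)));
}

// Compact serialization used to compare the resulting trees.
function serialize(node) {
  return node.children.length
    ? `${node.name}(${node.children.map(serialize).join(',')})`
    : node.name;
}

// Number of ds:Signature elements that survive a transform.
function countSignatures(node) {
  const own = node.name === 'ds:Signature' ? 1 : 0;
  return own + node.children.reduce((n, c) => n + countSignatures(c), 0);
}
```

Verifying the Response signature with `envelopedTransform(doc, responseSig)` keeps the Assertion's Signature in the canonicalized tree, while `stripAllSignatures(doc)` loses it and therefore yields a digest the signer never computed.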
@microshine
Collaborator

@rkaw92 Thank you for your PR. I published a new version of xmldsig. It fixes that problem.

@microshine microshine closed this Dec 19, 2019
Successfully merging this pull request may close these issues.

"enveloped" canonicalization removes nested Signatures