Which is the proper XML exclusive canonicalization?


Question

I'm using xmlseclibs to try and sign a SOAP document, but it does not seem to canonicalize things in the same way depending on whether I'm signing or validating.

I'll give you an example. This is the XML I am trying to sign:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" IssueInstant="2010-02-04T15:27:43Z" ResponseID="pfxe85313e6-e688-299a-df06-30f55e24f65a">
<samlp:Status>
<samlp:StatusCode Value="samlp:Requester"/>
</samlp:Status>
</samlp:Response>
</soapenv:Body>
</soapenv:Envelope>

I got some code working in PHP to sign it using a combination of public key and private key certificates, and it seemed to work. It added the <ds:Signature> element with all the proper stuff, and it looked great. But then I tested it by immediately trying to validate it after signing it, again with xmlseclibs (and the public key certificate), but the validation failed. So the exact same code library is doing both the signing and validating, but the two processes don't agree for some reason.

I added some debugging code to xmlseclibs to find out what it's doing, and I realized that the reason the signing key it comes up with and the validation key it comes up with are different is that it canonicalizes things differently in the two situations. When I tell it to sign the <samlp:Response> element, this is the canonical form it signs (I've added newlines here for readability):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2010-02-04T15:27:43Z" MajorVersion="1" MinorVersion="1" ResponseID="pfxe85313e6-e688-299a-df06-30f55e24f65a" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<samlp:Status>
<samlp:StatusCode Value="samlp:Requester">
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>

However when it goes to validate the signature, this is the canonical form it computes to validate against (again, I've added newlines here):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2010-02-04T15:27:43Z" MajorVersion="1" MinorVersion="1" ResponseID="pfxe85313e6-e688-299a-df06-30f55e24f65a">
<samlp:Status>
<samlp:StatusCode Value="samlp:Requester">
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>

So as you can see, this version omits the xmlns:saml attribute from the <samlp:Response> element, while the first does not. (Note that this is different from the xmlns:samlp attribute, which is included in both.) This seems pretty clearly like a bug in xmlseclibs, but nonetheless it's one I'd be happy to fix myself if I just knew which canonical form was the correct one. Should that attribute be omitted by exclusive canonicalization? Or should it be included? Which one is the correct exclusive canonical form?

Answer

You are creating the DOM document improperly and trying to use the invalid in-memory tree. Either serialize and use the serialized result or properly create the namespace declarations in the tree before trying to sign. See the bug report for more information: http://code.google.com/p/xmlseclibs/issues/detail?id=6
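As an added example (not from the question, the answer, or the xmlseclibs project), here is a small Python script that applies the namespace rule of Exclusive XML Canonicalization to the document from the question. Exclusive C14N renders on an element only the namespace declarations for prefixes that element "visibly utilizes" (its own prefix and the prefixes of its attributes), plus any prefixes listed in an InclusiveNamespaces PrefixList, and only if the nearest output ancestor has not already rendered the same declaration. The script is a deliberately reduced canonicalizer: it assumes a subtree of elements, attributes and text only, ignores comments and processing instructions, and the constructed input is the question's XML with the indentation removed so that no whitespace-only text nodes appear. The function names (`canonicalize`, `canonical_response`, `visibly_utilized`, `in_scope_namespaces`) are this example's own.

```python
"""Added example: which namespace declarations exclusive C14N keeps.

Reduced Exclusive XML Canonicalization for a subtree of elements, attributes
and text. Comments and processing instructions are not handled; the point is
the namespace-declaration rule, which is what the question is about.
"""
import xml.dom.minidom as minidom

XMLNS_URI = "http://www.w3.org/2000/xmlns/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"

# Constructed input: the document from the question with the indentation
# removed, so no whitespace-only text nodes sit between the elements.
SAMPLE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Header/><soapenv:Body>"
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' MajorVersion="1" MinorVersion="1" IssueInstant="2010-02-04T15:27:43Z"'
    ' ResponseID="pfxe85313e6-e688-299a-df06-30f55e24f65a">'
    '<samlp:Status><samlp:StatusCode Value="samlp:Requester"/></samlp:Status>'
    "</samlp:Response></soapenv:Body></soapenv:Envelope>"
)


def _escape_text(s):
    # C14N text escaping: &, <, > and carriage return.
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\r", "&#xD;")


def _escape_attr(s):
    # C14N attribute-value escaping: &, <, ", tab, newline, carriage return.
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
            .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def in_scope_namespaces(elem):
    """prefix -> URI for every xmlns declaration in scope at elem (nearest wins)."""
    chain = []
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for node in reversed(chain):  # root first, so inner declarations override outer ones
        for attr in node.attributes.values():
            if attr.namespaceURI == XMLNS_URI:
                scope["" if attr.name == "xmlns" else attr.localName] = attr.value
    return scope


def visibly_utilized(elem):
    """The prefixes exclusive C14N renders on elem: its own and its attributes'."""
    prefixes = {elem.prefix or ""}
    for attr in elem.attributes.values():
        if attr.namespaceURI != XMLNS_URI and attr.prefix:
            prefixes.add(attr.prefix)
    return prefixes


def canonicalize(elem, exclusive=True, inclusive_prefixes=(), _rendered=None):
    """Serialize elem. exclusive=True follows the exc-c14n namespace rule;
    exclusive=False emits every in-scope namespace, as inclusive C14N does."""
    rendered = dict(_rendered or {})  # prefix -> URI already emitted by an output ancestor
    scope = in_scope_namespaces(elem)
    wanted = set(scope) if not exclusive else visibly_utilized(elem) | set(inclusive_prefixes)
    out = ["<", elem.tagName]
    for prefix in sorted(p for p in wanted if p in scope):  # namespace nodes sort by prefix
        uri = scope[prefix]
        if rendered.get(prefix, "") == uri:
            continue  # same declaration already in the output; do not repeat it
        rendered[prefix] = uri
        out.append(' xmlns="%s"' % _escape_attr(uri) if prefix == ""
                   else ' xmlns:%s="%s"' % (prefix, _escape_attr(uri)))
    attrs = [a for a in elem.attributes.values() if a.namespaceURI != XMLNS_URI]
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _escape_attr(a.value)))
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(canonicalize(child, exclusive, inclusive_prefixes, rendered))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_escape_text(child.data))
    out.append("</%s>" % elem.tagName)  # C14N always writes an explicit end tag
    return "".join(out)


def canonical_response(xml_text, exclusive=True, inclusive_prefixes=()):
    """Canonicalize the <samlp:Response> subtree, as a signature Reference over it would."""
    doc = minidom.parseString(xml_text)
    response = doc.getElementsByTagNameNS(SAMLP_NS, "Response")[0]
    return canonicalize(response, exclusive=exclusive, inclusive_prefixes=inclusive_prefixes)


if __name__ == "__main__":
    print("exclusive:     ", canonical_response(SAMPLE))
    print("inclusive:     ", canonical_response(SAMPLE, exclusive=False))
    print("exc + PrefixList saml:", canonical_response(SAMPLE, inclusive_prefixes=("saml",)))
```

Run stand-alone, the exclusive output is the second form shown in the question: `xmlns:samlp` is kept because the element itself uses that prefix, while `xmlns:saml` is dropped because nothing inside `<samlp:Response>` uses the `saml` prefix. The inclusive variant keeps every in-scope declaration (including `soapenv`), and an InclusiveNamespaces PrefixList naming `saml` brings that one declaration back. A signer and a verifier only agree when both run the same algorithm with the same PrefixList over the same tree, which is why a namespace declaration present in one run and absent in the other makes the digest differ and verification fail.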
