Nokogiri XML canonicalization (c14n) output looks funky

Time: 2014-07-14 18:35:53

Tags: ruby-on-rails xml nokogiri saml saml-2.0

I'm trying to use Nokogiri's XML canonicalization method, but the result it produces looks bad. You'll notice that attributes in the output are repeated. (Note: I added the line breaks so it isn't all on one line.)


<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost:4443/saml/consume" ID="oAZFJBqCw6ChQr.iRwKL92NHO5z" IssueInstant="2014-07-14T16:58:27.842Z" Version="2.0">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#oAZFJBqCw6ChQr.iRwKL92NHO5z" URI="#oAZFJBqCw6ChQr.iRwKL92NHO5z">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>lz5ELiJcFkWVaJ48H7aCvXHgi5c=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>

Here is the Ruby code, which comes straight from the popular ruby-saml gem:

# Locate the element the ds:Reference URI points at (URI is "#<ID>", uri[1..-1] drops the "#")
hashed_element       = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
# canon_algorithm (a helper defined elsewhere in the gem) selects the C14N mode from the
# ds:CanonicalizationMethod Algorithm attribute
canon_algorithm      = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
# Nokogiri::XML::Node#canonicalize(mode, inclusive_namespaces)
canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
Rails.logger.debug("#{canon_hashed_element}")  # the output you see above

First, I can't work out what inclusive_namespaces means. It isn't explained in the Nokogiri docs, but I think it's optional. In my code it's defined as an empty array. canon_algorithm is set to "1", i.e. SHA-1. That seems right.


Here is the original SAML response I'm trying to canonicalize. I've stripped out all the sensitive data.

<samlp:Response Destination="https://localhost/saml/consume"
            IssueInstant="2014-07-14T18:28:06.285Z"
            ID="pcirkjej83Wugs3RrC0O2-ucb_c"
            Version="2.0"
            xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            >
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">efs.disney.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#pcirkjej83Wugs3RrC0O2-ucb_c">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>DIGESTVALUEWOULDBEHERE</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SIGNATUREVALUEWOULDBEHERE</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>SIGNINGCERTWOULDBEHERE</ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
            <ds:RSAKeyValue>
                <ds:Modulus>RSAKEYVALUEWOULDBEHERE</ds:Modulus>
                <ds:Exponent>QWER</ds:Exponent>
            </ds:RSAKeyValue>
        </ds:KeyValue>
    </ds:KeyInfo>
</ds:Signature>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion Version="2.0"
                IssueInstant="2014-07-14T18:28:06.296Z"
                ID="sF3NhJVZuYZwKqvjeHBvefNJ_T7"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                >
    <saml:Issuer>efs.disney.com</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Richard.Goldman@disney.com</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2014-07-14T18:33:06.296Z"
                                          Recipient="https://localhost/saml/consume"
                                          />
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2014-07-14T18:33:06.296Z"
                     NotBefore="2014-07-14T18:23:06.296Z"
                     >
        <saml:AudienceRestriction>
            <saml:Audience>lumiere-dev</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-07-14T18:28:06.296Z"
                         SessionIndex="sF3NhJVZuYZwKqvjeHBvefNJ_T8"
                         >
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                        Name="email"
                        >
            <saml:AttributeValue xsi:type="xs:string"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 >john.doe@test.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                        Name="last_name"
                        >
            <saml:AttributeValue xsi:type="xs:string"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 >Doe</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>


If anyone knows why canonicalization isn't working as expected, please let me know. Many thanks...

1 Answer:

Answer 0 (score: 0)

The answer is that Nokogiri canonicalization is broken in <= 1.6.1. The fix is to upgrade to 1.6.2.

More info here: https://github.com/onelogin/ruby-saml/issues/77
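For readers who want to see what the snippet in the question is actually computing, here is an added example (my code, not part of the question, the answer, ruby-saml or Nokogiri). It sketches the XML-DSig reference check the gem performs: the enveloped-signature transform (drop ds:Signature), Exclusive C14N of the element the Reference URI names, SHA-1 and base64 of the result, compared against DigestValue. To stay runnable without native gems it implements Exclusive C14N 1.0 over Ruby's bundled REXML for just the node kinds the SAML sample above contains; it is an illustration of the algorithm, not a replacement for libxml2/Nokogiri, and a production verifier should use a maintained library (Nokogiri 1.6.2 or later, per the answer). The second argument, `inclusive`, is what ruby-saml passes as `inclusive_namespaces`: the InclusiveNamespaces PrefixList of Exclusive C14N (in Nokogiri, the second parameter of `Node#canonicalize`, with the mode selected by constants such as `Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0`). The function names, the `SAMPLE` response and every value in it are constructed for this example; the SHA-1 digest method is assumed because that is the DigestMethod on this page. Two practical points the code encodes: the duplicated attributes in the question change the canonical bytes, so the digest comparison fails closed rather than opening a bypass; and the referenced element is located by comparing the literal ID instead of interpolating it into an XPath string, and the verified element itself is what the caller should consume afterwards.

```ruby
require 'rexml/document'   # bundled with Ruby; no Nokogiri needed for this sketch
require 'digest'

DSIG = 'http://www.w3.org/2000/09/xmldsig#'

def c14n_attr(v)   # attribute value escaping per C14N: & < " TAB LF CR
  v.gsub('&', '&amp;').gsub('<', '&lt;').gsub('"', '&quot;')
   .gsub("\t", '&#x9;').gsub("\n", '&#xA;').gsub("\r", '&#xD;')
end

def c14n_text(v)   # text node escaping per C14N: & < > CR
  v.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub("\r", '&#xD;')
end

def qname(n)
  n.prefix.empty? ? n.name : "#{n.prefix}:#{n.name}"
end

# Exclusive XML Canonicalization 1.0 without comments, for elements, attributes,
# namespace declarations and text only (no comments, PIs, DOCTYPE, xml:* inheritance).
# `inclusive` is the InclusiveNamespaces PrefixList (ruby-saml's inclusive_namespaces):
# listed prefixes are emitted whenever in scope, as inclusive C14N would, not only when
# visibly utilized. `rendered` maps prefixes already emitted by an output ancestor to URIs.
def exc_c14n(node, inclusive = [], rendered = {})
  return c14n_text(node.value) if node.is_a?(REXML::Text)
  return '' unless node.is_a?(REXML::Element)             # comments, PIs are dropped
  out = +"<#{qname(node)}"
  used = [node.prefix] + inclusive.select { |p| node.namespace(p) }
  attrs = []
  node.attributes.each_attribute do |a|
    next if a.prefix == 'xmlns' || (a.prefix.empty? && a.name == 'xmlns')   # xmlns decls: below
    used << a.prefix unless a.prefix.empty?
    uri = a.prefix.empty? ? '' : (node.namespace(a.prefix) || '')
    attrs << [uri, a.name, " #{qname(a)}=\"#{c14n_attr(a.value)}\""]        # sort key: URI, local name
  end
  scope = rendered.dup
  decls = []
  used.uniq.each do |p|
    uri = node.namespace(p) || ''                                # p == '' is the default namespace
    next if scope[p] == uri || (uri.empty? && !scope.key?(p))   # already emitted / never declared
    scope[p] = uri
    decls << [p, p.empty? ? " xmlns=\"#{c14n_attr(uri)}\"" : " xmlns:#{p}=\"#{c14n_attr(uri)}\""]
  end
  out << decls.sort.map(&:last).join << attrs.sort.map(&:last).join << '>'
  node.each_child { |c| out << exc_c14n(c, inclusive, scope) }
  out << "</#{qname(node)}>"
end

# The Reference check behind the question's snippet: drop the enveloped ds:Signature,
# canonicalize the element named by the Reference URI, SHA-1 it (the DigestMethod on this
# page, assumed here) and base64 it. Returns [digest claimed in the document, recomputed
# digest]; a verifier compares them and fails closed. The target is found by comparing the
# literal ID (no XPath string interpolation) and is the element the caller must consume.
def reference_digests(xml, inclusive = [])
  doc = REXML::Document.new(xml)
  sig = REXML::XPath.first(doc, '//ds:Signature', 'ds' => DSIG)
  ref = REXML::XPath.first(sig, './/ds:Reference', 'ds' => DSIG)
  claimed = REXML::XPath.first(ref, './/ds:DigestValue', 'ds' => DSIG).text.strip
  id = ref.attributes['URI'].delete_prefix('#')
  sig.remove                                               # enveloped-signature transform
  target = REXML::XPath.match(doc, '//*').find { |e| e.attributes['ID'] == id }
  [claimed, [Digest::SHA1.digest(exc_c14n(target, inclusive))].pack('m0')]   # m0 = strict base64
end

# Constructed sample with the shape of the response in the question (all values invented).
SAMPLE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp.example</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:Reference URI="#_r1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>DIGEST</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIG</ds:SignatureValue>
    </ds:Signature>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
      <saml:Subject><saml:NameID>john.doe@test.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Stand-in for the IdP: fill in DigestValue. Because of the enveloped transform,
# nothing inside ds:Signature changes the digest of the referenced element.
def with_digest(xml)
  xml.sub('>DIGEST<', ">#{reference_digests(xml).last}<")
end

# Symptom check for the output in the question: no start tag may carry the same
# attribute name twice (a regex heuristic; attribute values containing '>' would confuse it).
def duplicate_attributes?(canonical)
  canonical.scan(%r{<[^/!?][^>]*>}).any? do |tag|
    names = tag.scan(/ ([\w:.-]+)="/).flatten
    names.size != names.uniq.size
  end
end
```

Typical use: `signed = with_digest(SAMPLE)` produces a document whose DigestValue matches, `reference_digests(signed)` returns two equal strings, and editing anything inside the referenced element (for instance the NameID) makes them differ, which is the condition a verifier must treat as a failure. Passing `['b']` as `inclusive` to `exc_c14n` on an element that declares `xmlns:b` but never uses it shows the one thing `inclusive_namespaces` does: the unused declaration is kept in the canonical form, whereas plain exclusive C14N drops it.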