Every signature against every tag #7

Open
philiprbrenan opened this issue Nov 22, 2020 · 2 comments
Labels
enhancement New feature or request

Comments

@philiprbrenan

An XML document might contain multiple signatures which might have been used to sign just sub documents within the entire document.

To avoid any possibility of doubt when using XML::Sig, please consider using each signature presented to check each sub document (the xml between an opening tag and its corresponding closing tag) and returning a hash which shows which signatures succeeded against which sub documents?

Such an arrangement would automatically validate SAML documents in which only the assertion was signed without further user action.

@timlegge timlegge self-assigned this Nov 22, 2020
@timlegge timlegge added the enhancement New feature or request label Nov 22, 2020
@timlegge timlegge added this to the v0.29-TRIAL milestone Nov 22, 2020
@timlegge timlegge modified the milestones: v0.29-TRIAL, v0.31-TRIAL Nov 29, 2020
@timlegge

Hi

The current https://github.com/perl-net-saml2/perl-XML-Sig/tree/validation-issues that fixes many issues in XML::Sig will iterate through all signatures found in the document and validate them against the proper part of the XML document that has been signed by that signature.

If I am understanding you correctly you would like to see a verify return a hash containing each signature's Reference URI and a status of that signature check. I assume it would also be useful to specify whether a failed check was due to the Digest of the signed XML or the signature of the SignedInfo.

That sounds useful, maybe not as the main verify function, but I am unsure when I will get to it. Based on the recent changes due to #5 I need to do some additional review and changes first.

Tim

@timlegge

timlegge commented Dec 7, 2020

I re-read your initial issue. To clarify, signatures are only applicable to specific XML nodes "sub documents". A signature is required to have a Reference node with a URI attribute. That URI attribute is used to find the XML node with the same ID attribute. There is no reason to check it against all nodes.

The current version of XML::Sig will validate each Signature in the document against the respective Node that it is associated with (where URI = ID).

I think the best approach is to create a hash of the reference URI that is being checked and its status in a normal verify like $self->refs-checked and then allow the calling program to call XML::Sig->get_reference_status().

The only issue here is that XML::Sig currently returns a failure code on the first signature or digest to fail.

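An added example, not XML::Sig's own code, of the per-Reference status hash Tim describes, written in Perl with XML::LibXML: every ds:Signature's Reference URI is resolved to the element whose ID attribute matches, that element is canonicalised with the enveloped Signature detached, and its digest is compared with DigestValue, so a failure is reported per URI and as a digest failure specifically (the SignedInfo signature itself is not verified here). The function name and the sample document are assumptions of this example.

```perl
# Added example, not XML::Sig's own code: per-Reference digest status for every
# ds:Signature in a document (SignedInfo signature verification is not done here).
use strict; use warnings; use XML::LibXML;
use Digest::SHA qw(sha1 sha256); use MIME::Base64 qw(encode_base64);
my $DS = 'http://www.w3.org/2000/09/xmldsig#';
sub reference_digest_status {            # hypothetical name; returns { URI => status }
    my ($xml) = @_;
    my $doc = XML::LibXML->load_xml(string => $xml);
    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs(ds => $DS);
    my %status;
    for my $sig ($xpc->findnodes('//ds:Signature')) {
        for my $ref ($xpc->findnodes('.//ds:Reference', $sig)) {
            my $uri = $ref->getAttribute('URI') // '';
            (my $id = $uri) =~ s/^#//;
            # refuse unusual URIs instead of interpolating them into XPath
            if ($id !~ /^[\w.-]*$/) { $status{$uri} = 'unsupported URI'; next }
            # "" means the whole document; "#x" must match exactly one element with ID="x"
            my @t = $id eq '' ? $doc->documentElement : $xpc->findnodes(qq{//*[\@ID="$id"]});
            if (@t != 1) { $status{$uri} = 'reference target not found'; next }
            my $algs = join ' ', map { $_->getAttribute('Algorithm') } $xpc->findnodes('./ds:Transforms/ds:Transform', $ref);
            # enveloped-signature transform: canonicalise with this Signature detached, then restore it
            my ($parent, $next) = ($sig->parentNode, $sig->nextSibling);
            $sig->unbindNode if $algs =~ /enveloped-signature/;
            my $c14n = $algs =~ /xml-exc-c14n/ ? $t[0]->toStringEC14N(0) : $t[0]->toStringC14N(0);
            if (!$sig->parentNode) { $next ? $parent->insertBefore($sig, $next) : $parent->appendChild($sig) }
            my $dm  = $xpc->findvalue('./ds:DigestMethod/@Algorithm', $ref);
            my $got = encode_base64($dm =~ /sha256/ ? sha256($c14n) : sha1($c14n), '');
            (my $want = $xpc->findvalue('./ds:DigestValue', $ref)) =~ s/\s+//g;
            $status{$uri} = $got eq $want ? 'digest ok' : 'digest mismatch';
        }
    }
    return \%status;
}
# Constructed sample: a resolvable enveloped Reference with a placeholder DigestValue, and one aimed at a missing ID.
my $sample = <<"XML";
<Response xmlns:ds="$DS"><Assertion ID="a1"><Subject>alice</Subject>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"><ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature>
 </Assertion><ds:Signature><ds:SignedInfo><ds:Reference URI="#nope"><ds:DigestMethod
  Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>x</ds:DigestValue>
 </ds:Reference></ds:SignedInfo></ds:Signature></Response>
XML
my $status = reference_digest_status($sample);
print "$_: $status->{$_}\n" for sort keys %$status;
```

With the constructed sample the output is "#a1: digest mismatch" (placeholder DigestValue) and "#nope: reference target not found"; replace $sample with a real SAML response to see "digest ok" for a correctly signed assertion.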
@timlegge timlegge removed this from the v0.40-TRIAL milestone Mar 5, 2021