Sunday, 26 May 2013

SAML Authentication on F5 Big-IP (Part 3)

I told the F5 support team that, if I got time, I would give them more evidence. This UK bank holiday gave me the chance.

I believe the SHA1 implementation on F5 has no problem, so I guess that, for the same SAML response, F5 must produce a different canonicalization result from Apache Santuario.

In Part 2, we saw how reference validation is done. In Apache Santuario we can actually dump the canonicalized XML content on which the reference hash is computed.

Now, let us see if we can get the same thing on F5. After some assembly code analysis on F5, I think the hash is implemented in apd (Access Policy Daemon) around 0x0825C498.

Luckily I can remotely debug this process, and I managed to get the canonicalized XML content on F5. You can see the details in "Collecting the Canonicalization XML content on F5".

Now the truth is out.

  • On element samlp:Response, the canonicalized XML content produced by F5 is missing two attributes:

xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

  • On element saml:Assertion, F5 introduced an attribute that is not in the original:

xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

I am not an expert on C14N (Canonical XML), but I am inclined to believe Apache is doing it right: you should not remove attributes which exist in the original XML, and you should not coin an attribute which does not exist in the original XML.
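Whether a namespace declaration belongs in the canonical form is not decided by the original XML alone; it is decided by which C14N algorithm the signature names. Inclusive C14N (http://www.w3.org/TR/2001/REC-xml-c14n-20010315) emits every in-scope namespace declaration that the nearest output ancestor has not already emitted, so declarations stay where they were written. Exclusive C14N (http://www.w3.org/2001/10/xml-exc-c14n#) additionally emits a declaration only on an element that visibly uses the prefix, which drops unused declarations from samlp:Response and re-declares xmlns:saml on the first saml: element. The post does not say which Algorithm URIs the Response's ds:SignedInfo carries, so that is the first thing to compare on both sides. The script below is an added illustration written for this page, not code from the post, from F5 or from Apache Santuario; it uses only the Python standard library, operates on a constructed Response-shaped document, and implements only the namespace-declaration part of C14N (no attribute or text escaping), which is enough to show the two attribute sets side by side. The second sample is a constructed ds:Signature skeleton with placeholder digest and signature values, used only to show how to read the algorithm URIs out of a signature.

```python
"""Namespace declarations under inclusive vs exclusive C14N on a SAML-shaped
document.  Added example (standard library only); not F5's or Santuario's code."""
from xml.dom import minidom

XMLNS_URI = "http://www.w3.org/2000/xmlns/"
DS_URI = "http://www.w3.org/2000/09/xmldsig#"
C14N_INCLUSIVE = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C14N_EXCLUSIVE = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed sample with the shape described in the post: samlp:, ds: and
# saml: are all declared on samlp:Response, and saml: is first *used* on
# saml:Assertion.  ds:Signature is left out because the enveloped-signature
# transform removes it before the reference is canonicalized.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

# Constructed signature skeleton (PLACEHOLDER values are not real digests).
SIGNED_SKELETON = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed">
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_constructed"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </ds:Transforms><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</samlp:Response>"""


def _declared_on(elem):
    """Namespace declarations written directly on elem, as {prefix: uri}."""
    decls = {}
    for i in range(elem.attributes.length):
        attr = elem.attributes.item(i)
        if attr.namespaceURI == XMLNS_URI:
            decls["" if attr.name == "xmlns" else attr.localName] = attr.value
    return decls


def rendered_namespaces(xml_text, exclusive):
    """Return {qualified element name: [xmlns declarations C14N would emit]}.

    Both algorithms skip a declaration the nearest output ancestor already
    emitted with the same prefix and URI.  Exclusive C14N additionally
    requires the prefix to be visibly utilized (element or attribute name)
    on the element itself.  The whole document is treated as the output
    node-set, which is enough to show where the two algorithms diverge.
    """
    result = {}

    def walk(elem, in_scope, emitted_above):
        in_scope = {**in_scope, **_declared_on(elem)}
        used = {elem.prefix or ""}
        for i in range(elem.attributes.length):
            attr = elem.attributes.item(i)
            if attr.namespaceURI != XMLNS_URI and attr.prefix:
                used.add(attr.prefix)
        emitted_here = {}
        for prefix in sorted(in_scope):  # default namespace first, then by prefix
            uri = in_scope[prefix]
            if exclusive and prefix not in used:
                continue
            if emitted_above.get(prefix) == uri:
                continue
            emitted_here[prefix] = uri
        result[elem.tagName] = [
            f'xmlns:{p}="{u}"' if p else f'xmlns="{u}"' for p, u in emitted_here.items()
        ]
        for child in elem.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                walk(child, in_scope, {**emitted_above, **emitted_here})

    walk(minidom.parseString(xml_text).documentElement, {}, {})
    return result


def c14n_algorithms(xml_text):
    """Algorithm URIs named by ds:CanonicalizationMethod and ds:Transform, in
    document order.  When two verifiers disagree on a digest, check that each
    side runs exactly these algorithms before suspecting the hash itself."""
    doc = minidom.parseString(xml_text)
    algs = []
    for local in ("CanonicalizationMethod", "Transform"):
        for el in doc.getElementsByTagNameNS(DS_URI, local):
            algs.append(el.getAttribute("Algorithm"))
    return algs


if __name__ == "__main__":
    for name, exclusive in (("inclusive", False), ("exclusive", True)):
        print(name)
        for tag, decls in rendered_namespaces(SAMPLE, exclusive).items():
            print(f"  {tag}: {decls}")
    print("algorithms named by the signature:", c14n_algorithms(SIGNED_SKELETON))
```

Run on the constructed Response, the inclusive walk keeps xmlns:ds, xmlns:saml and xmlns:samlp on samlp:Response and emits nothing on saml:Assertion, while the exclusive walk keeps only xmlns:samlp on samlp:Response and emits xmlns:saml on saml:Assertion. For a document of this shape those are exactly the two attribute sets listed above, so the question to settle with the vendor is which URIs the real signature names and which algorithm each verifier actually runs, rather than which output looks closer to the original text.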

For anyone who is interested in XML signatures and who would like to prove that I am right (or wrong), here are the files.

  • SAML response (txt)
  • SAML response (xml, decoded)
  • XML canonical by Apache
  • XML canonical by F5
