
metadatatool signature verification fails with "many" namespaces

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 1.3.4
    • Fix Version/s: None
    • Component/s: Configuration
    • Labels: None
    • Java Version: Sun 1.6
    • Servlet Container: Apache Tomcat 5.0

      Description

      If metadatatool attempts to verify metadata with "many" namespace prefixes in scope at the same time (where "many" may be as few as 10) then it falls over with the following stack trace:

           [java] Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 23
           [java] at org.apache.xml.security.c14n.implementations.SymbMap.index(NameSpaceSymbTable.java:371)
           [java] at org.apache.xml.security.c14n.implementations.SymbMap.get(NameSpaceSymbTable.java:398)
           [java] at org.apache.xml.security.c14n.implementations.NameSpaceSymbTable.addMapping(NameSpaceSymbTable.java:193)
           [java] at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.handleAttributesSubtree(Canonicalizer20010315Excl.java:143)
           [java] at org.apache.xml.security.c14n.implementations.CanonicalizerBase.canonicalizeSubTree(CanonicalizerBase.java:208)
           [java] at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:131)
           [java] at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Canonicalizer20010315Excl.java:101)
           [java] at org.apache.xml.security.transforms.implementations.TransformC14NExclusive.enginePerformTransform(TransformC14NExclusive.java:100)
           [java] at org.apache.xml.security.transforms.Transform.performTransform(Transform.java:340)
           [java] at org.apache.xml.security.transforms.Transforms.performTransforms(Transforms.java:237)
           [java] at org.apache.xml.security.signature.Reference.getContentsAfterTransformation(Reference.java:433)
           [java] at org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Reference.java:603)
           [java] at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:688)
           [java] at org.apache.xml.security.signature.Reference.verify(Reference.java:736)
           [java] at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:317)
           [java] at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:223)
           [java] at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:590)
           [java] at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:557)
           [java] at edu.internet2.middleware.shibboleth.utils.MetadataTool.verifySignature(MetadataTool.java:313)
           [java] at edu.internet2.middleware.shibboleth.utils.MetadataTool.main(MetadataTool.java:250)

      This appears to be due to the following bug in the Apache XML security library V1.3:

          https://issues.apache.org/bugzilla/show_bug.cgi?id=38655

      This bug was fixed in V1.4 of the library, in 2006.

      One workaround is to have the SAML TC define fewer new namespaces. Another, which allows you to have large numbers of namespaces without a correspondingly large number of prefixes in scope, is to perform namespace normalisation of some of the namespaces to *not* use prefixes, i.e., to redefine the default namespace. For example, in XSLT:

      <xsl:stylesheet version="1.0"
          xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
          xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
          ...
          exclude-result-prefixes="alg members">
          ....
         <!-- Rebuild every element in the algsupport namespace without a prefix;
              exclude-result-prefixes above keeps xmlns:alg out of the output. -->
         <xsl:template match="alg:*">
             <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
                 <xsl:apply-templates select="node()|@*"/>
             </xsl:element>
         </xsl:template>
      </xsl:stylesheet>

      This normalises <alg:foo .../> to <foo xmlns="urn:oasis:names:tc:SAML:metadata:algsupport"/>. Applying this template to all of the metadata before signing appears to avoid triggering the problem, but obviously makes the metadata file larger.
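      A check a deployer can run over a metadata file before signing it, added here as an example (it is not part of the report or of the Shibboleth code): it reports the largest number of non-default namespace prefixes in scope at any element, which is the figure the normalisation above is meant to shrink. The md and alg namespaces are real; every other prefix and URI in the sample documents is a constructed stand-in.

```python
import io
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ALG_NS = "urn:oasis:names:tc:SAML:metadata:algsupport"   # from the report
# Constructed stand-ins: three more "extension" namespaces that would be
# normalised to the default namespace, and eight that keep their prefixes.
EXT_NS = {"alg": ALG_NS, **{f"ext{i}": f"urn:example:ext:{i}" for i in range(3)}}
OTHER_NS = {f"x{i}": f"urn:example:ns:{i}" for i in range(8)}


def max_prefixes_in_scope(xml_text):
    """Return (count, tag) for the element with the most distinct non-default
    namespace prefixes in scope. Exclusive c14n in Apache xmlsec 1.3 kept
    these in a small fixed-size symbol table (the SymbMap frames in the
    trace), so this is the number to keep low before signing."""
    stack = []            # one entry per xmlns declaration currently in scope
    worst = (0, None)
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "end-ns", "start")):
        if event == "start-ns":
            stack.append(payload[0])          # prefix; "" for the default namespace
        elif event == "end-ns":
            stack.pop()                        # declarations leave scope in LIFO order
        else:
            count = len({p for p in stack if p})
            if count > worst[0]:
                worst = (count, payload.tag)
    return worst


def constructed_metadata(normalised):
    """Constructed sample: with normalised=False the extension namespaces are
    declared with prefixes on the root (all in scope everywhere); with
    normalised=True they appear as a default namespace at point of use, the
    shape the XSLT template in the report produces."""
    decls = " ".join(f'xmlns:{p}="{u}"' for p, u in OTHER_NS.items())
    if normalised:
        body = "".join(f'<Item xmlns="{u}"/>' for u in EXT_NS.values())
    else:
        decls += " " + " ".join(f'xmlns:{p}="{u}"' for p, u in EXT_NS.items())
        body = "".join(f"<{p}:Item/>" for p in EXT_NS)
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" {decls}>'
            f"<md:Extensions>{body}</md:Extensions></md:EntityDescriptor>")


if __name__ == "__main__":
    for flag in (False, True):
        print("normalised" if flag else "prefixed", max_prefixes_in_scope(constructed_metadata(flag)))
```

The prefixed sample peaks at 13 prefixes in scope, the normalised one at 9, because the four extension namespaces no longer contribute a prefix anywhere in the document.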

            People

            • Assignee: Chad La Joie (lajoie@georgetown.edu)
            • Reporter: Ian Young (ian@iay.org.uk)
            • Votes: 0
            • Watchers: 0