Shibboleth IdP 1 - Java
SIDPO-35

metadatatool signature verification fails with "many" namespaces

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 1.3.4
    • Fix Version/s: None
    • Component/s: Configuration
    • Labels: None
    • Java Version: Sun 1.6
    • Servlet Container: Apache Tomcat 5.0

      Description

      If metadatatool attempts to verify metadata with "many" namespace prefixes in scope at the same time (where "many" may be as few as 10) then it falls over with the following stack trace:

           [java] Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 23
           [java] at org.apache.xml.security.c14n.implementations.SymbMap.index(NameSpaceSymbTable.java:371)
           [java] at org.apache.xml.security.c14n.implementations.SymbMap.get(NameSpaceSymbTable.java:398)
           [java] at org.apache.xml.security.c14n.implementations.NameSpaceSymbTable.addMapping(NameSpaceSymbTable.java:193)
           [java] at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.handleAttributesSubtree(Canonicalizer20010315Excl.java:143)
           [java] at org.apache.xml.security.c14n.implementations.CanonicalizerBase.canonicalizeSubTree(CanonicalizerBase.java:208)
           [java] at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:131)
           [java] at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Canonicalizer20010315Excl.java:101)
           [java] at org.apache.xml.security.transforms.implementations.TransformC14NExclusive.enginePerformTransform(TransformC14NExclusive.java:100)
           [java] at org.apache.xml.security.transforms.Transform.performTransform(Transform.java:340)
           [java] at org.apache.xml.security.transforms.Transforms.performTransforms(Transforms.java:237)
           [java] at org.apache.xml.security.signature.Reference.getContentsAfterTransformation(Reference.java:433)
           [java] at org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Reference.java:603)
           [java] at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:688)
           [java] at org.apache.xml.security.signature.Reference.verify(Reference.java:736)
           [java] at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:317)
           [java] at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:223)
           [java] at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:590)
           [java] at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:557)
           [java] at edu.internet2.middleware.shibboleth.utils.MetadataTool.verifySignature(MetadataTool.java:313)
           [java] at edu.internet2.middleware.shibboleth.utils.MetadataTool.main(MetadataTool.java:250)

      This appears to be due to the following bug in the Apache XML security library V1.3:

          https://issues.apache.org/bugzilla/show_bug.cgi?id=38655

      This bug was fixed in V1.4 of the library, in 2006.

      One workaround is to have the SAML TC define fewer new namespaces. Another, which allows you to have large numbers of namespaces without a correspondingly large number of prefixes in scope, is to perform namespace normalisation of some of the namespaces to *not* use prefixes, i.e., to redefine the default namespace. For example, in XSLT:

      <xsl:stylesheet version="1.0"
          xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
          xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
          ...
          exclude-result-prefixes="alg members">
          ....
          <!-- Re-create every alg: element unprefixed; with exclude-result-prefixes
               the xmlns:alg declaration is then dropped from the output. -->
          <xsl:template match="alg:*">
              <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
                  <xsl:apply-templates select="node()|@*"/>
              </xsl:element>
          </xsl:template>
      </xsl:stylesheet>

      This normalises <alg:foo .../> to <foo xmlns="urn:oasis:names:tc:SAML:metadata:algsupport"/>. Applying this template to all of the metadata before signing appears to avoid triggering the problem, but obviously makes the metadata file larger.
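The namespace normalisation described above, as an added example that is not part of the issue or of the Shibboleth code: a standard-library Python script that measures the largest number of namespace prefixes in scope at any element (the condition that trips the old library) and rewrites the elements of a chosen namespace to use the default namespace, dropping the prefix declaration, which is what the xsl:element template plus exclude-result-prefixes achieves. The metadata fragment and the ALG/MDUI constants are constructed for this example.

```python
import xml.dom.minidom as minidom
# Constructed sample (not from the issue): four prefixes in scope at every element.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:Extensions>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <mdui:UIInfo><mdui:DisplayName xml:lang="en">Example</mdui:DisplayName></mdui:UIInfo>
  </md:Extensions></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
ALG, MDUI = "urn:oasis:names:tc:SAML:metadata:algsupport", "urn:oasis:names:tc:SAML:metadata:ui"

def attr_names(el):
    return [el.attributes.item(i).name for i in range(el.attributes.length)]

def max_prefixes_in_scope(node, inherited=frozenset()):
    """Largest number of distinct namespace prefixes in scope at any element."""
    if node.nodeType != node.ELEMENT_NODE:
        return 0
    scope = inherited | {n[6:] for n in attr_names(node) if n.startswith("xmlns:")}
    return max([len(scope)] + [max_prefixes_in_scope(c, scope) for c in node.childNodes])

def normalize_namespace(doc, ns):
    """Rewrite each element in `ns` as an unprefixed element carrying xmlns="ns", then
    drop the now-unused xmlns:prefix declarations (xsl:element + exclude-result-prefixes)."""
    for el in list(doc.getElementsByTagNameNS(ns, "*")):
        new = doc.createElementNS(ns, el.localName)
        new.setAttribute("xmlns", ns)
        for i in range(el.attributes.length):
            a = el.attributes.item(i)
            if a.name != "xmlns":  # keep ordinary attributes and other xmlns:* declarations
                new.setAttributeNS(a.namespaceURI, a.name, a.value)
        while el.firstChild:
            new.appendChild(el.firstChild)
        for c in new.childNodes:  # minidom does no namespace fix-up: re-declare the
            if c.nodeType == c.ELEMENT_NODE and not c.prefix and c.namespaceURI != ns:
                c.setAttribute("xmlns", c.namespaceURI or "")  # default ns of unprefixed children
        el.parentNode.replaceChild(new, el)
    for el in doc.getElementsByTagName("*"):
        for name in attr_names(el):
            if name.startswith("xmlns:") and el.getAttribute(name) == ns:
                el.removeAttribute(name)

def normalize(xml_text, namespaces):
    """Return (normalized XML, max prefixes in scope before, max prefixes after)."""
    doc = minidom.parseString(xml_text)
    before = max_prefixes_in_scope(doc.documentElement)
    for ns in namespaces:
        normalize_namespace(doc, ns)
    return doc.toxml(), before, max_prefixes_in_scope(doc.documentElement)
```

Like the XSLT, this only rewrites elements; attributes that use the normalised prefix would still need that prefix declared.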

        Activity

        Ian Young created issue -
        Chad La Joie added a comment -
        IdP 1.3 is no longer supported and this bug will not be fixed.
        Chad La Joie made changes -
        Field        Original Value   New Value
        Status       Open [ 1 ]       Closed [ 6 ]
        Resolution                    Won't Fix [ 2 ]

          People

          • Assignee: Chad La Joie
          • Reporter: Ian Young
          • Votes: 0
          • Watchers: 0
