【问题标题】:Nokogiri XML canonicalize (canonicalizer) output looks funkyNokogiri XML canonicalize (canonicalizer) 输出看起来很时髦
【发布时间】:2014-07-14 18:35:53
【问题描述】:

我正在尝试使用 Nokogiri 的 XML 规范化方法,但它产生的结果看起来很糟糕。您会注意到属性在输出中重复出现。 (注意:我添加了换行符,所以它不是全部在一行上。)


<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost:4443/saml/consume" ID="oAZFJBqCw6ChQr.iRwKL92NHO5z" IssueInstant="2014-07-14T16:58:27.842Z" Version="2.0">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#oAZFJBqCw6ChQr.iRwKL92NHO5z" URI="#oAZFJBqCw6ChQr.iRwKL92NHO5z">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>lz5ELiJcFkWVaJ48H7aCvXHgi5c=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>

这是直接来自流行的 ruby​​-saml gem 的 Ruby 代码:

hashed_element       = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
canon_algorithm      = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
Rails.logger.debug("#{canon_hashed_element}")  # the output you see above

首先,我不知道 inclusive_namespaces 是什么意思。 Nokogiri 文档中没有解释,但我认为它是可选的。在我的代码中,它被定义为一个空数组。 canon_algorithm 设置为“1”,即 SHA-1。这似乎是正确的。


这是我试图规范化的原始 SAML 响应。我已取出所有敏感数据。

<samlp:Response Destination="https://localhost/saml/consume"
            IssueInstant="2014-07-14T18:28:06.285Z"
            ID="pcirkjej83Wugs3RrC0O2-ucb_c"
            Version="2.0"
            xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            >
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">efs.disney.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#pcirkjej83Wugs3RrC0O2-ucb_c">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>DIGESTVALUEWOULDBEHERE</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SIGNATUREVALUEWOULDBEHERE</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>SIGNINGCERTWOULDBEHERE</ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
            <ds:RSAKeyValue>
                <ds:Modulus>RSAKEYVALUEWOULDBEHERE</ds:Modulus>
                <ds:Exponent>QWER</ds:Exponent>
            </ds:RSAKeyValue>
        </ds:KeyValue>
    </ds:KeyInfo>
</ds:Signature>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion Version="2.0"
                IssueInstant="2014-07-14T18:28:06.296Z"
                ID="sF3NhJVZuYZwKqvjeHBvefNJ_T7"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                >
    <saml:Issuer>efs.disney.com</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Richard.Goldman@disney.com</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2014-07-14T18:33:06.296Z"
                                          Recipient="https://localhost/saml/consume"
                                          />
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2014-07-14T18:33:06.296Z"
                     NotBefore="2014-07-14T18:23:06.296Z"
                     >
        <saml:AudienceRestriction>
            <saml:Audience>lumiere-dev</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-07-14T18:28:06.296Z"
                         SessionIndex="sF3NhJVZuYZwKqvjeHBvefNJ_T8"
                         >
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                        Name="email"
                        >
            <saml:AttributeValue xsi:type="xs:string"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 >john.doe@test.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                        Name="last_name"
                        >
            <saml:AttributeValue xsi:type="xs:string"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 >Doe</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>


如果有人对规范化未按预期工作的原因有任何线索,请告诉我。非常感谢...

【问题讨论】:

    标签: ruby-on-rails xml nokogiri saml saml-2.0


    【解决方案1】:

    答案是 jruby 的 Nokogiri 规范化在

    更多信息在这里:https://github.com/onelogin/ruby-saml/issues/77

    【讨论】:

      猜你喜欢
      • 2018-01-21
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2018-09-12
      • 2015-09-18
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多