【发布时间】:2014-07-14 18:35:53
【问题描述】:
我正在尝试使用 Nokogiri 的 XML 规范化方法,但它产生的结果看起来很糟糕。您会注意到属性在输出中重复出现。 (注意:我添加了换行符,所以它不是全部在一行上。)
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost:4443/saml/consume" ID="oAZFJBqCw6ChQr.iRwKL92NHO5z" IssueInstant="2014-07-14T16:58:27.842Z" Version="2.0">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#oAZFJBqCw6ChQr.iRwKL92NHO5z" URI="#oAZFJBqCw6ChQr.iRwKL92NHO5z">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>lz5ELiJcFkWVaJ48H7aCvXHgi5c=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
这是直接来自流行的 ruby-saml gem 的 Ruby 代码:
hashed_element = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
canon_algorithm = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
Rails.logger.debug("#{canon_hashed_element}") # the output you see above
首先,我不知道 inclusive_namespaces 是什么意思。 Nokogiri 文档中没有解释,但我认为它是可选的。在我的代码中,它被定义为一个空数组。 canon_algorithm 设置为“1”,即 SHA-1。这似乎是正确的。
这是我试图规范化的原始 SAML 响应。我已取出所有敏感数据。
<samlp:Response Destination="https://localhost/saml/consume"
IssueInstant="2014-07-14T18:28:06.285Z"
ID="pcirkjej83Wugs3RrC0O2-ucb_c"
Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">efs.disney.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#pcirkjej83Wugs3RrC0O2-ucb_c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>DIGESTVALUEWOULDBEHERE</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SIGNATUREVALUEWOULDBEHERE</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>SIGNINGCERTWOULDBEHERE</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>RSAKEYVALUEWOULDBEHERE</ds:Modulus>
<ds:Exponent>QWER</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion Version="2.0"
IssueInstant="2014-07-14T18:28:06.296Z"
ID="sF3NhJVZuYZwKqvjeHBvefNJ_T7"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml:Issuer>efs.disney.com</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Richard.Goldman@disney.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-07-14T18:33:06.296Z"
Recipient="https://localhost/saml/consume"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotOnOrAfter="2014-07-14T18:33:06.296Z"
NotBefore="2014-07-14T18:23:06.296Z"
>
<saml:AudienceRestriction>
<saml:Audience>lumiere-dev</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-07-14T18:28:06.296Z"
SessionIndex="sF3NhJVZuYZwKqvjeHBvefNJ_T8"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="email"
>
<saml:AttributeValue xsi:type="xs:string"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>john.doe@test.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="last_name"
>
<saml:AttributeValue xsi:type="xs:string"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>Doe</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
如果有人对规范化未按预期工作的原因有任何线索,请告诉我。非常感谢...
【问题讨论】:
标签: ruby-on-rails xml nokogiri saml saml-2.0