EtheaDev / Delphi-SAML

A SAML implementation for Delphi developers
Apache License 2.0

Unicode character breaks verification #6

Closed fastbike closed 3 weeks ago

fastbike commented 3 weeks ago

I have an application that uses Delphi-SAML to create a SAML Response, and sign it with a private key.

This token is then used to securely access another application. The second (relying) application has the public key (corresponding to the private key above). This application uses Delphi-SAML to verify that the SAML has not been tampered with before validating timestamps etc., and then using Attributes from the Assertion.

If the Attributes only contain ASCII characters, this works as expected and the call to SignatureContext.Verify returns True as expected.

However if I include a unicode character such as "ā" then the Verify returns false.

I think this is because most of the import wrappers around the XMLSec binaries are using PAnsiChars. Should these be using PWideChars? I naively tried replacing all the declarations but now get an error from the OpenSSL binaries.

Project x raised exception class EXMLError with message 'Error: unable to load default xmlsec-crypto library'.

fastbike commented 3 weeks ago

Digging in a bit more, the internal TSignatureContext.Verify function makes a call to xmlSecDSigCtxVerify passing in the signature Context object and the Signature node.

After this call the Context status is xmlSecDSigStatusInvalid, and the Context failureReason is xmlSecDSigFailureReasonReference. According to the docs this indicates the digest does not match.

fastbike commented 3 weeks ago

Okay, false alarm. After grappling with this for two days I found some dodgy code that had been checked in by a workmate ...

    // Bug: fmOpenRead is the Integer constant 0, so this resolves to the
    // TStringStream.Create(AString, ACodePage: Integer) overload and encodes the
    // string with code page 0 (the system ANSI code page), which cannot represent "ā"
    XMLDocument := TXMLSecDocument.Create(TStringStream.Create(SAMLResponse, fmOpenRead), True);

that should have read

    // Explicit UTF-8 keeps every character intact, so the parsed document
    // still matches the bytes that were digested when the Response was signed
    XMLDocument := TXMLSecDocument.Create(TStringStream.Create(SAMLResponse, TEncoding.UTF8), True);
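The following is an added illustration of the failure mode in this thread and is not code from Delphi-SAML or xmlsec. It models the two sides of the exchange in Python: the signer records a digest over the UTF-8 bytes of an assertion, and the relying party re-encodes the received text into a stream before parsing, exactly where the `TStringStream` constructor above sits. The hashing is a deliberate simplification (SHA-256 over the whole fragment after a UTF-8 round trip, standing in for XML-DSig canonicalization of the signed node set), and the sample assertion, attribute value and `cp1252` as a representative ANSI code page are assumptions made for the example. It shows that a lossy code page changes the characters that reach the parser, which is why xmlsec reports `xmlSecDSigFailureReasonReference` rather than a bad signature.

```python
"""Why a lossy re-encoding of a signed SAML document fails at the Reference
(digest) stage. Added example, not Delphi-SAML or xmlsec code."""
import hashlib

# Constructed sample assertion with a non-ASCII attribute value.
ASSERTION_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="givenName">'
    "<saml:AttributeValue>H\u0101na</saml:AttributeValue>"
    "</saml:Attribute>"
    "</saml:AttributeStatement>"
    "</saml:Assertion>"
)


def reference_digest(xml_text: str) -> str:
    """Simplified stand-in for the DigestValue: SHA-256 over the UTF-8 form
    of the text (real xmlsec canonicalizes the node set to UTF-8 first)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def sign(xml_text: str) -> tuple[bytes, str]:
    """Signer side: serialise as UTF-8 and record the digest."""
    return xml_text.encode("utf-8"), reference_digest(xml_text)


def load_as_string(stored: bytes) -> str:
    """Relying side: the Response arrives and is held as text
    (the equivalent of a Delphi UnicodeString)."""
    return stored.decode("utf-8")


def to_stream_bytes(xml_text: str, encoding: str) -> bytes:
    """Model of TStringStream.Create(S, <encoding>): the text is encoded
    before the XML parser sees it. A code page that lacks the character
    substitutes something else ('?' here; the exact substitute depends on
    the platform's conversion), and that substitution is what breaks the digest."""
    return xml_text.encode(encoding, errors="replace")


def verify(xml_text: str, expected_digest: str, stream_encoding: str) -> tuple[bool, str]:
    """Relying side: encode into the stream, let the parser decode it with
    the same encoding, then digest what was actually parsed."""
    stream = to_stream_bytes(xml_text, stream_encoding)
    parsed_text = stream.decode(stream_encoding)
    actual = reference_digest(parsed_text)
    if actual != expected_digest:
        # xmlsec reports this case as status Invalid with
        # failureReason Reference: the signature itself is never reached.
        return False, "Reference digest mismatch"
    return True, "OK"


if __name__ == "__main__":
    stored, digest = sign(ASSERTION_XML)
    text = load_as_string(stored)
    print("cp1252 stream:", verify(text, digest, "cp1252"))
    print("utf-8 stream: ", verify(text, digest, "utf-8"))
```

The model makes the diagnostic point explicit: the digest is computed over what the parser decoded, so any encoding that round-trips every character passes, and only a lossy one fails. When `Verify` returns False with a Reference failure, checking how the document was loaded is cheaper than suspecting the key material or the xmlsec bindings.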