Closed majagw closed 8 years ago
Providing an example or pointer would be helpful, then.
The signature produced by pyff with this pipeline is verified by xmlsectool
The same metadata with added char in mdui:Description gives a signature value which isn't validated by xmlsectool
Example:
<md:EntityDescriptor entityID="https://login.offcampuspartners.com">
<md:Extensions>
<mdrpi:RegistrationInfo registrationAuthority="http://www.canarie.ca" registrationInstant="2016-02-02T06:43:00Z"/>
</md:Extensions>
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<md:Extensions>
<mdui:UIInfo>
<mdui:DisplayName xml:lang="en">Off Campus Partners</mdui:DisplayName>
<mdui:Description xml:lang="en">Off Campus Partners simplifies the off-campus housing
search process for universities, property managers, and students. Our
software platform powers the off-campus housing listing service at the
nation's leading universities.</mdui:Description>
<mdui:InformationURL xml:lang="en">http://www.offcampuspartners.com</mdui:InformationURL>
<mdui:PrivacyStatementURL xml:lang="en">https://offcampuspartners.com/privacy-policy</mdui:PrivacyStatementURL>
</mdui:UIInfo>
</md:Extensions>
[...]
</md:SPSSODescriptor>
</md:EntityDescriptor>
The character reference in the mdui:Description text node causes the problem: the digest computed by pyff is different from what is computed by, say, xmlsectool. And vice versa, if a document containing such a char ref is signed by xmlsectool, pyff does not validate the signature:
Traceback (most recent call last):
  File "/opt/pyff/lib/python2.7/site-packages/pyff/mdrepo.py", line 711, in parse_metadata
    t = self.check_signature(t, key)
  File "/opt/pyff/lib/python2.7/site-packages/pyff/mdrepo.py", line 669, in check_signature
    refs = xmlsec.verified(t, key, drop_signature=True)
  File "/opt/pyff/lib/python2.7/site-packages/xmlsec/__init__.py", line 485, in verified
    return _verify(t, keyspec, sig_path, drop_signature)
  File "/opt/pyff/lib/python2.7/site-packages/xmlsec/__init__.py", line 475, in _verify
    raise XMLSigException("No valid ds:Signature elements found")
XMLSigException: No valid ds:Signature elements found
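As an added illustration (not pyff's or pyXMLSecurity's code), the following shows why signer and verifier can disagree once a character reference sits in the text node: a digest taken over a plain re-serialization and one taken over Canonical XML agree for ordinary text but diverge as soon as the text contains a reference such as `&#13;`, while every spelling of that same reference canonicalizes to identical bytes. The mdui:Description fragment and the choice of a carriage-return reference are constructed assumptions; the report above does not say which character was involved.

```python
"""Constructed example: how a character reference in an mdui:Description text
node changes the reference digest depending on how the node is serialized.
The &#13; (carriage return) reference is an assumption standing in for the
unspecified character in the report."""
import hashlib
import xml.etree.ElementTree as ET

MDUI_NS = "urn:oasis:names:tc:SAML:metadata:ui"
ET.register_namespace("mdui", MDUI_NS)  # keep the mdui: prefix when re-serializing


def description(text: str) -> str:
    """Minimal mdui:Description element around a constructed text node."""
    return f'<mdui:Description xmlns:mdui="{MDUI_NS}" xml:lang="en">{text}</mdui:Description>'


def naive_serialize(doc: str) -> bytes:
    """Plain XML writer: & < > are escaped, but a CR in character data is
    emitted as a raw 0x0D byte."""
    return ET.tostring(ET.fromstring(doc), encoding="utf-8")


def c14n_serialize(doc: str) -> bytes:
    """Canonical XML, which is what an XML-DSig reference transform feeds the
    digest: a CR in character data is always written as the &#xD; reference."""
    return ET.canonicalize(doc).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digests_agree(doc: str) -> bool:
    """True when both serializations lead to the same DigestValue for this node,
    i.e. when a signer using one and a verifier using the other would still agree."""
    return sha256_hex(naive_serialize(doc)) == sha256_hex(c14n_serialize(doc))


if __name__ == "__main__":
    plain = description("Off Campus Partners simplifies the off-campus housing search")
    with_ref = description("Off Campus Partners simplifies&#13;the off-campus housing search")
    print("plain text, digests agree:", digests_agree(plain))               # True
    print("with &#13; reference, digests agree:", digests_agree(with_ref))  # False
    # Every spelling of the same reference canonicalizes to identical bytes.
    for spelling in ("&#13;", "&#xD;", "&#x0D;"):
        print(spelling, sha256_hex(c14n_serialize(description(f"a{spelling}b"))))
```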
@majagw beat me to it :)
We track this over in leifj/pyXMLSecurity
I just pushed a commit that fixes this in pyXMLSecurity
A char in mdui:Description causes pyff's signature of metadata to not be validated by xmlsectool