perl-net-saml2 / perl-XML-Sig

XML::Sig - A Perl toolkit to help sign and verify XML Digital Signatures.
https://metacpan.org/pod/XML::Sig

Every signature against every tag #7

Open philiprbrenan opened 3 years ago

philiprbrenan commented 3 years ago

An XML document might contain multiple signatures which might have been used to sign just sub documents within the entire document.

To avoid any possibility of doubt when using XML::Sig, please consider using each signature presented to check each sub document (the xml between an opening tag and its corresponding closing tag) and returning a hash which shows which signatures succeeded against which sub documents?

Such an arrangement would automatically validate SAML documents in which only the assertion was signed without further user action.

timlegge commented 3 years ago

Hi

The current https://github.com/perl-net-saml2/perl-XML-Sig/tree/validation-issues branch, which fixes many issues in XML::Sig, will iterate through all signatures found in the document and validate them against the proper part of the XML document that has been signed by that signature.

If I am understanding you correctly, you would like to see verify return a hash containing each signature's Reference URI and a status of that signature check. I assume it would also be useful to specify whether a failed check was due to the Digest of the signed XML or the signature of the SignedInfo.

That sounds useful, maybe not as the main verify function, but I am unsure when I will get to it. Based on the recent changes due to #5 I need to do some additional review and changes first.

Tim

timlegge commented 3 years ago

I re-read your initial issue. To clarify, signatures are only applicable to specific XML nodes "sub documents". A signature is required to have a Reference node with a URI attribute. That URI attribute is used to find the XML node with the same ID attribute. There is no reason to check it against all nodes.

The current version of XML::Sig will validate each Signature in the document against the respective Node that it is associated with (where URI = ID).

I think the best approach is to create a hash of the reference URI that is being checked and its status in a normal verify, like $self->refs-checked, and then allow the calling program to call XML::Sig->get_reference_status().

The only issue here is that XML::Sig currently returns a failure code on the first signature or digest to fail.
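Tim's comments above describe the mechanics: each Reference URI resolves to the node carrying the matching ID attribute, each Signature is checked against that node only, and a per-URI status could tell a digest failure apart from a SignedInfo signature failure instead of stopping at the first error. The following Python example, added here and not code from XML::Sig or from this thread, implements that loop against a constructed document. It assumes the XMLDSig HMAC-SHA256 SignatureMethod with a shared key in place of public-key signing, the standard library's C14N 2.0 as a stand-in canonicalisation, and status names of its own ("ok", "digest-mismatch", "signature-invalid", "unresolved"); `sign_node` and `build_sample` exist only to construct the sample and are not part of any verifier.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
ID_ATTRS = ("ID", "Id", "id")  # attribute names a Reference URI "#x" may resolve against
ET.register_namespace("ds", DS)

def _c14n(elem):
    # Stand-in canonicalisation (assumption): the stdlib's C14N 2.0 over the serialised node.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")

def _b64(data):
    return base64.b64encode(data).decode("ascii")

def _node_by_id(root, ref_id):
    # URI -> ID resolution: the node whose ID attribute equals the Reference URI fragment.
    return next((el for el in root.iter() if any(el.get(a) == ref_id for a in ID_ATTRS)), None)

def _reference_digest(root, sig, ref):
    """SHA-256 of the referenced node, with this Signature stripped when the enveloped transform is declared."""
    uri = ref.get("URI", "")
    target = root if uri == "" else (_node_by_id(root, uri[1:]) if uri.startswith("#") else None)
    if target is None:
        return None  # dangling or external reference: nothing to digest
    transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    parent = next((p for p in root.iter() if sig in list(p)), None)
    if ENVELOPED in transforms and parent is not None:
        idx = list(parent).index(sig)
        parent.remove(sig)  # enveloped-signature transform: digest the node without its own Signature
        try:
            return _b64(hashlib.sha256(_c14n(target)).digest())
        finally:
            parent.insert(idx, sig)
    return _b64(hashlib.sha256(_c14n(target)).digest())

def _signed_info_ok(sig, key):
    """SignatureValue check for the HMAC-SHA256 SignatureMethod: HMAC(key, C14N(SignedInfo))."""
    signed_info = sig.find("ds:SignedInfo", NS)
    if signed_info.find("ds:SignatureMethod", NS).get("Algorithm") != HMAC_SHA256:
        return False  # only the HMAC method is implemented in this example
    given = sig.findtext("ds:SignatureValue", default="", namespaces=NS).strip()
    expected = _b64(hmac.new(key, _c14n(signed_info), hashlib.sha256).digest())
    return hmac.compare_digest(given.encode("utf-8"), expected.encode("utf-8"))

def reference_status(xml_text, key):
    """Check every Signature and report {Reference URI: status} instead of stopping at the first failure."""
    root = ET.fromstring(xml_text)
    status = {}
    for sig in list(root.iter(f"{{{DS}}}Signature")):  # list(): the tree is edited during iteration
        sig_ok = _signed_info_ok(sig, key)
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            expected = ref.findtext("ds:DigestValue", default="", namespaces=NS).strip()
            actual = _reference_digest(root, sig, ref)
            if actual is None:
                status[uri] = "unresolved"
            elif actual != expected:
                status[uri] = "digest-mismatch"  # the signed XML itself changed
            elif not sig_ok:
                status[uri] = "signature-invalid"  # digest fine, SignedInfo signature does not verify
            else:
                status[uri] = "ok"
    return status

def sign_node(root, node_id, key):
    """Append an enveloped HMAC-SHA256 Signature to the node with this ID (used only to build the sample)."""
    target = _node_by_id(root, node_id)
    sig = ET.SubElement(target, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI=f"#{node_id}")
    ET.SubElement(ET.SubElement(ref, f"{{{DS}}}Transforms"), f"{{{DS}}}Transform", Algorithm=ENVELOPED)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = _reference_digest(root, sig, ref)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = _b64(hmac.new(key, _c14n(si), hashlib.sha256).digest())

def build_sample(key):
    """Constructed SAML-shaped document: three signed assertions, two of them tampered with after signing."""
    root = ET.fromstring('<Response ID="resp1"><Assertion ID="a1"><Subject>alice</Subject></Assertion>'
                         '<Assertion ID="a2"><Subject>bob</Subject></Assertion>'
                         '<Assertion ID="a3"><Subject>carol</Subject></Assertion></Response>')
    for node_id in ("a1", "a2", "a3"):
        sign_node(root, node_id, key)
    _node_by_id(root, "a2").find("Subject").text = "mallory"  # content edited after signing: digest breaks
    sv = _node_by_id(root, "a3").find("ds:Signature/ds:SignatureValue", NS)
    sv.text = sv.text[::-1]  # SignatureValue corrupted: digest still matches, signature fails
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    KEY = b"constructed-shared-key"
    print(reference_status(build_sample(KEY), KEY))
    # -> {'#a1': 'ok', '#a2': 'digest-mismatch', '#a3': 'signature-invalid'}
```

Because the loop records a status per Reference rather than returning on the first failure, a2's digest failure does not hide a3's different failure, which is the behaviour the thread asks for. The hash is keyed by Reference URI, so two Signatures referencing the same ID would overwrite each other's entry; a production implementation would need a key that also identifies the Signature.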