search

robrichards / xmlseclibs

A PHP library for XML Security
BSD 3-Clause "New" or "Revised" License
386 stars 180 forks source link

Never modify original document #223

Open tvdijen opened 3 years ago

tvdijen commented 3 years ago

HI @robrichards !

I noticed that this method manipulates the original document that holds the sigNode and removes the entire signature from the bigger XML document.. This PR should fix it!

tvdijen commented 3 years ago

Since Travis has cut us all off: The tests still pass!

[saml@webapp-10 xmlseclibs]$ vendor/bin/phpunit tests PHPUnit 8.5.13 by Sebastian Bergmann and contributors.

............................ 28 / 28 (100%)

Time: 1.06 seconds, Memory: 4.00 MB

robrichards commented 3 years ago

@tvdijen Was about to review but saw its now closed. Is the original work still in progress (which I would try to monitor progress so speed up future review) or is it abandoned?

tvdijen commented 3 years ago

@robrichards It didn't really solve my problem in the end, so I figured I'd close it..

Perhaps you can explain to me why and under what circumstances it is necessary to remove the signature in the XMLSecuritySDig::validateReference-method? My issue is that I have a signed DOMElement, I run validateReference() on it, and after that my original DOMElement has lost it's ds:Signature structure.

I may have referred to an irrelevant PR.. The more relevant part of the code is here; https://github.com/simplesamlphp/xml-security/blob/master/src/XML/ds/Signature.php#L144-L178

It would definitely not hurt to merge this because it makes things a bit more readable and PSR-comliant, so I guess I can reopen it! Would be great if you can give your thought on the issue described

robrichards commented 3 years ago

@tvdijen I can't recall the exact reason but vaguely remember some issue I was having early on which is why the sig got removed. Possibly being so early on it was only supporting some specific cases at the time. I will need to dig into it a bit more to see if I can jog my memory

tvdijen commented 3 years ago

Well, at some point you have to figure out the document that the signature was calculated over... With an enveloped signature, it makes sense to extract the sig, recalculate the sig on the refnode and compare the two.. It should probably be just like that, but it would be great if it didn't modify the original document, because I need it at a later point with the signature intact.