<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 16, 2013 at 12:16 PM, Atsushi Eno <span dir="ltr"><<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-vos-liberabit.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">Jonathan Gagnon wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It does not work when the SAML document is not referring to any DTD.  In my case, I receive the following exception when I call the CheckSignature method :<br>
<br>
System.Security.Cryptography.<u></u>CryptographicException: Malformed reference object: [referenceId]<br>
  at System.Security.Cryptography.<u></u>Xml.SignedXml.GetReferenceHash (System.Security.Cryptography.<u></u>Xml.Reference r, Boolean check_hmac) [0x00000] in <filename unknown>:0<br>
  at System.Security.Cryptography.<u></u>Xml.SignedXml.<u></u>CheckReferenceIntegrity (System.Collections.ArrayList referenceList) [0x00000] in <filename unknown>:0<br>
  at System.Security.Cryptography.<u></u>Xml.SignedXml.<u></u>CheckSignatureInternal (System.Security.Cryptography.<u></u>AsymmetricAlgorithm key) [0x00000] in <filename unknown>:0<br>
  at System.Security.Cryptography.<u></u>Xml.SignedXml.CheckSignature (System.Security.Cryptography.<u></u>AsymmetricAlgorithm key) [0x00000] in <filename unknown>:0<br>
  at TestSAML.Program.Main (System.String[] args) [0x00000] in <filename unknown>:0<br>
</blockquote>
<br></div>
Of course it happens because you should be processing corresponding DTD or XML Schema.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
The same code works in .NET and it does work if I modify the GetIdElement method to check for "ID".<br>
<br>
So in your opinion, I should create a class that derives from SignedXml and override GetIdElement?<br>
</blockquote>
<br></div>
I'm not sure I would like to answer yes (if you want to have ID being processed) or no (you should actually process DTD or XSD).<div class="im"><br></div></blockquote><div><br></div><div>I added references to the corresponding XSDs but it doesn't seem to help.  I'm still getting the same exception.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
It does fix the problem for me. But wouldn't it be better to modify SignedXml.GetIdElement() to behave more like .NET so that other users don't encounter the same problem?<br>
<br>
</blockquote>
<br></div>
I don't support any use of API that violates W3C specification.<br></blockquote><div><br></div><div>From what I understand, the W3C specification is only about the signature part of a signed xml.  There is nothing regarding other parts of the signed XML, and the SAML standard defines the id differently.  So I'm not sure that supporting SAML ids would violate the W3C specification.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Though I'm just pointing out the facts. There may be people who want to take responsibility on the entire XML Signature stuff and go ahead to apply the changes.<br>
<br>
Atsushi Eno<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks,<br>
<br>
Jonathan<div class="im"><br>
<br>
On Tue, Jul 16, 2013 at 10:24 AM, Atsushi Eno <<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-vos-<u></u>liberabit.com</a> <mailto:<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-<u></u>vos-liberabit.com</a>>> wrote:<br>

<br>
    Whenever SAML document instance refers to its schema or DTD that<br>
    will validate "ID" attribute as expected, since SignedXml<br>
    internally uses XmlDocument.GetElementById () which is expected to<br>
    collect "IDs" where "IDs" means a validated ID by<br>
    XmlValidatingReader or any XmlReader that has XmlReaderSettings to<br>
    consider XmlSchema or DTD. Hence that does not cause any problem<br>
    for SAML.<br>
<br>
    (Also note that SignedXml implementation could override<br>
    SignedXml.GetIdElement(). Mono's WCF implementation makes use of<br>
    it to support WS-Security ID attribute.)<br>
<br>
    Atsushi Eno<br>
<br>
    Jonathan Gagnon wrote:<br>
<br>
        This is true for the signature, but not true for SAML<br>
        assertions, where ids are defined as "ID" :<br>
<br>
        <a href="http://schemas.stylusstudio.com/saml/nea261b70/complexType_AssertionType.html" target="_blank">http://schemas.stylusstudio.<u></u>com/saml/nea261b70/<u></u>complexType_AssertionType.html</a><br>
<br>
        I don't know in which case we would need "id" in lowercase,<br>
        but since .NET supports it, there is probably a valid reason<br>
        for it too.<br>
<br>
        *Jonathan Gagnon*<br>
        Responsable des architectures systèmes<br>
        600, boulevard Armand-Frappier, bureau 200<br>
        Laval (Québec) H7V 4B4<br>
        Canada<br></div><div class="im">
        T : <a href="tel:450-662-6101" value="+14506626101" target="_blank">450-662-6101</a> <tel:<a href="tel:450-662-6101" value="+14506626101" target="_blank">450-662-6101</a>> poste 234<br>
        <<a href="http://www.croesus.com" target="_blank">http://www.croesus.com</a>><br>
        <<a href="http://www.facebook.com/pages/Croesus-Finansoft/345020305606240" target="_blank">http://www.facebook.com/<u></u>pages/Croesus-Finansoft/<u></u>345020305606240</a>><<a href="http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141" target="_blank">http://www.<u></u>linkedin.com/company/croesus-<u></u>finansoft?trk=hb_tab_compy_id_<u></u>26141</a>><<a href="https://twitter.com/CroesusFin" target="_blank">https://twitter.com/<u></u>CroesusFin</a>><br>

<br>
<br>
<br></div><div class="im">
        On Tue, Jul 16, 2013 at 2:30 AM, Atsushi Eno<br>
        <<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-vos-<u></u>liberabit.com</a><br>
        <mailto:<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-<u></u>vos-liberabit.com</a>><br></div>
        <mailto:<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-<u></u>vos-liberabit.com</a><div><div class="h5"><br>
        <mailto:<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-<u></u>vos-liberabit.com</a>>>> wrote:<br>
<br>
            W3C XML Signature specification explicitly "Id" as the valid<br>
            attribute name for referencing an element, by its XML<br>
        Schema and DTD:<br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-Signature" target="_blank">http://www.w3.org/TR/xmldsig-<u></u>core/#sec-Signature</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-SignatureValue" target="_blank">http://www.w3.org/TR/xmldsig-<u></u>core/#sec-SignatureValue</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-SignedInfo" target="_blank">http://www.w3.org/TR/xmldsig-<u></u>core/#sec-SignedInfo</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-Reference" target="_blank">http://www.w3.org/TR/xmldsig-<u></u>core/#sec-Reference</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-KeyInfo" target="_blank">http://www.w3.org/TR/xmldsig-<u></u>core/#sec-KeyInfo</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-Object" target="_blank">http://www.w3.org/TR/xmldsig-<u></u>core/#sec-Object</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-Manifest" target="_blank">http://www.w3.org/TR/xmldsig-<u></u>core/#sec-Manifest</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-SignatureProperties" target="_blank">http://www.w3.org/TR/xmldsig-<u></u>core/#sec-SignatureProperties</a><br>
<br>
            If Microsoft treats "id" or "ID" attributes as if they were ID<br>
            (and not "iD" ?), they will have to fix their bug.<br>
<br>
            Atsushi Eno<br>
<br>
            (2013年07月12日 23:58), Jonathan Gagnon wrote:<br>
<br>
                I have encountered a bug similar to 4938<br>
                <<a href="https://bugzilla.xamarin.com/show_bug.cgi?id=4938" target="_blank">https://bugzilla.xamarin.com/<u></u>show_bug.cgi?id=4938</a>>.<br>
<br>
<br>
                My problem is that mono does not find the reference id<br>
        because<br>
                the id is in uppercase ('ID' instead of 'Id'). This works<br>
                correctly on .NET.<br>
<br>
                As stated in the bug description, the problem is in the<br>
                SignedXml class, GetIdElement method.<br>
<br>
                I wrote a very simple patch that fixes the problem by<br>
        looking<br>
                for "id" and "ID". Should I do a pull request with<br>
        that fix?<br>
<br>
                *Jonathan Gagnon*<br>
<br>
                Responsable des architectures systèmes<br>
                600, boulevard Armand-Frappier, bureau 200<br>
                Laval (Québec) H7V 4B4<br>
                Canada<br></div></div>
                T : <a href="tel:450-662-6101" value="+14506626101" target="_blank">450-662-6101</a> <tel:<a href="tel:450-662-6101" value="+14506626101" target="_blank">450-662-6101</a>> <tel:<a href="tel:450-662-6101" value="+14506626101" target="_blank">450-662-6101</a><div class="im">
<br>
        <tel:<a href="tel:450-662-6101" value="+14506626101" target="_blank">450-662-6101</a>>> poste 234<br>
<br>
                <<a href="http://www.croesus.com" target="_blank">http://www.croesus.com</a>><br>
                       <<a href="http://www.facebook.com/pages/Croesus-Finansoft/345020305606240" target="_blank">http://www.facebook.com/<u></u>pages/Croesus-Finansoft/<u></u>345020305606240</a>><<a href="http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141" target="_blank">http://www.<u></u>linkedin.com/company/croesus-<u></u>finansoft?trk=hb_tab_compy_id_<u></u>26141</a>><<a href="https://twitter.com/CroesusFin" target="_blank">https://twitter.com/<u></u>CroesusFin</a>><br>

<br>
<br>
<br>
                ______________________________<u></u>_________________<br>
                Mono-devel-list mailing list<br>
        <a href="mailto:Mono-devel-list@lists.ximian.com" target="_blank">Mono-devel-list@lists.ximian.<u></u>com</a><br>
        <mailto:<a href="mailto:Mono-devel-list@lists.ximian.com" target="_blank">Mono-devel-list@lists.<u></u>ximian.com</a>><br></div>
                <mailto:<a href="mailto:Mono-devel-list@lists.ximian.com" target="_blank">Mono-devel-list@lists.<u></u>ximian.com</a><br>
        <mailto:<a href="mailto:Mono-devel-list@lists.ximian.com" target="_blank">Mono-devel-list@lists.<u></u>ximian.com</a>>><br>
        <a href="http://lists.ximian.com/mailman/listinfo/mono-devel-list" target="_blank">http://lists.ximian.com/<u></u>mailman/listinfo/mono-devel-<u></u>list</a><br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote></div><br></div></div>