<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Fri, Jul 19, 2013 at 1:05 PM, Atsushi Eno <span dir="ltr"><<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-vos-liberabit.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">(July 17, 2013 21:25), Jonathan Gagnon wrote:<div><div class="h5">
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
<br>
On Tue, Jul 16, 2013 at 12:16 PM, Atsushi Eno <<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-vos-liberabit.com</a>> wrote:<br>

<br>
    Jonathan Gagnon wrote:<br>
<br>
        It does not work when the SAML document is not referring to<br>
        any DTD.  In my case, I receive the following exception when I<br>
        call the CheckSignature method:<br>
<br>
        System.Security.Cryptography.CryptographicException: Malformed reference object: [referenceId]<br>
          at System.Security.Cryptography.Xml.SignedXml.GetReferenceHash (System.Security.Cryptography.Xml.Reference r, Boolean check_hmac) [0x00000] in <filename unknown>:0<br>
          at System.Security.Cryptography.Xml.SignedXml.CheckReferenceIntegrity (System.Collections.ArrayList referenceList) [0x00000] in <filename unknown>:0<br>
          at System.Security.Cryptography.Xml.SignedXml.CheckSignatureInternal (System.Security.Cryptography.AsymmetricAlgorithm key) [0x00000] in <filename unknown>:0<br>
          at System.Security.Cryptography.Xml.SignedXml.CheckSignature (System.Security.Cryptography.AsymmetricAlgorithm key) [0x00000] in <filename unknown>:0<br>
          at TestSAML.Program.Main (System.String[] args) [0x00000] in <filename unknown>:0<br>
<br>
<br>
    Of course it happens because you should be processing<br>
    corresponding DTD or XML Schema.<br>
<br>
<br>
<br>
        The same code works in .NET and it does work if I modify the<br>
        GetIdElement method to check for "ID".<br>
<br>
        So in your opinion, I should create a class that derives from<br>
        SignedXml and override GetIdElement?<br>
<br>
<br>
    I'm not sure I would like to answer yes (if you want to have ID<br>
    being processed) or no (you should actually process DTD or XSD).<br>
<br>
<br>
I added references to the corresponding XSDs but it doesn't seem to help.  I'm still getting the same exception.<br>
</blockquote>
<br></div></div>
Because you didn't set up XmlDocument properly to process XSDs. (You're discussing you're doing right without showing code.)<div class="im"><br>
<br></div></blockquote><div><br></div><div>You're probably right that I didn't set it up properly.  It seems to be a poorly documented part of .NET.  Do you have a link to a good example?</div><div><br></div><div>
Basically, I tried adding a reference to the xsd inside the SAML document but it didn't help.  Then I tried the following example without success: <a href="http://msdn.microsoft.com/en-us/library/ms162371.aspx">http://msdn.microsoft.com/en-us/library/ms162371.aspx</a></div>
<div><br></div><div>I also noticed that calling the Schemas.Add method is very slow (several seconds each time), and didn't want that overhead in our application.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
<br>
        It does fix the problem for me. But wouldn't it be better to<br>
        modify SignedXml.GetIdElement() to behave more like .NET so<br>
        that other users don't encounter the same problem?<br>
<br>
<br>
    I don't support any use of API that violates W3C specification.<br>
<br>
<br>
From what I understand, the W3C specification is only about the signature part of a signed XML.  There is nothing regarding other parts of the signed XML, and the SAML standard defines the id differently.  So I'm not sure that supporting SAML ids would violate the W3C specification.<br>

</blockquote>
<br></div>
I don't understand your discussion. Any additional local attributes that do not conform to the XML Schema defined in the xmldsig specification violate XML schema validation.<br></blockquote><div><br></div><div>What I'm saying is that the XML Schema defined in the xmldsig specification is often applied to a subpart of an XML document.  Here is an example:</div>
<div><br></div><div><div><samlp:Response></div><div>  <saml:Assertion ID="abc"></div><div>    <ds:Signature xmlns:ds="<a href="http://www.w3.org/2000/09/xmldsig#">http://www.w3.org/2000/09/xmldsig#</a>"></div>
<div>    </ds:Signature></div><div>    ...</div><div>  </saml:Assertion></div><div></samlp:Response></div></div><div><br></div><div>So the XML Schema defined by the W3C specification only applies to what is inside the <ds:Signature> tags.  Thus, it doesn't violate the XML Schema to have an "ID" attribute for the <saml:Assertion>.</div>
<div><br></div><div>Also, if you look at some examples on the W3C sites, you will find that some of them use "ID" instead of "Id" (that could be a mistake though).  Like this one:</div><div><br></div>
<div><a href="http://www.w3.org/TR/xmldsig-core/#sec-NamespaceContext">http://www.w3.org/TR/xmldsig-core/#sec-NamespaceContext</a></div><div><br></div><div>Basically, my point is that it seems like there is more than one standard for XML signatures.  SAML is one of them and it defines an ID as "ID" instead of "Id".  Microsoft seems to have decided to support it directly without the need to process the XSDs.  I thought it would be a good idea to have Mono do the same, and that is what my patch does.</div>
<div><br></div><div>Jonathan</div><div> <br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

<br>
Atsushi Eno<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">
<br>
    Though I'm just pointing out the facts. There may be people who<br>
    want to take responsibility on the entire XML Signature stuff and<br>
    go ahead to apply the changes.<br>
<br>
    Atsushi Eno<br>
<br>
        Thanks,<br>
<br>
        Jonathan<br>
<br>
<br>
        On Tue, Jul 16, 2013 at 10:24 AM, Atsushi Eno<br>
        <<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-vos-liberabit.com</a>> wrote:<br></div><div class="im">
<br></div><div><div class="h5">
            Whenever a SAML document instance refers to its schema or DTD, that<br>
            will validate the "ID" attribute as expected, since SignedXml<br>
            internally uses XmlDocument.GetElementById (), which is expected to<br>
            collect "IDs", where "IDs" means an ID validated by<br>
            XmlValidatingReader or any XmlReader that has XmlReaderSettings<br>
            set to consider an XmlSchema or DTD. Hence that does not cause any<br>
            problem for SAML.<br>
<br>
            (Also note that a SignedXml implementation could override<br>
            SignedXml.GetIdElement(). Mono's WCF implementation makes use of<br>
            it to support the WS-Security ID attribute.)<br>
<br>
            Atsushi Eno<br>
<br>
            Jonathan Gagnon wrote:<br>
<br>
                This is true for the signature, but not true for SAML<br>
                assertions, where ids are defined as "ID":<br>
<br>
        <a href="http://schemas.stylusstudio.com/saml/nea261b70/complexType_AssertionType.html" target="_blank">http://schemas.stylusstudio.com/saml/nea261b70/complexType_AssertionType.html</a><br>
<br>
                I don't know in which case we would need "id" in lowercase,<br>
                but since .NET supports it, there is probably a valid reason<br>
                for it too.<br>
<br>
                *Jonathan Gagnon*<br>
                Systems Architecture Manager<br>
                600, boulevard Armand-Frappier, bureau 200<br>
                Laval (Québec) H7V 4B4<br>
                Canada<br></div></div><div class="im">
                T: <a href="tel:450-662-6101" value="+14506626101" target="_blank">450-662-6101</a> ext. 234<br>
                <<a href="http://www.croesus.com" target="_blank">http://www.croesus.com</a>><br>
                <<a href="http://www.facebook.com/pages/Croesus-Finansoft/345020305606240" target="_blank">http://www.facebook.com/pages/Croesus-Finansoft/345020305606240</a>> <<a href="http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141" target="_blank">http://www.linkedin.com/company/croesus-finansoft?trk=hb_tab_compy_id_26141</a>> <<a href="https://twitter.com/CroesusFin" target="_blank">https://twitter.com/CroesusFin</a>><br>

<br>
<br>
<br></div><div><div class="h5">
                On Tue, Jul 16, 2013 at 2:30 AM, Atsushi Eno<br>
                <<a href="mailto:atsushieno@veritas-vos-liberabit.com" target="_blank">atsushieno@veritas-vos-liberabit.com</a>> wrote:<br>
<br>
                    The W3C XML Signature specification explicitly defines "Id" as the valid<br>
                    attribute name for referencing an element, by its XML Schema and DTD:<br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-Signature" target="_blank">http://www.w3.org/TR/xmldsig-core/#sec-Signature</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-SignatureValue" target="_blank">http://www.w3.org/TR/xmldsig-core/#sec-SignatureValue</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-SignedInfo" target="_blank">http://www.w3.org/TR/xmldsig-core/#sec-SignedInfo</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-Reference" target="_blank">http://www.w3.org/TR/xmldsig-core/#sec-Reference</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-KeyInfo" target="_blank">http://www.w3.org/TR/xmldsig-core/#sec-KeyInfo</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-Object" target="_blank">http://www.w3.org/TR/xmldsig-core/#sec-Object</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-Manifest" target="_blank">http://www.w3.org/TR/xmldsig-core/#sec-Manifest</a><br>
        <a href="http://www.w3.org/TR/xmldsig-core/#sec-SignatureProperties" target="_blank">http://www.w3.org/TR/xmldsig-core/#sec-SignatureProperties</a><br>
<br>
                    If Microsoft treats "id" or "ID" attributes as if they were ID<br>
                    (and not "iD" ?), they will have to fix their bug.<br>
<br>
                    Atsushi Eno<br>
<br>
                    (July 12, 2013 23:58), Jonathan Gagnon wrote:<br>
<br>
                        I have encountered a bug similar to 4938<br>
                        <<a href="https://bugzilla.xamarin.com/show_bug.cgi?id=4938" target="_blank">https://bugzilla.xamarin.com/show_bug.cgi?id=4938</a>>.<br>
<br>
<br>
                        My problem is that Mono does not find the reference id because<br>
                        the id is in uppercase ('ID' instead of 'Id'). This works<br>
                        correctly on .NET.<br>
<br>
                        As stated in the bug description, the problem is in the<br>
                        SignedXml class, GetIdElement method.<br>
<br>
                        I wrote a very simple patch that fixes the problem by looking<br>
                        for "id" and "ID". Should I do a pull request with that fix?<br>
<br>
                        *Jonathan Gagnon*<br></div></div>
<div class="im">

<br>
<br>
<br>
                        _______________________________________________<br>
                        Mono-devel-list mailing list<br>
        <a href="mailto:Mono-devel-list@lists.ximian.com" target="_blank">Mono-devel-list@lists.ximian.com</a><br></div>
        <a href="http://lists.ximian.com/mailman/listinfo/mono-devel-list" target="_blank">http://lists.ximian.com/mailman/listinfo/mono-devel-list</a><br>
</blockquote>
<br>
</blockquote></div><br></div></div>
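As an added example (C#), not the patch from this thread and not code from Mono or .NET: a SignedXml subclass that overrides GetIdElement as discussed above so a SAML "ID" attribute resolves without DTD/XSD processing, while a reference value carried by more than one element is treated as unresolved rather than silently picking one. The SAML 2.0 assertion namespace and the helper name VerifyAssertionSignature are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not the patch from this thread and not Mono or .NET code. It
// overrides GetIdElement so a SAML "ID" attribute resolves without DTD/XSD
// processing, but treats a value carried by more than one element as unresolved
// instead of silently picking one of them.
public class SamlSignedXml : SignedXml
{
    // Identifier attribute names accepted: xmldsig "Id", SAML "ID" and lowercase
    // "id" (the thread notes .NET accepts the latter as well).
    static readonly string[] IdAttributeNames = { "Id", "ID", "id" };
    public SamlSignedXml(XmlDocument doc) : base(doc) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        if (document == null || string.IsNullOrEmpty(idValue)) return null;
        XmlElement found = null;
        int matches = 0;
        // Compare values in C# rather than splicing idValue into an XPath
        // predicate, so quote characters in a Reference URI cannot alter the query.
        foreach (XmlElement el in document.SelectNodes("//*[@Id or @ID or @id]"))
        {
            foreach (string name in IdAttributeNames)
            {
                if (el.HasAttribute(name) &&
                    string.Equals(el.GetAttribute(name), idValue, StringComparison.Ordinal))
                {
                    matches++;
                    found = el;
                    break;
                }
            }
        }
        // A Reference must name exactly one element; duplicates fail the signature.
        return matches == 1 ? found : null;
    }

    // Verifies the Signature that is a direct child of the Assertion, the layout
    // shown in the thread. Assumes SAML 2.0 (adjust the namespace for SAML 1.x).
    public static bool VerifyAssertionSignature(XmlDocument doc, AsymmetricAlgorithm key)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        var sig = doc.SelectSingleNode("//saml:Assertion/ds:Signature", ns) as XmlElement;
        if (sig == null) return false;
        var signed = new SamlSignedXml(doc);
        signed.LoadXml(sig);
        return signed.CheckSignature(key);
    }
}
```

Load the XmlDocument with XmlResolver set to null and PreserveWhitespace enabled, so a DOCTYPE in an incoming response is not fetched over the network and the canonicalized bytes match what was signed.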