Development #10155
Ability to set the "DigestMethod" of a saml response
Description
When building a signed SAML response, there is no way to set the "DigestMethod" of the signature to SHA256; it defaults to SHA1.
Attached is a test case; note this is the same test case as issue 10154, hence the name "lasso-bug.tar.bz2".
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="#_A7F3AF0951AD63AB216597DE5743EC91">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <!-- the line highlighted by the reporter: DigestMethod is still SHA1 although SignatureMethod is rsa-sha256 -->
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>...</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>...</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>...</X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>
History
Updated by Benjamin Dauvergne over 8 years ago
- Status changed from New to Rejected
LassoServer structure has a signature_method field for this.
Updated by Brett Gardner over 8 years ago
I don't want to set the SignatureMethod to SHA256; I'm already doing this. I want to set the DigestMethod.
Updated by Benjamin Dauvergne over 8 years ago
- Status changed from Rejected to New
It's not handled currently, please provide a patch.
Updated by Benjamin Dauvergne over 8 years ago
- Status changed from New to Resolved (to deploy)
- % Done changed from 0 to 100
Applied by commit 9525237236eef4097300d9b6e93d2178a7a72267.
Choose the Reference transform based on the chosen Signature transform (fixes #10155)
i.e. if the signature uses SHA2 then use SHA2 of the same strength for digesting
references.
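The mismatch in the reporter's snippet (an rsa-sha256 SignatureMethod over a Reference digested with SHA1) and the rule the fix adopts (digest references with a hash of the same strength as the signature) can both be checked mechanically. The following added example is not Lasso code and not part of this ticket; it is an audit script in Python using only the standard library. It derives the expected DigestMethod URI from the SignatureMethod URI with the fix's rule and reports every Reference in a signed document whose DigestMethod differs. The algorithm identifiers are the standard XML-DSig / XML-Encryption URIs; the sample input is the reporter's snippet with its elided values kept as placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces under which XML-DSig algorithm identifiers are defined
DSIG = "http://www.w3.org/2000/09/xmldsig#"
DSIG_MORE = "http://www.w3.org/2001/04/xmldsig-more#"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"

# SignatureMethod URI -> hash family the signature uses (standard identifiers)
SIGNATURE_HASH = {
    DSIG + "rsa-sha1": "sha1",
    DSIG + "dsa-sha1": "sha1",
    DSIG_MORE + "rsa-sha256": "sha256",
    DSIG_MORE + "rsa-sha384": "sha384",
    DSIG_MORE + "rsa-sha512": "sha512",
    DSIG_MORE + "ecdsa-sha256": "sha256",
    DSIG_MORE + "ecdsa-sha384": "sha384",
    DSIG_MORE + "ecdsa-sha512": "sha512",
}

# hash family -> DigestMethod URI of the same strength (standard identifiers)
DIGEST_URI = {
    "sha1": DSIG + "sha1",
    "sha256": XMLENC + "sha256",
    "sha384": DSIG_MORE + "sha384",
    "sha512": XMLENC + "sha512",
}


def expected_digest_uri(signature_method):
    """The rule from the fix: digest each Reference with the hash family
    the SignatureMethod itself uses, at the same strength."""
    family = SIGNATURE_HASH.get(signature_method)
    if family is None:
        raise ValueError("unknown SignatureMethod: %s" % signature_method)
    return DIGEST_URI[family]


def audit_signatures(xml_text):
    """Return one finding per Reference whose DigestMethod does not match the
    strength of its enclosing SignatureMethod. Works on a bare <Signature>
    or on a Response/Assertion with Signature elements nested inside."""
    findings = []
    root = ET.fromstring(xml_text)
    for sig in root.iter("{%s}Signature" % DSIG):  # iter() includes root itself
        signed_info = sig.find("{%s}SignedInfo" % DSIG)
        sm = signed_info.find("{%s}SignatureMethod" % DSIG) if signed_info is not None else None
        sig_uri = sm.get("Algorithm", "") if sm is not None else ""
        try:
            expected = expected_digest_uri(sig_uri)
        except ValueError as exc:
            findings.append({"reference": None, "digest": None, "expected": None,
                             "problem": str(exc)})
            continue
        for ref in signed_info.findall("{%s}Reference" % DSIG):
            dm = ref.find("{%s}DigestMethod" % DSIG)
            digest = dm.get("Algorithm") if dm is not None else None
            if digest != expected:
                findings.append({"reference": ref.get("URI"), "digest": digest,
                                 "expected": expected,
                                 "problem": "DigestMethod does not match SignatureMethod strength"})
    return findings


# Sample input: the reporter's snippet (values elided there are kept as "...")
SAMPLE_SIGNATURE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_A7F3AF0951AD63AB216597DE5743EC91">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>...</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo><X509Data><X509Certificate>...</X509Certificate></X509Data></KeyInfo>
</Signature>"""

# The same signature after the fix: the Reference digest now matches the signature strength
FIXED_SIGNATURE = SAMPLE_SIGNATURE.replace(DSIG + "sha1", XMLENC + "sha256")

if __name__ == "__main__":
    for finding in audit_signatures(SAMPLE_SIGNATURE):
        print(finding)
    print("fixed signature findings:", audit_signatures(FIXED_SIGNATURE))
```

Run against the reporter's snippet the script reports the single Reference with the SHA1 digest and the SHA-256 URI it expected; against the corrected document it reports nothing. Note that the rule only checks consistency: a signature that uses rsa-sha1 throughout passes, so a deployment that wants to forbid SHA1 entirely needs an additional policy check on the SignatureMethod itself.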