support inclusive namespaces

[yaronn]

Follow up to #43

A reference like this:

 <ds:Reference URI="...">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#"  PrefixList="xs saml xsi">
              </xc14n:InclusiveNamespaces>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
          </ds:DigestMethod>
          <ds:DigestValue>...</ds:DigestValue>
    </ds:Reference>

means that we need to add definitions for xs, saml and xsi on the canonicalized value of the node we validate. they should be bound to whatever they are bound to in the context of that node.

for example if we need to sign X:

<y xmlns:xs="1" xmlns:saml="2" xmlns:xsi="3">
    <x>
</y>

then X canonical form should be:

<x xmlns:xs="1" xmlns:saml="2" xmlns:xsi="3"></x>

[chriswininger]

So I am experiencing the problem described #43 , the xml response from the server contains to following

 <ds:Reference URI="#Assertion-uuidf584541e-014e-17eb-a6cd-94807f7070de">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                     <xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs saml xsi" />
                  </ds:Transform>
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               <ds:DigestValue>S5R/9vfMHCMHOZnFpwNvKEVMDgY=</ds:DigestValue>
            </ds:Reference>

You mention in #43 there is a possible workaround that you will e-mail the user. Could you possibly post that work around? Thanks in advance.

[yaronn]

Hi

I have manually added to his SAML Assertion element the definitions of xmlns:saml, xmlns:xsi and xmlns:xs (which appeared elsewhere in the document). I believe he then went and automated the addition of those elements (just be careful not to change any white spaces.)
In terms of the defect above I have added the namespaces to X before verifying its signature. You should add the relevant namespaces to the element with id #Assertion-uuidf584541e-014e-17eb-a6cd-94807f7070de.

[chriswininger]

Ah, I see thanks. That did it.

[yaronn]

great!