Debug xml dsig #4
Conversation
SAML2/XML/Signature.hs
Outdated
| doc' <- case mdoc' of | ||
| Right x | ||
| -> pure x | ||
| Left (err :: SomeException) |
There was a problem hiding this comment.
It'd be nice to move the SomeException type annotation up into try @SomeException so the exception type stays close to the try and makes it clear that we plan to catch ALL exceptions 😄
SAML2/XML/Signature.hs
Outdated
| Left err -> throwError . SignatureParseError $ show err | ||
| Right v -> pure v | ||
|
|
||
| signedInfoElem :: BS.ByteString |
There was a problem hiding this comment.
Some docstring or comments explaining the magic xPaths would be nice 😄
There was a problem hiding this comment.
Agreed, but i would have to figure out what that code does first... (It's not mine)
SAML2/XML/Signature.hs
Outdated
| $ mapM (`verifyReference` signedSubtree) (signedInfoReference signedInfoTyped) | ||
|
|
||
| unless (all isRight referenceChecks) $ | ||
| throwError . SignatureVerifyBadReferences $ show (signedInfoReference signedInfoTyped, referenceChecks) |
There was a problem hiding this comment.
If there's a left in the referenceChecks should we possibly sequence it to collect the error out? Or is it more descriptive to print everything out like this?
There was a problem hiding this comment.
It's a list of Eithers, and I want to keep track of how many errors there are, and which precisely.
I agree it looks weird, but I can't think of a better way to do it. Wanna try something and add a commit?
There was a problem hiding this comment.
In that case; how about show (signedInfoReference signedInfoTyped, lefts referenceChecks) instead? lefts will just grab all the errors from the list of Eithers
SAML2/XML/Signature.hs
Outdated
| capture' :: String -> IO a -> IO a | ||
| capture' actionName action = hCapture [stdout, stderr] action >>= \case | ||
| ("", !out) -> pure out | ||
| (noise, _) -> throwIO . ErrorCall $ actionName <> ": " <> noise |
There was a problem hiding this comment.
If any noise on stdout indicates an error; it's probably helpful to have the output of stderr appended here too.
There was a problem hiding this comment.
i think that's what this does, no?
(thanks for the other comments, more changes coming up!)
There was a problem hiding this comment.
Ahh; I see! I misunderstood; It looked at a glance that the tuple matched up with [stdout, stderr]; but in hindsight that does't make sense 👍
|
It's all greek to me 🤷♂️ Did this not change any behaviour in any of the tests? If that's the case we should almost certainly add some new tests to capture whatever was wrong before this change. |
It does make one test fail. See PR description. :-) To reproduce, run |
|
oh, and:
i've stared at this for over a day now, and not for the first time, and i feel the same way. :-). i don't think there is a way to implement xml:dsig though that would make the reader of the code feel any better about the world. that's just how xml standards are. |
i think i know what's going on here. Since libxml2 doesn't return errors, but spills them on stdout, stderr, I use hCapture that reads those into a string and returns it with together with the value.
The first solution I can think of is to trap and ignore this error |
I think this test had some issue with whitespace being changed after signing, and canonicalization does not touch whitespace that much. I am removing it because it is very likely that this is the issue, and very hard to robustly confirm it.
|
ready for review! |
| -- | ||
| -- TODO: change this function to return 'HXT.XmlTrees' and replace 'samlToDoc' with it. | ||
| samlToDoc' :: XP.XmlPickler a => a -> HXT.XmlTree | ||
| samlToDoc' = head . getChildren . head |
There was a problem hiding this comment.
samlToDoc' = head . getChildren . samlToDoc ?
There was a problem hiding this comment.
Or do you want it to remain like it is so that it would be easier to get rid of samlToDoc in the future?
| @@ -302,11 +306,6 @@ examples = zipWith ($) xs [1..] | |||
| where xs :: [Int -> VerifyExample] | |||
| xs = | |||
| [ VerifyExample | |||
| "<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAWOMMryDMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi02MDc2NDgxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTgwNTIzMDg1MTA1WhcNMjgwNTIzMDg1MjA1WjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNjA3NjQ4MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2HkpOuMhVFUCptrVB/Zm36cuFM+YMQjKdtqEoBJDLbtSbb7uFuvm5rMJ+1VSK5GKAM/Bec5WXTE2WMkifK5JaGOLS7q8+pgiWmqKE3KHMUmLAioe/1jzHkCobxis0FIVhyarRY97w0VMbDGzhPiU7pEopYpicJBzRL2UrzR+PebGgllvnaPzlg8ePtr9/xMv0QTJlYEyCctO4vT5Qa5Xlfek3Ox5yMJM1JPXzn7yuJN5R/Nf8jFprsdBSxNMzkcTRFGy8as2GCt/Xh9H+ef4CxSgRK5UXcUCrb5YMnBehEp2YiuWtw8QsGRR8elgnF3Uw9J2xEDkZIhurPy8OYmGNQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA7kxxg2aVjo7Oml83bUWk4UtaQKYMEY74mygG/JV09g1DVMAPAyjaaMFamDSjortKarMQ3ET5tj2DggQBsWQNzsr3iZkmijab8JLwzA2+I1q63S68OaW5uaR5iMR8zZCTh/fWWYqa1AP64XeGHp+RLGfbp/eToNfkQWu7fH2QtDMOeLe5VmIV9pOFHnySszoR/epMd3sdDLVgmz4qbrMTBWD+5rxWdYS2glmRXl7IIQHrdBTRMll7S6ks5prqKFTwfPvZVrTnzD83a39wl2jBJhOQLjmSfSwP9H0YFNb/NRaDbSDS7BPuAlotZsaPZIN95tu+t9wmFwdxcVG/9q/Vu</ds:X509Certificate></ds:X509Data></ds:KeyInfo>" | |||
| xmlReadMemory p (fromIntegral l) nullPtr nullPtr (#{const XML_PARSE_NOENT} .|. #{const XML_PARSE_DTDLOAD} .|. #{const XML_PARSE_DTDATTR} .|. #{const XML_PARSE_NONET} .|. #{const XML_PARSE_COMPACT}) | ||
| newDoc d | ||
| resetErrno | ||
| let config :: CInt |
There was a problem hiding this comment.
Would be nice to have comments for those flags, because it's not obvious from the names what they do.
There was a problem hiding this comment.
it's not my code, and i only touched these to make it slightly easier to read. also, i would argue this information belongs into the libxml2 manual.
|
I can't really vouch for the logic here. Having more tests for happy and unhappy paths would be nice: good signature, good signature but non-canonical encoding, bad signature, missing signature. |
Co-Authored-By: fisx <[email protected]>
i agree, but i won't do it in this PR. note that some of the tests you suggest are in saml2-web-sso (or even in wire-server, i would have to read up on the details). i will merge this now, if any of the answers i give are not enough please yell and i'll handle that in separate PRs. |
|
Okay
…On Wed, Feb 13, 2019, 21:04 fisx ***@***.*** wrote:
Merged #4 <#4> into master.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4 (comment)>, or mute the
thread
<https://github.com/notifications/unsubscribe-auth/ABc-arhE4SQT0p5wBW5i5ToCGnby0oWHks5vNG_FgaJpZM4a18E7>
.
|
These changes make XML signature validation more robust, and also more correct.
Tasks:
"failed to canonicalize input: xmlReadMemory: illegal operation (Inappropriate ioctl for device)")