- From: <extern.Gerhard.Kersten@itzbund.de>
- Date: Wed, 10 Jun 2020 10:43:08 +0000
- To: <xml-encryption@w3.org>
- Message-ID: <A9D29C51D880994A8DB9B176209FC47009299C22@VWP12004.vzd.zivb.net>
Hi all,
we are implementing a SAML based SSO framework, but the latest version of our
software rejects validation of the xenc11:MGF element in the SAML assertion.
Using a dedicated validator tool
(http://www.softwarebytes.org/xmlvalidation/), the error message is:
[Error] saml-test.xml:79:39:cvc-complex-type.2.4.c: The matching wildcard is
strict, but no declaration can be found for element 'xenc11:MGF'.
The reason for this is that xenc:EncryptionMethodType allows for
<any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
without specifying 'processContents="lax"', as most other 'any' declarations
do. Thus the validator is requested to check the schema for 'xenc11:MGF'. This
will fail, because there is no 'import namespace' instruction for xenc11. The
'note that optional xenc11:MGF element may be used here' in the schema comment
is helpful for human readers, but unfortunately not for the validator.
As I guess you do not like the idea of importing xenc11 in the xenc schema, you
should at least use 'processContents="lax"' to make schema validation optional
for this element. Otherwise schema validation has to be switched off
completely, which is a nightmare to security aware (aka paranoid) subjects.
Greetings
Gerhard
Offending fragment in our SAML assertion:
----- 8< ---------- 8< ---------- 8< ---------- 8< -----
<xenc:EncryptionMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5">
  <ds:DigestMethod
      Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
  <xenc11:MGF
      xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
      Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"
  />
</xenc:EncryptionMethod>
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Friday, 12 June 2020 12:09:25 UTC
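The following is an added example, not part of the mail above and not code from any W3C schema or validator. It models, in stand-alone Python (stdlib only, no real XSD engine), the decision a validator makes for each child of xenc:EncryptionMethod that has to pass through the `<any namespace='##other'/>` wildcard: under the XSD default processContents="strict" the element's declaration must be found, under "lax" an undeclared element is accepted, and a schema that actually declares xenc11:MGF passes under "strict". The sets of "declared" elements, the prefix table, and the stand-alone copy of the fragment (with the xenc and ds prefixes declared so it parses on its own) are assumptions made for the demonstration; the error texts mirror the messages quoted in the mail.

```python
"""Model of how an XSD validator applies the <any namespace='##other'> wildcard
in xenc:EncryptionMethodType under strict vs. lax processContents.
Stand-alone demo, not a real schema validator."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
DS = "http://www.w3.org/2000/09/xmldsig#"
PREFIXES = {XENC: "xenc", XENC11: "xenc11", DS: "ds"}  # display only (assumed)

# Constructed stand-alone copy of the fragment from the mail; the xenc and ds
# prefix declarations are added here because the mail quotes an inner fragment.
FRAGMENT = f"""<xenc:EncryptionMethod xmlns:xenc="{XENC}" xmlns:ds="{DS}"
    Algorithm="{XENC}rsa-1_5">
  <ds:DigestMethod Algorithm="{XENC}sha256"/>
  <xenc11:MGF xmlns:xenc11="{XENC11}" Algorithm="{XENC11}mgf1sha256"/>
</xenc:EncryptionMethod>"""

# Constructed variant with a child in the xenc namespace itself, which the
# '##other' wildcard does not admit at all (a different error than 2.4.c).
BAD_FRAGMENT = FRAGMENT.replace("<ds:DigestMethod", "<xenc:Bogus")

# Elements named explicitly in the content model of EncryptionMethodType
# (KeySize, OAEPparams); every other child has to match the wildcard.
LOCAL_PARTICLES = {(XENC, "KeySize"), (XENC, "OAEPparams")}

# Global element declarations a validator can resolve when only the xenc schema
# and the dsig schema it imports are loaded (assumed set for the demo).
DECLARED_XENC_ONLY = {(DS, "DigestMethod"), (DS, "KeyInfo")}
# The same set after also importing the xenc11 schema (or declaring MGF).
DECLARED_WITH_XENC11 = DECLARED_XENC_ONLY | {(XENC11, "MGF")}


def split_tag(tag):
    """ElementTree spells a namespaced tag as '{namespace}local'."""
    ns, _, local = tag[1:].partition("}")
    return ns, local


def qname(ns, local):
    """Prefixed name for error messages, as a validator would print it."""
    return f"{PREFIXES.get(ns, ns)}:{local}"


def wildcard_matches(ns, target_ns, constraint="##other"):
    """Namespace constraint of <any namespace=...>: '##other' admits any
    namespace that is neither the schema's target namespace nor absent."""
    if constraint == "##any":
        return True
    if constraint == "##other":
        return bool(ns) and ns != target_ns
    return ns in constraint.split()


def validate_encryption_method(xml_text, declared, process_contents="strict"):
    """Return the list of XSD error messages for the children of an
    xenc:EncryptionMethod element, applying the wildcard with the given
    processContents ('strict' is the XSD default, which xenc-schema.xsd
    does not override)."""
    root = ET.fromstring(xml_text)
    assert split_tag(root.tag) == (XENC, "EncryptionMethod")
    errors = []
    for child in root:                      # mixed='true': text nodes are ignored
        ns, local = split_tag(child.tag)
        if (ns, local) in LOCAL_PARTICLES:
            continue                        # matched an explicit particle
        if not wildcard_matches(ns, XENC):
            errors.append("cvc-complex-type.2.4.a: Invalid content was found "
                          f"starting with element '{qname(ns, local)}'.")
            continue
        if process_contents == "skip":
            continue                        # skip: never looked up at all
        if (ns, local) in declared:
            continue                        # strict and lax: validated against it
        if process_contents == "strict":
            errors.append("cvc-complex-type.2.4.c: The matching wildcard is "
                          "strict, but no declaration can be found for element "
                          f"'{qname(ns, local)}'.")
        # lax: an undeclared element is accepted without validation
    return errors


if __name__ == "__main__":
    for name, decl in (("xenc only", DECLARED_XENC_ONLY),
                       ("xenc + xenc11", DECLARED_WITH_XENC11)):
        for pc in ("strict", "lax"):
            result = validate_encryption_method(FRAGMENT, decl, pc) or "valid"
            print(f"{name:14} processContents={pc:6} -> {result}")
```

With the xenc-only declaration set and the strict default, the only failing child is xenc11:MGF; ds:DigestMethod passes because the dsig schema is imported. Switching the wildcard to lax, or loading a schema that declares MGF, makes the same fragment valid, which is the trade-off the mail describes: lax keeps validation on for everything the schema does know, instead of switching it off entirely. The same three outcomes are what a real validator (for example xmllint --schema) reports when run against the respective schemas.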