I was reading [1] and wondered if there are either specific protections
already in place in Apache Santuario's XML security implementation, or
if it's up to callers of the API to make sure they use it in just the
right way?
As a concrete example, implementations may be doing something like
calling o.a.x.security.signature.XMLSignature's checkSignatureValue()
with a reference to either the SAML's X509 certificate and/or the
Signature node.
If the latter is being extracted with
doc.getElementsByTagNameNS(SignatureSpecNS, "Signature"), is this
sufficient protection against the new attack?
[1]
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
--
*Tom Chiverton*
Lead Developer
e: [email protected] <mailto:[email protected]>
p: 0161 817 2922
t: @extravision <http://www.twitter.com/extravision>
w: www.extravision.com <http://www.extravision.com/>
Extravision - email worth seeing <http://www.extravision.com/>
Registered in the UK at: First floor, Tomorrow, MediaCityUK, Manchester,
M50 2AB.
Company Reg No: 05017214 VAT: GB 824 5386 19
This e-mail is intended solely for the person to whom it is addressed
and may contain confidential or privileged information.
Any views or opinions presented in this e-mail are solely of the author
and do not necessarily represent those of Extravision Ltd.
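Added illustration, not part of the original message and not Santuario's own code or documentation: a hypothetical relying-party check, assuming org.apache.santuario:xmlsec 2.x on the classpath, built around a constructed toy assertion signed with an in-process RSA key. The finding in [1] turns on a comment node splitting the NameID text: canonicalization without comments drops the comment and joins the adjacent text, so the signature over the assertion still verifies, while a consumer that reads only the first text node sees a truncated identifier. The code signs such an assertion, performs the comment split, then validates with checkSignatureValue() while also requiring that the single Signature located via getElementsByTagNameNS(SignatureSpecNS, "Signature") is the assertion's own child and that its one Reference URI points at that assertion's ID; finally it reads the NameID both with getFirstChild().getNodeValue() and with getTextContent(). The class name CommentSplitNameIdDemo, the method verifyAssertion and the sample ID "_a1" are assumptions of this example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical relying-party check for comment-split NameIDs; assumes org.apache.santuario:xmlsec 2.x. */
public class CommentSplitNameIdDemo {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String ASSERTION_ID = "_a1"; // constructed sample ID, not from any real response

    public static void main(String[] args) throws Exception {
        Init.init();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // stands in for the IdP's signing key

        // Constructed sample assertion (not a real IdP response): Assertion/Subject/NameID.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element assertion = doc.createElementNS(SAML_NS, "saml:Assertion");
        assertion.setAttribute("ID", ASSERTION_ID);
        // Registers ID as an XML ID so the "#_a1" reference resolves; after parsing real input
        // the consumer has to do the same before validating.
        assertion.setIdAttribute("ID", true);
        doc.appendChild(assertion);
        Element subject = doc.createElementNS(SAML_NS, "saml:Subject");
        Element nameId = doc.createElementNS(SAML_NS, "saml:NameID");
        nameId.appendChild(doc.createTextNode("user@example.com.evil")); // the account the attacker really owns
        subject.appendChild(nameId);
        assertion.appendChild(subject);

        // Enveloped RSA-SHA256 signature over the assertion using exclusive C14N without comments,
        // the canonicalization SAML deployments commonly use.
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256,
                Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.appendChild(sig.getElement());
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("#" + ASSERTION_ID, transforms, Constants.ALGO_ID_DIGEST_SHA256);
        sig.sign(kp.getPrivate());

        // Attacker step, after signing: split the NameID text with a comment. Canonicalization
        // without comments drops the comment and emits the two text nodes back to back, so the
        // canonical bytes are identical to what was signed.
        nameId.removeChild(nameId.getFirstChild());
        nameId.appendChild(doc.createTextNode("user@example.com"));
        nameId.appendChild(doc.createComment("x"));
        nameId.appendChild(doc.createTextNode(".evil"));

        System.out.println("signature valid:  " + verifyAssertion(doc, kp.getPublic()));
        System.out.println("first text node:  " + nameId.getFirstChild().getNodeValue());
        System.out.println("getTextContent(): " + nameId.getTextContent());
    }

    /** Verify the signature and confirm that what it signs is the assertion about to be trusted. */
    static boolean verifyAssertion(Document doc, PublicKey trustedKey) throws Exception {
        Element assertion = doc.getDocumentElement();
        // Locate Signature by namespace, then insist on exactly one and that it is the
        // assertion's own child rather than an element placed elsewhere in the document.
        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, Constants._TAG_SIGNATURE);
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) {
            return false;
        }
        XMLSignature sig = new XMLSignature((Element) sigs.item(0), "", true); // secureValidation = true
        // Exactly one Reference, and it must point at this assertion's ID.
        if (sig.getSignedInfo().getLength() != 1
                || !("#" + assertion.getAttribute("ID")).equals(sig.getSignedInfo().item(0).getURI())) {
            return false;
        }
        // Verify against a key trusted out of band, never one taken from the message's own KeyInfo.
        return sig.checkSignatureValue(trustedKey);
    }
}
```

The point of the two NameID reads at the end is that a valid signature says nothing about how the consumer later extracts values from the DOM: getFirstChild().getNodeValue() returns only the text before the comment, whereas getTextContent() concatenates all descendant text nodes and ignores comment nodes. The Reference and parent checks in verifyAssertion are the part of the question about locating the Signature element; they bind the verified bytes to the specific assertion whose NameID is then read.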