Fix: Handle InclusiveNamespaces in digest calculation for SAML Response

route443 · route443 · commit 9732986fcab9 · 2024-07-05T23:16:59.000Z
The issue was caused by the incorrect handling of the InclusiveNamespaces
element in the digest calculation process. According to the XML-DSig,
the exclusive canonicalization algorithm (XML-EXC-C14N) allows for
canonicalizing XML without including predefined namespaces unless specified
through the PrefixList attribute.
diff --git a/saml_sp.js b/saml_sp.js
@@ -960,7 +960,7 @@ async function digestSAML(signature, produce) {
         throw Error(`unexpected digest transform ${transforms[1]}`);
     }
 
-    const namespaces = transformAlgs[1].InclusiveNamespaces;
+    const namespaces = transforms[1].InclusiveNamespaces;
     const prefixList = namespaces ? namespaces.$attr$PrefixList: null;
 
     const withComments = transformAlgs[1].slice(39) == 'WithComments';

Original file line number	Diff line number	Diff line change
`@@ -960,7 +960,7 @@ async function digestSAML(signature, produce) {`
`960`	`960`	throw Error(`unexpected digest transform ${transforms[1]}`);
`961`	`961`	`}`
`962`	`962`
`963`		`- const namespaces = transformAlgs[1].InclusiveNamespaces;`
	`963`	`+ const namespaces = transforms[1].InclusiveNamespaces;`
`964`	`964`	`const prefixList = namespaces ? namespaces.$attr$PrefixList: null;`
`965`	`965`
`966`	`966`	`const withComments = transformAlgs[1].slice(39) == 'WithComments';`