As discussed in #399, and with thanks to @srd90
4.x releases of this package introduced a breaking change, where getKeyInfo() would choose to consider the certificate <KeyInfo /> accompanying a <SignatureValue /> to validate the signature, over SignedXml.publicCert, a certificate identifying the requesting client obtained out-of-band, ahead of time, and known to the application at runtime.
The current behaviour adheres to spec12: notably,
questions of trust of such key information (e.g., its authenticity or strength) are out of scope of this specification [and presumably, compliant implementations] and left to the application2
That said, this default behaviour is potentially unsafe: a user of this package may neglect to test <KeyInfo /> for trustworthiness. It is also a change from 3.x behaviour, which ignored all <KeyInfo /> elements.
To date, we have held back on providing a safer default, since this package is undergoing significant change and has to remain largely stable to support the node-saml package, particularly given the time constraints the team faces, consisting purely of volunteers.
This issue hence proposes to change the default behaviour for getKeyInfo() to:
- move the current impl to an opt-in, and;
- provide an impl that either ignores
<KeyInfo />, or checks it against a known whitelist such as SignedXml.publicCert.
This issue also incorporates @cjbarth's proposal for a convenience method to check <KeyInfo/> against SignedXml.publicCert or other whitelist.
Given that this is a breaking change, this should be addressed in a major release
As discussed in #399, and with thanks to @srd90
4.xreleases of this package introduced a breaking change, wheregetKeyInfo()would choose to consider the certificate<KeyInfo />accompanying a<SignatureValue />to validate the signature, overSignedXml.publicCert, a certificate identifying the requesting client obtained out-of-band, ahead of time, and known to the application at runtime.The current behaviour adheres to spec12: notably,
That said, this default behaviour is potentially unsafe: a user of this package may neglect to test
<KeyInfo />for trustworthiness. It is also a change from3.xbehaviour, which ignored all<KeyInfo />elements.To date, we have held back on providing a safer default, since this package is undergoing significant change and has to remain largely stable to support the node-saml package, particularly given the time constraints the team faces, consisting purely of volunteers.
This issue hence proposes to change the default behaviour for
getKeyInfo()to:<KeyInfo />, or checks it against a known whitelist such asSignedXml.publicCert.This issue also incorporates @cjbarth's proposal for a convenience method to check
<KeyInfo/>againstSignedXml.publicCertor other whitelist.Given that this is a breaking change, this should be addressed in a major release
Footnotes
https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation ↩
https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-KeyInfo ↩ ↩2