duplicate reference in signature

[wilson-6731]

I'm getting a weird bug where the reference tag is duplicated whenever my frontend calls the backend to generate a SAML assertion. It occasionally happens and breaks signature verification regardless if I trim the excess reference nodes . Can anyone point me in the right direction on how to resolve this?
Thanks.

Here is the code snippet that I have performing the xml signature. Let me know if I need to post more information.

function signAssertion(assertion) {
  signer.addReference("//*[local-name(.)='Assertion']", ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#'], 'http://www.w3.org/2001/04/xmlenc#sha256')
  signer.signingKey = fs.readFileSync('./idp_priv.pem')
  signer.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
  signer.keyInfoProvider = new KeyProvider()
  signer.computeSignature(assertion, {
    location: {
      reference: '/saml:Assertion/saml:Issuer',
      action: 'after'
    }
  })
  return signer.getSignedXml()
}

[wilson-6731]

UPDATE: turns out that the duplicated reference tags do not affect the SAML response whenever I send it out, but it occasionally duplicates too much to a point that it returns a 400 error (for being too long)

[LoneRifle]

occasionally duplicates too much to a point that it returns a 400 error (for being too long)

Thanks for the details. Could you clarify the circumstances that lead to that (eg, are you calling signAssertion multiple times, or is a single call of that function resulting in multiple references)? Can you also produce the payload that shows the duplicated reference tag, and just for clarity, what you expect instead?

[wilson-6731]

Hi, sorry for the late reply. Here is an example payload that I am getting from my endpoint that is generating the SAML assertion. Here a snippet of a SAML assertion that throws an error on the service provider

<SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
                <Reference URI="#_2df5d36bdf187a599a37">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>4FiU39LSYlnpY3cdHWpW0kJt6ZIXaZy5ULFGxWhUO+M=</DigestValue>
                </Reference>
            </SignedInfo>

What intrigues me is that the signing function that I have is only called once and this issue happens randomly (sometimes there's 5, sometimes there's only 1 and sometimes its this).

[LoneRifle]

Thanks for this. It is going to take me a while to try to reproduce this given time issues on my end, but I'll try to look into it. In the meantime, let me know if you have a small self-contained test case that reproduces this issue so that it's easier for me to debug.

If you are also able to provide me the xml document that you were attempting to sign, that would be useful too. As a possible hint, the xpath you added as part of your reference will match all nodes whose local name is Assertion; the number of references you have in your payload will hencematch the number of matched <Assertion> nodes

[LoneRifle]

Inspection of section 5.4 of the core SAML spec suggests that there should only be one <Reference> element present per referenced node. As noted earlier, it is likely that the xpath that you have specified returns more than one node, and xml-crypto is (incorrectly) generating a corresponding reference for each of them.

I am currently in favour of throwing an error if the xpath query returns more than one element, as I feel that the caller may not always expect the first element from the query to be the desired reference. This also encourages the caller to provide a more specific xpath, a good practice in keeping compliance with the spec.

Wdyt?

[wilson-6731]

That sounds good! It kind of explains why the reference tag is returned multiple times, but it doesn't make any sense that the xpath in this case is finding multiple saml:Assertion tags as there is only one. Here is the syntax that I am currently using for the xpath..

"//*[local-name(.)='Assertion' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:assertion']"

[LoneRifle]

Doesn't // match no matter where in the document it is? Without seeing a sample payload I cannot verify if indeed your xpath should only return one element.

[wilson-6731]

here's a sample payload that needs to be signed:

<samlp:Response 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    ID="_f2b448d0e442839c7707" 
    Version="2.0" 
    IssueInstant="2018-12-31T17:37:10.827Z" 
    Destination="abc123">
    <saml:Issuer 
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">abc123
    </saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion 
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
        Version="2.0" 
        ID="_750d269f4efd02caab53" 
        IssueInstant="2018-12-31T17:37:10.827Z">
        <saml:Issuer>abc123</saml:Issuer>
        <saml:Subject>
            <saml:NameID 
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">abc123
            </saml:NameID>
            <saml:SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData 
                    NotOnOrAfter="2018-12-31T18:37:10.827Z" 
                    Recipient="abc123/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions 
            NotBefore="2018-12-31T17:37:10.827Z" 
            NotOnOrAfter="2018-12-31T18:37:10.827Z">
            <saml:AudienceRestriction>
                <saml:Audience>abc123</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement 
            AuthnInstant="2018-12-31T17:37:10.827Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement 
            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <saml:Attribute 
                Name="customerId" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">abc123
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="vin" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">sample_vin
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="make" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">Honda
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="firstName" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">Honda
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="lastName" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">Tester17
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="emailAddress" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">sample_email
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="displayLanguage" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">en-US
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute 
                Name="vehicleDestinationCountry" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue 
                    xsi:type="xs:string">US
                </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

[LoneRifle]

Thanks for the information. Given the duplicate URI attributes in the <Reference> elements, there is likely a problem with xpath.js, on which this library is dependent on. I could de-dupe the elements but will have to key on something sane; I'm not sure if xpath-and-id will suffice since xpaths can be wildcard and the identifiers may not be sufficiently unique.

I could also switch from xpath.js to xpath, a better-maintained fork of the library. I'll then cut a minor release of xml-crypto and see how far you go with that, but that's far more involved and would take me some time to get out of the way.

[wilson-6731]

Converting to the xpath library would be a good idea. For the meantime, I can sandbox test the new xpath library with my sample payload. Thanks for the help and happy New Year! 🎉

[LoneRifle]

1.1.1 of xml-crypto has been published, see if this addresses your problems