Moodle

XML-SIG wrapper wrongly identifies signature method as DSA-SHA1

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Trivial Trivial
  • Resolution: Fixed
  • Affects Version/s: 1.9, 2.0
  • Fix Version/s: 2.0
  • Component/s: MNet
  • Labels:
    None
  • Affected Branches:
    MOODLE_19_STABLE, MOODLE_20_STABLE
  • Fixed Branches:
    MOODLE_20_STABLE

Description

The XML-SIG template in mnet_sign_message currently has the line:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
(line 211 of mnet/lib.php)
However, the signature produced is an RSA signature, and not a DSA signature, and so that line should be:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

Issue Links

This issue will help resolve:
MDL-21260 General open bugs Minor Open

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Dan Poltawski added a comment -

Makes sense to me.

Assigning to Peter for review and adding Nigel here as it looks like this is the same in mahara.

Show
Dan Poltawski added a comment - Makes sense to me. Assigning to Peter for review and adding Nigel here as it looks like this is the same in mahara.
Hide
Permalink
Nigel McNie added a comment -

Filed upstream for Mahara as https://eduforge.org/tracker/index.php?func=detail&aid=3240&group_id=176&atid=739

Show
Nigel McNie added a comment - Filed upstream for Mahara as https://eduforge.org/tracker/index.php?func=detail&aid=3240&group_id=176&atid=739
Hide
Permalink
Nigel McNie added a comment -

Hi - was just looking into this for Mahara. How do we know the signature produced is an RSA sig? The documentation at http://php.net/openssl_sign doesn't say anything about it, and the signature produced is binary.

Show
Nigel McNie added a comment - Hi - was just looking into this for Mahara. How do we know the signature produced is an RSA sig? The documentation at http://php.net/openssl_sign doesn't say anything about it, and the signature produced is binary.
Hide
Permalink
Hubert Chathi added a comment -

Well, there are several indications:

  • the keys are RSA keys (DSA and RSA keys are different), which can be seen by
    • dumping the certificate into a tool that gives you information about it
    • the same key is used for encryption and decryption and
      • the encryption envelope says "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
      • DSA cannot be used for both encryption and decryption – RSA can
  • my own Java implementation works when using RSA signatures, but not with DSA signatures
Show
Hubert Chathi added a comment - Well, there are several indications:
  • the keys are RSA keys (DSA and RSA keys are different), which can be seen by
    • dumping the certificate into a tool that gives you information about it
    • the same key is used for encryption and decryption and
      • the encryption envelope says "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
      • DSA cannot be used for both encryption and decryption – RSA can
  • my own Java implementation works when using RSA signatures, but not with DSA signatures
Hide
Permalink
Penny Leach added a comment -

Hubert - did you change this in your implementation? Are there any implications to actually changing it ? Is it possible that changing it would break anything? & Finally, you don't have a patch already, do you?

Show
Penny Leach added a comment - Hubert - did you change this in your implementation? Are there any implications to actually changing it ? Is it possible that changing it would break anything? & Finally, you don't have a patch already, do you?
Hide
Permalink
Hubert Chathi added a comment -

Hi Penny,
No, we didn't make a change in this on the Moodle end. I do have my Java implementation reporting RSA instead of DSA, and Moodle doesn't complain, so I don't think that it would break anything. As far as I know, that information is not used by anything – it's just there to comply with the XML-SEC spec; Moodle's parser doesn't look at that part of the XML at all. I can't say anything about whether it would break Mahara, the PHP library, or the Python library, but I highly doubt that it would.

No, I don't have a patch, but it's just a one-character change on line 211 (or thereabouts) of mnet/lib.php.

Show
Hubert Chathi added a comment - Hi Penny, No, we didn't make a change in this on the Moodle end. I do have my Java implementation reporting RSA instead of DSA, and Moodle doesn't complain, so I don't think that it would break anything. As far as I know, that information is not used by anything – it's just there to comply with the XML-SEC spec; Moodle's parser doesn't look at that part of the XML at all. I can't say anything about whether it would break Mahara, the PHP library, or the Python library, but I highly doubt that it would. No, I don't have a patch, but it's just a one-character change on line 211 (or thereabouts) of mnet/lib.php.
Hide
Permalink
Penny Leach added a comment -

fixed in head. i won't commit this to stable just in case.

Show
Penny Leach added a comment - fixed in head. i won't commit this to stable just in case.

People

Vote (0)
Watch (3)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.