abarto / flask-pysaml2-example

A SAML2 Service Provider implemented using Flask and pysaml2
MIT License

signature does not verify #22

Open reteps opened 2 days ago

reteps commented 2 days ago

Hi, I set up the tool as documented.

I receive an error on the signature verification step.

DEBUG:saml2.sigver:xmlsec command: /usr/bin/xmlsec1 --verify --enabled-reference-uris empty,same-doc --pubkey-cert-pem /tmp/tmp69nwexpe.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --node-id _TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu --output /tmp/tmprk8ikwba.xml /tmp/tmpl9ejayvq.xml
ERROR:saml2.sigver:returncode=1 error=func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=350:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; issuer=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; err=18; msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=389:obj=x509-store:subj=unknown:error=71:certificate verification failed: subject=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; issuer=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; err=18; msg=self signed certificate
func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha1:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify

With this XML:

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_38030cee04a47185cc67"  Version="2.0" IssueInstant="2024-06-28T15:56:54Z"  Destination="https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev">
    <saml:Issuer
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/XXXXXXXXXXXXXXXXXX
    </saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu" IssueInstant="2024-06-28T15:56:54.885Z">
        <saml:Issuer>http://www.okta.com/XXXXXXXXXXXXXX</saml:Issuer>
        <Signature
            xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="#_TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <DigestValue>cHpIMLWm1x2HwENXtSxZXxSD/nU=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>ik3V/b6JlQMaa/eWqJmwn0jEH0BUJ7f/7xf3XP6AcF9VmlNetbA7MgUqOpN8lilZNAAyJPNkPdgIGpnNnN+23BNI38Hw72W4Iwcf1Xzoe+Mi6xbOJQsIWz3Brp66Vfj0sh2SfiIbBEpt4wV31NLZ1Rd85KylNrSLB2oJaR3A2XECEAqry2Eiwouxa3dh/a/7FiQjZ/cyzeoOF4u9x/wFRwvpdbS+H1o1f4jCL1J1vswYfdO6Dy2RgLtdefILP3lCe7/gHNsbMtXaBgeMsb+zP3OlQyO7AFBL186PduBbibqCz0fg2QVzXkd4U6E8VZwNhT5C1js/Iau783M86wacYQ==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>MIIDPDCCAiQCCQDydJgOlszqbzANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEQMA4GA1UEChMHSmFua3lDbzESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDMxMjE5NDYzM1oXDTI3MTExOTE5NDYzM1owYDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoTB0phbmt5Q28xEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGvJpRTTasRUSPqcbqCG+ZnTAurnu0vVpIG9lzExnh11o/BGmzu7lB+yLHcEdwrKBBmpepDBPCYxpVajvuEhZdKFx/Fdy6j5mH3rrW0Bh/zd36CoUNjbbhHyTjeM7FN2yF3u9lcyubuvOzr3B3gX66IwJlU46+wzcQVhSOlMk2tXR+fIKQExFrOuK9tbX3JIBUqItpI+HnAow509CnM134svw8PTFLkR6/CcMqnDfDK1m993PyoC1Y+N4X9XkhSmEQoAlAHPI5LHrvuujM13nvtoVYvKYoj7ScgumkpWNEvX652LfXOnKYlkB8ZybuxmFfIkzedQrbJsyOhfL03cMECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAeHwzqwnzGEkxjzSD47imXaTqtYyETZow7XwBc0ZaFS50qRFJUgKTAmKS1xQBP/qHpStsROT35DUxJAE6NY1Kbq3ZbCuhGoSlY0L7VzVT5tpu4EY8+Dq/u2EjRmmhoL7UkskvIZ2n1DdERtd+YUMTeqYl9co43csZwDno/IKomeN5qaPc39IZjikJ+nUC6kPFKeu/3j9rgHNlRtocI6S1FdtFz9OZMQlpr0JbUt2T3xS/YoQJn6coDmJL5GTiiKM6cOe+Ur1VwzS1JEDbSS2TWWhzq8ojLdrotYLGd9JOsoQhElmz+tMfCFQUFLExinPAyy7YHlSiVX13QH2XTu/iQQ==</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2024-06-28T16:56:54.885Z" Recipient="https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2024-06-28T15:56:54.885Z" NotOnOrAfter="2024-06-28T16:56:54.885Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AttributeStatement
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <saml:Attribute Name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                <saml:AttributeValue xsi:type="xs:anyType">jane.doe@example.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Email">
                <saml:AttributeValue xsi:type="xs:anyType">jane.doe@example.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="FirstName">
                <saml:AttributeValue xsi:type="xs:anyType">Jane</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="LastName">
                <saml:AttributeValue xsi:type="xs:anyType">Doe</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
        <saml:AuthnStatement AuthnInstant="2024-06-28T15:56:54.885Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>


        'example-oktadev': {
            # must match the destination URL / audience URI in the SAML 2.0 settings of the IdP.
            'entityid': 'http://flask-pysaml2-example',
            'metadata_url': 'https://dev-22307139.okta.com/app/XXXXXXXXX/sso/saml/metadata'
        },
reteps commented 2 days ago

Possibly related to https://github.com/IdentityPython/pysaml2/issues/963
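An added diagnostic for the failure shown above; this is editor-supplied example code, not part of this issue, of flask-pysaml2-example or of pysaml2. The log shows pysaml2 handing xmlsec1 a PEM certificate via --pubkey-cert-pem (the key the SP trusts) while the assertion's own <KeyInfo> carries a self-signed certificate (subject equals issuer, O=JankyCo/CN=localhost), and xmlsec finally reports that the signature does not match the key it was given. The first thing to check is therefore whether the certificate embedded in the Response is the same one the SP trusts from the IdP metadata, and whether the Reference URI really points at the Assertion ID passed as --node-id. The script below, using only the Python standard library, does both and also flags the rsa-sha1/sha1 algorithms in the posted SignedInfo as deprecated. SAMPLE_RESPONSE is a trimmed copy of the posted Response with the SignatureValue and the statements dropped (the checks do not need them); POSTED_CERT is the <X509Certificate> value from the post; OTHER_CERT is a constructed stand-in for a different IdP certificate, not a real certificate; diagnose() and findings() are names chosen here.

```python
"""Diagnose a pysaml2 / xmlsec1 "signature does not verify" by comparing the
certificate embedded in the assertion's <KeyInfo> with the certificate the SP
trusts (normally taken from IdP metadata), and by sanity-checking SignedInfo."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Verbatim <X509Certificate> from the Response posted in the issue.
POSTED_CERT = (
    "MIIDPDCCAiQCCQDydJgOlszqbzANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEQMA4GA1UEChMHSmFua3lDbzESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDMxMjE5NDYzM1oXDTI3MTExOTE5NDYzM1owYDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoTB0phbmt5Q28xEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGvJpRTTasRUSPqcbqCG+ZnTAurnu0vVpIG9lzExnh11o/BGmzu7lB+yLHcEdwrKBBmpepDBPCYxpVajvuEhZdKFx/Fdy6j5mH3rrW0Bh/zd36CoUNjbbhHyTjeM7FN2yF3u9lcyubuvOzr3B3gX66IwJlU46+wzcQVhSOlMk2tXR+fIKQExFrOuK9tbX3JIBUqItpI+HnAow509CnM134svw8PTFLkR6/CcMqnDfDK1m993PyoC1Y+N4X9XkhSmEQoAlAHPI5LHrvuujM13nvtoVYvKYoj7ScgumkpWNEvX652LfXOnKYlkB8ZybuxmFfIkzedQrbJsyOhfL03cMECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAeHwzqwnzGEkxjzSD47imXaTqtYyETZow7XwBc0ZaFS50qRFJUgKTAmKS1xQBP/qHpStsROT35DUxJAE6NY1Kbq3ZbCuhGoSlY0L7VzVT5tpu4EY8+Dq/u2EjRmmhoL7UkskvIZ2n1DdERtd+YUMTeqYl9co43csZwDno/IKomeN5qaPc39IZjikJ+nUC6kPFKeu/3j9rgHNlRtocI6S1FdtFz9OZMQlpr0JbUt2T3xS/YoQJn6coDmJL5GTiiKM6cOe+Ur1VwzS1JEDbSS2TWWhzq8ojLdrotYLGd9JOsoQhElmz+tMfCFQUFLExinPAyy7YHlSiVX13QH2XTu/iQQ=="
)

# Constructed stand-in for a *different* trusted IdP certificate: not a real
# certificate, just distinct bytes so the fingerprint comparison can fail.
OTHER_CERT = base64.b64encode(b"constructed stand-in for a different IdP certificate").decode()

# Constructed sample: the posted Response trimmed to what the checks look at.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_38030cee04a47185cc67" Version="2.0" IssueInstant="2024-06-28T15:56:54Z" Destination="https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/XXXXXXXXXXXXXXXXXX</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu" IssueInstant="2024-06-28T15:56:54.885Z">
    <saml:Issuer>http://www.okta.com/XXXXXXXXXXXXXX</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#_TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>cHpIMLWm1x2HwENXtSxZXxSD/nU=</DigestValue>
        </Reference>
      </SignedInfo>
      <KeyInfo><X509Data><X509Certificate>{POSTED_CERT}</X509Certificate></X509Data></KeyInfo>
    </Signature>
  </saml:Assertion>
</samlp:Response>"""


def _b64_to_der(text: str) -> bytes:
    """Accept either bare base64 (as in <X509Certificate>) or a PEM block."""
    body = "".join(line.strip() for line in text.strip().splitlines()
                   if line.strip() and not line.startswith("-----"))
    body += "=" * (-len(body) % 4)  # tolerate padding lost in copy/paste
    return base64.b64decode(body)


def fingerprint(cert_text: str) -> str:
    """SHA-256 over the DER bytes, i.e. what `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(_b64_to_der(cert_text)).hexdigest()


def diagnose(response_xml: str, trusted_cert: str) -> dict:
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no <saml:Assertion>")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("Assertion is not signed")
    assertion_id = assertion.get("ID")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    digest_alg = ref.find("ds:DigestMethod", NS).get("Algorithm")
    embedded = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    embedded_fp = fingerprint(embedded.text) if embedded is not None else None
    trusted_fp = fingerprint(trusted_cert)
    return {
        "assertion_id": assertion_id,
        "reference_uri": ref.get("URI"),
        # xmlsec is invoked with --node-id <Assertion ID>; the Reference must point there.
        "reference_ok": ref.get("URI") == "#" + assertion_id,
        "signature_algorithm": sig_alg,
        "uses_sha1": sig_alg.endswith("sha1") or digest_alg.endswith("sha1"),
        "embedded_fingerprint": embedded_fp,
        "trusted_fingerprint": trusted_fp,
        "cert_matches_trusted": embedded_fp == trusted_fp,
    }


def findings(report: dict) -> list:
    out = []
    if not report["reference_ok"]:
        out.append("Reference URI does not point at the Assertion ID given to xmlsec --node-id")
    if not report["cert_matches_trusted"]:
        out.append("KeyInfo certificate differs from the trusted IdP certificate: the assertion "
                   "was signed with a key the SP does not trust, so the signature cannot verify; "
                   "re-fetch the IdP metadata and confirm which IdP actually signed it")
    if report["uses_sha1"]:
        out.append("rsa-sha1/sha1 in SignedInfo are deprecated; configure rsa-sha256 on the IdP")
    return out


if __name__ == "__main__":
    for trusted in (POSTED_CERT, OTHER_CERT):
        rep = diagnose(SAMPLE_RESPONSE, trusted)
        print(rep["embedded_fingerprint"][:16], rep["trusted_fingerprint"][:16], findings(rep))
```

To use it against a real failure, replace OTHER_CERT with the base64 of the <ds:X509Certificate> found under the IdP's <KeyDescriptor use="signing"> in the metadata URL configured in the SP settings (the temporary PEM pysaml2 writes for --pubkey-cert-pem is that same certificate). A fingerprint mismatch means xmlsec was never going to accept this assertion regardless of the X509 store warnings; a match means the problem lies in canonicalization or the signed bytes, and the posted pretty-printed XML cannot be used to reproduce the digest because re-indentation changes the canonical form.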