crewjam / saml

SAML library for go
BSD 2-Clause "Simplified" License

cannot validate signature on Response: Could not verify certificate against trusted certs #341

Open andypeng2015 opened 3 years ago

andypeng2015 commented 3 years ago

Hi, I am using version v0.4.5. I get redirected to /saml/acs, where my request returns with a forbidden code, and this error happens intermittently. Below are the IdP metadata and the IdP response.

Based on the call stack below, the root certs come from the IdP metadata and the cert in the response has to match them, so I compared the certs. They match, so it should NOT throw an error.

https://github.com/crewjam/saml/blob/v0.4.5/service_provider.go#L817 https://github.com/crewjam/saml/blob/v0.4.5/service_provider.go#L897 https://github.com/russellhaering/goxmldsig/blob/3541f5e554eefd0d2ef501e27544650d62bf5d22/validate.go#L460

Not sure if it's the same as #167. @gourlaa, could you please advise?

@crewjam, I'd appreciate it if you could take a look. The issue disappears after restarting the app, but it comes back once in a while.

IDP metadata

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://sso.xxx.com/saml-idp/xxx/metadata/">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>C1</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>C1</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.xxx.com/saml-idp/xxx/logout/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.xxx.com/saml-idp/xxx/logout/"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.xxx.com/saml-idp/xxx/login/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.xxx.com/saml-idp/xxx/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

IDP response

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://api.xxx.com/saml/acs" ID="_ee1c1c4ee1a7458e8c027f174c42869d" InResponseTo="id-9532f46d81be47c034fd078a8e853f97bff349b0" IssueInstant="2021-03-26T01:02:29Z" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.xxx.com/saml-idp/xxx/metadata/</saml:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <ds:Reference URI="#_ee1c1c4ee1a7458e8c027f174c42869d">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>MmQoS2xJ4GXG9I</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>eKfUIa+HUbCISqhk3ZXD71</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>C1</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dc7f5bbb1afe45c8bd18a1b60ba7de2c" IssueInstant="2021-03-26T01:02:29Z" Version="2.0">
      <saml:Issuer>http://sso.xxx.com/saml-idp/xxx/metadata/</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_dc7f5bbb1afe45c8bd18a1b60ba7de2c">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               <ds:DigestValue>0y0EA54Evec</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>ijbpbqKULn1ibfePkLk5HZ3pfDsLcemrjXiKvYosRTWM9wnsm4d9</ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>C1</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml:Subject>
         <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" SPNameQualifier="https://api.xxx.com/saml/metadata">user</saml:NameID>
         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="id-9532f46d81be47c034fd078a8e853f97bff349b0" NotOnOrAfter="2021-03-26T01:17:29Z" Recipient="https://api.xxx.com/saml/acs" />
         </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2021-03-26T00:47:29Z" NotOnOrAfter="2021-03-26T01:17:29Z">
         <saml:AudienceRestriction>
            <saml:Audience>https://api.xxx.com/saml/metadata</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2021-03-26T01:02:29Z" SessionIndex="kuvBUJH5nJUiI2X1oT">
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
         <saml:Attribute Name="email">
            <saml:AttributeValue>user@xxx.com</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="Authentication_status">
            <saml:AttributeValue>password only</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>
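
The check that produces this error, reconstructed as an added Go example (my own code, not code from this issue, from crewjam/saml or from goxmldsig): the SP builds its trusted store from the signing KeyDescriptors of the IdP metadata, and for each signature the certificate carried in that signature's KeyInfo must be byte-for-byte equal to one of those certs, with no chain building, and must be inside its validity window. The function names, the `metadataTmpl` fixture (trimmed from the metadata above) and the self-signed certificates are my own constructions, and the description of the validator's behaviour is my reading of the linked goxmldsig code, not something this thread confirms.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Only the certificate path is mapped; encoding/xml matches local names, so the md:/ds: prefixes do not matter.
type idpMetadata struct {
	KeyDescriptors []struct {
		Use   string   `xml:"use,attr"`
		Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// parseCert decodes one <ds:X509Certificate> body, tolerating the line wrapping and indentation IdPs emit.
func parseCert(b64 string) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
	if err != nil {
		return nil, fmt.Errorf("X509Certificate is not valid base64: %w", err)
	}
	return x509.ParseCertificate(der)
}

// TrustedSigningCerts returns what an SP built from this metadata trusts for
// signatures: certs in KeyDescriptors with use="signing" or with no use attribute.
func TrustedSigningCerts(metadataXML string) ([]*x509.Certificate, error) {
	var md idpMetadata
	if err := xml.Unmarshal([]byte(metadataXML), &md); err != nil {
		return nil, err
	}
	var trusted []*x509.Certificate
	for _, kd := range md.KeyDescriptors {
		if kd.Use != "" && kd.Use != "signing" {
			continue // an encryption-only key never vouches for a signature
		}
		for _, c := range kd.Certs {
			cert, err := parseCert(c)
			if err != nil {
				return nil, err
			}
			trusted = append(trusted, cert)
		}
	}
	return trusted, nil
}

// CheckSigner is the trust check that runs before any signature maths: the cert from the
// signature's KeyInfo must be byte-for-byte equal to a trusted one (no chain building, so
// a rotated IdP cert fails even when the same CA issued it) and inside its validity window.
func CheckSigner(trusted []*x509.Certificate, keyInfoB64 string, now time.Time) error {
	signer, err := parseCert(keyInfoB64)
	if err != nil {
		return err
	}
	for _, t := range trusted {
		if t.Equal(signer) {
			if now.Before(signer.NotBefore) || now.After(signer.NotAfter) {
				return fmt.Errorf("cert serial %v is outside its validity period", signer.SerialNumber)
			}
			return nil
		}
	}
	return fmt.Errorf("Could not verify certificate against trusted certs")
}

// selfSignedB64 mints a throwaway self-signed cert (constructed test data, not the IdP's real C1) as base64.
func selfSignedB64(serial int64, notBefore, notAfter time.Time) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen only fails if rand.Reader does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}

// Constructed metadata fixture, trimmed to what the check reads; the %s slots take a KeyDescriptor use value and a base64 cert.
const metadataTmpl = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:IDPSSODescriptor><md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`

func main() {
	now := time.Now()
	current := selfSignedB64(1, now.Add(-time.Hour), now.Add(24*time.Hour))
	rotated := selfSignedB64(2, now.Add(-time.Hour), now.Add(24*time.Hour))
	trusted, err := TrustedSigningCerts(fmt.Sprintf(metadataTmpl, "signing", current))
	if err != nil {
		panic(err)
	}
	fmt.Println("Response  :", CheckSigner(trusted, rotated, now))
	fmt.Println("Assertion :", CheckSigner(trusted, current, now))
}
```

In `main` the Response signature carries a rotated cert while the Assertion still uses the one from the metadata, so the first line prints the error from the title and the second prints `<nil>`; both signatures in the response above have their own KeyInfo and are checked independently. To pin down an intermittent failure, capture three things at the moment of the 403: the base64 from the Response signature's KeyInfo, the base64 from the Assertion signature's KeyInfo, and the signing cert from the metadata the SP actually holds in memory at that moment, then run them through `CheckSigner`. Which of the three differs, or whether the failure is the validity-window error rather than the trust error, narrows down the cause.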

agis commented 1 year ago

Seeing the same issue. Did you get to the bottom of this?

sslankesh commented 1 year ago

I am also facing the same issue. Is there any update on this?

ghost commented 8 months ago

I'm experiencing the same issue. Any solutions provided?