spid_sp_test.authn_request Error: failed to load public key

[angcap]

La validazione della AuthnRequest fallisce per la verifica della signature:

DEBUG:spid_sp_test.authnrequest:Running authn request signature validation: **xmlsec1 --verify --insecure --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest" --pubkey-pem /tmp/tmp5xjs7p7.crt /tmp/tmp4t_jss2t.xml** DEBUG:spid_sp_test.authnrequest:/tmp/tmp5xjs7p7.crt: unable to load certificate 139969306350912:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149: 139969306350912:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:713: 139969306350912:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=algorithm, Type=X509_ALGOR 139969306350912:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=signature, Type=X509_CINF 139969306350912:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509 139969306350912:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33: DEBUG:spid_sp_test.authn_request:The AuthnRequest MUST validate against XSD and MUST have a valid signature stderr: func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=272:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:openssl error: 151584876: PEM routines: getname no start line func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=175:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/tmp/tmp5xjs7p7.crt Error: xmlSecCryptoAppKeyLoad failed: file=/tmp/tmp5xjs7p7.crt Error: failed to load public key from "/tmp/tmp5xjs7p7.crt". Error: keys manager creation failed Unknown command

stdout: Usage: xmlsec [] []

xmlsec is a command line tool for signing, verifying, encrypting and decrypting XML documents. The allowed values are: --help display this help information and exit --help-all display help information for all commands/options and exit --help- display help information for command and exit --version print version information and exit --keys keys XML file manipulation --sign sign data and output XML document --verify verify signed document --sign-tmpl create and sign dynamicaly generated signature template --encrypt encrypt data and output XML document --decrypt decrypt data from XML document

Report bugs to http://www.aleksey.com/xmlsec/bugs.html

Written by Aleksey Sanin aleksey@aleksey.com.

Copyright (C) 2002-2016 Aleksey Sanin aleksey@aleksey.com. All Rights Reserved.. This is free software: see the source for copying information.

ERROR:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_xmldsig: AuthnRequest Signature validation ERROR:spid_sp_test.authn_request:AuthnRequest Signature validation

----------------

La AuthRequest è la seguente:

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://localhost:8080/demo/samlsso" AttributeConsumingServiceIndex="1" Destination="https://localhost:8080/demo/samlsso" ForceAuthn="true" ID="a99acj424fja74b43iha0j94c0dh7i" IssueInstant="2021-10-21T12:47:29.641Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="aQualifier">https://localhost:8080</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#a99acj424fja74b43iha0j94c0dh7i"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>D7khaW39K58saS/4mJtdj6lZ3eZoPdvJ+7bHAhZbhno=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>tXNjW1Nd7h7x8w8naTPwjlrth67YzgPniX4WBhYuo1oKTcDkUDnYUhmd3S13LKtsCtC6i2x+WGJKhCZyeYnPCx++qpwIcNHYyR7oSQiBmk9J8xcVDQFoqhRZSu9eCk+XZqFSVTcf3qJ1wrN5soPMjhiAJpvE96eVymWr6zD/Ai5NX7SyDrUbZwcouOiy52bzPVUZEd1gfZta8kcgO5ixwIt4XcZZxClWTJLXN5SefqFQfrOO+A7TAs3C/afksF8OnQT8lJYVJolagvK8tEQk+yEU8Au5JOdZw1CcDnGx3oXgezwRMfJsBEeaU1i3A4bt4dyqwozOjszp48bcZiUmCw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDoTCCAomgAwIBAgIEJj30KDANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCSVQxDjAMBgNV BAgTBUl0YWx5MQ0wCwYDVQQHEwRSb21lMSwwKgYDVQQKEyNFbmdpbmVlcmluZyBJbmdlbmduZXJp YSBJbmZvcm1hdGljYTEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxDjAMBgNVBAMTBUVncGFsMB4XDTIx MTAyMTEyNDA0MVoXDTIyMDExOTEyNDA0MVowgYAxCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFs eTENMAsGA1UEBxMEUm9tZTEsMCoGA1UEChMjRW5naW5lZXJpbmcgSW5nZW5nbmVyaWEgSW5mb3Jt YXRpY2ExFDASBgNVBAsTC0RldmVsb3BtZW50MQ4wDAYDVQQDEwVFZ3BhbDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMMzepDhDXZWsfPD7zEU5XeOCtFMNKPtwh/XMeQzaGf+W1RNFZfy ipC/G5agxIIUhbRdGAsJPV7NQ78H2XF/2T2xQoOhQCiLLyrvDTYO9hlSItDH6ZPhkgmGmidLZgmI vrqiVNZWhZ0vb9yeYqPQ5iJmrzGbffGW1rZAq9tpS2R9SAKE5TfgXurYVF/yChmtCv1qKrEzvVQ+ yRDMW5Y71r4rq1do/lopsKLjQAfPBsWVRnbF4y/a5QKgp8u/Bo4PHcJQ8ReB5Ggp7jW0aGdZlOTt +oqe3GAVFZWlPNXKnLKdgHIGQa2RRqPdTSQvmNp0Vn1+8FefVChXq25zOW5A+SsCAwEAAaMhMB8w HQYDVR0OBBYEFFBhpWM0SjefAxZJcBfEN2xFA2kaMA0GCSqGSIb3DQEBCwUAA4IBAQABlGlfBL2F JrUnOTcVrY+B/EVE9Q6uFaX2QKKO1owdZnUs+RiFHQHmGfpRNTUd2ker3BeyYBKVaMlZvMusRMek kqhZ3kJqb+Rh0xGCEB5mNeUa4hzrajmhryA/L1EQTTYG2B2tHzPmFquKGChfpXP7cWA/H/Ex1DmM BAGORFrxMxlEOarweX6lg/N5SLDYJVft8kH9wlsGCfkU4tnCPrxB0IOVA85AX19atbUQOGtDiYw5 dNqT/DKc07Lf58mrIF9FLyo5Vx8+VdPhri5smpHJLJvmKe4dI4dj1uftidGbeJBvxNEEleuhtC+9 c0iAKneuB942R885X1meCEPG+lXP</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/><saml2p:RequestedAuthnContext Comparison="minimum"><saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.spid.gov.it/SpidL2</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext></saml2p:AuthnRequest>

La validazione viene eseguita con xmlsec con l'opzione --pubkey.pem, se salvo la request in un file /tmp/authn_request.xml ed eseguo la validazione senza l'opzione --pubkey-pem, xmlsec usa la chiave presente in KeyInfo e valida correttamente la richiesta:

$ xmlsec1 --verify --insecure --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest" --print-debug /tmp/authn_request.xml OK SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 = VERIFICATION CONTEXT == Status: succeeded == flags: 0x00000000 == flags2: 0x00000000 == Key Info Read Ctx: = KEY INFO READ CONTEXT == flags: 0x00000200 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: rsa ==== keyType: 0x00000001 ==== keyUsage: 0x00000002 ==== keyBitsSize: 0 === list size: 0 == Key Info Write Ctx: = KEY INFO WRITE CONTEXT == flags: 0x00000000 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: NULL ==== keyType: 0x00000001 ==== keyUsage: 0xffffffff ==== keyBitsSize: 0 === list size: 0 == Signature Transform Ctx: == TRANSFORMS CTX (status=2) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#) === Transform: rsa-sha256 (href=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) === Transform: membuf-transform (href=NULL) == Signature Method: === Transform: rsa-sha256 (href=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) == Signature Key: == KEY === method: RSAKeyValue === key type: Public === key usage: -1 === key not valid before: 1634820041 === key not valid after: 1642596041 === rsa key: size = 2048 === list size: 1 === X509 Data: ==== Key Certificate: ==== Subject Name: /C=IT/ST=Italy/L=Rome/O=Engineering Ingengneria Informatica/OU=Development/CN=Egpal ==== Issuer Name: /C=IT/ST=Italy/L=Rome/O=Engineering Ingengneria Informatica/OU=Development/CN=Egpal ==== Issuer Serial: 263DF428 ==== Certificate: ==== Subject Name: /C=IT/ST=Italy/L=Rome/O=Engineering Ingengneria Informatica/OU=Development/CN=Egpal ==== Issuer Name: /C=IT/ST=Italy/L=Rome/O=Engineering Ingengneria Informatica/OU=Development/CN=Egpal ==== Issuer Serial: 263DF428 == SignedInfo References List: === list size: 1 = REFERENCE VERIFICATION CONTEXT == Status: succeeded == URI: "#a99acj424fja74b43iha0j94c0dh7i" == Reference Transform Ctx: == TRANSFORMS CTX (status=2) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: === uri xpointer expr: #a99acj424fja74b43iha0j94c0dh7i === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr) === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#) === Transform: sha256 (href=http://www.w3.org/2001/04/xmlenc#sha256) === Transform: membuf-transform (href=NULL) == Digest Method: === Transform: sha256 (href=http://www.w3.org/2001/04/xmlenc#sha256) == Manifest References List: === list size: 0

Come mai viene estrapolato il contenuto di KeyInfo e considerato come chiave e non come certificato contenente chiave pubblica?

[peppelinux]

angelo se hai qualche elemento da condividere fa pure, sto per risponderti

[angcap]

Ho chiuso la issue poiché avevo registrato un service provider che nella sezione KeyDescriptor riportava un certificato diverso da quello usato nella generazione della AuthnRequest, deduco che la validazione della authnRequest utilizza la chiave estratta dal certificato presente nei metadata del serviceprovider registrato. Una volta corretto il certificato nei metadati del service provider e rieseguita la registrazione, la validazione va a buon fine.

[peppelinux]

esatto, la authn request viene validata sul certificato collezionato dal metadata