italia / spid-testenv2

New test Identity Provider for SPID
GNU Affero General Public License v3.0
35 stars 38 forks

Metadata Signature validation #178

Closed davidlibrera closed 5 years ago

davidlibrera commented 6 years ago

According to the technical rules, paragraph 1.3.2, the Signature element must be present, but at the moment it is not taken into account.

Attached is the metadata I used:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="http://sp.local:3000" entityID="http://sp.local:3000">
   <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>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</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://sp.local:3000/spid/sso" index="0" isDefault="true" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://sp.local:3000/spid/slo" />
      <md:AttributeConsumingService index="0">
         <md:ServiceName xml:lang="it">Service 1</md:ServiceName>
         <md:RequestedAttribute Name="spidCode" />
         <md:RequestedAttribute Name="name" />
         <md:RequestedAttribute Name="familyName" />
         <md:RequestedAttribute Name="dateOfBirth" />
         <md:RequestedAttribute Name="gender" />
         <md:RequestedAttribute Name="companyName" />
         <md:RequestedAttribute Name="registeredOffice" />
         <md:RequestedAttribute Name="email" />
      </md:AttributeConsumingService>
   </md:SPSSODescriptor>
</md:EntityDescriptor>
```

alranel commented 6 years ago

True, but the signature has to be applied by AgID. So in theory one would have to generate the metadata, have AgID sign it, and publish it manually on one's own SP. This is not in place at the moment, so we can do without it, also because it is not implementable...

davidlibrera commented 6 years ago

In spid-ruby I have just finished this https://github.com/italia/spid-ruby/issues/59 and I generate the signature with the service provider's private key. Will it bother the IdPs? If so, I'll remove it.

alranel commented 6 years ago

@davidlibrera The technical rules require the signature to be applied by AgID, so signing the metadata with the SP's key is pointless and, in my opinion, exposing metadata already signed with the wrong key can actually create confusion..

fmarco commented 6 years ago

@alexrj so should the signature be validated according to the SPID rules, or do we make it an optional field?

alranel commented 5 years ago

I'd say that in the testenv there is no need to validate the SP metadata signature.
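As an added example (not code from spid-testenv2 or spid-ruby), covering both the missing-Signature check raised in the opening comment and the "signed with the wrong key" concern raised later: a Python triage of the `ds:Signature` on an SP `EntityDescriptor`, using only the standard library. It checks that the Signature is a direct child of the root, that its `Reference` points at the root element's `ID` (or at the whole document), and whether the signing certificate carried in the Signature's `KeyInfo` is one of the configured trusted certificates (the AgID case), the SP's own signing certificate from its `KeyDescriptor` (the self-signed case the thread warns about), or something else. The certificates, the `ID`/`entityID` values and the Signature skeleton are constructed placeholders; the function does not perform cryptographic XMLDSig verification, which would need a library such as xmlsec or signxml once the signer has been identified.

```python
"""Structural triage of the <ds:Signature> on SP SAML metadata, meant to run
before cryptographic XMLDSig verification.  Added example; not spid-testenv2 code."""

import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bodies (not real X.509 certificates).
SP_CERT = "MIIBSPCERT+constructed/base64=="
AGID_CERT = "MIIBAGIDCERT+constructed/base64=="
OTHER_CERT = "MIIBOTHERCERT+constructed/base64=="


def build_metadata(signer_cert=None, reference_uri="#sp-local"):
    """Return a minimal SP EntityDescriptor (constructed sample, not real SPID metadata).

    When signer_cert is given, an enveloped ds:Signature skeleton is added. Its
    SignatureValue is a dummy: the helper exercises the structural checks only and
    does not produce a verifiable signature.
    """
    signature = ""
    if signer_cert is not None:
        signature = (
            "<ds:Signature>"
            f'<ds:SignedInfo><ds:Reference URI="{reference_uri}"/></ds:SignedInfo>'
            "<ds:SignatureValue>AAAA</ds:SignatureValue>"
            "<ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{signer_cert}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo>"
            "</ds:Signature>"
        )
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'ID="sp-local" entityID="http://sp.local:3000">'
        f"{signature}"
        '<md:SPSSODescriptor AuthnRequestsSigned="true" '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{SP_CERT}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="http://sp.local:3000/spid/sso" index="0" isDefault="true"/>'
        "</md:SPSSODescriptor>"
        "</md:EntityDescriptor>"
    )


def _cert_text(elem):
    """Base64 body of a ds:X509Certificate with all whitespace removed, for comparison."""
    return "".join((elem.text or "").split())


def sp_signing_certs(root):
    """Certificates the SP advertises for signing (KeyDescriptor use="signing" or unset)."""
    certs = set()
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.add(_cert_text(c))
    return certs


def triage_metadata_signature(metadata_xml, trusted_certs):
    """Classify the Signature on an EntityDescriptor without verifying it.

    Returns one of: "not-entity-descriptor", "missing", "reference-mismatch",
    "no-signer-cert", "trusted-signer", "self-signed", "unknown-signer".
    Only "trusted-signer" is a candidate for acceptance, and only after a real
    XMLDSig verification against that trusted certificate.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return "not-entity-descriptor"
    # Only a Signature that is a direct child of the root counts; one nested
    # elsewhere (e.g. inside a KeyDescriptor) does not cover the metadata.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return "missing"
    # An enveloped signature must reference the root element by its ID, or the
    # whole document with an empty URI; any other target must be rejected.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    allowed = {""}
    if root.get("ID"):
        allowed.add("#" + root.get("ID"))
    if ref is None or ref.get("URI") not in allowed:
        return "reference-mismatch"
    signer = {_cert_text(c) for c in sig.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)}
    if not signer:
        return "no-signer-cert"
    if signer & {"".join(c.split()) for c in trusted_certs}:
        return "trusted-signer"
    if signer & sp_signing_certs(root):
        return "self-signed"
    return "unknown-signer"


if __name__ == "__main__":
    trusted = {AGID_CERT}
    for label, doc in [("unsigned", build_metadata()),
                       ("sp-key", build_metadata(SP_CERT)),
                       ("agid-key", build_metadata(AGID_CERT)),
                       ("other-key", build_metadata(OTHER_CERT))]:
        print(label, "->", triage_metadata_signature(doc, trusted))
```

Two practical notes. A `self-signed` result is exactly the situation described in the thread: the Signature is present, so a presence-only check would pass, but the signer is the SP itself rather than the trusted authority, so the signature proves nothing about who approved the metadata. Separately, the `ID` attribute in the posted metadata reuses the `entityID` URL; XML Schema `xs:ID` values must be NCNames, so a value containing `:` and `/` cannot be targeted by a `Reference URI="#..."`, and any signing workflow would first need a valid `ID` on the `EntityDescriptor`.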