moov-io / signedxml

pure go library for processing signed XML documents

unable to find refereced xml #15

Closed greenpau closed 1 year ago

greenpau commented 4 years ago

An attempt to sign the following SAML response fails with the library error `unable to find refereced xml` (message quoted verbatim, typo included).

Relevant code follows:

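// getSigningKey loads an RSA private key from the PEM file at fp.
//
// Only the first PEM block in the file is considered. Two encodings are
// accepted: the legacy PKCS#1 block ("RSA PRIVATE KEY", the only form the
// original helper understood) and the PKCS#8 block ("PRIVATE KEY", what
// `openssl genpkey` and most modern tooling emit). A PKCS#8 block that does
// not contain an RSA key is rejected, because the caller signs with RSA.
//
// Every error is wrapped with the file path so a wrong fixture location or a
// key in the wrong format is obvious from the test output instead of a bare
// asn1 error.
func getSigningKey(fp string) (*rsa.PrivateKey, error) {
	fileContent, err := ioutil.ReadFile(fp)
	if err != nil {
		return nil, fmt.Errorf("reading signing key %q: %w", fp, err)
	}

	// pem.Decode returns nil when no PEM armor is present at all; the rest
	// of the file (second block onwards) is deliberately ignored.
	block, _ := pem.Decode(fileContent)
	if block == nil {
		return nil, fmt.Errorf("failed to decode PEM block containing RSA PRIVATE KEY in %q", fp)
	}

	switch block.Type {
	case "RSA PRIVATE KEY":
		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing PKCS#1 key %q: %w", fp, err)
		}
		return key, nil

	case "PRIVATE KEY":
		parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing PKCS#8 key %q: %w", fp, err)
		}
		// PKCS#8 is algorithm-agnostic; an EC or Ed25519 key would parse
		// fine but cannot be used for rsa-sha256 signing.
		key, ok := parsed.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("PKCS#8 key %q holds %T, not an RSA private key", fp, parsed)
		}
		return key, nil

	default:
		return nil, fmt.Errorf("unexpected PEM block type %q in %q (want RSA PRIVATE KEY or PRIVATE KEY)", block.Type, fp)
	}
}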

...

    // XML Signing
    signingKey, err := getSigningKey("assets/idp/azure_ad_app_signing_pkcs1_key.pem")
    if err != nil {
        t.Fatalf("error parsing signing key: %s", err)
    }
    signer, err := signedxml.NewSigner(authRequestPayloadPlain.String())
    if err != nil {
        t.Fatalf("error initializing XML signer: %s", err)
    }
    signedAuthRequestPayloadPlain, err := signer.Sign(signingKey)
    if err != nil {
        t.Fatalf("error signing XML doc: %s", err)
    }
 <samlp:Response ID="_9eefb041-27fe-4014-bf4b-932cd5f7f5d5" Version="2.0" IssueInstant="2020-04-21T04:44:24.286Z" Destination="https://127.0.0.1:3443/saml" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
          <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/1b9e886b-8ff2-4378-b6c8-6771259a5f51/</Issuer>
          <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
          </samlp:Status>
          <Assertion ID="_7298c1f7-4411-4bc6-b8e4-77622e935418" IssueInstant="2020-04-21T04:44:23.125Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>https://sts.windows.net/1b9e886b-8ff2-4378-b6c8-6771259a5f51/</Issuer>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
              <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_0369ee56-8152-4f92-b8c3-e1481fe74300">
                  <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <DigestValue>asdf</DigestValue>
                </Reference>
              </SignedInfo>
              <SignatureValue>asdf</SignatureValue>
            </Signature>
            <Subject>
              <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">greenpau@contoso.com</NameID>
              <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2020-04-21T05:44:28.208Z" Recipient="https://127.0.0.1:3443/saml"/>
              </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2020-04-21T04:39:28.099Z" NotOnOrAfter="2020-04-21T05:44:28.208Z">
              <AudienceRestriction>
                        <Audience>urn:caddy:mygatekeeper</Audience>
              </AudienceRestriction>
            </Conditions>
            <AttributeStatement>
              <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>1b9e886b-8ff2-4378-b6c8-6771259a5f51</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>158d7011-cfd7-41b8-b456-8a8264ac5a04</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>Greenberg, Paul</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/1b9e886b-8ff2-4378-b6c8-6771259a5f51/</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
                <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
                <AttributeValue>AzureAD_Editor</AttributeValue>
                <AttributeValue>AzureAD_Viewer</AttributeValue>
                <AttributeValue>AzureAD_Administrator</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>Paul</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>Greenberg</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>greenpau@contoso.com</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>greenpau@contoso.com</AttributeValue>
              </Attribute>
              <Attribute Name="http://claims.contoso.com/SAML/Attributes/RoleSessionName">
                <AttributeValue>greenpau@contoso.com</AttributeValue>
              </Attribute>
              <Attribute Name="http://claims.contoso.com/SAML/Attributes/Role">
                <AttributeValue>AzureAD_Editor</AttributeValue>
                <AttributeValue>AzureAD_Viewer</AttributeValue>
                <AttributeValue>AzureAD_Administrator</AttributeValue>
              </Attribute>
              <Attribute Name="http://claims.contoso.com/SAML/Attributes/MaxSessionDuration">
                <AttributeValue>3600</AttributeValue>
              </Attribute>
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2020-04-21T05:44:28.358Z" SessionIndex="_7298c1f7-4411-4bc6-b8e4-77622e935418">
              <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
              </AuthnContext>
            </AuthnStatement>
          </Assertion>
        </samlp:Response>
ma314smith commented 4 years ago

It looks like the issue is with the sample XML you provided. There isn't an ID attribute anywhere in the document that matches the Reference URI (`#_0369ee56-8152-4f92-b8c3-e1481fe74300`), so the signer has nothing to canonicalize and digest. For a Signature placed inside the Assertion with the enveloped-signature transform, the Reference should point at the Assertion's own ID, i.e. `URI="#_7298c1f7-4411-4bc6-b8e4-77622e935418"`; the transform strips the Signature out of exactly that referenced element before digesting, so the URI must resolve to the element the Signature is embedded in.

greenpau commented 4 years ago

@ma314smith , thank you! :+1: I found an open PR and thought it was relevant, but never got back to it :-(

adamdecaf commented 1 year ago

@greenpau were you able to resolve this? Or is it still an open issue?