node-saml / xml-crypto

Xml digital signature and encryption library for Node.js
MIT License

Invalid signature - while www.samltool.com does validate it correctly #149

Closed gijsboer closed 1 year ago

gijsboer commented 6 years ago

Hello,

I'm trying to use the signature validation option, but I can't get it to validate the signature, unfortunately. I've tried using samlify and passport-saml; both use xml-crypto and both give the same answer.

Certificate used to validate it:

-----BEGIN CERTIFICATE-----
MIIDDDCCAfSgAwIBAgIHBm6OO+sBhzANBgkqhkiG9w0BAQUFADA1MQswCQYDVQQG
EwJHQjEMMAoGA1UEChMDSHViMRgwFgYDVQQDEw9IVUJEVlNpZ25pbmdLZXkwHhcN
MTcwODI5MTczNjA5WhcNMjcwNzA4MTczNjA5WjA1MQswCQYDVQQGEwJHQjEMMAoG
A1UEChMDSHViMRgwFgYDVQQDEw9IVUJEVlNpZ25pbmdLZXkwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCg8e8WRsALeVAkyd+dsMkypIYAsF5edvn12Xir
+glns6ArCmUo0Xv07Jj8TE3JyELyhzQ25TTbCT54k1cxxK0NkaaWNbiLzMFfLj5/
qXPTEo/Lj0GLPsUi4DhH60cRGRJNGOmEPTbs7O9JKQscGmM+uU632JasRaNjTe1l
GSafH9w66IE9cDRzAGV7d6aAMwaeNah9DVrU9QdN0riC3e/mXbPPCXq/9YXoEjFF
AQyc4rNNsq6xbrCQDKEMwhUDBA58hmA4R4KlncECRIusunA2FKVWzowNczcXaDxf
1lctnHDmyzhQHCj9TFHhv1HvucO1sFVlWrw9AmcE8WNQgcXnAgMBAAGjITAfMB0G
A1UdDgQWBBQTFyhFplrjXY5ETHf2bL6qGD4vMDANBgkqhkiG9w0BAQUFAAOCAQEA
PPUwhptVGPZGaezTtDDXzQMlt8WnHNIQNA8R00nJnMrYAJyz586vKWm+/94P9wRX
o+v7/mh6gKAY9gY5RxKK23A0Ox1BFapAcKb+cg8Pwn3UL1j3k5uW7HSwoZXK12Cv
+PCxNIeEsIMi+Xs1vyAPmh6G/GvygnZgTPFnCyrCxIXQTg67a7/VBxEjQco6prDJ
/Gqee7XMMyJ3mCHWYOZ0TK9IeLYRaBb1+wrhI2pWuJn/HE69hL9XNHMQ25Oc8Cnl
2MVE1As/HtgzZEpMGlOnPbTRX6YxE4XvDlIIjIfW7FrKr+nzbKTcjiIGg2dndKIR
NIdox2FayCFhKOYHPhAgjA==
-----END CERTIFICATE-----

IdP Entity ID: https://ssodev.huberto.org/FIM/sps/HUBDVSAML20/saml20
Service provider EntityId: GatewayWAMService
SP Attribute Consume Service endpoint: https://ssodev.huberto.org/FIM/sps/HUBDVSAML20/saml20
Target URL: http://localhost:3000/login/callback

SAML response received/to be validated:

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://localhost:3000/login/callback" ID="FIMRSP_6b7fe2e3-0161-1c98-bb2b-9ce80b6ade73" InResponseTo="_3d190bc537134c6a5a1b" IssueInstant="2018-02-06T14:23:18Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://ssodev.huberto.org/FIM/sps/HUBDVSAML20/saml20</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion ID="Assertion-uuid6b7fe2c5-0161-10a7-a9f9-9ce80b6ade73" IssueInstant="2018-02-06T14:23:18Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://ssodev.huberto.org/FIM/sps/HUBDVSAML20/saml20</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="uuid6b7fe2cc-0161-182d-95b5-9ce80b6ade73"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#Assertion-uuid6b7fe2c5-0161-10a7-a9f9-9ce80b6ade73"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs saml xsi"></xc14n:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>t8w4ZELtN7Zw/xm0L3EMc7QS+AABk749pOtQ80+oYyA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Ghw6/xnKL0Gpjd6l1XCWOytHouXAG79CJpKJiCXBr9vmyLF8Xgs8jaZGCj7zphYXHrlTvXiPVMu25tu3XRZaWwCGLT4ql5U6e+eZ17tcbp9bhFA5k38uTPXOSogQuODEuyPfihZiv7WPnMdCiBIMJX3yoQI4uBpsJRoWWbN/BxY1GYhySksO4b+p/zp1LfECblNvetC62mzhpCbYbWbLsCKCEsy4gjHIKqV36C6BLx/GjOLDokIXfLuEP2FLuiNMd3c1neO5TLISl/A1yCHesUcS4n7Dg3vnf2ax4eQ0ozg2WezvXq8BqsYtfBt3dGuROvEMZAz+xdM0qra9/6nfVA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">adamsanders@hub.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_3d190bc537134c6a5a1b" NotOnOrAfter="2018-02-06T14:24:18Z" Recipient="http://localhost:3000/login/callback"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2018-02-06T14:22:18Z" NotOnOrAfter="2018-02-06T14:24:18Z"><saml:AudienceRestriction><saml:Audience>GatewayWAMService</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2018-02-06T14:23:18Z" SessionIndex="uuid6b60debb-0161-110c-b2ef-9ce80b6ade73" SessionNotOnOrAfter="2018-02-06T15:23:18Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="userid" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><saml:AttributeValue xsi:type="xs:string">adamsanders@hub.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="companyId" 
NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><saml:AttributeValue xsi:type="xs:string">4a922fd6-a785-4df3-ab9a-cc58a6fb1926</saml:AttributeValue></saml:Attribute><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress"><saml:AttributeValue xsi:type="xs:string">adamsanders@hub.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="customerId" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><saml:AttributeValue xsi:type="xs:string">1307f831-d324-4a6c-877a-f2c69385c6a5</saml:AttributeValue></saml:Attribute><saml:Attribute Name="bankLegalEntityId" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><saml:AttributeValue xsi:type="xs:string">banka</saml:AttributeValue></saml:Attribute><saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><saml:AttributeValue xsi:type="xs:string">Adam2</saml:AttributeValue></saml:Attribute><saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><saml:AttributeValue xsi:type="xs:string">Sandersd2</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

The error that I get is in validationErrors:

invalid signature: for uri #Assertion-uuid6b7fe2c5-0161-10a7-a9f9-9ce80b6ade73 calculated digest is BeGu6QFyyKNnHOtMWsK0fc4KhOZAHt8SES2wFKZCOpo= but the xml to validate supplies digest t8w4ZELtN7Zw/xm0L3EMc7QS+AABk749pOtQ80+oYyA=

I half-assume that the canonicalized XML is wrong, but I can't determine what the canonicalized XML is that is being used on the IDP, since it's not in my control.

Does anyone know what the problem could be?

Let me know if more info is needed!

ColinLMacLeod1 commented 6 years ago

I have the same issue using SSOCircle as my IdP. When I check the request with https://www.samltool.com/validate_response.php it says it is valid.

gijsboer commented 6 years ago

Should have updated this ticket, but after I enabled SAML encryption in passport-saml, I could correctly validate it. And using the tool xmlsec, I was able to see the actual canonicalized XML, digest, and everything else that I needed to see what the difference was (there is one: the canonicalized XML is different).

ColinLMacLeod1 commented 6 years ago

Thanks for the response! Do you know how enabling SAML encryption in passport-saml affected the implementation of xml-crypto? I'm just using xml-crypto. Were there additional transforms or options?

gijsboer commented 6 years ago

If I remember correctly, <sometag></sometag> would get translated as <sometag/> or the other way around. Xmlsec1 produces the right XML, so you can compare the output of xml-crypto against that, and it will show you the reason why it fails.

cjbarth commented 1 year ago

It appears that this issue is resolved, so I'll close it. If I'm mistaken, please reply to reopen.