perl-net-saml2 / perl-XML-Sig

XML::Sig - A Perl toolkit to help sign and verify XML Digital Signatures.
https://metacpan.org/pod/XML::Sig

dssig:[Attribute] vs ds:[Attribute] #4

Closed Misosooup closed 3 years ago

Misosooup commented 4 years ago

Hi, I am using this library to verify the SAMLResponse that comes back from IDP. This library is set to use dssig instead of ds hence the verification kept failing. Is it possible to have that updated so we can pass the namespace through instead?

Misosooup commented 4 years ago

I meant, dsig vs ds

timlegge commented 4 years ago

Can you attach the xml you are using? The code takes the XML and changes the namespace that is specified in the xml to the format it is expecting.

Misosooup commented 4 years ago

hmm. I tried giving it my XML but the verification kept failing, so I updated the code to use ds: instead of dsig and that worked.

The library that I used in my IDP comes from this package. https://github.com/robrichards/xmlseclibs/blob/master/src/XMLSecurityDSig.php

It's a PHP package. You can generate the XML from there and pass that into the verification function to test it.

This is the XML that I am using. But you can't pass this into the verification as I have omitted some information.

```xml
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_3b2d5ce9fc37cd08def4d6b6ec5d7f3f7ba0fced3e"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>jiUfShuD8EHb8++fTVeWiYsLAtzvUETIwN0+vvJtORc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>rU91qPpkbZFa0pdrMX6w4438lK0YJpFk9mAH34JJIxEinXOHeH1O0W/SnndQLflabiaSslkyJnPWRX+ESbXrjsxIAh9VLCGQNdKrk2zTn7czAB33kzjdg1NLju5bywFiLk3CNS+Rm00h47vdMb4THJsBQWS5Wwz8C+uIRIZp3UDUjlhBdxglVQP7eIvkDx8pOKkNBxtrCYyTA6eZVR+3DDmTEo3bGK0gvRl0rtf80ZyJ4ZOPCxpUSmRUYzGu2+f/+cIo785YWgceNzfKvbcS+vrOKyotAYywXr4lLzDa5g/VNe7iXXptDdaz+YDXAmIy6vNTPyapplOnShh4bVUa1A==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>some cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_2678603ce7da18646b568134624d936c7323000ccd" Version="2.0" IssueInstant="2020-09-22T23:30:13Z"><saml:Issuer>http://somedomain/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_2678603ce7da18646b568134624d936c7323000ccd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>4gsrSPj/BgJ28ALVsCPh+TfIpGoOlULzNofLf4idZKg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>lXgZvSROOELoxyL9O8AnHto00EqYEvQ7eIRPPn7x+syT4040265EvI0wwvA3R5l/V3KqL6GVRJ5umAaG5+Fdt0JV4FSSBl0WQM+6JR4ZuOAuRTykcqOKv9q9q+1Kz50qhe9ZmP1SJgHmWOaIhU1L7Ck9dsJzpBvMSPA1M8zEvBjgE/+2MHYjRVnNxk7vkEJ/LOm1dgbmXyCzLxOtWMaQnGWjkASAgKFUTelNazFgONKkvLjDcNoCvAtEXhS1KRsVi9Zy+TSGzll/wSFdGv4iLBTPqITvhRlGX/d66VDdYXlL58EqdA0LtX/Hv6vXG4bQqhP1lvbv48IZYdGHcXATjQ==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>some cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://somedomain" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_e7add42a63a1d085b3d3cc514c400b5c333c7fb46f</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2020-09-22T23:35:13Z" Recipient="http://somedomain/saml/sp/acs" InResponseTo="ecommerce"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2020-09-22T23:29:43Z" NotOnOrAfter="2020-09-22T23:35:13Z"><saml:AudienceRestriction><saml:Audience>http://development.something</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2020-09-22T22:41:14Z" SessionNotOnOrAfter="2020-09-23T06:41:14Z" SessionIndex="_9c7193e299b5ba99b4a0e1cb4e914203f92f5a5108"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">ecommerce:administrator</saml:AttributeValue></saml:Attribute><saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">administrator</saml:AttributeValue></saml:Attribute><saml:Attribute Name="active" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">1</saml:AttributeValue></saml:Attribute><saml:Attribute Name="type" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">some</saml:AttributeValue></saml:Attribute><saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue 
xsi:type="xs:string">Administrator</saml:AttributeValue></saml:Attribute><saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">User</saml:AttributeValue></saml:Attribute><saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">administrator@somedomain.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="plainTextPassword" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:nil="true"></saml:AttributeValue></saml:Attribute><saml:Attribute Name="accessGroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">someattribte</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
```
timlegge commented 4 years ago

The way it is "supposed to work" is that the verify will tell the parser to set the namespace to dsig when it matches http://www.w3.org/2000/09/xmldsig#. Then a request to the parser for the attribute dsig:xxx should return whatever the ds:xxx is.

I was looking at how it works a bit ago. If you have the ability to generate a test xml that I can test against that would be good.

Tim

timlegge commented 3 years ago

Since you have not replied in over a month I will close, but give it a try with https://github.com/perl-net-saml2/perl-XML-Sig/tree/validation-issues. I fixed a number of issues with validation that were likely affecting you. XML::Sig sets that namespace to dsig: so that it can handle documents that use ds: instead. Let me know if you still have issues.
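As an added example (the editor's, not code from XML::Sig or from this thread), the Perl below shows the mechanism Tim describes: the document is signed with the `ds:` prefix, the XPath context registers its own `dsig` prefix for http://www.w3.org/2000/09/xmldsig#, and both resolve to the same nodes because matching is by namespace URI, not by the spelling of the prefix. It goes one step beyond the thread by also checking that the Reference URI points at the element that actually encloses the Signature. It assumes XML::LibXML is installed; the assertion, its IDs and the digest/signature values are constructed placeholders.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use XML::LibXML;

# The namespace URI XML::Sig keys on; the prefix used in the document is irrelevant.
my $DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#';

# Constructed sample in the style of an xmlseclibs-signed assertion ("ds:" prefix).
# DigestValue and SignatureValue are placeholders, not real cryptographic values.
my $xml = <<'XML';
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_assertion1">
  <saml:Issuer>http://idp.example/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_assertion1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER_DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER_SIGNATURE</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>
XML

my $doc = XML::LibXML->load_xml(string => $xml);
my $xpc = XML::LibXML::XPathContext->new($doc);
$xpc->registerNs('dsig', $DSIG_NS);   # our prefix, bound to the real namespace URI

# Namespace-aware lookup: "dsig:" here finds the nodes the document spells "ds:".
my ($sig) = $xpc->findnodes('//dsig:Signature');
my ($ref) = $xpc->findnodes('dsig:SignedInfo/dsig:Reference', $sig);
printf "SignatureMethod: %s\n",
    $xpc->findvalue('dsig:SignedInfo/dsig:SignatureMethod/@Algorithm', $sig);

# Defensive check a verifier needs before trusting any signed content: the Reference
# must point at the element enclosing this Signature, not at some other ID in the document.
(my $target = $ref->getAttribute('URI')) =~ s/^#//;
my $parent_id = $sig->parentNode->getAttribute('ID') // '';
print $target eq $parent_id
    ? "Reference '#$target' matches the enclosing element ID\n"
    : "WARNING: Reference '#$target' does not match enclosing element ID '$parent_id'\n";

# Without registerNs the "dsig" prefix is unknown to the parser (it is not declared
# in the document), so the same XPath either errors out or matches nothing.
my @found = eval { $doc->findnodes('//dsig:Signature') };
chomp(my $err = $@);
printf "Without registerNs: %s\n", $err ? "XPath error ($err)" : scalar(@found) . " node(s)";
```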