tngan / samlify

Node.js library for SAML SSO
https://samlify.js.org
MIT License
610 stars, 217 forks

Signature length not correct: got 257 but was expecting 256 #225

Closed. securityvoid closed this issue 4 years ago

securityvoid commented 6 years ago

Hello, I'm getting the following error message from my IdP when it's processing the signed AuthnRequest generated by Samlify on the Service Provider.

Signature length not correct: got 257 but was expecting 256

This is an example AuthnRequest:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a9a06995-8cda-4042-9b80-d66f1118033c" Version="2.0" IssueInstant="2018-11-07T01:43:40.028Z" Destination="https://mysite.com/saml/auth" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://localhost:7071/api/v1/saml/post/ac">
    <saml:Issuer>https://localhost:7071/saml/metadata</saml:Issuer>
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_a9a06995-8cda-4042-9b80-d66f1118033c">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>2S1bBotRxtMZHGeHwHkPp98bvV1GioFmHxyYAe2erl0=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>UKSo4HYUyzjMD49G4CI8g1eEbECzWA2cs9YZTkm3Jt2FN8gM9OJ99GyEai7VInH4m0KsaStOjJWDhZokDwx/ifIcDKYLaopmVG/qo3CoCLzxXFvDHQjs4qMs/+qcKQRKkgzU2rOLOE/cu9wsyK9TPGxF8/w0IZN/t1LXy+9tLtbRDFSV5YkKm9oMTNpKZEI17ilg2yXTbY69BiJZP3u3Bd2Qj3CD6j6lEAiwMoRtr98U/ZWuQNk1f6lhtwCOyO/1i7ipsMRKVClX2DpqGS4E+ppyhs+hVcc7wNVpxHM6fCZp49CmfKmFylFpjxUyXRfq57/dLwk02bkzAfS1Yu1T/6c=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/>
</samlp:AuthnRequest>

If you take a look at the signature, it does in fact appear to have a length of 257 instead of 256.

Interestingly, we have three environments utilizing the same code with samlify and the same IdP, and only one environment has this issue. The environment that fails always fails; the environments that work always work.

Any thoughts/ideas on how to troubleshoot this?

tngan commented 6 years ago

@securityvoid Interesting, will need to take some time to have a look.

tngan commented 5 years ago

@securityvoid What are the difference(s) among your three environments?

securityvoid commented 5 years ago

@tngan There is nothing different between the three environments besides the certificates. Code is literally deployed directly from source-control and the same source has been promoted to all environments.

tngan commented 4 years ago

@securityvoid Have you resolved this issue?

securityvoid commented 4 years ago

I worked around this, but I never resolved it.

I regenerated my SSL Certificates for the environment and the new certificates worked fine for that environment.

As I recall (this was a while ago), I had to regenerate the certificate several times to finally get one that worked, and one out of every 5 or so would still fail.

I moved on with one of the working certificates.

tngan commented 4 years ago

Ok, thanks for your update, then let me close this issue first.