Getting "Signature validation failed. Reference validation failed" when trying to validate a SAML 2.0 response

Problem description   Votes: 0   Answers: 2

I am trying to validate my SAML response on the samltool.com website, but I keep getting the message "Signature validation failed. Reference validation failed". I searched online and found a few suggestions, but they either do not fix the error or produce new errors.

Here is my response; any suggestions would be greatly appreciated.

<samlp2:Response xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="SAML-027a0db7-ecd3-464e-b4e0-400870b6ab5a" IssueInstant="2020-11-19T10:41:21Z" Destination="[Destination]">
  <samlp2:Status>
    <samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp2:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_83213680-19ae-4e12-8ccd-d24a818ec1a6" IssueInstant="2020-11-19T16:41:21.370Z" Version="2.0">
    <saml2:Issuer>[Issuer]</saml2:Issuer>
    <saml2:Signature xmlns:saml2="http://www.w3.org/2000/09/xmldsig#">
      <saml2:SignedInfo>
        <saml2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <saml2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <saml2:Reference URI="#_83213680-19ae-4e12-8ccd-d24a818ec1a6">
          <saml2:Transforms>
            <saml2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <saml2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </saml2:Transforms>
          <saml2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <saml2:DigestValue>[DigestValue]</saml2:DigestValue>
        </saml2:Reference>
      </saml2:SignedInfo>
      <saml2:SignatureValue>[SignatureValue]</saml2:SignatureValue>
      <saml2:KeyInfo>
        <saml2:X509Data>
          <saml2:X509Certificate>[X509Cert]</saml2:X509Certificate>
        </saml2:X509Data>
      </saml2:KeyInfo>
    </saml2:Signature>
    <saml2:Subject>
      <saml2:NameID>[emailId]</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="[ipaddress]" NotOnOrAfter="2020-11-29T06:00:00.000Z" Recipient="[Recipient]"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-11-19T16:41:21.370Z" NotOnOrAfter="2020-11-29T06:00:00.000Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>[SPEntityId]</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2020-11-19T16:41:21.370Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>[firstName]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>[lastName]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="emailId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>[emailId]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="custCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>[custCode]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="phone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>[phone]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="ssoId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>[ssoId]</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp2:Response>
xml x509certificate saml-2.0
2 answers

0 votes

I added the Issuer and Signature outside the Response but before the Status, and now I get "Invalid Signature element found. SAML Response rejected"

<samlp2:Response Version="2.0" ID="SAML-18b9737d-5969-4231-a074-0ff5ca3ab0df" IssueInstant="2020-11-19T01:00:24Z" Destination="[Destination]" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.lacitizens.com</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_1a4fdd97-53f3-4676-aec3-e00213f226eb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>[DigestValue]</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>[SignatureValue]</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>[X509Certificate]</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>  
  <samlp2:Status>
    <samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp2:Status>
 <saml2:Assertion ID="_1a4fdd97-53f3-4676-aec3-e00213f226eb" IssueInstant="2020-11-19T19:00:24.563Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>https://www.lacitizens.com</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_1a4fdd97-53f3-4676-aec3-e00213f226eb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>[DigestValue]</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>[SignatureValue]</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>[X509Certificate]</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID>[emailId]</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Address="[ipaddress]" NotOnOrAfter="2020-11-29T06:00:00.000Z" Recipient="[recipient]" /></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2020-11-19T19:00:24.563Z" NotOnOrAfter="2020-11-29T06:00:00.000Z"><saml2:AudienceRestriction><saml2:Audience>[audience]</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2020-11-19T19:00:24.563Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[firstName]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute 
Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[lastName]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="emailId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[emailId]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="custCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[custCode]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="phone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[phone]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="ssoId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[ssoId]</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
</samlp2:Response>
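One structural defect is visible in the Response above and is worth checking mechanically before looking at digests: the Response-level ds:Signature's Reference URI is `#_1a4fdd97-53f3-4676-aec3-e00213f226eb`, which is the Assertion's ID, while the Response's own ID is `SAML-18b9737d-5969-4231-a074-0ff5ca3ab0df`. SAML 2.0 core requires an enveloped signature's single ds:Reference to point at the ID of the element that contains the Signature (the Response for a Response signature, the Assertion for an Assertion signature); a validator that enforces this also closes the classic signature-wrapping route where a Reference points at some other ID-bearing element. The checker below is an added example, not samltool's code or anything from the posts; it keys on namespace URIs rather than prefixes, so it also copes with the original question's Signature, which binds the `saml2` prefix to the xmldsig namespace. The two input documents are constructed stand-ins with placeholder digest and signature values.

```python
import xml.etree.ElementTree as ET
from typing import List

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SIGNABLE = {f"{{{NS_SAMLP}}}Response", f"{{{NS_SAML}}}Assertion"}


def _signature(ref_id: str) -> str:
    """Constructed ds:Signature skeleton; only the Reference URI matters here,
    digest and signature bytes are placeholders as in the posts above."""
    return (
        f'<ds:Signature xmlns:ds="{NS_DS}"><ds:SignedInfo>'
        f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        f'<ds:Reference URI="#{ref_id}"><ds:Transforms>'
        f'<ds:Transform Algorithm="{ENVELOPED}"/><ds:Transform Algorithm="{EXC_C14N}"/>'
        '</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '<ds:DigestValue>[DigestValue]</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>[SignatureValue]</ds:SignatureValue></ds:Signature>'
    )


def build_response(response_ref: str) -> str:
    """Constructed Response in the layout of the answer above: Issuer, Response-level
    Signature, Status, then a signed Assertion whose own Reference is correct.
    response_ref is the ID the Response-level Reference points at."""
    return (
        f'<samlp2:Response xmlns:samlp2="{NS_SAMLP}" xmlns:saml2="{NS_SAML}" '
        'ID="SAML-resp-1" Version="2.0">'
        '<saml2:Issuer>https://idp.example</saml2:Issuer>'
        + _signature(response_ref) +
        '<samlp2:Status><samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp2:Status>'
        '<saml2:Assertion ID="_assert-1" Version="2.0">'
        '<saml2:Issuer>https://idp.example</saml2:Issuer>'
        + _signature("_assert-1") +
        '</saml2:Assertion></samlp2:Response>'
    )


def check_signature_placement(xml_text: str) -> List[str]:
    """Structural checks on every enveloped signature: the parent must be a Response
    or Assertion with an ID, each signed ID must be unique, the single Reference must
    point at that ID, and the enveloped-signature transform must be present.
    Matching is on namespace URIs, so prefix choices (ds:, saml2:, ...) do not matter."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree has no parent links
    findings: List[str] = []
    seen_ids = set()
    for sig in root.iter(f"{{{NS_DS}}}Signature"):
        signed = parent.get(sig)
        if signed is None or signed.tag not in SIGNABLE:
            where = signed.tag if signed is not None else "the document root"
            findings.append(f"Signature is enveloped in {where}, not in a Response or Assertion")
            continue
        local = signed.tag.split("}", 1)[1]
        signed_id = signed.get("ID")
        if not signed_id:
            findings.append(f"{local} carries a Signature but has no ID attribute")
            continue
        if signed_id in seen_ids:
            findings.append(f"{local}: ID {signed_id!r} is used by more than one signed element")
        seen_ids.add(signed_id)
        refs = sig.findall(f"{{{NS_DS}}}SignedInfo/{{{NS_DS}}}Reference")
        if len(refs) != 1:
            findings.append(f"{local} ID={signed_id!r}: expected exactly one Reference, found {len(refs)}")
            continue
        uri = refs[0].get("URI", "")
        if uri != "#" + signed_id:
            findings.append(f"{local} ID={signed_id!r}: Reference URI {uri!r} does not point at "
                            "the element that envelopes the Signature")
        transforms = [t.get("Algorithm")
                      for t in refs[0].findall(f"{{{NS_DS}}}Transforms/{{{NS_DS}}}Transform")]
        if ENVELOPED not in transforms:
            findings.append(f"{local} ID={signed_id!r}: Reference lacks the enveloped-signature transform")
    return findings


if __name__ == "__main__":
    # Layout from the answer above: Response signature references the Assertion ID.
    print("Response Reference -> Assertion ID:", check_signature_placement(build_response("_assert-1")))
    # Corrected: Response signature references the Response's own ID.
    print("Response Reference -> Response ID: ", check_signature_placement(build_response("SAML-resp-1")))
```

The first call reports the Reference mismatch for the Response-level signature; the second returns no findings. Passing this check says nothing about the digest or the signature bytes, which still have to be verified against the IdP certificate, but a Reference that points anywhere other than the enveloping element should be rejected before that work is done.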

0 votes

I hope you are doing well. First, please let us know whether you solved the problem?

What follows is basically my own question (if you are familiar with it, or anyone else has thoughts on this, please let me know).

Unfortunately not an answer, but an observation: in my case, my SAML response with a correct signature fails with a reference validation failure (i.e. the computed digest value does not match the expected one) if the samlResponseXMLString is formatted.

Details (the code blocks are examples in XMLString form, to illustrate):

  1. I decoded the URL-/Base64-encoded SAMLResponse into a SAMLResponseXMLString; let's call it 'XMLString_RAW'. It is not formatted; there is no whitespace between tags and content. I validated it via the OpenSAML library (which in turn validates via the Apache security library). It validated successfully (even the digest value computation matched).
    <?xml version="1.0" encoding="UTF-8" standalone="no"?><saml2p:Response 
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://app.com/api/saml/assertion" ID="_c0c49e3157cb4882002e5a3a505b5457" InResponseTo="6miJTbk50XLxlggXwUG8vn(5OUUO3-awq9MTzoYedJfK-NH" IssueInstant="2024-01-10T13:45:05.049Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C_IdOfIDP</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4a146c4e23e148bdc45d3bf6fe12f74b" IssueInstant="2024-01-10T13:45:05.049Z" Version="2.0"><saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C02d32jyc</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_4a146c4e23e148bdc45d3bf6fe12f74b"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>Zw(DigestValue)+IP1/eifT4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>LEsM/5cBZ(Signature)kUI1G/yrJEYyAdIvE
    3nQFRgjvxrZzT/ZmOccDdOmL28flmMHX2mL2slYGk0W7o/4nYm686ttheMESWx0qrHlhdnsSPaFp
    k7aVCvfX17+/5Fl2lsN1kAuPBqMIQsbD83tYumOcvqi+gm0RZ8iVuaM94OdmBzAwcU8hFj7Ewt86
    pU0UehMq5EVJXZ36sXE5iq+kxLI8/pkULMYjztWKuL4KjBid+PMdSPXnAlrckatUg+G6WhYRtl8m
    wzIGqwmWAjZ52iZAZK8OtUBJpXZG/HDs2qITOw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName><ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAXJhuXJxMA0(CertificateEncoded)gNVBAoTC0dvb2dsZSBJ
    bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv

  2. Now, if I use Visual Studio Code to format this XMLString_RAW (let's call the result XMLString_FORMATTED), the signature is not validated and an error occurs saying that the computed digest value is different.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://app.com/api/saml/assertion" ID="_c0c49e3157cb4882002e5a3a505b5457"
    InResponseTo="6miJTbk50XLxlggXwUG8vn(5OUUO3-awq9MTzoYedJfK-NH"
    IssueInstant="2024-01-10T13:45:05.049Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    https://accounts.google.com/o/saml2?idpid=C_IdOfIDP</saml2:Issuer>
<saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_4a146c4e23e148bdc45d3bf6fe12f74b" IssueInstant="2024-01-10T13:45:05.049Z" Version="2.0">
<saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C02d32jyc</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    <ds:Reference URI="#_4a146c4e23e148bdc45d3bf6fe12f74b">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>Zw(DigestValue)+IP1/eifT4=</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>LEsM/5cBZ(Signature)kUI1G/yrJEYyAdIvE
    3nQFRgjvxrZzT/ZmOccDdOmL28flmMHX2mL2slYGk0W7o/4nYm686ttheMESWx0qrHlhdnsSPaFp
    k7aVCvfX17+/5Fl2lsN1kAuPBqMIQsbD83tYumOcvqi+gm0RZ8iVuaM94OdmBzAwcU8hFj7Ewt86
    pU0UehMq5EVJXZ36sXE5iq+kxLI8/pkULMYjztWKuL4KjBid+PMdSPXnAlrckatUg+G6WhYRtl8m
    wzIGqwmWAjZ52iZAZK8OtUBJpXZG/HDs2qITOw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAXJhuXJxMA0(CertificateEncoded)gNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv

[Screenshot: error message from XMLString_FORMATTED failing signature validation]

PS: I tried adding spaces and ' ' in XMLString_RAW, but it still passes. But when I format it into XMLString_FORMATTED, I keep getting the wrong digest value message. I specifically messed with the Signature tag, but still cannot understand it. I was unable to hand-craft XMLString_FORMATTED in a direction where it passes. Currently looking into it (the digest value computation in more depth, forming the MDA (message digest algorithm)); let's see.
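The behaviour described in the answer above follows from how the Reference digest is computed. The two transforms listed in the Reference (enveloped-signature, then exclusive C14N) remove the ds:Signature element and canonicalize whatever remains of the Assertion subtree; the digest is taken over those canonical bytes. Canonicalization normalizes attribute order, quoting and empty-element syntax, but it does not strip whitespace-only text nodes, so every newline and indent a pretty-printer inserts between elements becomes part of the digested content and the DigestValue no longer matches. Whitespace inside base64 values (DigestValue, SignatureValue, X509Certificate) is harmless because it is decoded away, which is why line-wrapped certificate text survives. The script below is an added example, not code from the answer or from OpenSAML; it uses Python's built-in C14N 2.0 writer (`xml.etree.ElementTree.canonicalize`) instead of exclusive C14N 1.0, so its digests will not equal an IdP's, but the invariants it demonstrates are the same for both. The documents are constructed stand-ins with placeholder signature bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the signed Assertion as received (compact, no whitespace between tags).
RAW = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">'
    '<saml2:Issuer>https://idp.example</saml2:Issuer>'
    f'<ds:Signature xmlns:ds="{NS_DS}"><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    '<saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>'
    '</saml2:Assertion>'
)

# The same document after an editor pretty-printed it (newlines and indentation between elements).
PRETTY = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">\n'
    '  <saml2:Issuer>https://idp.example</saml2:Issuer>\n'
    f'  <ds:Signature xmlns:ds="{NS_DS}"><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>\n'
    '  <saml2:Subject>\n'
    '    <saml2:NameID>alice@example.com</saml2:NameID>\n'
    '  </saml2:Subject>\n'
    '</saml2:Assertion>'
)

# Changes canonicalization is designed to absorb: attribute order and quoting ...
REORDERED = RAW.replace('ID="_a1" Version="2.0"', "Version='2.0' ID='_a1'")
# ... and anything inside the enveloped Signature, which the first transform removes.
RESIGNED = RAW.replace("AAAA", "BBBB")
# A change to the signed content itself, which must be caught.
TAMPERED = RAW.replace("alice@example.com", "mallory@example.com")


def reference_digest(xml_text: str) -> str:
    """Apply the Reference's transforms: drop the enveloped ds:Signature subtree,
    canonicalize the rest without stripping whitespace text nodes, then SHA-256
    and base64-encode the result the way a DigestValue is written."""
    canonical = ET.canonicalize(
        xml_text,
        strip_text=False,                             # whitespace between elements is signed content
        exclude_tags=[f"{{{NS_DS}}}Signature"],       # enveloped-signature transform
    )
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode("ascii")


def digest_matches(original: str, candidate: str) -> bool:
    """True when the candidate canonicalizes to the same digested bytes as the original."""
    return reference_digest(original) == reference_digest(candidate)


if __name__ == "__main__":
    print("reference digest of RAW:", reference_digest(RAW))
    for name, variant in [("REORDERED", REORDERED), ("RESIGNED", RESIGNED),
                          ("PRETTY", PRETTY), ("TAMPERED", TAMPERED)]:
        print(f"{name:9s} -> {'matches' if digest_matches(RAW, variant) else 'DIFFERS'}")
```

REORDERED and RESIGNED match RAW; PRETTY and TAMPERED do not. The practical consequences: verify the bytes exactly as they came out of the base64 decode, never a re-serialized or reformatted copy, and do not try to undo pretty-printing by stripping whitespace, because nothing distinguishes the inserted whitespace from whitespace-only text nodes that were in the signed document originally.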
