[xmlsec] XML Signatures in SAML Land - Fingerprint-only Verification Possible?

[Paul Hinze]

Hello Aleksey et al,

Thanks for all your work on XMLSec, and apologies in advance for the long
mail.

I'm working on a library in Ruby that uses ruby-ffi to interop with XMLSec.

The goal is to implement a sufficient subset of XMLSec functionality to
allow it to serve as a valid backend for the ruby-saml library, which
currently uses its own home-grown implementation of XML security standards.
I believe that will allow ruby-saml to handle XML security considerations
more "correctly" as well as provide the opportunity to have ruby-saml
support signing, encrypting  and decrypting (which it currently does not).

I've got a basic framework up and running with a few passing tests, but now
that I'm trying to exercise my code with a sample of real world SAML
requests, I'm running into trouble with xmlSecDSigCtxVerify (with OpenSSL
for crypto) refusing to verify signatures for which it cannot build a
proper CA chain.

As far as I understand it, the de facto trust model for SAML integrations
is to check the fingerprint of the signing certificate against a pre-shared
fingerprint stored by the consumer when the trust relationship is
established. Provided the fingerprint matches that of the signing cert, and
provided the XML signature is verified against that cert, everything is
assumed to be peachy.

Now, I'm aware that this trust model may be flawed, and I'm also aware that
this model goes against the grain of the "web of trust" concept that
OpenSSL is built on.

My question is whether it's technically feasible to utilize XMLSec to
support this model. Essentially I need to be able to verify signatures for
which the cert may be self-signed, or for which the CA cert is not
immediately available.

My current working strategy is to extract the cert from the XML document in
question and load it into the keys manager that will be used for the
verification.

Here's the code that successfully passes tests against a self-signed cert I
generated:

https://github.com/instructure/xml_security/blob/0e3cbc30da1558ad2ffa541482014727d088a153/lib/xml_security/signature_verifier.rb

Here is the test cert for which this code works:

https://gist.github.com/phinze/745c4b224dde8e0053fb

Now as I attempted to integrate with ruby-saml, I ran into a set of
requests in the ruby-saml tests signed with the following key:

https://gist.github.com/phinze/fdce716947bc6128d6e6

Verifying those signatures with the same code yields an error here:

x509vfy.c:360 (xmlSecOpenSSLX509StoreVerify) - x509-store X509_verify_cert
4 subj={{redacted}};err=20;msg=unable to get local issuer certificate

My understanding is that the x509v3 extensions on the latter cert prevent
it from acting as a CA for itself.

I've tried sticking XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS on the
keyInfoReadCtx flags of the digital signature context, but that only yields
a different error:

keys.c:1370 (xmlSecKeysMngrGetKey) -  xmlSecKeysMngrFindKey 1

>From reading archives it seems like this flag disables the extraction of
the certificate from the XML, which I'm guessing is what's happening in
this case.

I'm also running into trouble with certs issued by a valid CA for which I
do not have the CA cert in the context where my code is running, since the
prior versions of the application relied only on a pre-shared fingerprint.

So, is there a way for me to pull this off? Or do I need to look elsewhere
for code that can achieve the behavior I'm looking to model?

Thanks so much for your time,

Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20130214/067b8537/attachment.html>