[xmlsec] XML Signatures in SAML Land - Fingerprint-only Verification Possible?

Aleksey Sanin aleksey at aleksey.com
Thu Feb 14 16:57:55 PST 2013 

Take a look at this function. I think it might help with some of the
issues you are having:

https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_verify_callback.html

On the xmlsec-openssl side, you need to understand the
xmlSecOpenSSLX509FindCert() function. In particular, I believe you
need to make sure that ski search (last if block) works with you certs.

Does it make sense?



Aleksey

On 2/14/13 4:41 PM, Paul Hinze wrote:
> Hello Aleksey et al,
> 
> Thanks for all your work on XMLSec, and apologies in advance for the
> long mail.
> 
> I'm working on a library in Ruby that uses ruby-ffi to interop with XMLSec.
> 
> The goal is to implement a sufficient subset of XMLSec functionality to
> allow it to serve as a valid backend for the ruby-saml library, which
> currently uses its own home-grown implementation of XML security
> standards. I believe that will allow ruby-saml to handle XML security
> considerations more "correctly" as well as provide the opportunity to
> have ruby-saml support signing, encrypting  and decrypting (which it
> currently does not).
> 
> I've got a basic framework up and running with a few passing tests, but
> now that I'm trying to exercise my code with a sample of real world SAML
> requests, I'm running into trouble with xmlSecDSigCtxVerify (with
> OpenSSL for crypto) refusing to verify signatures for which it cannot
> build a proper CA chain.
> 
> As far as I understand it, the de facto trust model for SAML
> integrations is to check the fingerprint of the signing certificate
> against a pre-shared fingerprint stored by the consumer when the trust
> relationship is established. Provided the fingerprint matches that of
> the signing cert, and provided the XML signature is verified against
> that cert, everything is assumed to be peachy.
> 
> Now, I'm aware that this trust model may be flawed, and I'm also aware
> that this model goes against the grain of the "web of trust" concept
> that OpenSSL is built on.
> 
> My question is whether it's technically feasible to utilize XMLSec to
> support this model. Essentially I need to be able to verify signatures
> for which the cert may be self-signed, or for which the CA cert is not
> immediately available.
> 
> My current working strategy is to extract the cert from the XML document
> in question and load it into the keys manager that will be used for the
> verification.
> 
> Here's the code that successfully passes tests against a self-signed
> cert I generated:
> 
> https://github.com/instructure/xml_security/blob/0e3cbc30da1558ad2ffa541482014727d088a153/lib/xml_security/signature_verifier.rb
> 
> Here is the test cert for which this code works:
> 
> https://gist.github.com/phinze/745c4b224dde8e0053fb
> 
> Now as I attempted to integrate with ruby-saml, I ran into a set of
> requests in the ruby-saml tests signed with the following key:
> 
> https://gist.github.com/phinze/fdce716947bc6128d6e6
> 
> Verifying those signatures with the same code yields an error here:
> 
> x509vfy.c:360 (xmlSecOpenSSLX509StoreVerify) - x509-store
> X509_verify_cert 4 subj={{redacted}};err=20;msg=unable to get local
> issuer certificate
> 
> My understanding is that the x509v3 extensions on the latter cert
> prevent it from acting as a CA for itself.
> 
> I've tried sticking XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS on
> the keyInfoReadCtx flags of the digital signature context, but that only
> yields a different error:
> 
> keys.c:1370 (xmlSecKeysMngrGetKey) -  xmlSecKeysMngrFindKey 1
> 
> From reading archives it seems like this flag disables the extraction of
> the certificate from the XML, which I'm guessing is what's happening in
> this case.
> 
> I'm also running into trouble with certs issued by a valid CA for which
> I do not have the CA cert in the context where my code is running, since
> the prior versions of the application relied only on a pre-shared
> fingerprint.
> 
> So, is there a way for me to pull this off? Or do I need to look
> elsewhere for code that can achieve the behavior I'm looking to model?
> 
> Thanks so much for your time,
> 
> Paul
> 
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>

More information about the xmlsec mailing list