[xmlsec] Hi Aleksey - thx for the great work on xmlsec - a question about how xmlsec signs

Aleksey Sanin aleksey at aleksey.com
Tue May 23 09:55:37 PDT 2017 

In the future, it is best to use xmlsec mailing list.

You might want to read the spec (https://www.w3.org/TR/xmldsig-core/)
and in particular regarding your question, you will need to
understand the c14n process
(https://www.w3.org/TR/2001/REC-xml-c14n-20010315 and
https://www.w3.org/TR/xml-exc-c14n/).

You might also want to try --store-references option for xmlsec1
command line tool to view the exact dump of what was signed.

Best,

Aleksey

On 5/23/17 4:38 AM, Hans Kessock wrote:
> I’ve got a linux box using xmlsec to validate SAML assertion that are
> returned to it (it being the service provider in this scenario) and
> everything works GREAT.  I validate Ping IDP response, my own custom IDP
> responses (because that test IDP uses xmlsec to sign assertions) –
> everything works very well.
> 
>  
> 
> I’ve now got an administrator tool I need to create that is as small and
> dependency free as possible – that also needs to be able to produce
> signed assertions.
> 
>  
> 
> My problem is that I’ve tried to reproduce the digest value hash
> produced by xmlsec when signing and I’ve never been able to do so.  I’ve
> read so much stuff about xml digital signatures and SAML 2.0 by now that
> my eyes are crossed.
> 
> My next step was to look through the xmlsec code to see how it was you
> produce a signed xml doc; however, ironically, it’s so well written and
> extensible (as an execution buffer) that I can’t figure out exactly what
> it does! Lol.
> 
>  
> 
> If you’ve the time and patience, I wanted to present a piece of Xml
> below and ask you – what exactly does xmlsec do with it if I tell it to
> sign a specific ID?
> 
>  
> 
> If I sign the following Xml (apologies for the form – I wanted to show
> it exactly as I pass it to xmlsec) and specify: --id-attr:ID Assertion
> 
>  
> 
> <samlp:Response xmlns:saml = "urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"
> ID="r4aaaa888-6607-4d06-bd00-b6e31386f497"
> InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428"
> IssueInstant="2017-05-23T11:08:51Z"
> Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><samlp:Status><samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> ID="a3452e5ef-74cb-4559-8236-5a4994a73f9c"
> IssueInstant="2017-05-23T11:08:51Z"
> Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><saml:Subject><saml:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> SPNameQualifier="">email</saml:NameID><saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
> InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428"
> NotOnOrAfter="2017-05-23T11:23:51Z"
> Recipient="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions
> NotBefore="2017-05-23T11:08:51Z"
> NotOnOrAfter="2017-05-23T11:23:51Z"><saml:AudienceRestriction><saml:Audience>ionic</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement
> AuthnInstant="authnstatement_instant"
> SessionIndex="r4aaaa888-6607-4d06-bd00-b6e31386f497"
> SessionNotOnOrAfter="2017-05-23T11:23:51Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute
> Name="email"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">hans at ionic.com</saml:AttributeValue></saml:Attribute><saml:Attribute
> Name="upn"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">hans at ionic.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
> URI="#a3452e5ef-74cb-4559-8236-5a4994a73f9c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue></ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue/><ds:KeyInfo><ds:KeyValue/></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>
> 
>  
> 
> I get the following from xmlsec (which is accepted by my xmlsec backend
> of course):
> 
>  
> 
> <?xml version="1.0"?>
> 
> <samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"
> ID="r4aaaa888-6607-4d06-bd00-b6e31386f497"
> InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428"
> IssueInstant="2017-05-23T11:08:51Z"
> Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><samlp:Status><samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> ID="a3452e5ef-74cb-4559-8236-5a4994a73f9c"
> IssueInstant="2017-05-23T11:08:51Z"
> Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><saml:Subject><saml:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> SPNameQualifier="">email</saml:NameID><saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
> InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428"
> NotOnOrAfter="2017-05-23T11:23:51Z"
> Recipient="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions
> NotBefore="2017-05-23T11:08:51Z"
> NotOnOrAfter="2017-05-23T11:23:51Z"><saml:AudienceRestriction><saml:Audience>ionic</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement
> AuthnInstant="authnstatement_instant"
> SessionIndex="r4aaaa888-6607-4d06-bd00-b6e31386f497"
> SessionNotOnOrAfter="2017-05-23T11:23:51Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute
> Name="email"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">hans at ionic.com</saml:AttributeValue></saml:Attribute><saml:Attribute
> Name="upn"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">hans at ionic.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
> URI="#a3452e5ef-74cb-4559-8236-5a4994a73f9c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>vZsVj16MJpcpg34UlutAHAcHqrE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>weFHX1LPALmbCcy756YzdEDnqyPXI/URZsvFA5KE50a2L07hDcDkNSfe9FLcwRTm
> 
> wjecs2eJNFAvlPR1QqHtjLlCaI/QUeSPyhOkCvVsrCaQWBH9AbmQRMR1VzEm5nEa
> 
> sXOyF8hsp/sdsW2zGpuJxOfFg/q3tksuJzbOR7cF5GBscEfZRZNmuuI/fJ8p62Lf
> 
> 4dN9dGFSMFzd3nhQ3tpWTi9XZAwD6qJ+15QF7gMsXx1q0tZnj3DClMf+QX4Qh/xt
> 
> 5mhSKvEii8ognd+mJxRLc90pzRdojzQdGIgB2gboP6jWHsGFy+DfPyTFQQ0YO0R2
> 
> 6rQ7u1MIvRjD9bliSNCEaEh/rtPLfcqGwDQF3wyYjiBF7ZmscWOu+k3YeqNYRWu6
> 
> Bh0SCUzeAtlRjB8lmhjWj7iwaXtEqIFX2B/B/W9ToLqrtBHTtPMgIKI4UwA/+dJh
> 
> ZFJef0dJ7RmZmIAWYAn7XctKT4oSPBydTHLifZuSyf5fxtNnmo0bu2NtlIv7NdP4
> 
> o1xh6AAy+zleXsR4MAyJTYX2KurSh1FffIhbxkmNjfR9cq8xcR49xbuSMn3yoPDD
> 
> HxDCmby5D1Nrh6dUb1/9haTeulEfT+eCncgJ/2oWHs89rh813X0kuoWXZwv+4umU
> 
> weNuVA7z90sFklZ+qfANfNH5QiAWwsZfCgkIE4Y3alU=</ds:SignatureValue><ds:KeyInfo><ds:KeyValue>
> 
> <ds:RSAKeyValue>
> 
> <ds:Modulus>
> 
> zlZSZixErcVurJ9puM+51AU8xqu5dvZUpnvV51ozaxmE7cK3SZV5mWS6GdWjz9ix
> 
> fgWxFLcGOEVM/VOAV9MYjsHsIrktZ3zY7qYAEvEIqgCv1++cuI9ChholYHy0Z4r/
> 
> +LXniSLGUV/GAecPeYndof+igQTNgK+kNqT8ohcsO9VptvqZtETg25GyiK/vIsK3
> 
> 5n3h8CLdj6y7hPfYPYZJKjAGbTZ0GrvUV5q5fuNHoBUnl0+D6snfJfEHj/vVtU2O
> 
> 1dhkktoPO0jyOWHyVpLgTT4Yyk2cFgkyyIdO9MDyOLPepxgg4hWS9gIuPBZAZcw1
> 
> 8bPNqenLMyD3h2nz+nvi1towBq6OD7FPJSkNMzhn2rjfXfVoh03N93cvQekRjU/5
> 
> In7H8nfQEo2zqxa1EYSEoEscqOcHT8f4NzQUD0j/7PXIfWiqPh048qSbCJifj9vW
> 
> WnmXdFN3Bt/ThceqXnuIHCCVT4JSEJYLd+FO/ktZngh2p/eTJS2iQrd5Yvpw6RwR
> 
> oSYlSexwwJFa0c2P/iIRO/daaE0Mx6rSPGDthmyR1ue//KCrh/V8JYjDifUVMwOt
> 
> VH1z8K6Qot438tPh25itOo2EAu9fzYXMcoLOlYQSxpwprtfpgMa/gWyXtDusFd5t
> 
> TDGMu8Jt4gti6C8LCO90/8dJ8anMiPT8PuL763yKgis=
> 
> </ds:Modulus>
> 
> <ds:Exponent>
> 
> AQAB
> 
> </ds:Exponent>
> 
> </ds:RSAKeyValue>
> 
> </ds:KeyValue></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>
> 
>  
> 
> What I am wondering is – how precisely did
> <ds:DigestValue>vZsVj16MJpcpg34UlutAHAcHqrE=</ds:DigestValue> get computed?
> 
>  
> 
> One thing I was surprised by when I started using xmlsec was that I had
> to seed the assertion with extra xml before signing such as:
> 
>  
> 
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> 
>                 <ds:SignedInfo>
> 
>                                 <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> 
>                                 <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> 
>                                 <ds:Reference URI="#@reference_uri">
> 
>                                                 <ds:Transforms>
> 
>                                                                
> <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> 
>                                                                
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> 
>                                                 </ds:Transforms>
> 
>                                                 <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> 
>                                                
> <ds:DigestValue></ds:DigestValue>
> 
>                                 </ds:Reference>
> 
>                 </ds:SignedInfo>
> 
>                 <ds:SignatureValue/>
> 
>                 <ds:KeyInfo>
> 
>                                 <ds:KeyValue/>
> 
>                 </ds:KeyInfo>
> 
> </ds:Signature>
> 
>  
> 
> When trying to compute my own digest hash  (which I could never get to
> match xmlsec’s) – is this Xml supposed to be taken into account?
> 
>  
> 
> Sorry, I’m just trying to figure out how to produce a signed assertion
> that my xmlsec driven backend will accept.  Following all of the
> examples and guidelines I could find have failed.
> 
>  
> 
> Much appreciated,
> 
>  
> 
>                 Hans
>

More information about the xmlsec mailing list