[xmlsec] Difference between signature check for SAML and in the command line?

Yoann Gini yoann.gini at gmail.com
Sun Jul 3 07:39:24 UTC 2022


Thanks Aleksey and Timothy for helping.

The issue was that I've used a simple key pair instead of a (self-)signed certificate. I should have thought about it before.

Those two questions put me on the right track, specifying X509:

> On Jul 3, 2022, at 02:54, Aleksey Sanin <aleksey at aleksey.com> wrote:
> BTW, did you submit the trusted IdP X509 certificate to the samltool?
> https://www.samltool.com/validate_response.php

> On Jul 3, 2022, at 04:09, Timothy Legge <timlegge at gmail.com> wrote:
> I tested against perl's XML::Sig and that was the result.
> It is likely possible to validate if I had the public certificate in
> PEM format (not the public key itself).
> https://www.samltool.com/validate_response.php requires the public
> certificate to validate against.

For the record and to help other users, answers below to the other parts of your messages:

> On Jul 2, 2022, at 8:43 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> What error(s) do you get from these tools?

From samltest I get this:

2022-07-02 23:07:56 DEBUG OpenSAML.MessageDecoder.SAML2 [73237] [default]: extracting issuer from SAML 2.0 protocol message
2022-07-02 23:07:56 DEBUG OpenSAML.MessageDecoder.SAML2 [73237] [default]: message from (
2022-07-02 23:07:56 DEBUG OpenSAML.MessageDecoder.SAML2 [73237] [default]: searching metadata for message issuer...
2022-07-02 23:07:56 DEBUG OpenSAML.MessageDecoder.SAML2 [73237] [default]: recovered request/response correlation value (_282e31dacdbbdd363615c3fe8a207991)
2022-07-02 23:07:56 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [73237] [default]: evaluating message flow policy (correlation off, replay checking on, expiration 60)
2022-07-02 23:07:56 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [73237] [default]: ignoring InResponseTo, correlation checking is disabled
2022-07-02 23:07:56 DEBUG XMLTooling.StorageService [73237] [default]: inserted record (_D6906242-34B2-4441-8467-63FDB8D11EA5) in context (MessageFlow) with expiration (1656803511)
2022-07-02 23:07:56 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [73237] [default]: validating signature profile
2022-07-02 23:07:56 WARN OpenSAML.SecurityPolicyRule.XMLSigning [73237] [default]: unable to verify message signature with supplied trust engine
2022-07-02 23:07:56 WARN Shibboleth.SSO.SAML2 [73237] [default]: error processing incoming assertion: Message was signed, but signature could not be verified.

And from samltool:

Response signature validation failed.

> On Jul 3, 2022, at 02:54, Aleksey Sanin <aleksey at aleksey.com> wrote:
> You also probably want to put KeyInfo with X509 cert (or full certs chain) for the private key used for signing into the signature itself.


> On Jul 3, 2022, at 04:09, Timothy Legge <timlegge at gmail.com> wrote:
> The SamlResponse does not include a key type or KeyInfo in the
> document.

Regarding the KeyInfo part: it's optional in SAML; we are supposed to provide this public key by another method before the first use, usually with a metadata exchange between SP and IdP that happens over HTTPS.

The signature key doesn't have to be signed by an authority in SAML due to that point. The metadata exchange happens over a valid HTTPS stream which then gives the trust to the keys.

But as I learned today, it has to be an actual certificate, not just a public key, even if self-signed.
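An added example, not from this thread or from the xmlsec project: a small standard-library Python check that reports whether a SAML Response's ds:KeyInfo carries an X509Certificate or only a bare ds:KeyValue (the situation described above), and whether that certificate is one the IdP metadata publishes for signing. The Response and metadata documents are constructed samples, and the embedded "certificate" is a placeholder blob rather than real DER.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#", "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
KEYINFO = ".//ds:Signature/ds:KeyInfo"

def _der(b64_text):
    # Base64 in XML is usually line-wrapped; drop all whitespace before decoding.
    return base64.b64decode("".join(b64_text.split()))

def classify_keyinfo(response_xml):
    """'x509' = certificate present, 'bare-key' = only ds:KeyValue, 'absent' = no KeyInfo."""
    keyinfo = ET.fromstring(response_xml).find(KEYINFO, NS)
    if keyinfo is None:
        return "absent"
    if keyinfo.find("ds:X509Data/ds:X509Certificate", NS) is not None:
        return "x509"
    if keyinfo.find("ds:KeyValue", NS) is not None:
        return "bare-key"
    return "other"  # e.g. only a ds:KeyName

def metadata_signing_certs(metadata_xml):
    """DER certs the IdP metadata publishes for signing (no 'use' attribute = signing and encryption)."""
    root = ET.fromstring(metadata_xml)
    return [_der(c.text)
            for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]

def cert_matches_metadata(response_xml, metadata_xml):
    """True only if the Response embeds a cert already trusted via metadata; a bare key never matches."""
    cert = ET.fromstring(response_xml).find(KEYINFO + "/ds:X509Data/ds:X509Certificate", NS)
    return cert is not None and _der(cert.text) in metadata_signing_certs(metadata_xml)

# Constructed sample documents; the 'certificate' is a placeholder blob, not real DER.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
WRAPPED = FAKE_CERT[:24] + "\n      " + FAKE_CERT[24:]   # wrapped like real XML base64
_HDR = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo/>'
        '<ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo>')
_TAIL = '</ds:KeyInfo></ds:Signature></samlp:Response>'
RESPONSE_X509 = f'{_HDR}<ds:X509Data><ds:X509Certificate>{WRAPPED}</ds:X509Certificate></ds:X509Data>{_TAIL}'
RESPONSE_BARE_KEY = (f'{_HDR}<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>'
                     f'<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>{_TAIL}')
METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
```

Run `classify_keyinfo` on your own Response before feeding it to samltool or Shibboleth: a "bare-key" result is exactly the case these tools refuse to verify, even when xmlsec1 on the command line accepts the signature.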

