How to validate signature successfully when there are two id attributes in an assertion node?

I have the following SAML v2 XML. Signature validation fails because there are two ID attributes in the assertion node. The value of ID is wrong; the value that the reference URI points to is in the Id attribute. Example below.

<?xml version="1.0"?>
<samlp:Response ID="gbfgoeahcoefemndehmcoeepmpdckdingbafamcb" IssueInstant="2017-08-23T04:44:36Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion ID="fmcpoegiimapenheggdpjojncbljphgcnoalogap" Id="pfx1af01d88-2006-0901-3fa4-c54a400fad3c" IssueInstant="2017-08-23T04:44:36Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>example.com</Issuer>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">foo@example.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2017-08-23T04:54:36Z" Recipient="https://www.example.com/saml/endpoint"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2017-08-23T04:39:36Z" NotOnOrAfter="2017-08-23T04:54:36Z">
            <AudienceRestriction>
                <Audience>https://www.example.com</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2017-08-23T04:44:36Z">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
                <AuthenticatingAuthority>foobarbaz</AuthenticatingAuthority>
            </AuthnContext>
        </AuthnStatement>
        <AttributeStatement>
            <Attribute Name="random">
                <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">foo@example.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#pfx1af01d88-2006-0901-3fa4-c54a400fad3c">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>P4pZAc2fLYvaf92FrVGdgYKcBww=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>tdzLY9Gem64Va9urGwqwvP3G6TjEtEy6Ely+8/D7RQuAFAiy6jcX4bsUwh7zhzoV+Thg8hhjzXBpqSSmDnBhsl6GSMAnAvAelF/eDlQk0+/wH+USYBTD8gvzvxZiB5GU8EgF7F5lLzzof+YrAQ0Zg/TSewdkiNJFLvXSI1Kw5E7lmlTgFv75Myn7kdgFs115JjrIfLcuMePlw20I51CHQK/Fy4S+nqQsJEzT8nYZ0AM6iTUo8zOduLN7DpHn0yK2HNnKXFzCT6o9CGxtcOe+xxo4rL71YFiiGTxh/tk0qWELOeEk3MM4DPyO1qIJ3UNxqX22VGLVmSwTsa/9DKKhcA==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
    </Assertion>
</samlp:Response>

We can see there are two IDs. I am using OpenSAML v3, and it reports a cryptographic signature validation failure. I tried various approaches, such as calling (.setID assertion "pfx1af01d88-2006-0901-3fa4-c54a400fad3c") before signature validation, but they all failed.

My main code is in Clojure. I am also prototyping in Groovy. See the Groovy script.

import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.crypto.dsig.XMLSignature
import javax.xml.crypto.dsig.XMLSignatureFactory
import javax.xml.crypto.dsig.dom.DOMValidateContext
import org.w3c.dom.Element
import java.nio.charset.StandardCharsets

// 'xml' holds the SAML response text shown above; 'key' is the IdP public key (or a KeySelector)
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);   // required: the signature elements are namespace-qualified
db = dbf.newDocumentBuilder();
// read the bytes with an explicit charset; the platform default would alter any non-ASCII content
ByteArrayInputStream bis = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
doc = db.parse(bis);
// look the Signature up by namespace rather than by the "ds:" prefix
nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");

DOMValidateContext ctx = new DOMValidateContext(key, nl.item(0));
println nl.item(0).getParentNode().toString()
// register the Assertion's "Id" attribute (no namespace) as an ID so "#pfx..." can be dereferenced
ctx.setIdAttributeNS((Element) nl.item(0).getParentNode(), null, "Id");

XMLSignatureFactory sigF = XMLSignatureFactory.getInstance("DOM");
XMLSignature xmlSignature = sigF.unmarshalXMLSignature(ctx);

println xmlSignature.validate(ctx)  // returns false

This validation succeeds in C# but does not work in Java. Please help.

I did manual XML-DSIG verification.
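Added example (not the asker's code, nor OpenSAML's): a Java method that registers whichever attribute on the signed element carries the Reference URI fragment, so the dereferencer finds the Assertion whether the attribute is spelled ID or Id, and, when core validation fails, reports separately whether the SignatureValue or the Reference digest is the part that does not verify. It assumes a namespace-aware parsed Document and the IdP's public key as inputs; the class and method names are mine.

```java
import java.security.PublicKey;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.*;

public class SamlSignatureCheck {

    // Validates the enveloped ds:Signature found in 'doc' with the IdP's public key (assumed
    // to come from trusted metadata, not from the message's own KeyInfo). Returns true only
    // when the SignatureValue and every Reference digest validate.
    public static boolean validate(Document doc, PublicKey key) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalStateException("no ds:Signature");
        Element sigEl = (Element) sigs.item(0);
        Element signed = (Element) sigEl.getParentNode();   // enveloped: parent is the signed element
        DOMValidateContext ctx = new DOMValidateContext(key, sigEl);

        // A namespace-aware parse without schema validation types no attribute as ID, so a
        // "#pfx..." URI cannot be dereferenced. Register whichever attribute of the signed
        // element actually carries the referenced value (ID, Id, or anything else).
        NodeList refs = sigEl.getElementsByTagNameNS(XMLSignature.XMLNS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (!uri.startsWith("#")) continue;
            NamedNodeMap attrs = signed.getAttributes();
            for (int j = 0; j < attrs.getLength(); j++) {
                Attr a = (Attr) attrs.item(j);
                if (uri.substring(1).equals(a.getValue())) {
                    ctx.setIdAttributeNS(signed, a.getNamespaceURI(), a.getLocalName());
                }
            }
        }

        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean ok = sig.validate(ctx);
        if (!ok) {
            // Core validation hides the cause: report whether the SignedInfo signature failed or a
            // Reference digest did (content changed after signing, e.g. re-serialized whitespace).
            System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference r = (Reference) o;
                System.out.println("Reference " + r.getURI() + " digest valid: " + r.validate(ctx));
            }
        }
        return ok;
    }
}
```

After a true result, consume the element the Reference resolved to (here the Signature's parent), not an Assertion found by a separate lookup, so that an unsigned element with a duplicate ID cannot be substituted for the verified one.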