Comments (7)
Thanks for reporting this! It might be a few days before I'm able to take a look but I'll try to get to it ASAP.
from goxmldsig.
(1) seems to be solved now. #20 is designed to solve (2). (3) remains unresolved.
Any updates? Thanks.
Sorry for the delay. I've finally gotten some time to work on this project; I'm going to try and have a fix over the next few days.
I've created a provider test in https://github.com/russellhaering/gosaml2, and between the two libraries made a lot of progress towards getting it passing - mostly I've totally reworked how namespaces are handled. All three issues you've identified here are resolved (although item 1 is resolved in the SAML library, by falling back to Assertion validation), but signature verification is still failing with the cert you provided.
Can you test whether this is working as expected for you now?
It's failing at verifySignedInfo. Looking at the canonicalization, we're having problems there as well.
Current:
<dsig:SignedInfo =""><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></dsig:CanonicalizationMethod><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></dsig:SignatureMethod><dsig:Reference URI="#id-rT9rTqxdQC9j34YhVeNayUWC9EbIBgym6gp-MZt-"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></dsig:Transform><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>z1HD/59hv6UOd5+jeG+ihaFWLgI=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo>
Expected:
<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></dsig:CanonicalizationMethod><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></dsig:SignatureMethod><dsig:Reference URI="#id-rT9rTqxdQC9j34YhVeNayUWC9EbIBgym6gp-MZt-"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></dsig:Transform><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>z1HD/59hv6UOd5+jeG+ihaFWLgI=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo>
The test code I'm using:
package dsig

import (
    "crypto/x509"
    "encoding/pem"
    "io/ioutil"
    "testing"

    "github.com/beevik/etree"
    "github.com/stretchr/testify/require"
)

func TestExternalXmlNs(t *testing.T) {
    pemString, err := ioutil.ReadFile("rootxmlns.crt")
    require.Nil(t, err)
    pemBlock, _ := pem.Decode(pemString)
    require.NotNil(t, pemBlock)
    cert, err := x509.ParseCertificate(pemBlock.Bytes)
    require.Nil(t, err)

    doc := etree.NewDocument()
    err = doc.ReadFromFile("rootxmlns.xml")
    require.Nil(t, err)
    assertion := doc.Root().FindElement("./Assertion")
    require.NotNil(t, assertion)

    // The xmlns declarations live on the root, so copy them onto the Assertion
    // before validating it on its own; otherwise prefixes like dsig: no longer resolve.
    for _, x := range doc.Root().Attr {
        if x.Space == "xmlns" {
            assertion.CreateAttr(x.Key, x.Value).Space = x.Space
        }
    }

    ctx := NewDefaultValidationContext(&MemoryX509CertificateStore{Roots: []*x509.Certificate{cert}})
    _, err = ctx.Validate(assertion)
    require.Nil(t, err)
}
The attribute copying looks pretty messy to me. I think it should be handled in this library instead of in gosaml2. Thoughts?
This should be working on master now, and the test case I created in gosaml2 with the values you provided is passing.
As for the level at which this should be handled: the reason for the current structure is that I want to keep the signature verification interface as safe as possible by default. Currently you pass it an element, and that element must have an enveloped signature from a trusted certificate. It will always return either an error or a validated document rooted at the same element. I'm open to adding new validation calls with different behavior, but it's not obvious to me how best to structure a call that might return a partial document, or an only partially validated document.
You're definitely right about the attribute copying being a mess though. I hit that issue repeatedly in the course of fixing this, so I've added a utility method for doing it correctly: https://godoc.org/github.com/russellhaering/goxmldsig/etreeutils#NSSelectOne
Using that, you can simplify your test case to:
package dsig

import (
    "crypto/x509"
    "encoding/pem"
    "io/ioutil"
    "testing"

    "github.com/beevik/etree"
    "github.com/russellhaering/goxmldsig/etreeutils"
    "github.com/stretchr/testify/require"
)

func TestExternalXmlNs(t *testing.T) {
    pemString, err := ioutil.ReadFile("rootxmlns.crt")
    require.Nil(t, err)
    pemBlock, _ := pem.Decode(pemString)
    require.NotNil(t, pemBlock)
    cert, err := x509.ParseCertificate(pemBlock.Bytes)
    require.Nil(t, err)

    doc := etree.NewDocument()
    err = doc.ReadFromFile("rootxmlns.xml")
    require.Nil(t, err)

    // NSSelectOne locates the Assertion by namespace and takes care of the
    // namespace bookkeeping that the attribute-copying loop did by hand.
    unverifiedAssertion, err := etreeutils.NSSelectOne(doc.Root(), "urn:oasis:names:tc:SAML:2.0:assertion", "Assertion")
    require.Nil(t, err) // a test function has no return values, so "return nil, err" does not compile
    require.NotNil(t, unverifiedAssertion)

    ctx := NewDefaultValidationContext(&MemoryX509CertificateStore{Roots: []*x509.Certificate{cert}})
    _, err = ctx.Validate(unverifiedAssertion)
    require.Nil(t, err)
}
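The namespace problem this thread turns on, as an added illustration that is not code from goxmldsig or gosaml2 and uses only the Go standard library: the dsig prefix is declared on the SAML Response root but only used inside the Assertion, so an Assertion detached verbatim no longer resolves dsig: (the `<dsig:SignedInfo ="">` output earlier in the thread is what the canonicalizer produced from an element in that state). ExtractElement walks the document with the non-resolving RawToken decoder, serializes the requested element, reports every prefix the resulting fragment uses without declaring, and, when inheritNS is set, copies the ancestors' in-scope declarations onto the element's start tag, which is the job the thread assigns to NSSelectOne for etree elements. sampleResponse is a constructed document; ExtractElement and flat are names chosen here.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"sort"
	"strings"
)

// sampleResponse is constructed: the dsig prefix is declared on the root but used only inside the Assertion.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"` +
	` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">` +
	`<saml:Assertion ID="a1"><dsig:Signature><dsig:SignedInfo><dsig:CanonicalizationMethod` +
	` Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:SignedInfo></dsig:Signature></saml:Assertion></samlp:Response>`

// flat turns a raw (unresolved) name into one the xml.Encoder writes verbatim, e.g. "dsig:Signature".
func flat(n xml.Name) xml.Name { return xml.Name{Local: strings.TrimPrefix(n.Space+":"+n.Local, ":")} }

// ExtractElement serializes the first element with the given local name, copying the ancestors' in-scope
// xmlns declarations onto its start tag when inheritNS is set, and returns every prefix the fragment uses
// but does not declare (RawToken keeps prefixes as written; Token() would resolve them and hide the problem).
func ExtractElement(doc, localName string, inheritNS bool) (string, []string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var out bytes.Buffer
	enc := xml.NewEncoder(&out)
	var scope []map[string]string // xmlns declarations per open element, keyed "xmlns" or "xmlns:p"
	undeclared, seen := []string(nil), map[string]bool{}
	found, base, depth := false, 0, 0 // base: scope index of the target; depth: nesting inside it
	note := func(p string) {          // record a prefix that nothing in the fragment declares
		skip := p == "" || p == "xmlns" || p == "xml" || seen[p]
		for _, m := range scope[base:] {
			_, declared := m["xmlns:"+p]
			skip = skip || declared
		}
		if !skip {
			seen[p], undeclared = true, append(undeclared, p)
		}
	}
	for tok, err := dec.RawToken(); err != io.EOF; tok, err = dec.RawToken() {
		if err != nil {
			return "", nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			own := map[string]string{}
			for _, a := range t.Attr {
				if a.Name.Space == "xmlns" || (a.Name.Space == "" && a.Name.Local == "xmlns") {
					own[flat(a.Name).Local] = a.Value
				}
			}
			scope = append(scope, own)
			if !found && t.Name.Local != localName {
				continue
			}
			se := xml.StartElement{Name: flat(t.Name)}
			if !found { // found the target: optionally pull the ancestors' declarations onto it
				found, base, depth = true, len(scope)-1, -1
				for i := base - 1; inheritNS && i >= 0; i-- { // nearest ancestor's declaration wins
					for k, v := range scope[i] {
						if _, declared := own[k]; !declared {
							own[k] = v // the target now declares it itself
							se.Attr = append(se.Attr, xml.Attr{Name: xml.Name{Local: k}, Value: v})
						}
					}
				}
				sort.Slice(se.Attr, func(i, j int) bool { return se.Attr[i].Name.Local < se.Attr[j].Name.Local })
			}
			depth++
			note(t.Name.Space)
			for _, a := range t.Attr {
				note(a.Name.Space)
				se.Attr = append(se.Attr, xml.Attr{Name: flat(a.Name), Value: a.Value})
			}
			err = enc.EncodeToken(se)
		case xml.EndElement:
			if len(scope) > 0 {
				scope = scope[:len(scope)-1]
			}
			if found {
				err = enc.EncodeToken(xml.EndElement{Name: flat(t.Name)})
				depth--
			}
		default: // text, comments and PIs inside the subtree pass through, re-escaped by the encoder
			if found {
				err = enc.EncodeToken(tok)
			}
		}
		if err != nil {
			return "", nil, err
		}
		if found && depth < 0 { // the target's own end tag was just written
			err = enc.Flush()
			return out.String(), undeclared, err
		}
	}
	return "", nil, fmt.Errorf("element %q not found", localName)
}
```

With inheritNS false the Assertion comes out exactly as written in the document and the undeclared list reads saml and dsig, the two prefixes it borrows from its parent; with inheritNS true the start tag gains xmlns:dsig, xmlns:saml and xmlns:samlp and the list is empty. Copying the unused samlp declaration along is harmless for the digest, because exclusive canonicalization only emits namespace declarations that are visibly used in the output; what breaks verification is a used prefix with no declaration left to find.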
Tests are passing on my end as well. Closing.