SAML-xmlsec1 verification


I signed my SAML 2.0 Response XML with this xmlsec1 command:

xmlsec1 --sign --privkey-pem keys/privkey.pem,keys/cert.pem --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Assertion" --output signed_res.xml saml_response.xml

Here is my XML:

<?xml version="1.0"?>
<!-- Review notes are written as XML comments. The SignedInfo below canonicalizes with
     exclusive C14N *without* comments, so comments are not part of any digest or
     signature input; they are safe while debugging but should not ship in production
     messages. -->
<!-- Structure: this Signature is a child of samlp:Response, yet its Reference names the
     saml:Assertion ID. SAML 2.0 Core section 5.4.2 requires an enveloped signature whose
     single Reference points at the ID of the element that encloses it, so a Signature
     under Response should reference GOSAMLRESPONSE... (or be moved inside the Assertion,
     directly after saml:Issuer, to reference GOSAMLASSERTION...). Signing an element
     other than the enclosing one is also the pattern signature-wrapping attacks exploit,
     and an SP may reject it even once xmlsec1 reports the signature as valid. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="GOSAMLRESPONSE1484161444050744957968075" Version="2.0" IssueInstant="2017-01-10T19:04:04Z" Destination="https://mail.google.com/a/demo.mediaagility.com" InResponseTo="aejlhgifgamagkaobldafdnifhllkclmdkdmgmjf">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://127.0.0.1/login</saml:Issuer>
    <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <!-- The xmlns="...xmldsig#" default namespace on this element is redundant: every
         descendant is already written with the ds: prefix declared on the root. -->
    <ds:Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <!-- rsa-sha1 here and the sha1 DigestMethod below are deprecated for new
                 deployments; prefer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 and
                 http://www.w3.org/2001/04/xmlenc#sha256. SHA-1 signatures are increasingly
                 refused by relying parties. -->
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <!-- DEFECT: the attribute that names the signed element is URI, not ID.
                 xmlsec1 treats a Reference with no URI as a reference to the whole document,
                 so the DigestValue below covers something other than the Assertion the
                 author intended (which also explains why signing "succeeded" despite the
                 id-attr registration naming a non-existent element). It should read
                 URI="#GOSAMLASSERTION1484161444050744957968075", and that ID must be
                 registered with the element's real namespace,
                 urn:oasis:names:tc:SAML:2.0:assertion, on both the sign and verify side. -->
            <ds:Reference ID="#GOSAMLASSERTION1484161444050744957968075">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>7qAlp8q4w58e7v5hQpU/xkbbaSM=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Nx8Kpiglxw+ZwXp80nvM6eH09DyHWNHsFMtIgXXBLKVSiOOc9tlvULKg5+09vRxU
O453dmRZ6OXEnpxkBD6WPC3YzJDoNFLWK+VytshgXLlk+kXMBPP+/fw0imkPP7cO
y8YAjdt6q9+QtSCFztYcIDya3Vrz3i9X0ggck0WcJX4=</ds:SignatureValue>
        <!-- The embedded certificate decodes to subject "Programerska firma" /
             "Neka organizacija d.o.o." (Zagreb, HR), issuer CN=CA, a 1024-bit RSA key,
             validity 2012-12-28 to 2014-12-28. It was already expired on the 2017
             IssueInstant, which is presumably why verification is run with the X509
             skip-strict-checks option. A real IdP needs a current certificate with at
             least a 2048-bit key, and the SP must pin that certificate out of band
             (e.g. via the SP's SSO configuration) rather than trust whatever KeyInfo
             happens to carry. -->
        <ds:KeyInfo>
        <ds:X509Data>
<ds:X509Certificate>MIICtjCCAh+gAwIBAgIJAJTeBUN2i9ZNMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
BAYTAkhSMQ8wDQYDVQQIEwZaYWdyZWIxITAfBgNVBAoTGE5la2Egb3JnYW5pemFj
aWphIGQuby5vLjELMAkGA1UEAxMCQ0EwHhcNMTIxMjI4MTYwODA1WhcNMTQxMjI4
MTYwODA1WjBvMQswCQYDVQQGEwJIUjEPMA0GA1UECBMGWmFncmViMQ8wDQYDVQQH
EwZaYWdyZWIxITAfBgNVBAoTGE5la2Egb3JnYW5pemFjaWphIGQuby5vLjEbMBkG
A1UEAxMSUHJvZ3JhbWVyc2thIGZpcm1hMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQCgWApHV5cma0GY/v/vmwgciDQBgITcitx2rG0F+ghXtGiEJeK75VY7jQwE
UFCbgV+AaOY2NQChK2FKec7Hss/5y+jbWfX2yVwX6TYcCwnOGXenz+cgx2Fwqpu3
ncL6dYJMfdbKvojBaJQLJTaNjRJsZACButDsDtXDSH9QaRy+hQIDAQABo3sweTAJ
BgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0
aWZpY2F0ZTAdBgNVHQ4EFgQUSo9ThP/MOg8QIRWxoPo8qKR8O2wwHwYDVR0jBBgw
FoAUAelckr4bx8MwZ7y+VlHE46Mbo+cwDQYJKoZIhvcNAQEFBQADgYEAy19Z7Z5/
/MlWkogu41s0RxL9ffG60QQ0Y8hhDTmgHNx1itj0wT8pB7M4KVMbZ4hjjSFsfRq4
Vj7jm6LwU0WtZ3HGl8TygTh8AAJvbLROnTjLL5MqI9d9pKvIIfZ2Qs3xmJ7JEv4H
UHeBXxQq/GmfBv3l+V5ObQ+EHKnyDodLHCk=</ds:X509Certificate>
</ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <!-- Bearer assertion. Both SubjectConfirmationData/@NotOnOrAfter and
         Conditions/@NotOnOrAfter are two days after IssueInstant; that is an unusually
         long replay window for a bearer token, and a few minutes is the usual practice.
         Recipient, Audience and InResponseTo do match the Response's Destination and
         InResponseTo, which is what the SP will check them against. -->
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="GOSAMLASSERTION1484161444050744957968075" Version="2.0" IssueInstant="2017-01-10T19:04:04Z">
        <saml:Issuer>https://127.0.0.1/login</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">[email protected]</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2017-01-12T19:04:04Z" Recipient="https://mail.google.com/a/demo.mediaagility.com" InResponseTo="aejlhgifgamagkaobldafdnifhllkclmdkdmgmjf"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2017-01-10T19:04:04Z" NotOnOrAfter="2017-01-12T19:04:04Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://mail.google.com/a/demo.mediaagility.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2017-01-10T19:04:04Z" SessionNotOnOrAfter="2017-01-12T19:04:04Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

but when I verify with the following command (note that it reads `saml_response.xml`, the unsigned input, rather than the `signed_res.xml` that `--sign` wrote to):

xmlsec1 --verify --X509-skip-strict-checks --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Assertion" --trusted-pem keys/cacert.pem saml_response.xml

I am getting this:

func=xmlSecBase64Decode:file=base64.c:line=740:obj=unknown:subj=buf != NULL:error=100:assertion: 
func=xmlSecBufferBase64NodeContentRead:file=buffer.c:line=563:obj=unknown:subj=xmlSecBase64Decode:error=1:xmlsec library function failed: 
func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1776:obj=sha1:subj=xmlSecBufferBase64NodeContentRead:error=1:xmlsec library function failed: 
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1602:obj=unknown:subj=xmlSecTransformVerifyNodeContent:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: 
Error: signature failed 
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "saml_response.xml"

I want to use SAML single sign-on with Google as the service provider (SP) and my own server as the identity provider (IdP).

