-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fails to validate responses from TrustLogin #55
base: master
Are you sure you want to change the base?
Conversation
|
Ah, hmm, that doesn't seem to be the case. It does look more like the problem is somewhere in how we process the XML. If I take the base64-decoded XML, manually remove the signature, run it through canonicalisation, and then calculate the hash, I end up with Manually done (correct hash)Base64-decoded response: <samlp:Response ID="_25221830-1c92-013c-0fd7-0242ac110006" Version="2.0" IssueInstant="2023-08-14T05:34:21Z" Destination="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="idd3205814ec823db32ea06686589747be" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_25221830-1c92-013c-0fd7-0242ac110006"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>jl2vwkcJmnjfAyL4SyPESS6SdW0vIKIimDfOXntDfb8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>GvYcB5rPR7bVvCs/Kqu70js/9JPslEqfQHdVOlHQQh0fMPvQwkzcZHGPtngRZIk22IS1a7m9+eMxqnzOdPs2TMXf/R0wx3NhJyAMHVxFT/pTdITUMmQbRSV/knPDuPDoluw1+ng2m5IVN6t6ya0V5+ldYecMoIS5HDg8XIuVTuljD6rU3KOAfUZ0y0zeaq3FWPSvAxd5jfs3uX8JNb4uPwyS8IZYaB7EJjY/QWfOY7wqGoLBwylf/QDewiLwLorGCgbaKQWo+v6g4CIg3VZulK+CqavS3Ax1H/nc7TcaZd8MCsH6f3eSZMEv8celxgGmkQk70ry69Js5zb9WQ5E/cw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDMzCCAhugAwIBAgIVANMNnkEBAZZT21ecmEs11XdA22uCMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzAeFw0yMzA4MTQwNTI3MzhaFw0zMzA4MTQwNTI3MzhaMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4PFYG7j0DKWgMkQ08Nz9z2f/WTFh6xUi3Pk5jHyIPQbwTW0TdPfXV8Gj5gl//nH+KMILS8WJHnY9RDUK0hkqUBAZLiX/HUDMcwOZ+8OPZSl/imtJTtoTEE6hBJEiT0sgtxS0bOI1TWdhnWiNMDO+Acp+K+0m8AGz9BgOyUT0TJN9wstyfpgASEK2Oy6VNhYfeCQ4QU47aZDhq/1Ei01wWLlIWZ4uZl9uzcROnKsmEmbkT+uAf5tcLG9PjR+XB58AiMvpufhvjsfnp9qVBTiTmgup9zbYfhzkNTKmr1Axi/FES5j7lfroWCSbr4dDw4S8wxTuUlF1v77PQ+/DFXVWMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAc4EQUPj2jCUjOJZX4UGvvxu8jA+vjcC5armcZTSno+4AZ73JbZRU1NwxqzY+13W+m9DKN8bj6gRTHQeWptawrigABVROyNaYNeI+2wXcdf2eSqaS7pMSYKEzPAeSEk1ZPwh1/OvmmZLHhvSVaVxuou32x1NM6UaXIQlUUsS8x3NDETfTxDzSisusF5aCJxu9ONXCLUd3s75xn8zXPv1OluEJ1pcq6xHwaoDvwXV2l5eQdWvbZCulKQAy8dnUx0JOBFQg6UamxlKOKKNdOa6FU7M8wpZx0cNbCEME+KPthUFIIxHIvv0mOjPfJFzjCKicUHsVpdtQixe1L9gyLEtKTg==</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_252218e0-1c92-013c-0fd7-0242ac110006" IssueInstant="2023-08-14T05:34:21Z" Version="2.0"><Issuer>https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_252218e0-1c92-013c-0fd7-0242ac110006"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>gSWFLkQbebH/gsAzY6fblPf4sFsdZfnTcAmySTTF95M=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>L48AXgwVFB/w7DyMdNsrLeLobBQYr95FWYoAHwT45cymHm8axBvzS2jHRBCzsWI94choy/xCI+XiVqx+IQcv+8hOIhDGbU7xUFQSFxYkU5DeqSE3znSom3+8WgF29B2pINaRBFZmGzUXGHCA+eYY7rGhss2YewGNiDiHFfpMODjT8BhJBZ5qa+A+K1rkZPwlo7FxlOhG0Cp4IyFJCSP6y/sf2vKJWQPX4rexHUmwcoIPyZJIUj+4bzuM/zq+DV5T1nxXhbYOBAdkUAHB2vEqaqMrA7a27FwShcfhMhfWB7mxrXhCz9YSINR1NUCYxkekKuWHEnkDDEhcem5PFzB02g==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDMzCCAhugAwIBAgIVANMNnkEBAZZT21ecmEs11XdA22uCMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzAeFw0yMzA4MTQwNTI3MzhaFw0zMzA4MTQwNTI3MzhaMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4PFYG7j0DKWgMkQ08Nz9z2f/WTFh6xUi3Pk5jHyIPQbwTW0TdPfXV8Gj5gl//nH+KMILS8WJHnY9RDUK0hkqUBAZLiX/HUDMcwOZ+8OPZSl/imtJTtoTEE6hBJEiT0sgtxS0bOI1TWdhnWiNMDO+Acp+K+0m8AGz9BgOyUT0TJN9wstyfpgASEK2Oy6VNhYfeCQ4QU47aZDhq/1Ei01wWLlIWZ4uZl9uzcROnKsmEmbkT+uAf5tcLG9PjR+XB58AiMvpufhvjsfnp9qVBTiTmgup9zbYfhzkNTKmr1Axi/FES5j7lfroWCSbr4dDw4S8wxTuUlF1v77PQ+/DFXVWMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAc4EQUPj2jCUjOJZX4UGvvxu8jA+vjcC5armcZTSno+4AZ73JbZRU1NwxqzY+13W+m9DKN8bj6gRTHQeWptawrigABVROyNaYNeI+2wXcdf2eSqaS7pMSYKEzPAeSEk1ZPwh1/OvmmZLHhvSVaVxuou32x1NM6UaXIQlUUsS8x3NDETfTxDzSisusF5aCJxu9ONXCLUd3s75xn8zXPv1OluEJ1pcq6xHwaoDvwXV2l5eQdWvbZCulKQAy8dnUx0JOBFQg6UamxlKOKKNdOa6FU7M8wpZx0cNbCEME+KPthUFIIxHIvv0mOjPfJFzjCKicUHsVpdtQixe1L9gyLEtKTg==</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="idd3205814ec823db32ea06686589747be" NotOnOrAfter="2023-08-14T05:37:21Z" Recipient="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="2023-08-14T05:34:16Z" NotOnOrAfter="2023-08-14T06:34:21Z"><AudienceRestriction><Audience>https://v1.beta.ja-sore.de/</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2023-08-14T05:34:21Z" SessionIndex="_252218e0-1c92-013c-0fd7-0242ac110006"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response> Signature removed manually: <samlp:Response ID="_25221830-1c92-013c-0fd7-0242ac110006" Version="2.0" IssueInstant="2023-08-14T05:34:21Z" Destination="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="idd3205814ec823db32ea06686589747be" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_252218e0-1c92-013c-0fd7-0242ac110006" IssueInstant="2023-08-14T05:34:21Z" Version="2.0"><Issuer>https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_252218e0-1c92-013c-0fd7-0242ac110006"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>gSWFLkQbebH/gsAzY6fblPf4sFsdZfnTcAmySTTF95M=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>L48AXgwVFB/w7DyMdNsrLeLobBQYr95FWYoAHwT45cymHm8axBvzS2jHRBCzsWI94choy/xCI+XiVqx+IQcv+8hOIhDGbU7xUFQSFxYkU5DeqSE3znSom3+8WgF29B2pINaRBFZmGzUXGHCA+eYY7rGhss2YewGNiDiHFfpMODjT8BhJBZ5qa+A+K1rkZPwlo7FxlOhG0Cp4IyFJCSP6y/sf2vKJWQPX4rexHUmwcoIPyZJIUj+4bzuM/zq+DV5T1nxXhbYOBAdkUAHB2vEqaqMrA7a27FwShcfhMhfWB7mxrXhCz9YSINR1NUCYxkekKuWHEnkDDEhcem5PFzB02g==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDMzCCAhugAwIBAgIVANMNnkEBAZZT21ecmEs11XdA22uCMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzAeFw0yMzA4MTQwNTI3MzhaFw0zMzA4MTQwNTI3MzhaMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4PFYG7j0DKWgMkQ08Nz9z2f/WTFh6xUi3Pk5jHyIPQbwTW0TdPfXV8Gj5gl//nH+KMILS8WJHnY9RDUK0hkqUBAZLiX/HUDMcwOZ+8OPZSl/imtJTtoTEE6hBJEiT0sgtxS0bOI1TWdhnWiNMDO+Acp+K+0m8AGz9BgOyUT0TJN9wstyfpgASEK2Oy6VNhYfeCQ4QU47aZDhq/1Ei01wWLlIWZ4uZl9uzcROnKsmEmbkT+uAf5tcLG9PjR+XB58AiMvpufhvjsfnp9qVBTiTmgup9zbYfhzkNTKmr1Axi/FES5j7lfroWCSbr4dDw4S8wxTuUlF1v77PQ+/DFXVWMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAc4EQUPj2jCUjOJZX4UGvvxu8jA+vjcC5armcZTSno+4AZ73JbZRU1NwxqzY+13W+m9DKN8bj6gRTHQeWptawrigABVROyNaYNeI+2wXcdf2eSqaS7pMSYKEzPAeSEk1ZPwh1/OvmmZLHhvSVaVxuou32x1NM6UaXIQlUUsS8x3NDETfTxDzSisusF5aCJxu9ONXCLUd3s75xn8zXPv1OluEJ1pcq6xHwaoDvwXV2l5eQdWvbZCulKQAy8dnUx0JOBFQg6UamxlKOKKNdOa6FU7M8wpZx0cNbCEME+KPthUFIIxHIvv0mOjPfJFzjCKicUHsVpdtQixe1L9gyLEtKTg==</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="idd3205814ec823db32ea06686589747be" NotOnOrAfter="2023-08-14T05:37:21Z" Recipient="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="2023-08-14T05:34:16Z" NotOnOrAfter="2023-08-14T06:34:21Z"><AudienceRestriction><Audience>https://v1.beta.ja-sore.de/</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2023-08-14T05:34:21Z" SessionIndex="_252218e0-1c92-013c-0fd7-0242ac110006"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response> Canonicalised: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login" ID="_25221830-1c92-013c-0fd7-0242ac110006" InResponseTo="idd3205814ec823db32ea06686589747be" IssueInstant="2023-08-14T05:34:21Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_252218e0-1c92-013c-0fd7-0242ac110006" IssueInstant="2023-08-14T05:34:21Z" Version="2.0"><Issuer>https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_252218e0-1c92-013c-0fd7-0242ac110006"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>gSWFLkQbebH/gsAzY6fblPf4sFsdZfnTcAmySTTF95M=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>L48AXgwVFB/w7DyMdNsrLeLobBQYr95FWYoAHwT45cymHm8axBvzS2jHRBCzsWI94choy/xCI+XiVqx+IQcv+8hOIhDGbU7xUFQSFxYkU5DeqSE3znSom3+8WgF29B2pINaRBFZmGzUXGHCA+eYY7rGhss2YewGNiDiHFfpMODjT8BhJBZ5qa+A+K1rkZPwlo7FxlOhG0Cp4IyFJCSP6y/sf2vKJWQPX4rexHUmwcoIPyZJIUj+4bzuM/zq+DV5T1nxXhbYOBAdkUAHB2vEqaqMrA7a27FwShcfhMhfWB7mxrXhCz9YSINR1NUCYxkekKuWHEnkDDEhcem5PFzB02g==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDMzCCAhugAwIBAgIVANMNnkEBAZZT21ecmEs11XdA22uCMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzAeFw0yMzA4MTQwNTI3MzhaFw0zMzA4MTQwNTI3MzhaMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4PFYG7j0DKWgMkQ08Nz9z2f/WTFh6xUi3Pk5jHyIPQbwTW0TdPfXV8Gj5gl//nH+KMILS8WJHnY9RDUK0hkqUBAZLiX/HUDMcwOZ+8OPZSl/imtJTtoTEE6hBJEiT0sgtxS0bOI1TWdhnWiNMDO+Acp+K+0m8AGz9BgOyUT0TJN9wstyfpgASEK2Oy6VNhYfeCQ4QU47aZDhq/1Ei01wWLlIWZ4uZl9uzcROnKsmEmbkT+uAf5tcLG9PjR+XB58AiMvpufhvjsfnp9qVBTiTmgup9zbYfhzkNTKmr1Axi/FES5j7lfroWCSbr4dDw4S8wxTuUlF1v77PQ+/DFXVWMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAc4EQUPj2jCUjOJZX4UGvvxu8jA+vjcC5armcZTSno+4AZ73JbZRU1NwxqzY+13W+m9DKN8bj6gRTHQeWptawrigABVROyNaYNeI+2wXcdf2eSqaS7pMSYKEzPAeSEk1ZPwh1/OvmmZLHhvSVaVxuou32x1NM6UaXIQlUUsS8x3NDETfTxDzSisusF5aCJxu9ONXCLUd3s75xn8zXPv1OluEJ1pcq6xHwaoDvwXV2l5eQdWvbZCulKQAy8dnUx0JOBFQg6UamxlKOKKNdOa6FU7M8wpZx0cNbCEME+KPthUFIIxHIvv0mOjPfJFzjCKicUHsVpdtQixe1L9gyLEtKTg==</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="idd3205814ec823db32ea06686589747be" NotOnOrAfter="2023-08-14T05:37:21Z" Recipient="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="2023-08-14T05:34:16Z" NotOnOrAfter="2023-08-14T06:34:21Z"><AudienceRestriction><Audience>https://v1.beta.ja-sore.de/</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2023-08-14T05:34:21Z" SessionIndex="_252218e0-1c92-013c-0fd7-0242ac110006"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response> Library (incorrect hash)Signature removed automatically: <?xml version="1.0" encoding="UTF-8"?><samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login" ID="_25221830-1c92-013c-0fd7-0242ac110006" InResponseTo="idd3205814ec823db32ea06686589747be" IssueInstant="2023-08-14T05:34:21Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_252218e0-1c92-013c-0fd7-0242ac110006" IssueInstant="2023-08-14T05:34:21Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_252218e0-1c92-013c-0fd7-0242ac110006"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>gSWFLkQbebH/gsAzY6fblPf4sFsdZfnTcAmySTTF95M=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>L48AXgwVFB/w7DyMdNsrLeLobBQYr95FWYoAHwT45cymHm8axBvzS2jHRBCzsWI94choy/xCI+XiVqx+IQcv+8hOIhDGbU7xUFQSFxYkU5DeqSE3znSom3+8WgF29B2pINaRBFZmGzUXGHCA+eYY7rGhss2YewGNiDiHFfpMODjT8BhJBZ5qa+A+K1rkZPwlo7FxlOhG0Cp4IyFJCSP6y/sf2vKJWQPX4rexHUmwcoIPyZJIUj+4bzuM/zq+DV5T1nxXhbYOBAdkUAHB2vEqaqMrA7a27FwShcfhMhfWB7mxrXhCz9YSINR1NUCYxkekKuWHEnkDDEhcem5PFzB02g==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIDMzCCAhugAwIBAgIVANMNnkEBAZZT21ecmEs11XdA22uCMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzAeFw0yMzA4MTQwNTI3MzhaFw0zMzA4MTQwNTI3MzhaMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4PFYG7j0DKWgMkQ08Nz9z2f/WTFh6xUi3Pk5jHyIPQbwTW0TdPfXV8Gj5gl//nH+KMILS8WJHnY9RDUK0hkqUBAZLiX/HUDMcwOZ+8OPZSl/imtJTtoTEE6hBJEiT0sgtxS0bOI1TWdhnWiNMDO+Acp+K+0m8AGz9BgOyUT0TJN9wstyfpgASEK2Oy6VNhYfeCQ4QU47aZDhq/1Ei01wWLlIWZ4uZl9uzcROnKsmEmbkT+uAf5tcLG9PjR+XB58AiMvpufhvjsfnp9qVBTiTmgup9zbYfhzkNTKmr1Axi/FES5j7lfroWCSbr4dDw4S8wxTuUlF1v77PQ+/DFXVWMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAc4EQUPj2jCUjOJZX4UGvvxu8jA+vjcC5armcZTSno+4AZ73JbZRU1NwxqzY+13W+m9DKN8bj6gRTHQeWptawrigABVROyNaYNeI+2wXcdf2eSqaS7pMSYKEzPAeSEk1ZPwh1/OvmmZLHhvSVaVxuou32x1NM6UaXIQlUUsS8x3NDETfTxDzSisusF5aCJxu9ONXCLUd3s75xn8zXPv1OluEJ1pcq6xHwaoDvwXV2l5eQdWvbZCulKQAy8dnUx0JOBFQg6UamxlKOKKNdOa6FU7M8wpZx0cNbCEME+KPthUFIIxHIvv0mOjPfJFzjCKicUHsVpdtQixe1L9gyLEtKTg==</X509Certificate></X509Data></KeyInfo></ds:Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="idd3205814ec823db32ea06686589747be" NotOnOrAfter="2023-08-14T05:37:21Z" Recipient="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2023-08-14T05:34:16Z" NotOnOrAfter="2023-08-14T06:34:21Z"><AudienceRestriction><Audience>https://v1.beta.ja-sore.de/</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2023-08-14T05:34:21Z" SessionIndex="_252218e0-1c92-013c-0fd7-0242ac110006"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response> Canonicalised: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login" ID="_25221830-1c92-013c-0fd7-0242ac110006" InResponseTo="idd3205814ec823db32ea06686589747be" IssueInstant="2023-08-14T05:34:21Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_252218e0-1c92-013c-0fd7-0242ac110006" IssueInstant="2023-08-14T05:34:21Z" Version="2.0"><Issuer>https://portal.trustlogin.com/herp-inc/idp/112693/saml</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_252218e0-1c92-013c-0fd7-0242ac110006"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>gSWFLkQbebH/gsAzY6fblPf4sFsdZfnTcAmySTTF95M=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>L48AXgwVFB/w7DyMdNsrLeLobBQYr95FWYoAHwT45cymHm8axBvzS2jHRBCzsWI94choy/xCI+XiVqx+IQcv+8hOIhDGbU7xUFQSFxYkU5DeqSE3znSom3+8WgF29B2pINaRBFZmGzUXGHCA+eYY7rGhss2YewGNiDiHFfpMODjT8BhJBZ5qa+A+K1rkZPwlo7FxlOhG0Cp4IyFJCSP6y/sf2vKJWQPX4rexHUmwcoIPyZJIUj+4bzuM/zq+DV5T1nxXhbYOBAdkUAHB2vEqaqMrA7a27FwShcfhMhfWB7mxrXhCz9YSINR1NUCYxkekKuWHEnkDDEhcem5PFzB02g==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIDMzCCAhugAwIBAgIVANMNnkEBAZZT21ecmEs11XdA22uCMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzAeFw0yMzA4MTQwNTI3MzhaFw0zMzA4MTQwNTI3MzhaMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4PFYG7j0DKWgMkQ08Nz9z2f/WTFh6xUi3Pk5jHyIPQbwTW0TdPfXV8Gj5gl//nH+KMILS8WJHnY9RDUK0hkqUBAZLiX/HUDMcwOZ+8OPZSl/imtJTtoTEE6hBJEiT0sgtxS0bOI1TWdhnWiNMDO+Acp+K+0m8AGz9BgOyUT0TJN9wstyfpgASEK2Oy6VNhYfeCQ4QU47aZDhq/1Ei01wWLlIWZ4uZl9uzcROnKsmEmbkT+uAf5tcLG9PjR+XB58AiMvpufhvjsfnp9qVBTiTmgup9zbYfhzkNTKmr1Axi/FES5j7lfroWCSbr4dDw4S8wxTuUlF1v77PQ+/DFXVWMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAc4EQUPj2jCUjOJZX4UGvvxu8jA+vjcC5armcZTSno+4AZ73JbZRU1NwxqzY+13W+m9DKN8bj6gRTHQeWptawrigABVROyNaYNeI+2wXcdf2eSqaS7pMSYKEzPAeSEk1ZPwh1/OvmmZLHhvSVaVxuou32x1NM6UaXIQlUUsS8x3NDETfTxDzSisusF5aCJxu9ONXCLUd3s75xn8zXPv1OluEJ1pcq6xHwaoDvwXV2l5eQdWvbZCulKQAy8dnUx0JOBFQg6UamxlKOKKNdOa6FU7M8wpZx0cNbCEME+KPthUFIIxHIvv0mOjPfJFzjCKicUHsVpdtQixe1L9gyLEtKTg==</X509Certificate></X509Data></KeyInfo></ds:Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="idd3205814ec823db32ea06686589747be" NotOnOrAfter="2023-08-14T05:37:21Z" Recipient="https://bikkuri.v1.beta.ja-sore.de/auth/page/saml2/login"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="2023-08-14T05:34:16Z" NotOnOrAfter="2023-08-14T06:34:21Z"><AudienceRestriction><Audience>https://v1.beta.ja-sore.de/</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2023-08-14T05:34:21Z" SessionIndex="_252218e0-1c92-013c-0fd7-0242ac110006"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response> If we diff the canonicalised XML we can clearly see what the difference is: diff --git a/man-canon.xml b/lib-canon.xml
index 0d66c57..8203f66 100644
--- a/man-canon.xml
+++ b/lib-canon.xml
@@ -28,10 +28,10 @@
<ds:SignatureValue>
L48AXgwVFB/w7DyMdNsrLeLobBQYr95FWYoAHwT45cymHm8axBvzS2jHRBCzsWI94choy/xCI+XiVqx+IQcv+8hOIhDGbU7xUFQSFxYkU5DeqSE3znSom3+8WgF29B2pINaRBFZmGzUXGHCA+eYY7rGhss2YewGNiDiHFfpMODjT8BhJBZ5qa+A+K1rkZPwlo7FxlOhG0Cp4IyFJCSP6y/sf2vKJWQPX4rexHUmwcoIPyZJIUj+4bzuM/zq+DV5T1nxXhbYOBAdkUAHB2vEqaqMrA7a27FwShcfhMhfWB7mxrXhCz9YSINR1NUCYxkekKuWHEnkDDEhcem5PFzB02g==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
- <ds:X509Data>
- <ds:X509Certificate>
- MIIDMzCCAhugAwIBAgIVANMNnkEBAZZT21ecmEs11XdA22uCMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzAeFw0yMzA4MTQwNTI3MzhaFw0zMzA4MTQwNTI3MzhaMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4PFYG7j0DKWgMkQ08Nz9z2f/WTFh6xUi3Pk5jHyIPQbwTW0TdPfXV8Gj5gl//nH+KMILS8WJHnY9RDUK0hkqUBAZLiX/HUDMcwOZ+8OPZSl/imtJTtoTEE6hBJEiT0sgtxS0bOI1TWdhnWiNMDO+Acp+K+0m8AGz9BgOyUT0TJN9wstyfpgASEK2Oy6VNhYfeCQ4QU47aZDhq/1Ei01wWLlIWZ4uZl9uzcROnKsmEmbkT+uAf5tcLG9PjR+XB58AiMvpufhvjsfnp9qVBTiTmgup9zbYfhzkNTKmr1Axi/FES5j7lfroWCSbr4dDw4S8wxTuUlF1v77PQ+/DFXVWMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAc4EQUPj2jCUjOJZX4UGvvxu8jA+vjcC5armcZTSno+4AZ73JbZRU1NwxqzY+13W+m9DKN8bj6gRTHQeWptawrigABVROyNaYNeI+2wXcdf2eSqaS7pMSYKEzPAeSEk1ZPwh1/OvmmZLHhvSVaVxuou32x1NM6UaXIQlUUsS8x3NDETfTxDzSisusF5aCJxu9ONXCLUd3s75xn8zXPv1OluEJ1pcq6xHwaoDvwXV2l5eQdWvbZCulKQAy8dnUx0JOBFQg6UamxlKOKKNdOa6FU7M8wpZx0cNbCEME+KPthUFIIxHIvv0mOjPfJFzjCKicUHsVpdtQixe1L9gyLEtKTg==</ds:X509Certificate>
- </ds:X509Data>
+ <X509Data>
+ <X509Certificate>
+ MIIDMzCCAhugAwIBAgIVANMNnkEBAZZT21ecmEs11XdA22uCMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzAeFw0yMzA4MTQwNTI3MzhaFw0zMzA4MTQwNTI3MzhaMFMxCzAJBgNVBAYTAkpQMRwwGgYDVQQKDBNHTU8gR2xvYmFsU2lnbiBLLksuMRMwEQYDVQQLDApUcnVzdExvZ2luMREwDwYDVQQDDAhoZXJwLWluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4PFYG7j0DKWgMkQ08Nz9z2f/WTFh6xUi3Pk5jHyIPQbwTW0TdPfXV8Gj5gl//nH+KMILS8WJHnY9RDUK0hkqUBAZLiX/HUDMcwOZ+8OPZSl/imtJTtoTEE6hBJEiT0sgtxS0bOI1TWdhnWiNMDO+Acp+K+0m8AGz9BgOyUT0TJN9wstyfpgASEK2Oy6VNhYfeCQ4QU47aZDhq/1Ei01wWLlIWZ4uZl9uzcROnKsmEmbkT+uAf5tcLG9PjR+XB58AiMvpufhvjsfnp9qVBTiTmgup9zbYfhzkNTKmr1Axi/FES5j7lfroWCSbr4dDw4S8wxTuUlF1v77PQ+/DFXVWMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAc4EQUPj2jCUjOJZX4UGvvxu8jA+vjcC5armcZTSno+4AZ73JbZRU1NwxqzY+13W+m9DKN8bj6gRTHQeWptawrigABVROyNaYNeI+2wXcdf2eSqaS7pMSYKEzPAeSEk1ZPwh1/OvmmZLHhvSVaVxuou32x1NM6UaXIQlUUsS8x3NDETfTxDzSisusF5aCJxu9ONXCLUd3s75xn8zXPv1OluEJ1pcq6xHwaoDvwXV2l5eQdWvbZCulKQAy8dnUx0JOBFQg6UamxlKOKKNdOa6FU7M8wpZx0cNbCEME+KPthUFIIxHIvv0mOjPfJFzjCKicUHsVpdtQixe1L9gyLEtKTg==</X509Certificate>
+ </X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
This difference, however, is already present in the pre-canonicalised XML. The problem is therefore somewhere in the code that parses the XML and removes the signature. The removal of the namespace in that one place is surprising since we set diff --git a/keyinfo-okta.xml b/keyinfo-trustlogin.xml
index e1a546f..baf6e16 100644
--- a/keyinfo-okta.xml
+++ b/keyinfo-trustlogin.xml
@@ -1,4 +1,4 @@
-<ds:KeyInfo>
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
</ds:X509Data>
-</ds:KeyInfo>
+</KeyInfo> |
I have had a quick look to see at what point we lose the let renderedXml = XML.renderLBS def docMinusSignature I am guessing that |
Ohhh I see, nice find! |
Chiming in from snoyberg/xml#190 . It seems to me that both the library-generated and the manually-generated XMLs have the same semantics: My understanding of the specification for XML namespaces is that:
Am I mistaken ? Relevant part of the specification:
|
@k0ral thanks for chiming in! Unfortunately, the equivalent semantics of the two documents are irrelevant here. The part of the SAML2 standard we are implementing here works roughly like this:
Therefore it is critical to the successful implementation of the SAML2 standard that we arrive with exactly the XML document that the identity provider used to compute the hash, because otherwise we end up with a different hash and the validation process fails. TL;DR: We care about textual equivalence of XML documents, not semantic equivalence. |
If I understand correctly, the (exclusive ?) c14n standard does not have the following property:
Is that correct ? |
According to @mbg the problem occurs within
Hence I think this does not hold because of the observation above. |
@fumieval We call If, as @k0ral notes, c14n-exclusive is supposed to produce equivalent output for semantically equivalent XML documents, then there are two possibilities as far as I can see:
But I'll look into this more to establish more clearly which is the case. |
Summary
I was trying a new Identity Provider called TrustLogin, and realised that it fails to validate the digest.
It passes other validation tools like https://samltool.io/ so I suspect something is not quite right in the canonicalisation phase, but I didn't manage to figure out why. Any ideas?
Apparently it is able to validate an assertion (using #45), but fails to validate an entire response.
Checklist
@since
annotations.