signature does not verify #22

Open
reteps opened this issue Jun 28, 2024 · 1 comment

reteps commented Jun 28, 2024

Hi, I set up the tool as documented.

I receive an error on the signature verification step.

DEBUG:saml2.sigver:xmlsec command: /usr/bin/xmlsec1 --verify --enabled-reference-uris empty,same-doc --pubkey-cert-pem /tmp/tmp69nwexpe.pem --id-attr:ID 
urn:oasis:names:tc:SAML:2.0:assertion:Assertion --node-id _TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu --output /tmp/tmprk8ikwba.xml /tmp/tmpl9ejayvq.xml
ERROR:saml2.sigver:returncode=1 error=func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=350:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: 
subject=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; 
issuer=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; err=18; msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=389:obj=x509-store:subj=unknown:error=71:certificate verification failed:

subject=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost;
issuer=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; err=18; msg=self signed certificate
func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha1:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify

With this XML:

<samlp:Response
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_38030cee04a47185cc67"  Version="2.0" IssueInstant="2024-06-28T15:56:54Z"  Destination="https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev">
	<saml:Issuer
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/XXXXXXXXXXXXXXXXXX
	</saml:Issuer>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
	</samlp:Status>
	<saml:Assertion
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu" IssueInstant="2024-06-28T15:56:54.885Z">
		<saml:Issuer>http://www.okta.com/XXXXXXXXXXXXXX</saml:Issuer>
		<Signature
			xmlns="http://www.w3.org/2000/09/xmldsig#">
			<SignedInfo>
				<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<Reference URI="#_TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu">
					<Transforms>
						<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</Transforms>
					<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<DigestValue>cHpIMLWm1x2HwENXtSxZXxSD/nU=</DigestValue>
				</Reference>
			</SignedInfo>
			<SignatureValue>ik3V/b6JlQMaa/eWqJmwn0jEH0BUJ7f/7xf3XP6AcF9VmlNetbA7MgUqOpN8lilZNAAyJPNkPdgIGpnNnN+23BNI38Hw72W4Iwcf1Xzoe+Mi6xbOJQsIWz3Brp66Vfj0sh2SfiIbBEpt4wV31NLZ1Rd85KylNrSLB2oJaR3A2XECEAqry2Eiwouxa3dh/a/7FiQjZ/cyzeoOF4u9x/wFRwvpdbS+H1o1f4jCL1J1vswYfdO6Dy2RgLtdefILP3lCe7/gHNsbMtXaBgeMsb+zP3OlQyO7AFBL186PduBbibqCz0fg2QVzXkd4U6E8VZwNhT5C1js/Iau783M86wacYQ==</SignatureValue>
			<KeyInfo>
				<X509Data>
					<X509Certificate>MIIDPDCCAiQCCQDydJgOlszqbzANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEQMA4GA1UEChMHSmFua3lDbzESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDMxMjE5NDYzM1oXDTI3MTExOTE5NDYzM1owYDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoTB0phbmt5Q28xEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGvJpRTTasRUSPqcbqCG+ZnTAurnu0vVpIG9lzExnh11o/BGmzu7lB+yLHcEdwrKBBmpepDBPCYxpVajvuEhZdKFx/Fdy6j5mH3rrW0Bh/zd36CoUNjbbhHyTjeM7FN2yF3u9lcyubuvOzr3B3gX66IwJlU46+wzcQVhSOlMk2tXR+fIKQExFrOuK9tbX3JIBUqItpI+HnAow509CnM134svw8PTFLkR6/CcMqnDfDK1m993PyoC1Y+N4X9XkhSmEQoAlAHPI5LHrvuujM13nvtoVYvKYoj7ScgumkpWNEvX652LfXOnKYlkB8ZybuxmFfIkzedQrbJsyOhfL03cMECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAeHwzqwnzGEkxjzSD47imXaTqtYyETZow7XwBc0ZaFS50qRFJUgKTAmKS1xQBP/qHpStsROT35DUxJAE6NY1Kbq3ZbCuhGoSlY0L7VzVT5tpu4EY8+Dq/u2EjRmmhoL7UkskvIZ2n1DdERtd+YUMTeqYl9co43csZwDno/IKomeN5qaPc39IZjikJ+nUC6kPFKeu/3j9rgHNlRtocI6S1FdtFz9OZMQlpr0JbUt2T3xS/YoQJn6coDmJL5GTiiKM6cOe+Ur1VwzS1JEDbSS2TWWhzq8ojLdrotYLGd9JOsoQhElmz+tMfCFQUFLExinPAyy7YHlSiVX13QH2XTu/iQQ==</X509Certificate>
				</X509Data>
			</KeyInfo>
		</Signature>
		<saml:Subject>
			<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData NotOnOrAfter="2024-06-28T16:56:54.885Z" Recipient="https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev"/>
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2024-06-28T15:56:54.885Z" NotOnOrAfter="2024-06-28T16:56:54.885Z">
			<saml:AudienceRestriction>
				<saml:Audience>https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AttributeStatement
			xmlns:xs="http://www.w3.org/2001/XMLSchema"
			xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
			<saml:Attribute Name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
				<saml:AttributeValue xsi:type="xs:anyType">[email protected]</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="Email">
				<saml:AttributeValue xsi:type="xs:anyType">[email protected]</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="FirstName">
				<saml:AttributeValue xsi:type="xs:anyType">Jane</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="LastName">
				<saml:AttributeValue xsi:type="xs:anyType">Doe</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
		<saml:AuthnStatement AuthnInstant="2024-06-28T15:56:54.885Z">
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
	</saml:Assertion>
</samlp:Response>


        'example-oktadev': {
            # must match the destination URL / audience URI in the SAML 2.0 settings of the IdP.
            'entityid': 'http://flask-pysaml2-example',
            'metadata_url': 'https://dev-22307139.okta.com/app/XXXXXXXXX/sso/saml/metadata'
        },
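The pre-check a defender would run on a Response like the one above before handing it to xmlsec1: is the certificate carried in KeyInfo the signing certificate pinned from the IdP metadata, and does the Reference point at the Assertion being validated? This is an added example, not code from the issue or from pysaml2; the metadata, the minimal Response, the entityID and the certificate bytes are constructed placeholders (real documents carry base64 DER certificates in the same elements).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# Constructed placeholders standing in for the base64 DER certificates real documents carry.
IDP_CERT_B64 = base64.b64encode(b"constructed IdP signing certificate").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed unrelated certificate").decode()
# Constructed IdP metadata: the certificate we pin comes from here, never from the message.
METADATA_XML = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLE">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

def response_xml(cert_b64: str, ref_uri: str = "#_A1") -> str:
    """Constructed minimal Response: an Assertion with an enveloped Signature, as in the issue."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_R1">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_A1">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
      <Reference URI="{ref_uri}"><Transforms><Transform Algorithm="{ENVELOPED}"/></Transforms>
      </Reference></SignedInfo>
      <KeyInfo><X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo>
    </Signature></saml:Assertion></samlp:Response>"""

def fingerprint(b64_text: str) -> str:
    """SHA-256 of the DER bytes, i.e. of the base64-decoded element text (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def pinned_fingerprints(metadata_xml: str) -> set:
    """Signing certs from metadata; a KeyDescriptor without 'use' is valid for signing too."""
    return {fingerprint(c.text) for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor")
            if kd.get("use", "signing") == "signing"
            for c in kd.iter(DS + "X509Certificate")}

def check_response(xml_text: str, pinned: set) -> dict:
    """Pre-checks before cryptographic verification: pinned cert, Reference covers the Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find(SAML + "Assertion")
    sig = assertion.find(DS + "Signature")
    cert = sig.find(".//" + DS + "X509Certificate")
    ref = sig.find(".//" + DS + "Reference")
    transforms = {t.get("Algorithm") for t in ref.iter(DS + "Transform")}
    return {"cert_pinned": cert is not None and fingerprint(cert.text) in pinned,
            "reference_is_assertion": ref.get("URI") == "#" + assertion.get("ID", ""),
            "enveloped_transform": ENVELOPED in transforms}
```

Applied to the Response in the issue, fingerprint() over its X509Certificate text can be compared with the certificate in the metadata_url document to confirm whether the key xmlsec1 was given is the one that produced the signature.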

reteps commented Jun 28, 2024

Possibly related to IdentityPython/pysaml2#963
