XML signature with samlsign and xmlsec1


XML signature with samlsign and xmlsec1

Paolo Smiraglia-2
Hi guys, I have a question for you about an XML signature made with the "samlsign" tool.

I'm not sure this is the right place to ask. If not, sorry for the OT.

Let's go into details...

* The signer certificate (self-signed) has been generated by setting
the subjectAlternativeName to "DNS:<FQDN>,URI:<ENTITY_ID>"

* The original xml document (SAML metadata generated with
"metagen.sh") has been signed with "samlsign"

* The resulting signed metadata contains under <KeyInfo> two <KeyName>
elements with the signer FQDN and ENTITY_ID (as in the certificate)

Now, if I try to verify the signed metadata with "samlsign",
everything goes well. On the contrary, if I try the same process with
xmlsec1, the signature verification fails due to the presence of
multiple <KeyName> elements.

I tried to generate a new signer certificate with
subjectAlternativeName set only to "DNS:<FQDN>" or "URI:<ENTITY_ID>".
The resulting signed metadata (signed with samlsign) has only one
<KeyName> and the verification with xmlsec1 goes well.

What's wrong?

Bests,

   Paolo

--
PAOLO SMIRAGLIA
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: XML signature with samlsign and xmlsec1

Peter Schober
* Paolo Smiraglia <[hidden email]> [2018-06-29 09:47]:
> Now, if I try to verify the signed metadata with "samlsign",
> everything goes well. On the contrary, if I try the same process
> with xmlsec1, the signature verification fails due to the presence
> of multiple <KeyName> elements.

Since this is not the list for xmlsec1, what is it you're asking here?
Whether what samlsign did is technically correct?

How are you calling xmlsec1? E.g.

$ xmlsec1 --verify --id-attr:ID \
  urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
  --trusted-pem $CERT --pubkey-cert-pem $CERT $XML

Does XmlSecTool verify the signature? Does the Shib IDP or SP?

-peter

Re: XML signature with samlsign and xmlsec1

Paolo Smiraglia-2
On Fri, 29 Jun 2018 at 10:57, Peter Schober <[hidden email]> wrote:
>
> Since this is not the list for xmlsec1 what is it you're asking here?

Because my trouble with xmlsec1 is related to samlsign, which is (in
my understanding) a Shibboleth-affiliated tool.

Anyway, as I wrote in the postscript, sorry for the possible OT.

> Whether what samlsign did is technically correct?

I hope yes...

> How are you calling xmlsec1? E.g.
>
> $ xmlsec1 --verify --id-attr:ID \
>   urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
>   --trusted-pem $CERT --pubkey-cert-pem $CERT $XML

$ xmlsec1 --verify --id-attr:ID \
  urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \
  --pubkey-cert-pem cert.pem metadata.xml
func=xmlSecKeyDataNameXmlRead:file=keyinfo.c:line=723:obj=key-name:subj=key name is already specified:error=41:invalid key data:
func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=114:obj=key-name:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=KeyName
func=xmlSecKeysMngrGetKey:file=keys.c:line=1349:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "metadata.xml"

> Does XmlSecTool verify the signature? Does the Shib IDP or SP?

$ ./xmlsectool.sh --verifySignature --inFile metadata.xml --certificate cert.pem
INFO  XMLSecTool - Reading XML document from file 'metadata.xml'
INFO  XMLSecTool - XML document parsed and is well-formed.
INFO  XMLSecTool - XML document signature verified.

$ samlsign -c ./cert.pem -f metadata.xml
$ echo $?
0

Since samlsign and xmlsectool validate, it seems to be an xmlsec1
problem. Thanks for the hints...


--
PAOLO SMIRAGLIA
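The xmlsec1 trace above aborts on the second <KeyName> ("key name is already specified") before the signature itself is examined. The following Python is an added example, not code from the thread or from samlsign/xmlsec1: it inspects the <KeyInfo> of a constructed signed EntityDescriptor, flags the multiple-KeyName case xmlsec1 rejects, and shows a pre-processing step that keeps only the first KeyName. It assumes the usual enveloped-signature transform (so KeyInfo is outside the digested content and dropping a KeyName does not invalidate the signature) and that the verification key is supplied out of band, as with --pubkey-cert-pem or --trusted-pem, rather than taken from KeyInfo.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"ds": DS, "md": MD}
# Keep the original prefixes on re-serialization: exc-c14n preserves prefixes,
# so renaming md:/ds: to ns0:/ns1: would change the digested bytes.
ET.register_namespace("ds", DS)
ET.register_namespace("md", MD)

# Constructed sample, not real metadata: a signed EntityDescriptor whose KeyInfo
# carries two KeyName elements (DNS name and entityID), as described in the
# thread. SignatureValue and X509Certificate are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    ID="_c0ffee" entityID="https://sp.example.org/shibboleth">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_c0ffee">
        <ds:Transforms>
          <ds:Transform Algorithm="{DS}enveloped-signature"/>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>sp.example.org</ds:KeyName>
      <ds:KeyName>https://sp.example.org/shibboleth</ds:KeyName>
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</md:EntityDescriptor>"""


def key_names(xml_text):
    """Return the KeyName values found under ds:Signature/ds:KeyInfo."""
    root = ET.fromstring(xml_text)
    return [k.text for k in root.findall(".//ds:Signature/ds:KeyInfo/ds:KeyName", NS)]


def xmlsec1_accepts_key_info(xml_text):
    """xmlsec1 stops reading KeyInfo at a second KeyName (error 41 above), so
    more than one KeyName means the verify run fails before checking the signature."""
    return len(key_names(xml_text)) <= 1


def keep_first_key_name(xml_text):
    """Drop every KeyName after the first; KeyInfo is not digested under the
    enveloped-signature transform assumed here, so the signature stays valid."""
    root = ET.fromstring(xml_text)
    for key_info in root.findall(".//ds:Signature/ds:KeyInfo", NS):
        for extra in key_info.findall("ds:KeyName", NS)[1:]:
            key_info.remove(extra)
    return ET.tostring(root, encoding="unicode")
```

Run `keep_first_key_name()` over the samlsign output and feed the result to the xmlsec1 command above to confirm that the single-KeyName document verifies, which separates the KeyInfo parsing issue from a genuine signature mismatch.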

Re: XML signature with samlsign and xmlsec1

Paolo Smiraglia-2
On Fri, 29 Jun 2018 at 11:48, Paolo Smiraglia <[hidden email]> wrote:
> Since samlsign and xmlsectool validates, it seems to be an xmlsec1
> problem. Thanks for the hints...

Not exactly... I signed with xmlsectool and validated with xmlsec1.
Everything went well.


--
PAOLO SMIRAGLIA

Re: XML signature with samlsign and xmlsec1

Paolo Smiraglia-2
> On Fri, 29 Jun 2018 at 11:48, Paolo Smiraglia <[hidden email]> wrote:
> > Since samlsign and xmlsectool validates, it seems to be an xmlsec1
> > problem. Thanks for the hints...

FYI, https://www.aleksey.com/pipermail/xmlsec/2018/010260.html

--
PAOLO SMIRAGLIA