2015-02-06 70 views
0

I have set up Shibboleth as an IdP using its default credentials (the certificates bundled with the installer). I believe it uses the idp-signing.crt certificate to sign SAML responses. Using the LowLevelAPI ShibbolethSP example project, I can log in through the Shibboleth IdP as long as I comment out the "verify the response's signature" code. I have made sure to add SHA-256 XML signature support in Application_Start in Global.asax.cs. Message signature verification always returns false, even when I copy my idp-signing.crt file into the example directory, load it as an X509Certificate2 object and pass it in. I can't find why SAMLMessageSignature.Verify returns false:

bool retVal = SAMLMessageSignature.Verify(samlResponseXml, x509Certificate); // is false 

It even returns false when I pass no second parameter, so that it verifies using the key info contained in the signature:

bool retVal = SAMLMessageSignature.Verify(samlResponseXml); // is false 

I can't work out why this verification fails. Here is a SAML response posted back from Shibboleth (formatted with FOXE, but otherwise unchanged):

<?xml version="1.0" encoding="UTF-8"?> 
<saml2p:Response Destination="http://localhost:65231/SAML/AssertionConsumerService.aspx" ID="_b69dae7dd40119cff94ece076e338e82" InResponseTo="_031b0667-d6e5-4845-add1-f82748afe0e6" IssueInstant="2015-02-06T14:07:47.193Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:3380/idp/shibboleth</saml2:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
     <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> 
      <ds:Reference URI="#_b69dae7dd40119cff94ece076e338e82"> 
       <ds:Transforms> 
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
       </ds:Transforms> 
       <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
       <ds:DigestValue>kL7hYIdYRk+x27VboYeYmIzOSfokmY8iPfucnFzI5Nk=</ds:DigestValue> 
      </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue> 
V/bRv+kjvXcTOQs3d2TjyB4d0fjW5xSl5/8RJzCf1K988DsUWVqZEswxo4iqPVsjQgkelppbcnPa 
9UTjLJLIQLg6ztXrfaXYE6iHZcYw58upBcnTXgNGuKazvLm6j2wxBtm5RNe8I4vO0YtDvV3GNf6X 
qVICZlhp7VC0bNiCMr7zVXcw0E4ZfCSJt3Tph9MGKK6KrSXzVSpsyagtvBnmDx2CpI+O0hW92ekk 
CjjkPcvY0lfl3rYdN/xpUqsJgc6HfhnBeU+y+RgEyb0eLuN/aZBOfiWMSAtMkJhcaoESwBtlaFg/ 
m46jdarT6ZDGfU9J4JnOzkAHlr8nMlEKcEzD8g== 
</ds:SignatureValue> 
     <ds:KeyInfo> 
      <ds:X509Data> 
       <ds:X509Certificate>MIIDIDCCAgigAwIBAgIVANgMuf9G9xkZYBghdEkxjLMPwHJhMA0GCSqGSIb3DQEBCwUAMBgxFjAU 
BgNVBAMMDWlzYW1zLXdyay0wNjAwHhcNMTUwMjA0MTU0MjQ1WhcNMzUwMjA0MTU0MjQ1WjAYMRYw 
FAYDVQQDDA1pc2Ftcy13cmstMDYwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3l+ 
c0OfVj6Qex2Rwd+katoP9BLsrur/aR19mfepT5E2E/2TDWkl+dY87O4eS/J/NKTftS0MeL8qhoZB 
Hf3y/zetOayoqhW5eCsrWwsY4HuVBhBBctuv0xdBmQPUP8Avmdr83Ps0xvCu2661aAz5SRA1SOlP 
QbE/STLnDoFORhaoVAFHUq0zIscjCwUFrhHvEQZQWMTeaDCZdSP6jFmZ6SCWJCvjq7FIz5KbPh5p 
IBhaWUVIoGEg3gwGKEt25sZ6y7RSFnqEzWgJhUoHE8HgL4inGulTIeeESxztQqdRK7lkTz1VwwO/ 
zulQdwcw1xWQc6JOMDh9wqJxcMQOZ2OlgQIDAQABo2EwXzAdBgNVHQ4EFgQUDAZa8uahYPYMrzbv 
P8+PRP47IzEwPgYDVR0RBDcwNYINaXNhbXMtd3JrLTA2MIYkaHR0cHM6Ly9pc2Ftcy13cmstMDYw 
L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQCLh6w9di9jggroTxCsX30eqVv+DSfG 
vOy1Ajj9ZFbXz5N7lhnwiLnWkiC4sx9Ls4cObj9AmGCAw/G2VOv2DRfRujFt0QTRfervmT1dJADv 
m2RsV4vq13Kbj5fh6ThCzTMU+XsRc6dY2KRiDMrR3ofdqIl90U4J4NeyFYvIwEKHSDrnLM2Fp6tu 
pWso0hDDSszuIKlhTue0kKXLpiJMEvc06mCqA8XZCCj26D6DdTNUI24puTfUELWXSMflD2/lg0/w 
L1k/5kVbgT4vqVci6Sz9ggi8mge2zjRtx4JkHIjXc20e43oRPh7LF/2wQVqiobmZQYzvMi5TPY1x 
w0oA4g5A</ds:X509Certificate> 
      </ds:X509Data> 
     </ds:KeyInfo> 
    </ds:Signature> 
    <saml2p:Status> 
     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> 
    </saml2p:Status> 
    <saml2:Assertion ID="_9d0be4db6f36fbd7026dc1efd7dfc224" IssueInstant="2015-02-06T14:07:47.193Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> 
     <saml2:Issuer>http://localhost:3380/idp/shibboleth</saml2:Issuer> 
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
      <ds:SignedInfo> 
       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> 
       <ds:Reference URI="#_9d0be4db6f36fbd7026dc1efd7dfc224"> 
        <ds:Transforms> 
         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        </ds:Transforms> 
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
        <ds:DigestValue>hR6KDOh+st3yunebqeUz4aqHMin/5rc6gHrkIwgypLc=</ds:DigestValue> 
       </ds:Reference> 
      </ds:SignedInfo> 
      <ds:SignatureValue> 
V9BB0UEBqsBGsiUHbVH8mw8sG52pLI6ec/lGMCqeNGqTUYF8HwOPpjkViJ/Pz91HRFIgRoPlVqHy 
dRGMAJFpYvakOh/vB1+GP3T0Jh20gF8I7JfzOfMwuF8A5ryEdoxB6JQp0AR6mEXi88RPFfWrAmB1 
G/mTt6Q94uW0lrqfiyphp49K6HNhRvyIOCOLWtthBdnMQPLlCh6NAMaJAh+2dzx2CjeT4P58H9FP 
ANJQxB+JR3J2cum5XVn+Rrrx6fiL640I514G0dDu2bi4InXMGH/mKXVCLQX4w/1g0fGv/icrdY9H 
734JhawjfY/+NfO4Fj3+E6Yx3+k8ytku0qUZkw== 
</ds:SignatureValue> 
      <ds:KeyInfo> 
       <ds:X509Data> 
        <ds:X509Certificate>MIIDIDCCAgigAwIBAgIVANgMuf9G9xkZYBghdEkxjLMPwHJhMA0GCSqGSIb3DQEBCwUAMBgxFjAU 
BgNVBAMMDWlzYW1zLXdyay0wNjAwHhcNMTUwMjA0MTU0MjQ1WhcNMzUwMjA0MTU0MjQ1WjAYMRYw 
FAYDVQQDDA1pc2Ftcy13cmstMDYwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3l+ 
c0OfVj6Qex2Rwd+katoP9BLsrur/aR19mfepT5E2E/2TDWkl+dY87O4eS/J/NKTftS0MeL8qhoZB 
Hf3y/zetOayoqhW5eCsrWwsY4HuVBhBBctuv0xdBmQPUP8Avmdr83Ps0xvCu2661aAz5SRA1SOlP 
QbE/STLnDoFORhaoVAFHUq0zIscjCwUFrhHvEQZQWMTeaDCZdSP6jFmZ6SCWJCvjq7FIz5KbPh5p 
IBhaWUVIoGEg3gwGKEt25sZ6y7RSFnqEzWgJhUoHE8HgL4inGulTIeeESxztQqdRK7lkTz1VwwO/ 
zulQdwcw1xWQc6JOMDh9wqJxcMQOZ2OlgQIDAQABo2EwXzAdBgNVHQ4EFgQUDAZa8uahYPYMrzbv 
P8+PRP47IzEwPgYDVR0RBDcwNYINaXNhbXMtd3JrLTA2MIYkaHR0cHM6Ly9pc2Ftcy13cmstMDYw 
L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQCLh6w9di9jggroTxCsX30eqVv+DSfG 
vOy1Ajj9ZFbXz5N7lhnwiLnWkiC4sx9Ls4cObj9AmGCAw/G2VOv2DRfRujFt0QTRfervmT1dJADv 
m2RsV4vq13Kbj5fh6ThCzTMU+XsRc6dY2KRiDMrR3ofdqIl90U4J4NeyFYvIwEKHSDrnLM2Fp6tu 
pWso0hDDSszuIKlhTue0kKXLpiJMEvc06mCqA8XZCCj26D6DdTNUI24puTfUELWXSMflD2/lg0/w 
L1k/5kVbgT4vqVci6Sz9ggi8mge2zjRtx4JkHIjXc20e43oRPh7LF/2wQVqiobmZQYzvMi5TPY1x 
w0oA4g5A</ds:X509Certificate> 
       </ds:X509Data> 
      </ds:KeyInfo> 
     </ds:Signature> 
     <saml2:Subject> 
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://localhost:3380/idp/shibboleth" SPNameQualifier="http://localhost:65231/SAML/metadata.xml">AAdzZWNyZXQxpeMWTEyWX1tgYmk7ixdbi775mfBFBHikiub8dsf7HLwD2Xo5yPhD2HL21GF3Hle9oYEQCMFJ3R2dxZ8y22FknvLoGmDZ++VdymaQB0WpEaMzy3Ox9g8X6ALYMdZWedk78uCbpSvjpqdCM4Lhi13VdAQqvAs=</saml2:NameID> 
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> 
       <saml2:SubjectConfirmationData Address="127.0.0.1" InResponseTo="_031b0667-d6e5-4845-add1-f82748afe0e6" NotOnOrAfter="2015-02-06T14:12:47.236Z" Recipient="http://localhost:65231/SAML/AssertionConsumerService.aspx"/> 
      </saml2:SubjectConfirmation> 
     </saml2:Subject> 
     <saml2:Conditions NotBefore="2015-02-06T14:07:47.193Z" NotOnOrAfter="2015-02-06T14:12:47.193Z"> 
      <saml2:AudienceRestriction> 
       <saml2:Audience>http://localhost:65231/SAML/metadata.xml</saml2:Audience> 
      </saml2:AudienceRestriction> 
     </saml2:Conditions> 
     <saml2:AuthnStatement AuthnInstant="2015-02-06T14:07:47.057Z" SessionIndex="_267b5fd351054d45e5961e83427483fe"> 
      <saml2:SubjectLocality Address="127.0.0.1"/> 
      <saml2:AuthnContext> 
       <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> 
      </saml2:AuthnContext> 
     </saml2:AuthnStatement> 
     <saml2:AttributeStatement> 
      <saml2:Attribute FriendlyName="username" Name="urn:ecolint.ch:attribute-def:username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> 
       <saml2:AttributeValue>Jeremy.Morton</saml2:AttributeValue> 
      </saml2:Attribute> 
     </saml2:AttributeStatement> 
    </saml2:Assertion> 
</saml2p:Response> 

Can anyone tell me why the Verify method might always return false?

+1

Dump the literal response ('response.xml') and check the outer signature with 'xmlsec1 verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-cert-pem idp-signing.crt response.xml' to make sure you are using the correct certificate – 2015-02-06 17:38:08

Answer

0

The assertions from Testshib are encrypted. I use the ComponentSpace low-level API. We are an SP for many clients and support numerous IdPs.

The SAMLResponse class has three methods for testing for the assertion from the IdP.

First I try .GetAssertions(). If that doesn't return an assertion, I try .GetSignedAssertion(certificate). If that doesn't return an assertion, I try .GetEncryptedAssertions(); with Testshib I always end up getting the assertion from the last one. Then, if you are using an X509Certificate2, you must create the object with X509KeyStorageFlags.Exportable when loading the pfx file. If you don't, the private key will always be null.

I do something like this:

    // The pfx must have been loaded with X509KeyStorageFlags.Exportable, otherwise PrivateKey is null
    var key = pfxCertificate.PrivateKey;

    if (key == null)
    {
        throw new NullReferenceException("pfx private key is null");
    }

    // Decrypt every EncryptedAssertion with the SP private key
    foreach (var encryptedAssertion in encryptedAssertions)
    {
        assertions.Add(encryptedAssertion.Decrypt(key, null));
    }

    // Use the first assertion that was recovered
    if (assertions.Count > 0)
    {
        samlAssertion = assertions[0];
    }

Finally, if you change your SP metadata certificate, you must re-upload it to Testshib on their registration tab. The encrypted assertion is encrypted with your certificate, so you decrypt it with your private key; if that doesn't match what was uploaded to Testshib, it will never decrypt. Make sure the file name of your SP metadata is unique in the world, something like CrazyLikelyUniqueInTheWorld2939596.xml; otherwise, if you name it something like spmetadata.xml, someone else will overwrite your SP test metadata on Testshib.
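The question (Verify always false) and the answer (plain, signed or encrypted assertion, in that order) both come down to inspecting the response before any RSA arithmetic happens. As an added example, not the asker's code and not the ComponentSpace API, the Python script below reads a SAML 2.0 Response with the standard library only and reports the things that make a signature check fail up front: a Reference URI that does not point at the element's ID, a SignatureMethod the SP has not registered (the rsa-sha256 registration the question mentions), and a KeyInfo certificate whose fingerprint differs from the configured idp-signing.crt (the check the comment suggests doing with xmlsec1). It then classifies each assertion as plain, signed or encrypted, matching the three lookups in the answer. SAMPLE_RESPONSE and CONSTRUCTED_CERT_DER are constructed test data, not the page's actual response or certificate; the cryptographic verification itself is left to an XML-DSig implementation such as xmlsec1.

```python
"""Pre-verification checks on a SAML 2.0 Response; added example, not ComponentSpace code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed placeholder for the DER bytes of idp-signing.crt: not a real
# certificate, only bytes to fingerprint so the KeyInfo comparison can be shown.
CONSTRUCTED_CERT_DER = b"CONSTRUCTED-IDP-SIGNING-CERT"

# Constructed sample with the shape of the Shibboleth response in the question:
# a signed Response carrying one signed Assertion and one EncryptedAssertion.
SAMPLE_RESPONSE = """
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml2:Issuer>http://localhost:3380/idp/shibboleth</saml2:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>@CERT@</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml2:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo/></ds:Signature>
  </saml2:Assertion>
  <saml2:EncryptedAssertion/>
</saml2p:Response>
""".replace("@CERT@", base64.b64encode(CONSTRUCTED_CERT_DER).decode())


def parse_response(xml_text):
    return ET.fromstring(xml_text.strip())


def signature_metadata(element):
    """Algorithm, Reference URI and KeyInfo certificate of the element's own enveloped signature."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "signature_method": None if method is None else method.get("Algorithm"),
        "reference_uri": None if ref is None else ref.get("URI"),
        # IdPs wrap the base64 over several lines; strip all whitespace before decoding.
        "cert_der": None if cert is None or not cert.text else base64.b64decode("".join(cert.text.split())),
    }


def check_signature_metadata(element, expected_cert_der, supported=frozenset({RSA_SHA256})):
    """Reasons a Verify() call fails before any RSA computation is attempted."""
    meta = signature_metadata(element)
    if meta is None:
        return ["element carries no enveloped ds:Signature"]
    problems = []
    expected_uri = "#" + element.get("ID", "")
    if meta["reference_uri"] != expected_uri:
        problems.append(f"Reference URI {meta['reference_uri']} does not point at ID {expected_uri}")
    if meta["signature_method"] not in supported:
        problems.append(f"SignatureMethod {meta['signature_method']} is not registered on the SP")
    if meta["cert_der"] is None:
        problems.append("no X509Certificate in KeyInfo; Verify() needs the configured certificate")
    elif hashlib.sha256(meta["cert_der"]).digest() != hashlib.sha256(expected_cert_der).digest():
        problems.append("KeyInfo certificate does not match the configured IdP signing certificate")
    return problems


def classify_assertions(root):
    """Which of the answer's three lookups each assertion needs: plain, signed or encrypted."""
    found = []
    for assertion in root.findall("saml2:Assertion", NS):
        kind = "signed" if assertion.find("ds:Signature", NS) is not None else "plain"
        found.append((kind, assertion.get("ID")))
    for _ in root.findall("saml2:EncryptedAssertion", NS):
        found.append(("encrypted", None))  # needs the SP private key (Exportable pfx) to decrypt
    return found


if __name__ == "__main__":
    response = parse_response(SAMPLE_RESPONSE)
    print("signature problems:", check_signature_metadata(response, CONSTRUCTED_CERT_DER))
    print("assertions:", classify_assertions(response))
```

Run it against a real dump by replacing SAMPLE_RESPONSE with the posted-back XML and CONSTRUCTED_CERT_DER with the DER bytes of idp-signing.crt; an empty problem list means the failure is in the cryptographic step itself, which is where xmlsec1 or the SP library's own verifier takes over.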
