Verify SAML Signature

Question

Verify SAML Signature

I have two signatures: one on the answer (which validates) and one on the SAML nested statement (which is not the case). This is the compressed code I'm working with:

foreach (XmlElement node in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
{// Verify this Signature block
    SignedXml signedXml = new SignedXml(node.ParentNode as XmlElement);
    signedXml.LoadXml(node);
    KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();

    // Verify certificate
    X509Certificate2 cert = x509Data.Certificates[0] as X509Certificate2;
    log.Info(string.Format("Cert s/n: {0}", cert.SerialNumber));
    VerifyX509Chain(cert);// Custom method

    // Check for approval
    X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection collection = store.Certificates.Find(X509FindType.FindBySerialNumber, cert.SerialNumber, true);
    Debug.Assert(collection.Count == 1);// Standing in for brevity

    // Verify signature
    signedXml.CheckSignature(cert, true);
}

For completeness, an XML schema is provided here:

<samlp2:Response Destination="http://www.testhabaGoba.com" ID="ResponseId_934151edfe060ceec3067670c2f0f1ea" IssueInstant="2013-09-24T14:33:29.507Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        ...
    </ds:Signature>
    ...
    <saml2:Assertion ID="SamlAssertion-05fd8af7f2c9972e69cdbca612d3f3b8" IssueInstant="2013-09-24T14:33:29.496Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        ...
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            ...
        </ds:Signature>
        ...
    </saml2:Assertion>
</samlp2:Response>

I also tried only with a signed statement, and that also fails. What am I doing wrong? Why does CheckSignature always fail in SAML approval?

Edit It turns out the one with which the just-signed statement is Java-generated (OpenSAML) and has more hoops to go through. Please inform.

+4

c # saml

ricksmt Aug 19 '14 at 22:40

source share

3 answers

SAML, Ultimate saml (http://www.componentpro.com/saml.net/). SAML .

XmlDocument xmlDocument = new XmlDocument(); 
xmlDocument.Load(samlResponseXmlToVerify); 

XmlDocument xmlDocumentMetadata = new XmlDocument(); 
xmlDocumentMetadata.Load(samlMetadataXmlToExtractCertData); 

// Load the SAML response from the XML document. 
Response samlResponse = new Response(xmlDocument.DocumentElement); 

// Is it signed?  
if (samlResponse.IsSigned()) 
{ 
    // Validate the SAML response with the certificate.  
    if (!samlResponse.Validate(xmlDocumentMetadata.DocumentElement)) 
    { 
        throw new ApplicationException("SAML response signature is not valid."); 
    } 
}

: http://www.componentpro.com/doc/saml/ComponentPro.Saml.SignableSamlObject.Validate().htm

+1

Adi Sembiring 11 . '15 10:19

, , , SignedXml . , XmlDocument XmlElement, ImportNode.

:

foreach (XmlElement item in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
{
    var node = item;
    if (node.ParentNode != xmlDoc.DocumentElement)
    {
        var doc = new XmlDocument();
        var parentNode = doc.ImportNode(item.ParentNode, true);
        doc.AppendChild(parentNode);
        node = (XmlElement) parentNode.SelectSingleNode("*[local-name()='Signature']");
    }
    var signedXml = new SignedXml((XmlElement) node.ParentNode);
    signedXml.LoadXml(node);
    //TODO: validate
}

This is about twice as fast as re-parsing OuterXml, as others suggested, based on my tests using an 8KL SAML response document.

0

Nathan baulch Oct 26 '15 at 0:50

source share

ricksmt · Accepted Answer · 2014-08-21T22:15:51+0000

~~, ( ) : .net , DocumentElement.~~ .

foreach (XmlElement node in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
{// Verify this Signature block
    // *** BEGIN: ADDED CODE ***
    XmlDocument doc = new XmlDocument();
    doc.LoadXml(node.ParentNode.OuterXml);
    XmlElement signature = doc.SelectSingleNode("//*[local-name()='Signature']") as XmlElement;
    // This variable ^^^ is the same as node, just in doc instead of xmlDoc (important distinction)
    // *** END: ADDED CODE ***

    // Setup
    SignedXml signedXml = new SignedXml(node.ParentNode as XmlElement);
    signedXml.LoadXml(node);
    KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();

    // Verify certificate
    ...

~~, Java- SAML. - .~~ SAML, Java, . , , .

Verify SAML Signature

More articles: