6

我在验证 SAML 2.0 断言 XML 的签名时遇到了问题。我正在使用来自 simpleSAMLphp 项目的 SAML2 库,而该项目又使用 PHPxmlseclibs库来签署 XML 并验证签名。

我收到来自我的合作伙伴的以下断言:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c43265fe-8cd5-410f-b63d-dac9f266d4c9" IssueInstant="2015-01-23T17:46:28.456Z"><saml:Issuer>uat.test.com/saml2.0</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_c43265fe-8cd5-410f-b63d-dac9f266d4c9"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>mFKEIdw+cEielORqscbHuAJhI58=</DigestValue></Reference></SignedInfo><SignatureValue>kEZHloxYJVqDg8oxLNpl+sbJYhv9r7yYU5yQi71gCNm/Cdtj9/P2LR5cnopKZZu+7j3PVimeZoir6RTTrdVKTLkp+PmvOmTlLH/LVtntQZ68TaUxUd3BvtQiKuJ8KFwWPmQ+W3RIKv4ySAsy6PUiWPcr8eIYpIiUA6rxCuSEpdA=</SignatureValue><KeyInfo><X509Data><X509Certificate>MIICczCCAdygAwIBAgIEdWfFczANBgkqhkiG9w0BAQUFADB0MQswCQYDVQQIEwJNQTEQMA4GA1UEBxMHTm9yd29vZDEPMA0GA1UEChMGTWVyY2VyMRswGQYDVQQLExJNZXJjZXIgSFIgU2VydmljZXMxJTAjBgNVBAMTHE1lcmNlciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDcwNjI5MDI1NTQxWhcNMTcwNzI5MDQwMDAwWjB2MQswCQYDVQQIEwJNQTEQMA4GA1UEBxMHTm9yd29vZDEPMA0GA1UEChMGTWVyY2VyMRswGQYDVQQLExJNZXJjZXIgSFIgU2VydmljZXMxJzAlBgNVBAMTHk1lcmNlciBIdW1hbiBSZXNvdXJjZSBTZXJ2aWNlczCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAm9KNx7UmRbWwJ0gmIV9sZzMDH4uz+o6ZmOxVRLvrO0Yzc9Qsc+7f+jIEGsVpbeaj5zx+4c8g46QqGam/Ap+4peewduVAN7GwK8UrmveASQH1Y/byTVGhyndfEtHfauresYpNDbgCn/iq/cXNapuFaTB4U0MPtz8Bqds1871hNasCAwEAAaMQMA4wDAYDVR0PBAUDAwf/gDANBgkqhkiG9w0BAQUFAAOBgQBR5wV43k1XcIM7z24SBvpEDWgEawXZ3TjTI9/54v/ZAdzXAiYfLKVV+hiyum+QP9jezDUH+Wz2bqzjlxOSU7HvUn4MwN+88a1hvSXpPxsp7y4d7juVt66aip/9NuSWbNqUPdhgK/KvMHrZpksCoxUJG2+Q1Jz7aNiBQvONRRPdTg==</X509Certificate></X509Data></KeyInfo></Signature><saml:Subject><saml:NameID>000786320</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-01-23T17:51:28.471Z" Recipient="https://test.com/sso"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-01-23T17:41:28.456Z" NotOnOrAfter="2015-01-23T17:51:28.456Z"><saml:AudienceRestriction><saml:Audience>test.com:saml2.0</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-01-23T17:46:28.456Z" SessionIndex="SI-8bd89651-62da-4b7d-9a54-04eb2eb90784"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"><saml:AttributeValue>invalidemail@invalid.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="firstName"><saml:AttributeValue>Diane</saml:AttributeValue></saml:Attribute><saml:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="lastname"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute><saml:Attribute Name="zipCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="zipCode"><saml:AttributeValue>02062</saml:AttributeValue></saml:Attribute><saml:Attribute Name="businessUnit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="businessUnit"><saml:AttributeValue>78945</saml:AttributeValue></saml:Attribute><saml:Attribute Name="employeeID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="employeeID"><saml:AttributeValue>000786320</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>

签名元素请求独占 C14N 规范化。库库将其xmlseclibs规范化如下:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_c43265fe-8cd5-410f-b63d-dac9f266d4c9" IssueInstant="2015-01-23T17:46:28.456Z" Version="2.0"><saml:Issuer>uat.test.com/saml2.0</saml:Issuer><saml:Subject><saml:NameID>000786320</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-01-23T17:51:28.471Z" Recipient="https://test.com/sso"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-01-23T17:41:28.456Z" NotOnOrAfter="2015-01-23T17:51:28.456Z"><saml:AudienceRestriction><saml:Audience>test.com:saml2.0</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-01-23T17:46:28.456Z" SessionIndex="SI-8bd89651-62da-4b7d-9a54-04eb2eb90784"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>invalidemail@invalid.com</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="firstName" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>Diane</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="lastname" Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="zipCode" Name="zipCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>02062</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="businessUnit" Name="businessUnit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>78945</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="employeeID" Name="employeeID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>000786320</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>

然而,我的伴侣实际签署的元素是:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c43265fe-8cd5-410f-b63d-dac9f266d4c9" IssueInstant="2015-01-23T17:46:28.456Z" Version="2.0"><saml:Issuer>uat.test.com/saml2.0</saml:Issuer><saml:Subject><saml:NameID>000786320</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-01-23T17:51:28.471Z" Recipient="https://test.com/sso"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-01-23T17:41:28.456Z" NotOnOrAfter="2015-01-23T17:51:28.456Z"><saml:AudienceRestriction><saml:Audience>test.com:saml2.0</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-01-23T17:46:28.456Z" SessionIndex="SI-8bd89651-62da-4b7d-9a54-04eb2eb90784"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>invalidemail@invalid.com</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="firstName" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>Diane</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="lastname" Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="zipCode" Name="zipCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>02062</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="businessUnit" Name="businessUnit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>78945</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="employeeID" Name="employeeID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>000786320</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>

几乎相同,但是没有xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"命名空间。命名空间在xsi签名 Transform 元素中提到:<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/></Transform>

由于签名中的 SHA1 摘要与在元素上计算的摘要 xmlseclibs 不匹配,因此 SAML 身份验证失败。

所以我想知道这里谁是正确的——是否必须包含 xsi 命名空间(即使此命名空间中没有元素),因为它包含在 InclusiveNamespaces 中,或者如果不是,为什么在xmlseclibs其中包含该命名空间C14N 规范化?

4

1 回答 1

3

实际上,一些进一步的调试表明问题出在 SAML2 库中的一个错误(它是 smipleSAMLphp 项目的一部分:https ://github.com/simplesamlphp/saml2 )。

解密元素 SAML2 库时,会执行以下操作:

    $xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '.
                 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' .
        $decrypted .
        '</root>';
    $newDoc = new DOMDocument();

(见https://github.com/simplesamlphp/saml2/blob/master/src/SAML2/Utils.php第 494 行)

这是一种解决方法,以防在仅对文档的一个子集进行序列化以进行加密时会出现一些孤立元素。不幸的是,这会创建一个额外的命名空间,如果包含在 InclusiveNamespaces PrefixList 中xsi,它将显示在未来的规范化中。xsi

将其更改为:

    $xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'.
        $decrypted .
        '</root>';
    $newDoc = new DOMDocument();

实际上在我的情况下可以解决问题。然而,这只是快速破解,并不理想,因为它可能会为不同的实现引入一些其他错误。我想需要与 simpleSAMLphp 库的创建者合作,以找到更优雅的长期解决方案。

于 2015-01-26T08:34:51.350 回答