0

我有以下 SAML v2 XML。签名验证失败,因为断言节点中有两个 ID 属性。值错误,referenceURI 指向的ID值在Id属性中。示例如下。

<?xml version="1.0"?>
<samlp:Response ID="gbfgoeahcoefemndehmcoeepmpdckdingbafamcb" IssueInstant="2017-08-23T04:44:36Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion ID="fmcpoegiimapenheggdpjojncbljphgcnoalogap" Id="pfx1af01d88-2006-0901-3fa4-c54a400fad3c" IssueInstant="2017-08-23T04:44:36Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>example.com</Issuer>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">foo@example.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2017-08-23T04:54:36Z" Recipient="https://www.example.com/saml/endpoint"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2017-08-23T04:39:36Z" NotOnOrAfter="2017-08-23T04:54:36Z">
            <AudienceRestriction>
                <Audience>https://www.example.com</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2017-08-23T04:44:36Z">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
                <AuthenticatingAuthority>foobarbaz</AuthenticatingAuthority>
            </AuthnContext>
        </AuthnStatement>
        <AttributeStatement>
            <Attribute Name="random">
                <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">foo@example.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#pfx1af01d88-2006-0901-3fa4-c54a400fad3c">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>P4pZAc2fLYvaf92FrVGdgYKcBww=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>tdzLY9Gem64Va9urGwqwvP3G6TjEtEy6Ely+8/D7RQuAFAiy6jcX4bsUwh7zhzoV+Thg8hhjzXBpqSSmDnBhsl6GSMAnAvAelF/eDlQk0+/wH+USYBTD8gvzvxZiB5GU8EgF7F5lLzzof+YrAQ0Zg/TSewdkiNJFLvXSI1Kw5E7lmlTgFv75Myn7kdgFs115JjrIfLcuMePlw20I51CHQK/Fy4S+nqQsJEzT8nYZ0AM6iTUo8zOduLN7DpHn0yK2HNnKXFzCT6o9CGxtcOe+xxo4rL71YFiiGTxh/tk0qWELOeEk3MM4DPyO1qIJ3UNxqX22VGLVmSwTsa/9DKKhcA==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIID9DCCAtwCCQCOW98TM3+UkTANBgkqhkiG9w0BAQUFADCBuzELMAkGA1UEBhMCSlAxETAPBgNVBAgMCEthbmFnYXdhMREwDwYDVQQHDAhZb2tvaGFtYTEeMBwGA1UECgwVRlVKSVNPRlQgSU5DT1JQT1JBVEVEMSYwJAYDVQQLDB1JbmZvcm1hdGlvbiBTeXN0ZW0gRGVwYXJ0bWVudDEcMBoGA1UEAwwTZHNpZy5hdXRoLmZzaS5jby5qcDEgMB4GCSqGSIb3DQEJARYRbmV0d29ya0Bmc2kuY28uanAwHhcNMTEwNzA1MDUwMzQzWhcNMjUwMzEzMDUwMzQzWjCBuzELMAkGA1UEBhMCSlAxETAPBgNVBAgMCEthbmFnYXdhMREwDwYDVQQHDAhZb2tvaGFtYTEeMBwGA1UECgwVRlVKSVNPRlQgSU5DT1JQT1JBVEVEMSYwJAYDVQQLDB1JbmZvcm1hdGlvbiBTeXN0ZW0gRGVwYXJ0bWVudDEcMBoGA1UEAwwTZHNpZy5hdXRoLmZzaS5jby5qcDEgMB4GCSqGSIb3DQEJARYRbmV0d29ya0Bmc2kuY28uanAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDxnlGqyqFwM0KJ5q8boYVXFcUvFSNytBn/ek8hydCXVkKBp9XYccJMJ9Ntz7uplQO7bmD80q72Sdz8rPiVwgrncq03rgV4M9viyDZYkeqT20ZefKoOJ+a9k6/79vQQ7Zy7FUzsJiysrD6slseeBup4Jc1M0TYpxaQ6aoEOVq8MFz0NFMWGLADKfQwlQHZQEJO0jIzvXsm5q0aDL26TJ2q9DOsqktNYH5zjn0jx/+EHF7Qv+1G3L6Vwf91KRgf/K3xnimyx7/8mpnIbMfYEY5bC1Er4rWNyILOIn4Sim0ooKHPa4SIU9hQGlg6wGemzcJ6OME3qDCGvuxaN77PwuTMpAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAK5DMpCmlWgH2yHG+JtgHkZkn65tKuvgkijkUktdSZXdnEfJ7bYwwrLF/cSL3n317ZwRqsUux5ems7Ryzr2zoRnnexxpEMvjbVTC27nWTs+Z25DFVyDZt3+sc4pxGnq25rAjpu+U5GegM/stZPeM2bCp/hZODLinK8r0d7e5YszPbsAxJkEts6O3C30ivWTixpEa36exJTbTPTYkZ3/6sHvJECmUKd0es0yLB4yPylLbrq8Pky2YlcmvqfTU1uDGVzLq4f20j7iEPROMEf9kpcT+usW/gvjy9/lB9aa6uAlFwPXq0KViJzSixHEly8edKZ5zk3j7rqs6n5me4XUdjEM=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
    </Assertion>
</samlp:Response>

我们可以看到有两个ID。我正在使用 OpenSAML v3,它给出了加密签名验证失败。我尝试了各种方法,例如(.setID assertion "pfx1af01d88-2006-0901-3fa4-c54a400fad3c")在签名验证之前设置,但都失败了。

我的主要代码在 Clojure 中。我也在 Groovy 中进行原型设计。请参阅 groovy 脚本。

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
db = dbf.newDocumentBuilder();
ByteArrayInputStream bis = new ByteArrayInputStream(xml.getBytes());
doc = db.parse(bis);
nl = doc.getElementsByTagName("ds:Signature");

DOMValidateContext ctx = new DOMValidateContext(key, nl.item(0));
println nl.item(0).getParentNode().toString()
ctx.setIdAttributeNS((Element) nl.item(0).getParentNode(), null, "Id");

XMLSignatureFactory sigF = XMLSignatureFactory.getInstance("DOM");
XMLSignature xmlSignature = sigF.unmarshalXMLSignature(ctx);

println xmlSignature.validate(ctx)  // returns false

此验证在使用 C# 时成功,但在 Java 中不起作用。请帮忙。

4

1 回答 1

0

我进行了手动 XML-DSIG 验证。

于 2017-08-29T03:41:47.127 回答