
unable to find refereced xml

Open greenpau opened this issue 5 years ago • 2 comments

An attempt to sign the following response fails with `unable to find refereced xml`.

Relevant code follows:

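// getSigningKey loads an RSA private key from the PEM file at fp.
//
// The first PEM block in the file must be of type "RSA PRIVATE KEY"
// (PKCS#1) or "PRIVATE KEY" (PKCS#8 wrapping an RSA key). Any other block
// type, a PKCS#8 block holding a non-RSA key, an unreadable file, or data
// that is not PEM yields an error that names the path and wraps the
// underlying cause so callers can inspect it with errors.Is/errors.As.
func getSigningKey(fp string) (*rsa.PrivateKey, error) {
	fileContent, err := ioutil.ReadFile(fp)
	if err != nil {
		return nil, fmt.Errorf("reading signing key %q: %w", fp, err)
	}
	// Only the first PEM block is used; any trailing data is ignored on purpose.
	block, _ := pem.Decode(fileContent)
	if block == nil {
		return nil, fmt.Errorf("signing key %q: no PEM block found", fp)
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("signing key %q: parsing PKCS#1 key: %w", fp, err)
		}
		return key, nil
	case "PRIVATE KEY":
		// PKCS#8 is algorithm-agnostic; accept it only when it carries an RSA key,
		// since the caller needs an *rsa.PrivateKey for rsa-sha256 signing.
		parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("signing key %q: parsing PKCS#8 key: %w", fp, err)
		}
		key, ok := parsed.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("signing key %q: PKCS#8 block holds %T, want RSA private key", fp, parsed)
		}
		return key, nil
	default:
		return nil, fmt.Errorf("signing key %q: unexpected PEM block type %q, want RSA PRIVATE KEY or PRIVATE KEY", fp, block.Type)
	}
}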

...

    // XML Signing
    signingKey, err := getSigningKey("assets/idp/azure_ad_app_signing_pkcs1_key.pem")
    if err != nil {
        t.Fatalf("error parsing signing key: %s", err)
    }
    signer, err := signedxml.NewSigner(authRequestPayloadPlain.String())
    if err != nil {
        t.Fatalf("error initializing XML signer: %s", err)
    }
    signedAuthRequestPayloadPlain, err := signer.Sign(signingKey)
    if err != nil {
        t.Fatalf("error signing XML doc: %s", err)
    }


 <samlp:Response ID="_9eefb041-27fe-4014-bf4b-932cd5f7f5d5" Version="2.0" IssueInstant="2020-04-21T04:44:24.286Z" Destination="https://127.0.0.1:3443/saml" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
          <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/1b9e886b-8ff2-4378-b6c8-6771259a5f51/</Issuer>
          <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
          </samlp:Status>
          <Assertion ID="_7298c1f7-4411-4bc6-b8e4-77622e935418" IssueInstant="2020-04-21T04:44:23.125Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>https://sts.windows.net/1b9e886b-8ff2-4378-b6c8-6771259a5f51/</Issuer>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
              <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_0369ee56-8152-4f92-b8c3-e1481fe74300">
                  <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <DigestValue>asdf</DigestValue>
                </Reference>
              </SignedInfo>
              <SignatureValue>asdf</SignatureValue>
            </Signature>
            <Subject>
              <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID>
              <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2020-04-21T05:44:28.208Z" Recipient="https://127.0.0.1:3443/saml"/>
              </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2020-04-21T04:39:28.099Z" NotOnOrAfter="2020-04-21T05:44:28.208Z">
              <AudienceRestriction>
                        <Audience>urn:caddy:mygatekeeper</Audience>
              </AudienceRestriction>
            </Conditions>
            <AttributeStatement>
              <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>1b9e886b-8ff2-4378-b6c8-6771259a5f51</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>158d7011-cfd7-41b8-b456-8a8264ac5a04</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>Greenberg, Paul</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/1b9e886b-8ff2-4378-b6c8-6771259a5f51/</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
                <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
                <AttributeValue>AzureAD_Editor</AttributeValue>
                <AttributeValue>AzureAD_Viewer</AttributeValue>
                <AttributeValue>AzureAD_Administrator</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>Paul</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>Greenberg</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>[email protected]</AttributeValue>
              </Attribute>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>[email protected]</AttributeValue>
              </Attribute>
              <Attribute Name="http://claims.contoso.com/SAML/Attributes/RoleSessionName">
                <AttributeValue>[email protected]</AttributeValue>
              </Attribute>
              <Attribute Name="http://claims.contoso.com/SAML/Attributes/Role">
                <AttributeValue>AzureAD_Editor</AttributeValue>
                <AttributeValue>AzureAD_Viewer</AttributeValue>
                <AttributeValue>AzureAD_Administrator</AttributeValue>
              </Attribute>
              <Attribute Name="http://claims.contoso.com/SAML/Attributes/MaxSessionDuration">
                <AttributeValue>3600</AttributeValue>
              </Attribute>
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2020-04-21T05:44:28.358Z" SessionIndex="_7298c1f7-4411-4bc6-b8e4-77622e935418">
              <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
              </AuthnContext>
            </AuthnStatement>
          </Assertion>
        </samlp:Response>

greenpau commented Apr 21 '20 04:04

It looks like the issue is with the sample XML you provided. There isn't an ID anywhere in the document that matches the Reference URI (_0369ee56-8152-4f92-b8c3-e1481fe74300).

ma314smith commented May 06 '20 21:05

@ma314smith , thank you! :+1: I found an open PR and thought it was relevant, but never got back to it :-(

greenpau commented May 06 '20 23:05

@greenpau were you able to resolve this? Or is it still an open issue?

adamdecaf commented Apr 21 '23 18:04