
Mismatch SignatureValue compared to samltool

Open sweetodev opened this issue 6 years ago • 1 comment

xml-crypto does not generate the correct SignatureValue for the signature. I have verified this by feeding the same XML to xml-crypto repeatedly, and the output does not match.

The SignatureValue produced by samltool is accepted by the SP, but the one xml-crypto generates is not.

The DigestValue, however, is correct and matches the one from samltool.

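return new Promise(function (resolve, reject) {
    // The xml-crypto calls below are synchronous; the Promise only adapts them
    // to the caller's async interface. The try/catch makes every failure
    // (missing key file, bad XPath, signing error) surface as a rejection
    // instead of relying on the executor's implicit throw-to-reject behaviour.
    const { SignedXml } = require('xml-crypto');
    const fs = require('fs');

    try {
        const sig = new SignedXml();

        // PEM private key read from disk. The certificate embedded in KeyInfo
        // further down must be the one issued for this key, otherwise the SP
        // cannot verify the SignatureValue even though signing "succeeds".
        sig.signingKey = fs.readFileSync(self.privateKey);

        // Algorithms are kept identical to the samltool configuration so the two
        // outputs are comparable. Both rsa-sha1 and the sha1 digest below rely on
        // SHA-1, which is deprecated for XML signatures; the SHA-256 equivalents
        // are the usual choice once the comparison is no longer needed.
        sig.canonicalizationAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
        sig.signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

        // One Reference covering the whole <Response>. The enveloped-signature
        // transform strips the <ds:Signature> element itself from the digested
        // bytes, then exclusive C14N normalises what is left. The Reference URI
        // is presumably taken from the element's existing ID attribute (as in
        // the reported output, URI="#pfx..."); verify the Response carries the
        // same ID that samltool signed against.
        sig.addReference(
            "//*[local-name()='Response']",
            [
                "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                "http://www.w3.org/2001/10/xml-exc-c14n#",
            ],
            "http://www.w3.org/2000/09/xmldsig#sha1"
        );

        // KeyInfo carries the X.509 certificate the SP should verify against.
        // A plain object is enough here; the previous `new (function () {...})`
        // constructor-IIFE produced the same shape. The `ds:` prefix is
        // hard-coded to match the `prefix` option passed to computeSignature.
        sig.keyInfoProvider = {
            getKeyInfo() {
                return `<ds:X509Data><ds:X509Certificate>${self.getPublicKey()}</ds:X509Certificate></ds:X509Data>`;
            },
        };

        // SignatureValue is RSA PKCS#1 v1.5 over the canonicalised <ds:SignedInfo>,
        // so it is deterministic: same key + byte-identical SignedInfo => same
        // value. If DigestValue matches another tool but SignatureValue does not,
        // the difference is in the SignedInfo bytes (whitespace, namespace
        // declarations, Reference URI) or in the key pair, not in the signed
        // document itself.
        sig.computeSignature(xml, {
            prefix: 'ds',
            location: { reference: "//*[local-name(.)='Issuer']", action: "after" }, // place the signature after the Issuer
        });

        resolve(sig.getSignedXml());
    } catch (err) {
        reject(err);
    }
});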

Generated XML signature:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#pfx238f2615-2267-6ee6-efa9-24dd82d85764">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>6okYcbSa3y18LSbOBJTMMWN7/Rs=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
        ULNmpuKwXwHwqUMybbwnupC/y9WZohGBx9Y.....NQVwpNC+sBc6etPhSq5BVw==
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                MIIDuDCCAqACCQD.......Zsb3JpZGExDuJ/M7+/P+enkq9Vx0thQHUaI+ndr1gpZE=
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>

sweetodev avatar Nov 15 '19 06:11 sweetodev

@sweetodev, this certainly sounds like something we'd like to address. Could you please create a PR with a test suite that reproduces the problem, including notes on how you signed the document at SAML Tool? That would really help everyone get to the bottom of this, as you aren't the first person to report difficulty getting signatures to match.

cjbarth avatar May 29 '23 21:05 cjbarth