Windows 8 Receipt (xml-crypto issue, 22 comments, closed)

tamasflamich commented on July 28, 2024
Windows 8 Receipt

from xml-crypto.

Comments (22)

yaronn commented on July 28, 2024

Hi

Check this out:

http://webservices20.blogspot.co.il/2013/06/validating-windows-mobile-app-store.html

Try adding the ignoreWhiteSpace flag.


tamasflamich commented on July 28, 2024

Thank you for the quick response!

Sadly, that was not enough. However, I found the appropriate unit test (it was commented out, though) and tuned my code based on it. I had to include xmldom-fork-fixed instead of xmldom.

Now the validation works flawlessly.

Thanks a lot!


whirp commented on July 28, 2024

I have the same problem with node.js, but with the example code from yaronn and the original key client.pem and certificate client_public.pem (from the example, I mean) it works!!
Could you tell me the openssl command to generate this key and certificate with the correct digest? I see the xml-crypto module adds by default the Id="_0" and .

This is my error message:
[ 'invalid signature: for uri #_0 calculated digest is hIflRJ+pZue4ex+iYTJ7eBMuIKM= but the xml to validate supplies digest dSA638MD80Znh+XZ5wvYOO6mQZo=' ]
signature not valid

Thanks


yaronn commented on July 28, 2024

The error indicates a digest issue. This means the error is not related to keys but to the calculation of the xml digest. This may be related to white space in the xml (see #43). The sample unit test used to use a fork of xmldom (xmldom-fork-fixed) and now just removes white space manually. Can you check in that direction (manually remove spaces or use xmldom-fork-fixed)?


whirp commented on July 28, 2024

OK thanks, now using ignoreWhiteSpace it is working. (I've tested with the example https://github.com/yaronn/xml-crypto/tree/master/example, adding some white space to the generated xml.)

This is my code for validating the xml:

var select = require('xml-crypto').xpath
  , dom = require('xmldom-fork-fixed').DOMParser
  , SignedXml = require('xml-crypto').SignedXml
  , FileKeyInfo = require('xml-crypto').FileKeyInfo
  , fs = require('fs');

function validateXml(xml, key) {
  // parse with the xmldom fork so inter-element white space is dropped,
  // then reserialize so the string and the DOM agree
  var doc = new dom({ignoreWhiteSpace: true}).parseFromString(xml);
  xml = doc.firstChild.toString();
  // select the ds:Signature element that is a direct child of the root
  var signature = select(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];
  console.log(signature);
  var sig = new SignedXml();
  sig.keyInfoProvider = new FileKeyInfo(key);
  sig.loadSignature(signature.toString());
  var res = sig.checkSignature(xml);
  if (!res) console.log(sig.validationErrors);
  return res;
}

var signedXml = fs.readFileSync("./signed.xml").toString();
console.log("validating signature...");
// validate an xml document
if (validateXml(signedXml, "./fd.crt"))
  console.log("signature is valid");
else
  console.log("signature not valid");


whirp commented on July 28, 2024

Another problem: I have to attach an XML signature to an existing SAML xml.
But the ignoreWhiteSpace of xmldom-fork-fixed seems not to work, and I get the same old error:

[ 'invalid signature: for uri #_0 calculated digest is pj3uKFLHkDjtGylhhmUdISufD4M= but the xml to validate supplies digest fSOT8kVoflrI6dcjZTidMnNKx30=' ]

What's wrong with it?

Here is the xml after ignoreWhiteSpace:

<?xml version="1.0"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://111.111.11.1111:8000" Id="_0"><SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDrzCCApegAwIBAgIJAKvU9k8+fs5uMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV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</ds:X509Certificate></ds:X509Data></ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/></KeyDescriptor><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://111.111.11.111:8000/saml/callback"/></SPSSODescriptor><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_0"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>fSOT8kVoflrI6dcjZTidMnNKx30=</DigestValue></Reference></SignedInfo><SignatureValue>EFw27wT4EbzkAG8khi1AUJqtT306lE10u3roQOaP8p5BKKWHeORVRJO2VgsnVkG5ltupzzhzuYkujCoydp2FWGyev5Ma4IuS4j223vfdddesivkKeChEPbtwru5eHYqzlS+WFsRVnV9lYXI1wi6Y+v+VdmvFGEhcPBPpkMJQWjc=</SignatureValue></Signature></EntityDescriptor>

This is the little change in the js:

 var doc = new dom({ignoreWhiteSpace: true}).parseFromString(xml);
 xml = doc.toString();


yaronn commented on July 28, 2024

This flag is not supported by xmldom.
Either use require('xmldom-fork-fixed') (install it first) or strip the whitespace manually:
xml = xml.replace(/>\s*</g, '><');


yaronn commented on July 28, 2024

By the way, do you also verify a signature that originates from a Microsoft .Net / Windows Store signature?

Trying to understand if this originates from this issue or not:
http://webservices20.blogspot.co.il/2013/06/validating-windows-mobile-app-store.html


whirp commented on July 28, 2024

I'm already using your fork (https://www.npmjs.com/package/xmldom-fork-fixed - https://github.com/yaronn/xmldom).
But it seems not to work with my existing xml.


yaronn commented on July 28, 2024

Do you mean that the following produce different digests?

  1. use xmldom-fork-fixed with ignoreWhiteSpace: true
  2. using regular xmldom but manually stripping white space


whirp commented on July 28, 2024

Solution 1 works with basic xml (like the example https://github.com/yaronn/xml-crypto/tree/master/example) but not with my SAML xml.

Solution 2 doesn't work with my SAML xml; I didn't try it with the example code, but that's irrelevant.


yaronn commented on July 28, 2024

Previously you wrote "without white space is working". So when you manually remove white space it is working, but xmldom-fork-fixed as well as option #2 do not strip the white space correctly?


whirp commented on July 28, 2024

I've corrected my first post in the discussion.
Your fork with ignoreWhiteSpace is working for me only on a basic xml (<library><book> etc.).
When I try it on a more complex xml it doesn't work, nor with manual removal of white space, of course.

There is something else wrong in my XML (maybe the carriage returns??):

<?xml version="1.0"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://111.111.11.1111:8000" Id="_0"><SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDrzCCApegAwIBAgIJAKvU9k8+fs5uMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV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</ds:X509Certificate></ds:X509Data></ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/></KeyDescriptor><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://111.111.11.111:8000/saml/callback"/></SPSSODescriptor><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_0"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>fSOT8kVoflrI6dcjZTidMnNKx30=</DigestValue></Reference></SignedInfo><SignatureValue>EFw27wT4EbzkAG8khi1AUJqtT306lE10u3roQOaP8p5BKKWHeORVRJO2VgsnVkG5ltupzzhzuYkujCoydp2FWGyev5Ma4IuS4j223vfdddesivkKeChEPbtwru5eHYqzlS+WFsRVnV9lYXI1wi6Y+v+VdmvFGEhcPBPpkMJQWjc=</SignatureValue></Signature></EntityDescriptor>


yaronn commented on July 28, 2024

Can you try to manually remove all the CRs (in particular the base64 is broken into a few lines) and check if that works?

Also, I want to make sure we have a clear baseline for comparison. Can you sign the xml with nodejs (xml-crypto)? The result should be the same digest (if you use the same key as the original signature, also the same signature value, but that is not critical). This will be easier to debug / compare. Also, the signature appears inside the signed element (the one with id 0). Usually the signature would have to have an "enveloped" transportation element, which I do not see here. So when you sign the xml with node you should remove the signature element before that.


whirp commented on July 28, 2024

I've found the problem.
I always use the signature reference to the root element and this doesn't work.
Now I've tried setting the reference to the first child and sig.checkSignature(xml); returns ok.

But this isn't what I want for my SAML implementation; I have to find another solution to set the reference on EntityDescriptor (root elem).

This is the code for adding the signature; I've commented out the reference to the root element and added it to the first child instead.

var SignedXml = require('xml-crypto').SignedXml , fs = require('fs');
var xml = fs.readFileSync("./metadataSP.xml").toString();
var sig = new SignedXml();
//sig.addReference("//*[local-name(.)='EntityDescriptor']") ; 
sig.addReference("//*[local-name(.)='SPSSODescriptor']") ;  
sig.signingKey = fs.readFileSync("./signer.key");
sig.computeSignature(xml);
fs.writeFileSync("signed.xml", sig.getSignedXml());

This is for validating the signature:

var select = require('xml-crypto').xpath
  , dom = require('xmldom-fork-fixed').DOMParser
  , SignedXml = require('xml-crypto').SignedXml
  , FileKeyInfo = require('xml-crypto').FileKeyInfo
  , fs = require('fs');

function validateXml(xml, key) {
  // parse with the xmldom fork so inter-element white space is dropped,
  // then reserialize the whole document (including the XML declaration)
  var doc = new dom({ignoreWhiteSpace: true}).parseFromString(xml);
  xml = doc.toString();
  console.log(xml);
  // select the ds:Signature element that is a direct child of the root
  var signature = select(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];
  var sig = new SignedXml();
  sig.keyInfoProvider = new FileKeyInfo(key);
  sig.loadSignature(signature.toString());
  var res = sig.checkSignature(xml);
  if (!res) console.log(sig.validationErrors);
  return res;
}

var signedXml = fs.readFileSync("./signed.xml").toString();
console.log("validating signature...");
// validate an xml document
if (validateXml(signedXml, "./fd.crt"))
  console.log("signature is valid");
else
  console.log("signature not valid");

This is the xml (validates OK). The Id="_0" is now on SPSSODescriptor:

<?xml version="1.0"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://111.111.11.111:8000"><SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" Id="_0"><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/></KeyDescriptor><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://111.111.11.111:8000/saml/callback"/></SPSSODescriptor><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_0"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>VycvcgQoTvLSh5cfVmTyohmM8DE=</DigestValue></Reference></SignedInfo><SignatureValue>I9kdkjMYCI6P6J2tMgv2kyOTy8nIoJBYcVczN/XgOshMUudFoYVu8rsNLKgZ54g/1PTM9RdF4+Uxvz1uwKFYUJaVUPg3MxRUjH/TFecQ9Upfqp8DDcbAFD6BjIKwPMaG1gS70p9dKuGGnCB9Ijk5RERLGasuyN+tqo3YsMBiM80=</SignatureValue></Signature></EntityDescriptor>


yaronn commented on July 28, 2024

If you want the validator to ignore the signature element (which I assume is why the validation fails) you should add this transformation to the signature reference:

http://www.w3.org/2000/09/xmldsig#enveloped-signature

On Thu, Mar 26, 2015 at 2:40 PM, whirp wrote:

I've found the problem.
I always use the signature reference to the root element and this doesn't work.
Now I've tried setting the reference to the first child and sig.checkSignature(xml); returns ok.



whirp commented on July 28, 2024

The enveloped-signature transformation doesn't work:

[ 'invalid signature: for uri #_0 calculated digest is xqA7t3ncIEdfHn1qGfEU8FmAuA4= but the xml to validate supplies digest vobw10J3FU8DFcrAZnfVcVlrV3Y=' ]
signature not valid

My code to generate the xml:

var SignedXml = require('xml-crypto').SignedXml
  , fs = require('fs');

var xml = fs.readFileSync("./metadataSP.xml").toString();
var sig = new SignedXml();

// register a custom transform under the name "myTrasform" and reference the
// root element with it (MyTransformation is hoisted, so it may be defined below)
SignedXml.CanonicalizationAlgorithms["myTrasform"] = MyTransformation;
sig.addReference("//*[local-name(.)='EntityDescriptor']", ["myTrasform"]);

sig.signingKey = fs.readFileSync("./signer.key");
sig.computeSignature(xml);
fs.writeFileSync("signed.xml", sig.getSignedXml());

function MyTransformation() {
  /* given a node (from the xmldom module) return its canonical representation (as string) */
  this.process = function(node) {
    // you should apply your transformation before returning
    // (as written, the node is returned unchanged, so nothing is removed from it)
    return node.toString();
  };
  // the algorithm URI written into the <Transform> element of the signature
  this.getAlgorithmName = function() {
    return "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
  };
}

The xml, which contains neither white space nor CR:

<?xml version="1.0"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://111.111.11.111:8000" Id="_0"><SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/></KeyDescriptor><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://111.111.11.111:8000/saml/callback"/></SPSSODescriptor><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_0"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>vobw10J3FU8DFcrAZnfVcVlrV3Y=</DigestValue></Reference></SignedInfo><SignatureValue>sFZNTVVWz2OjKrfu+6uXuLkzrYrbqiLDIQCrQ7OTifB3NM3pD0CbyGLbnVPlUUtp20f+SofBT93qyi6c7rVDCzQW6BLbzjB0x9DMPmp9OMVFWX8F/sPdiUnXJTBJeje1wD0amE4EunVfYwB+AL3PmZ35qrQpW1cCg8GRfQ3g0i4=</SignatureValue></Signature></EntityDescriptor>

My validation code:

var select = require('xml-crypto').xpath
  , dom = require('xmldom-fork-fixed').DOMParser
  , SignedXml = require('xml-crypto').SignedXml
  , FileKeyInfo = require('xml-crypto').FileKeyInfo
  , fs = require('fs');

function validateXml(xml, key) {
  // parse with the xmldom fork so inter-element white space is dropped,
  // then reserialize and keep a copy of exactly what gets verified
  var doc = new dom({ignoreWhiteSpace: true}).parseFromString(xml);
  xml = doc.toString();
  console.log(xml);
  fs.writeFileSync("signed_bad.xml", xml);
  // select the ds:Signature element that is a direct child of the root
  var signature = select(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];
  //console.log(signature);
  var sig = new SignedXml();
  sig.keyInfoProvider = new FileKeyInfo(key);
  sig.loadSignature(signature.toString());
  var res = sig.checkSignature(xml);
  if (!res) console.log(sig.validationErrors);
  return res;
}

var signedXml = fs.readFileSync("./signed.xml").toString();
console.log("validating signature...");
// validate an xml document
if (validateXml(signedXml, "./fd.crt"))
  console.log("signature is valid");
else
  console.log("signature not valid");


yaronn commented on July 28, 2024

Hi @whirp

Let me understand your use case: are you signing an xml, verifying a signature, or both?
After you sign the root, you want to put the signature as its child?
In the validation you want to pass the full root (with the signature inside it)? You mentioned it is working if you manually pull the signature out (or was it signing/verifying a child node?) - is it an acceptable workaround for now?


whirp commented on July 28, 2024

I'm signing a SAML xml and verifying the signature (both).
I have to put the signature only in the root elem (EntityDescriptor).
It's working only when I put the signature on the first child (but this is not my scenario); it's not working with the signature on the root elem (EntityDescriptor), and this is what I want.


yaronn commented on July 28, 2024

When you sign, please use this code:

sig.addReference("//*[local-name(.)='EntityDescriptor']", ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"], "http://www.w3.org/2000/09/xmldsig#sha1", "", "", "", true)

Let me know how it goes.


whirp commented on July 28, 2024

Finally it works!!!
I understand that if I have to add the signature to the entire xml document the <Reference URI="">

<?xml version="1.0"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://111.111.11.111:8000"><SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/></KeyDescriptor><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://111.111.11.111:8000/saml/callback"/></SPSSODescriptor><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>I5O1ubUSi+2JKxiTPMGPsRwyWNw=</DigestValue></Reference></SignedInfo><SignatureValue>ZfQsqxtaZZdgKpg4SLUmXfU1CfD0Zr0pIsI0lLP5s6HYFq5ZKeO/prsHSSY54Y3DM3oFlz7MymgTtBqaHT0+IlEiMYi4KWEghcHl/ySLZ+TuohxwITRSap8qmAvtLvWOTREjMf7URPYB9QWMAVwWtiX2h3arNI6/75zIBiA1AbY=</SignatureValue></Signature></EntityDescriptor>

thank you so much for your help @yaronn


yaronn commented on July 28, 2024

Great to hear that!

