无法弄清楚为什么SAMLMessageSignature.Verify返回false

时间:2015-02-06 14:06:22

标签: c# saml-2.0 shibboleth component-space

我已将Shibboleth设置为IdP,使用其默认凭据(与安装程序捆绑在一起的证书)。我认为它使用idp-signing.crt证书来签署SAML响应。使用LowLevelAPI ShibbolethSP示例项目,只要我注释掉了#34;验证响应的签名"码。我确保在Global.asax.cs,Application_Start中添加了SHA-256 XML签名支持。消息签名验证总是返回false,即使我将idp-signing.crt文件复制到示例目录并将其作为X509Certificate2对象加载,并将其传递到:

bool retVal = SAMLMessageSignature.Verify(samlResponseXml, x509Certificate);  // is false

当我没有传递第二个参数时,甚至返回false,使用签名中包含的密钥信息来执行验证:

bool retVal = SAMLMessageSignature.Verify(samlResponseXml);  // is false

我无法弄清楚此验证失败的原因。以下是从Shibboleth发回的SAML响应(由FOXE格式化,但未更改):

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://localhost:65231/SAML/AssertionConsumerService.aspx" ID="_b69dae7dd40119cff94ece076e338e82" InResponseTo="_031b0667-d6e5-4845-add1-f82748afe0e6" IssueInstant="2015-02-06T14:07:47.193Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:3380/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_b69dae7dd40119cff94ece076e338e82">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>kL7hYIdYRk+x27VboYeYmIzOSfokmY8iPfucnFzI5Nk=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
V/bRv+kjvXcTOQs3d2TjyB4d0fjW5xSl5/8RJzCf1K988DsUWVqZEswxo4iqPVsjQgkelppbcnPa
9UTjLJLIQLg6ztXrfaXYE6iHZcYw58upBcnTXgNGuKazvLm6j2wxBtm5RNe8I4vO0YtDvV3GNf6X
qVICZlhp7VC0bNiCMr7zVXcw0E4ZfCSJt3Tph9MGKK6KrSXzVSpsyagtvBnmDx2CpI+O0hW92ekk
CjjkPcvY0lfl3rYdN/xpUqsJgc6HfhnBeU+y+RgEyb0eLuN/aZBOfiWMSAtMkJhcaoESwBtlaFg/
m46jdarT6ZDGfU9J4JnOzkAHlr8nMlEKcEzD8g==
</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDIDCCAgigAwIBAgIVANgMuf9G9xkZYBghdEkxjLMPwHJhMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDWlzYW1zLXdyay0wNjAwHhcNMTUwMjA0MTU0MjQ1WhcNMzUwMjA0MTU0MjQ1WjAYMRYw
FAYDVQQDDA1pc2Ftcy13cmstMDYwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3l+
c0OfVj6Qex2Rwd+katoP9BLsrur/aR19mfepT5E2E/2TDWkl+dY87O4eS/J/NKTftS0MeL8qhoZB
Hf3y/zetOayoqhW5eCsrWwsY4HuVBhBBctuv0xdBmQPUP8Avmdr83Ps0xvCu2661aAz5SRA1SOlP
QbE/STLnDoFORhaoVAFHUq0zIscjCwUFrhHvEQZQWMTeaDCZdSP6jFmZ6SCWJCvjq7FIz5KbPh5p
IBhaWUVIoGEg3gwGKEt25sZ6y7RSFnqEzWgJhUoHE8HgL4inGulTIeeESxztQqdRK7lkTz1VwwO/
zulQdwcw1xWQc6JOMDh9wqJxcMQOZ2OlgQIDAQABo2EwXzAdBgNVHQ4EFgQUDAZa8uahYPYMrzbv
P8+PRP47IzEwPgYDVR0RBDcwNYINaXNhbXMtd3JrLTA2MIYkaHR0cHM6Ly9pc2Ftcy13cmstMDYw
L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQCLh6w9di9jggroTxCsX30eqVv+DSfG
vOy1Ajj9ZFbXz5N7lhnwiLnWkiC4sx9Ls4cObj9AmGCAw/G2VOv2DRfRujFt0QTRfervmT1dJADv
m2RsV4vq13Kbj5fh6ThCzTMU+XsRc6dY2KRiDMrR3ofdqIl90U4J4NeyFYvIwEKHSDrnLM2Fp6tu
pWso0hDDSszuIKlhTue0kKXLpiJMEvc06mCqA8XZCCj26D6DdTNUI24puTfUELWXSMflD2/lg0/w
L1k/5kVbgT4vqVci6Sz9ggi8mge2zjRtx4JkHIjXc20e43oRPh7LF/2wQVqiobmZQYzvMi5TPY1x
w0oA4g5A</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="_9d0be4db6f36fbd7026dc1efd7dfc224" IssueInstant="2015-02-06T14:07:47.193Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>http://localhost:3380/idp/shibboleth</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#_9d0be4db6f36fbd7026dc1efd7dfc224">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>hR6KDOh+st3yunebqeUz4aqHMin/5rc6gHrkIwgypLc=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
V9BB0UEBqsBGsiUHbVH8mw8sG52pLI6ec/lGMCqeNGqTUYF8HwOPpjkViJ/Pz91HRFIgRoPlVqHy
dRGMAJFpYvakOh/vB1+GP3T0Jh20gF8I7JfzOfMwuF8A5ryEdoxB6JQp0AR6mEXi88RPFfWrAmB1
G/mTt6Q94uW0lrqfiyphp49K6HNhRvyIOCOLWtthBdnMQPLlCh6NAMaJAh+2dzx2CjeT4P58H9FP
ANJQxB+JR3J2cum5XVn+Rrrx6fiL640I514G0dDu2bi4InXMGH/mKXVCLQX4w/1g0fGv/icrdY9H
734JhawjfY/+NfO4Fj3+E6Yx3+k8ytku0qUZkw==
</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDIDCCAgigAwIBAgIVANgMuf9G9xkZYBghdEkxjLMPwHJhMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDWlzYW1zLXdyay0wNjAwHhcNMTUwMjA0MTU0MjQ1WhcNMzUwMjA0MTU0MjQ1WjAYMRYw
FAYDVQQDDA1pc2Ftcy13cmstMDYwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3l+
c0OfVj6Qex2Rwd+katoP9BLsrur/aR19mfepT5E2E/2TDWkl+dY87O4eS/J/NKTftS0MeL8qhoZB
Hf3y/zetOayoqhW5eCsrWwsY4HuVBhBBctuv0xdBmQPUP8Avmdr83Ps0xvCu2661aAz5SRA1SOlP
QbE/STLnDoFORhaoVAFHUq0zIscjCwUFrhHvEQZQWMTeaDCZdSP6jFmZ6SCWJCvjq7FIz5KbPh5p
IBhaWUVIoGEg3gwGKEt25sZ6y7RSFnqEzWgJhUoHE8HgL4inGulTIeeESxztQqdRK7lkTz1VwwO/
zulQdwcw1xWQc6JOMDh9wqJxcMQOZ2OlgQIDAQABo2EwXzAdBgNVHQ4EFgQUDAZa8uahYPYMrzbv
P8+PRP47IzEwPgYDVR0RBDcwNYINaXNhbXMtd3JrLTA2MIYkaHR0cHM6Ly9pc2Ftcy13cmstMDYw
L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQCLh6w9di9jggroTxCsX30eqVv+DSfG
vOy1Ajj9ZFbXz5N7lhnwiLnWkiC4sx9Ls4cObj9AmGCAw/G2VOv2DRfRujFt0QTRfervmT1dJADv
m2RsV4vq13Kbj5fh6ThCzTMU+XsRc6dY2KRiDMrR3ofdqIl90U4J4NeyFYvIwEKHSDrnLM2Fp6tu
pWso0hDDSszuIKlhTue0kKXLpiJMEvc06mCqA8XZCCj26D6DdTNUI24puTfUELWXSMflD2/lg0/w
L1k/5kVbgT4vqVci6Sz9ggi8mge2zjRtx4JkHIjXc20e43oRPh7LF/2wQVqiobmZQYzvMi5TPY1x
w0oA4g5A</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://localhost:3380/idp/shibboleth" SPNameQualifier="http://localhost:65231/SAML/metadata.xml">AAdzZWNyZXQxpeMWTEyWX1tgYmk7ixdbi775mfBFBHikiub8dsf7HLwD2Xo5yPhD2HL21GF3Hle9oYEQCMFJ3R2dxZ8y22FknvLoGmDZ++VdymaQB0WpEaMzy3Ox9g8X6ALYMdZWedk78uCbpSvjpqdCM4Lhi13VdAQqvAs=</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="127.0.0.1" InResponseTo="_031b0667-d6e5-4845-add1-f82748afe0e6" NotOnOrAfter="2015-02-06T14:12:47.236Z" Recipient="http://localhost:65231/SAML/AssertionConsumerService.aspx"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2015-02-06T14:07:47.193Z" NotOnOrAfter="2015-02-06T14:12:47.193Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>http://localhost:65231/SAML/metadata.xml</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2015-02-06T14:07:47.057Z" SessionIndex="_267b5fd351054d45e5961e83427483fe">
            <saml2:SubjectLocality Address="127.0.0.1"/>
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="username" Name="urn:ecolint.ch:attribute-def:username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Jeremy.Morton</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

有谁能告诉我为什么验证方法可能总是返回false?

1 个答案:

答案 0 :(得分:0)

来自Testshib的断言已加密。 我使用组件空间的低级api。我们是许多客户的SP,并支持众多idP的

SAMLResponse类有三个方法我用来测试idP中的断言。

首先我尝试.GetAssertions()。 如果没有返回断言,我会尝试.GetSignedAssertion(证书)。 如果那不能返回断言,我试试.GetEncryptedAssertions() 最后一个是我得到Testshib断言的地方。 然后,如果您使用的是X509Certificate2,则在加载pfx文件时,必须使用X509KeyStorageFlags.Exportable创建该对象。如果不是,私钥将始终为空。

我这样做:

    var key = pfxCertificate.PrivateKey;

    if (key==null)
    {
        throw new NullReferenceException("pfx private key is null");
    }

    foreach (var encryptedAssertion in encryptedAssertions)
    {
        assertions.Add(encryptedAssertion.Decrypt(key, null));
    }

    if (assertions.Count > 0)
    {
        samlAssertion = assertions[0];
    }

最后,如果您更改了SP元数据证书,则必须在注册选项卡上将其再次上传到Testshib。加密的断言使用您的证书进行加密。因此,您使用私钥进行解密。如果这与上传到Testshib的内容不匹配,则永远不会解密。 确保您的SP元数据的文件名在世界上是唯一的,例如 CrazyLikelyUniqueInTheWorld2939596.xml 否则,如果您将其命名为spmetadata.xml,则其他人将覆盖Testshib上的SP测试元数据

相关问题
最新问题