'Malformed reference element' when checking a SAML signature

Date: 2017-08-03 15:40:55

Tags: c# saml

So far I have almost no experience with signed XML, and now I have run into this exception. The .NET code is pretty much what you find in every related question, so I assume the problem is the XML itself. From what I have read here, there may be a problem with colons in certain elements (?) and I may need to extend the SignedXml class (https://stackoverflow.com/a/41723450/1228836), but I don't know whether that's really the problem.

using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SamlCheck
{
    private static void ValidateSamlString(String samlString)
    {
        XmlDocument xmlDoc = new XmlDocument();
        xmlDoc.LoadXml(samlString);

        XmlNodeList nodeList = xmlDoc.SelectNodes("//*[local-name()='Signature']");

        foreach (XmlNode node in nodeList)
        {
            // Re-parse the signed parent element (the Assertion) into its own document
            XmlDocument doc = new XmlDocument();
            doc.LoadXml(node.ParentNode.OuterXml);
            XmlElement signature = doc.SelectSingleNode("//*[local-name()='Signature']") as XmlElement;

            SignedXml signedXml = new SignedXml(doc);
            signedXml.LoadXml(signature);
            // Certificate is taken from the token's own KeyInfo
            KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();

            X509Certificate2 cert = x509Data.Certificates[0] as X509Certificate2;

            // Store is opened here but not used further down
            X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);

            bool isVerified = signedXml.CheckSignature(cert, true); // EXCEPTION HERE!!!!

            Console.WriteLine("Verified: {0}", isVerified);
        }
    }
}

The whole XML:

<t:RequestSecurityTokenResponse Context="https://www.example.com/" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-08-03T13:27:40.285Z</wsu:Created>
    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-08-03T17:27:40.285Z</wsu:Expires>
</t:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://www.example.com/dev</Address>
    </EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_7696ff3c-9291-4391-92a2-ed4255bde0ee" Issuer="http://www.latvija.lv/sts" IssueInstant="2017-08-03T13:27:40.285Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml:Conditions NotBefore="2017-08-03T13:27:40.285Z" NotOnOrAfter="2017-08-03T17:27:40.285Z">
            <saml:AudienceRestrictionCondition>
                <saml:Audience>https://www.example.com/dev</saml:Audience>
            </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AttributeStatement>
            <saml:Subject>
                <saml:NameIdentifier Format="urn:ivis:100001:name.id-viss">PK:11111111111</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="https://ivis.eps.gov.lv/test.sts/1.1" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                <saml:AttributeValue>11111111111</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="https://ivis.eps.gov.lv/test.sts/1.1" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                <saml:AttributeValue>John</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="https://ivis.eps.gov.lv/test.sts/1.1" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                <saml:AttributeValue>Doe</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
        <saml:AuthenticationStatement AuthenticationMethod="urn:ivis:100001:am-idp40-wif" AuthenticationInstant="2017-08-03T13:27:40.082Z">
            <saml:Subject>
                <saml:NameIdentifier Format="urn:ivis:100001:name.id-viss">PK:11111111111</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:SubjectLocality IPAddress="87.255.255.255" />
        </saml:AuthenticationStatement>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_7696ff3c-9291-4391-92a2-ed4255bde0ee">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>Oh+ibZRKLu3KtfKd7dSJ8m9GR84=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>W/uSsu0SzPHATCtXQzT8FgYNeelvBM+oRtqHH6wQcW2n2i84/kv9cqqylf5pBwps0oxhhr7KvOACu4w+gvR1KDCKvN2alu9/BglisqGoK48IjdjJ1Fi9P4OSyk/MRZrEXu13F9qAIYcklhdYH3Rpb7t3bLBNimQVpoWRqqWH7wC28WIAF/GincVCS0GMaLwYDSunqg6r8I12XWTvGKgz6/z+vyMUgltSCNfKpHg+FOLTH+Ze1/RO3GAv+6wSkyRbWoWMM9FyI/mIefCAMkGi/2ZC4Zw4KGzmRzk+S+ekdkbdOQAHt9XONW0Fqn9LL7/1kbEuZzY93kJFGYwWgA05KA==</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>…</X509Certificate>
                </X509Data>
            </KeyInfo>
        </ds:Signature>
    </saml:Assertion>
</t:RequestedSecurityToken>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>

The exception I get is:

System.Security.Cryptography.CryptographicException: Malformed reference element.
 at System.Security.Cryptography.Xml.Reference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList)
 at System.Security.Cryptography.Xml.SignedXml.CheckDigestedReferences()
 at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
 at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)

0 answers:

No answers
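The exception arises because .NET's SignedXml resolves a `#fragment` Reference URI only through attributes named Id, id or ID, while a SAML 1.1 Assertion carries its identifier in AssertionID, so the Reference in the token above cannot be resolved. The following is an added example, not code from the poster, that overrides GetIdElement for that attribute, checks that the Reference covers the Assertion being validated, and verifies against a signer certificate supplied from configuration rather than the one embedded in KeyInfo; the names `Saml11SignedXml`, `SamlValidator` and `expectedSigner` are assumptions.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// .NET's SignedXml only resolves "#..." references through attributes named Id/id/ID;
// SAML 1.1 carries the assertion identifier in AssertionID, so resolve that name too.
public sealed class Saml11SignedXml : SignedXml
{
    private const string SamlNs = "urn:oasis:names:tc:SAML:1.0:assertion";
    public Saml11SignedXml(XmlDocument doc) : base(doc) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement el = base.GetIdElement(document, idValue);
        if (el != null) return el;
        // Compare in code rather than splicing idValue (sender-controlled) into an XPath.
        foreach (XmlElement a in document.GetElementsByTagName("Assertion", SamlNs))
            if (a.GetAttribute("AssertionID") == idValue) return a;
        return null;
    }
}

public static class SamlValidator
{
    // expectedSigner: the STS certificate from configuration/metadata (assumed), never the
    // one embedded in KeyInfo, which any sender can replace with their own.
    public static bool ValidateAssertion(string tokenXml, X509Certificate2 expectedSigner)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(tokenXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");

        var assertion = doc.SelectSingleNode("//saml:Assertion", ns) as XmlElement;
        if (assertion == null) return false;
        // Exactly one Signature, and it must be a direct child of the Assertion.
        var sigs = assertion.SelectNodes("ds:Signature", ns);
        if (sigs.Count != 1) return false;
        var signedXml = new Saml11SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        // The single Reference must point at this Assertion, not at some other element.
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + assertion.GetAttribute("AssertionID")) return false;
        // Verify with the pinned key; the certificate in KeyInfo is deliberately ignored.
        return signedXml.CheckSignature(expectedSigner, true);
    }
}
```

Validity (NotBefore/NotOnOrAfter) and Audience still have to be checked separately; a valid signature only proves who issued the assertion, not that it is meant for this service right now.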