
using CERT, please help #142

Closed
cherchyk opened this issue Feb 10, 2016 · 3 comments

Comments

@cherchyk

hi

please help!

I'm trying to implement SSO for a service provider app. The SAML response is signed and I have a problem validating the signature.

SAML response:

<Response
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_d56d3654-e682-4e37-970d-f7f38bb28c16" Version="2.0" IssueInstant="2016-02-10T16:30:35.6771714Z" Destination="http://localhost:5000/sso/callback"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://internal.zzz.com/idp
    </Issuer>
    <Signature
        xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_d56d3654-e682-4e37-970d-f7f38bb28c16">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>2/EjeN6vjAoHSgZkfHX11y1TCvs=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>i3aqTY969f/WsvVjC+7T2r2Ivp/2NaaQtNE45/vdxIfzDv+59Senbo0T4VwLb8KkwG7aUfXxGIOuRQsMyQtSClNjfufhc5E6ZU6oLSh8bbCXG6ZNByLwseg+Isgjfz8/jCBKLnBW3OT8NONI7GXgxnhxWTDBlFcZp1k+Yri8Xek=</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>MIIBqzCCAVmgAwIBAgIQ75yMqTyP76VJxOzdn39HwzAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTEyMDkyNTAxMTE0N1oXDTM5MTIzMTIzNTk1OVowDjEMMAoGA1UEAxMDcmJjMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWWvJacD2TMDG9OGYq5wCUByycLh919Y7ip1R730yVwta9gp0lpJPyZUx37Sgtm5MIP21XsxpZxznVLGfL8qu/Ta0zmcvSHXfMMVzHk0aivG2lLGLQyg5Xch3FtA/kGkZJpeF9L/KpCsS6KZe/9J/fXzEy8d+8JwYkmz7PH3Wl+QIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwCQYFKw4DAh0FAANBAHh2IW89kF0STnCraE/wWJYM6roBeocsfxN0PD5nEI4LHWp2DcvUv90mj4XfbhR6s/M6pEq0cEItLlrhifbv838=</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </Status>
    <Assertion Version="2.0" ID="_499bb0b8-a04e-415a-bf3c-607917107640" IssueInstant="2016-02-10T16:30:36.0873134Z"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://internal.zzz.com/idp</Issuer>
        <Subject>
            <NameID NameQualifier="https://zzz.exacttarget.com/saml/sp" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">6200005628</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2016-02-10T16:35:36.1576342Z" Recipient="http://localhost:5000/sso/callback" />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2016-02-10T15:40:36.0873134Z" NotOnOrAfter="2016-02-10T17:20:36.0873134Z">
            <AudienceRestriction>
                <Audience>https://zzz.exacttarget.com/saml/sp</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2016-02-10T16:30:36.0892691Z">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
        <AttributeStatement>
            <Attribute Name="Lang" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <AttributeValue xsi:type="xsd:string">En</AttributeValue>
            </Attribute>
            <Attribute Name="ReturnedD" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <AttributeValue xsi:type="xsd:string">www1.stezzz.com</AttributeValue>
            </Attribute>
            <Attribute Name="OFMSID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <AttributeValue xsi:type="xsd:string">1200000055</AttributeValue>
            </Attribute>
            <Attribute Name="CenterCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <AttributeValue xsi:type="xsd:string">OCC</AttributeValue>
            </Attribute>
        </AttributeStatement>
    </Assertion>
</Response>

node.js passport setup

var SamlStrategy = require('passport-saml').Strategy;
var xmlCrypto = require('xml-crypto');

module.exports = function (passport, config) {

    // The whole profile object is stored in the session as-is.
    passport.serializeUser(function (user, done) {
        done(null, user);
    });

    passport.deserializeUser(function (user, done) {
        done(null, user);
    });

    // Workaround attempt: the IdP signs with inclusive C14N (REC-xml-c14n-20010315),
    // so that URI is pointed at xml-crypto's exclusive C14N implementation.
    // Note that the two algorithms emit different bytes whenever ancestor namespace
    // declarations are in scope (here xmlns:xsi and xmlns:xsd on <Response>), so the
    // digest and SignedInfo computed this way will not match what the IdP signed.
    xmlCrypto.SignedXml.CanonicalizationAlgorithms['http://www.w3.org/TR/2001/REC-xml-c14n-20010315'] =
        xmlCrypto.SignedXml.CanonicalizationAlgorithms['http://www.w3.org/2001/10/xml-exc-c14n#'];

    var samlStrategyObj = new SamlStrategy(
        {
            path: config.passport.saml.path,
            //protocol: config.passport.saml.protocol,

            entryPoint: config.passport.saml.entryPoint,
            issuer: config.passport.saml.issuer,

            // IdP signing certificate used to verify the Response signature
            cert: config.passport.saml.cert,
            //signatureAlgorithm: config.passport.saml.signatureAlgorithm,

            identifierFormat: null,
            // -1 disables the NotBefore/NotOnOrAfter skew check; useful while
            // debugging, not something to leave enabled in production.
            acceptedClockSkewMs: -1,
            requestIdExpirationPeriodMs: -1

        },
        function (profile, done) {
            return done(null,
                {
                    id: profile.id,
                    email: profile.email,
                    displayName: profile.displayName,
                    firstName: profile.firstName,
                    lastName: profile.lastName,
                    origin: profile
                });
        });

    passport.use(samlStrategyObj);
};

the value in config.passport.saml.cert is

MIIBqzCCAVmgAwIBAgIQ75yMqTyP76VJxOzdn39HwzAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTEyMDkyNTAxMTE0N1oXDTM5MTIzMTIzNTk1OVowDjEMMAoGA1UEAxMDcmJjMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWWvJacD2TMDG9OGYq5wCUByycLh919Y7ip1R730yVwta9gp0lpJPyZUx37Sgtm5MIP21XsxpZxznVLGfL8qu/Ta0zmcvSHXfMMVzHk0aivG2lLGLQyg5Xch3FtA/kGkZJpeF9L/KpCsS6KZe/9J/fXzEy8d+8JwYkmz7PH3Wl+QIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwCQYFKw4DAh0FAANBAHh2IW89kF0STnCraE/wWJYM6roBeocsfxN0PD5nEI4LHWp2DcvUv90mj4XfbhR6s/M6pEq0cEItLlrhifbv838=
Can someone explain why I'm getting this error?

Error: Invalid signature
    at c:\\Bohdan\\bohdan-test1\\node_modules\\passport-saml\\lib\\passport-saml\\saml.js:546:12
    at _fulfilled (c:\\Bohdan\\bohdan-test1\\node_modules\\q\\q.js:794:54)
    at Promise.then.Q.nextTick.self.promiseDispatch.done (c:\\Bohdan\\bohdan-test1\\node_modules\\q\\q.js:823:30)
    at Promise.__dirname.Promise.promise.promiseDispatch (c:\\Bohdan\\bohdan-test1\\node_modules\\q\\q.js:756:13)
    at c:\\Bohdan\\bohdan-test1\\node_modules\\q\\q.js:516:49
    at flush (c:\\Bohdan\\bohdan-test1\\node_modules\\q\\q.js:110:17)
    at doNTCallback0 (node.js:430:9)
    at process._tickCallback (node.js:359:13) 
@cherchyk
Author

Validating the signature is not working.

I generated the signature using another algorithm, the one that is implemented in xml-crypto, but the result is the same:

signature is not valid

<Signature
        xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_d1ad632b-ea2d-49ca-afa6-4905ebcf213b">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>SKPqCOyo5IUr6bD9lQdV3KjzDfo=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>EMbb7A02bFlQxUVsB0dFkHySFtm7Eg+8oe+4H2dnESeImBQgNuwRLs+If6nTHotEPNVaFTIctXY2tKkI+j2XzKyD8VC9aHTRgX2gHcNjv6OYsc0qeDysHC4LSgAcgixfXaXXHrwo8NWluhgarlWMOVqBcTcZnemTA8U0BtiP/Wk=</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>[certificate omitted]</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>

@tilleps

tilleps commented Jan 26, 2017

If anybody is still having the same issues, try stripping the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and put the cert string into one line.

There is a pull request for this to be in the documentation:
#133
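
Following the advice above, as an added example that is not code from this issue or from passport-saml: a small Node.js helper that normalises a pasted IdP certificate to the bare single-line form and checks that the certificate a Response carries in KeyInfo is the one you configured (the sample PEM and Response below are constructed, not a real certificate).

```javascript
// Constructed sample: a 5-byte DER SEQUENCE, not a real certificate, wrapped in
// PEM armour with line breaks the way certificates are usually pasted into config.
const SAMPLE_PEM = [
  '-----BEGIN CERTIFICATE-----',
  'MAMC',
  'AQU=',
  '-----END CERTIFICATE-----',
].join('\n');

// Constructed minimal SAML Response carrying the same certificate in <KeyInfo>.
const SAMPLE_RESPONSE =
  '<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol">' +
  '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo><X509Data>' +
  '<X509Certificate>MAMC\nAQU=</X509Certificate></X509Data></KeyInfo></Signature>' +
  '</Response>';

// Accept PEM (armour, 64-char lines) or an already bare string and return the
// single-line base64 body that passport-saml's `cert` option expects.
function normalizeCert(input) {
  const bare = input
    .replace(/-----(BEGIN|END) CERTIFICATE-----/g, '')
    .replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(bare) || bare.length % 4 !== 0) {
    throw new Error('cert is not valid base64');
  }
  // Decode and re-encode so a truncated or badly padded paste is caught early.
  const der = Buffer.from(bare, 'base64');
  if (der.length === 0 || der[0] !== 0x30) {
    throw new Error('cert is not a DER SEQUENCE');
  }
  return der.toString('base64');
}

// First <X509Certificate> in the Response, normalised, or null when absent.
function embeddedCert(responseXml) {
  const m = /<(?:\w+:)?X509Certificate[^>]*>([^<]*)<\/(?:\w+:)?X509Certificate>/.exec(responseXml);
  return m ? normalizeCert(m[1]) : null;
}

// True only when the cert the IdP embedded equals the configured one. The
// configured cert, never the embedded one, is what the signature is verified with;
// a mismatch is a reason to reject the Response, not to fall back to KeyInfo.
function keyInfoMatchesConfig(responseXml, configuredCert) {
  const expected = normalizeCert(configuredCert);
  const found = embeddedCert(responseXml);
  return found !== null && found === expected;
}
```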

@markstos
Contributor

markstos commented Oct 9, 2017

The related PR #133 was merged. Closing this.

@markstos markstos closed this as completed Oct 9, 2017