
Signature validation failed. Everything seems right, though. #166

Closed
fingermark opened this issue Oct 24, 2016 · 26 comments

Comments

fingermark commented Oct 24, 2016

I upgraded to MacOS the other day and revisited an old project. I now get "Signature validation failed." I tried upgrading to the 2.2.0 release, but get the same thing. Do you all see anything wrong with this?

All values printed from variables defined in validate_node_sign

Cert

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

validatecert

False

signature_node

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id631044246120230029603131"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>...</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>

Node verification error:

('verifying failed with return value', -1)

Signature validation failed. SAML Response rejected

xmldsig.c:871(xmlSecDSigCtxProcessKeyInfoNode) errno=45
xmldsig.c:565(xmlSecDSigCtxProcessSignatureNode) subject=xmlSecDSigCtxProcessKeyInfoNode
xmldsig.c:366(xmlSecDSigCtxVerify) subject=xmlSecDSigCtxSignatureProcessNode
fingermark (Author)

#define XMLSEC_ERRORS_R_KEY_NOT_FOUND 45

pitbulk (Contributor) commented Oct 25, 2016

Try to use xmlsec directly:

xmlsec --verify --X509-skip-strict-checks --id-attr:ID Assertion --id-attr:ID Response  --trusted-pem cert.crt response.xml

or

xmlsec1 --verify -id-attr:ID Assertion --id-attr:ID Response --trusted-pem cert.crt  response.xml

Also check if https://www.samltool.com/validate_response.php is able to validate your response.
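Before reaching for xmlsec1 by hand, a structural pre-check of the response can rule out two mundane causes of a failed verification: a Reference URI that does not name the ID of the element the Signature sits in (which is what the `--id-attr:ID Assertion` / `--id-attr:ID Response` options above let xmlsec1 resolve), and a ds:KeyInfo certificate whose fingerprint differs from the configured IdP certificate. This is an added example, not code from the thread or from python-saml; `check_signature` is a hypothetical helper, and the sample response and certificate bytes are constructed placeholders (the "certificate" is not real DER, only bytes so the fingerprint arithmetic runs offline).

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # offline stdlib parser; on untrusted input use defusedxml as python-saml does

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed placeholder: not real X.509 DER, just bytes so the fingerprint
# arithmetic runs offline. In practice this is idp.x509cert from the settings.
_FAKE_DER_B64 = base64.b64encode(b"constructed-idp-cert-der-bytes").decode()
IDP_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % _FAKE_DER_B64

# Constructed response modelled on the decoded one in this thread: the Assertion
# carries the Signature and the Reference points at the Assertion's own ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R_constructed" Version="2.0">
  <saml:Assertion ID="pfx_constructed_assertion" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#pfx_constructed_assertion">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>""" % _FAKE_DER_B64


def cert_fingerprint(cert, alg="sha1"):
    """Fingerprint of the DER bytes the way python-saml computes it: strip the
    PEM armour and all whitespace, base64-decode, hash, return lowercase hex."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    return hashlib.new(alg, base64.b64decode("".join(body.split()))).hexdigest()


def normalize_fingerprint(fp):
    """Accept 'AB:CD:..' as pasted from an IdP console as well as bare hex."""
    return fp.replace(":", "").lower()


def check_signature(xml_text, cert=None, fingerprint=None, fingerprintalg="sha1"):
    """For each ds:Signature report the signed element, whether the Reference URI
    names that element's ID (what --id-attr:ID lets xmlsec1 resolve), the declared
    signature algorithm, and whether the ds:KeyInfo certificate is the configured
    IdP certificate. Takes cert/fingerprint/fingerprintalg like validate_sign."""
    if cert is not None:
        expected_fp = cert_fingerprint(cert, fingerprintalg)
    elif fingerprint is not None:
        expected_fp = normalize_fingerprint(fingerprint)
    else:
        raise ValueError("need either cert or fingerprint")
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter(DS + "Signature"):
        parent = parent_of[sig]
        ref = sig.find("./%sSignedInfo/%sReference" % (DS, DS))
        uri = ref.get("URI", "") if ref is not None else ""
        sig_method = sig.find("./%sSignedInfo/%sSignatureMethod" % (DS, DS))
        x509 = sig.find(".//%sX509Certificate" % DS)
        embedded_fp = None
        if x509 is not None and x509.text and x509.text.strip():
            embedded_fp = cert_fingerprint(x509.text, fingerprintalg)
        findings.append({
            "signed_element": parent.tag.split("}")[-1],
            "parent_id": parent.get("ID"),
            "reference_uri": uri,
            # "#<ID>" must name the Signature's parent; an empty URI (whole
            # document) is not what the responses in this thread use.
            "reference_matches_parent": uri == "#%s" % parent.get("ID"),
            "signature_method": sig_method.get("Algorithm") if sig_method is not None else None,
            "embedded_cert_fingerprint": embedded_fp,
            "embedded_cert_matches_idp": embedded_fp == expected_fp,
        })
    return findings
```

A False in either boolean field points at configuration or ID resolution rather than at the xmlsec build, which is the first thing to separate when the same response validates elsewhere.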

fingermark (Author)

@pitbulk thanks a lot for the reply. Both xmlsec and samltool have successfully validated the XML using that cert.

I'm using:

  • libxmlsec1: stable 1.2.20
  • dm.xmlsec.binding==1.3.2
  • lxml==3.6.4

Just really confused

pitbulk (Contributor) commented Oct 25, 2016

It should be some issue with the lxml and libxmlsec lib. I need to spend time and investigate, but right now I'm kinda busy with other issues on the other toolkits.

fingermark (Author) commented Oct 25, 2016

@pitbulk this is really weird. I don't know enough about python to understand what's going on. If I simplify the example, it fails with the same error. But, once I comment out the parseString import, it succeeds.

from defusedxml.lxml import tostring, fromstring
from os.path import basename, dirname, join

# !!!!!!!!!!!!!!!!!!!!
# Uncomment this line and it fails
# !!!!!!!!!!!!!!!!!!!!
#from defusedxml.minidom import parseString

import dm.xmlsec.binding as xmlsec

xml = """<insert xml>"""

pem = """-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----"""

def print_xmlsec_errors(filename, line, func, error_object, error_subject, reason, msg):
    """
    Auxiliary method. It overrides the default xmlsec debug message.
    """

    info = []
    if error_object != "unknown":
        info.append("obj=" + error_object)
    if error_subject != "unknown":
        info.append("subject=" + error_subject)
    if msg.strip():
        info.append("msg=" + msg)
    if reason != 1:
        info.append("errno=%d" % reason)
    if info:
        print "xmlsec1 -- %s:%d(%s)" % (filename, line, func), " ".join(info)

def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False):
    try:
        xmlsec.initialize()
        xmlsec.set_error_callback(print_xmlsec_errors)

        xmlsec.addIDs(elem, ["ID"])

        print "--- Signature Node ---"
        print tostring(signature_node)
        print "+++ Signature Node +++"

        #file_name = "/Users/fingermark/cacert.pem"

        dsig_ctx = xmlsec.DSigCtx()
        #signKey = xmlsec.Key.load(file_name, xmlsec.KeyDataFormatCertPem, None)
        signKey = xmlsec.Key.loadMemory(pem, xmlsec.KeyDataFormatCertPem)
        #signKey.name = basename(file_name)
        dsig_ctx.signKey = signKey
        print "signKey.name: %s" % signKey.name

        dsig_ctx.setEnabledKeyData([xmlsec.KeyDataX509])
        dsig_ctx.verify(signature_node)

        print "verified"

        return True
    except Exception as err:
        print "Node verification error:"
        print err.__str__()
        return False

if __name__ == "__main__":
    elem = fromstring(xml)
    node = elem.find(".//{%s}Signature" % xmlsec.DSigNs)
    print validate_node_sign(node, elem)

pitbulk (Contributor) commented Oct 25, 2016

That's really weird.

fingermark (Author) commented Oct 25, 2016

Yeah, the same code works on my linux server.

And

#from defusedxml.minidom import parseString # <-- does not work
from xml.dom.minidom import parseString # <-- works just fine

pitbulk (Contributor) commented Nov 2, 2016

Have you tried python3-saml? It does not use defusedxml.

@rmharris157

Hi. I'm having a similar issue with trying to set up python-saml (also tried python3-saml) to work with ADFS 2.0, and no matter what I try I can't seem to get past the Signature Validation Failed; the assertion is coming back as auth successful, but python-saml refuses to accept the x509 cert (or fingerprint) for the response. Does the system work with self-signed certs? I've tried the validation tools online and the returned document is valid.

I think I've tried everything, but I'm not convinced that I'm not doing something boneheaded. Should I create another issue thread, or can I contact you directly so as not to spam the list? Thanks!

pitbulk (Contributor) commented Nov 29, 2016

python-saml works with self-signed certs.

Have you tried what @fingermark suggested? Replacing

from defusedxml.minidom import parseString

by

from xml.dom.minidom import parseString

If you want, mail directly to me the base64 encoded SAMLResponse message, so I will be able to debug and see what is happening.

rmharris157 commented Nov 29, 2016 via email

pitbulk (Contributor) commented Nov 29, 2016

@rmharris157 can you provide the base64 encoded version rather than in plain text?
(I want the original SAMLResponse, to avoid any possible issue of copy&pasting, since a simple extra space will invalidate the signature validation process)

rmharris157 commented Nov 29, 2016 via email

pitbulk (Contributor) commented Dec 17, 2016

Hi @rmharris157

sorry for the delay.

I was able to validate your response directly using the following test:

  1. I added your response to tests/data/responses/issue164.xml.base64
  2. I edited tests/src/Onelogin/saml2_tests/utils_test.py and in the last test method (testValidateSign) added:

        issue164_xml = b64decode(self.file_contents(join(self.data_path, 'responses', 'issue164.xml.base64')))
        cert164 = OneLogin_Saml2_Utils.format_cert("""...""")
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(issue164_xml, cert164))

I also tested validating the whole response, and it worked:

  1. I edited tests/src/Onelogin/saml2_tests/response_test.py and in the test method (testIsValidSign) added:

        settings164data = self.loadSettingsJSON()
        settings164data['strict'] = False
        settings164data['idp']['entityId'] = 'http://winsrv.arbitraria.org/adfs/services/trust'
        settings164data['idp']['x509cert'] = """..."""
        settings164data['sp']['entityId'] = 'urn:mascot:arbitraria.org'
        settings164data['sp']['assertionConsumerService']['url'] = 'https://mascot.arbitraria.org/?acs'

        settings164 = OneLogin_Saml2_Settings(settings164data)
        issue164_xml = self.file_contents(join(self.data_path, 'responses', 'issue164.xml.base64'))
        response_164 = OneLogin_Saml2_Response(settings164, issue164_xml)
        request_data = {
            'http_host': 'mascot.arbitraria.org',
            'script_name': '?acs'
        }
        self.assertTrue(response_164.is_valid(request_data))

I will keep investigating, but the toolkit is able to validate that response.

RD1991 commented Feb 10, 2017

Same issue,

Raw response :

SAML decoded response:

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R4e8c2afc6f02f4b9c8348c6971fcfb7f62f1093e" Version="2.0" IssueInstant="2017-02-10T13:08:39Z" Destination="https://203.109.101.46:5000/?acs" InResponseTo="ONELOGIN_73846bf546bca19fa75983fd42e7e90c44a62866">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/626172</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx22587b16-5088-9b50-59f4-29b2f74add41" IssueInstant="2017-02-10T13:08:39Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/626172</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#pfx22587b16-5088-9b50-59f4-29b2f74add41">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>debyR5F9pqXkdgEEhdSrK2szDuE=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SGwr93sXs9OtGy1IiAvdaS2nF9+uCydSRbTl+Ndipi9mKKobRsmnbmgpzuacXTyVtajdPktHE4PKi3ZtXeaPevg89MOnRAQCY3JtnaYz1hbeB0KCG38rpojhfxoglIjYHdjYjOuPJXcncLp8x6oUlNWINpUdvF9/qFBPGtIHSnFiA8fpMs4rEXbOPMmX8mjoOfqllKF6cz7mhyiQzt26StIqYYLkHGrphe5jOd7/XU8Hn8+Au5O3+dan6DewT5MdMizI0OqiDkslfgsCm0skaTIj+4Ptw1dfmSB0raDZIqtnjmUY/jA96ysDKkaWMvU1fPzLAe1fWSgs5DNlkVqftA==</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">emailid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-02-10T13:11:39Z" Recipient="https://203.109.101.46:5000/?acs" InResponseTo="ONELOGIN_73846bf546bca19fa75983fd42e7e90c44a62866"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-02-10T13:05:39Z" NotOnOrAfter="2017-02-10T13:11:39Z">
      <saml:AudienceRestriction><saml:Audience>https://203.109.101.46:5000/metadata/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-02-10T13:08:38Z" SessionNotOnOrAfter="2017-02-11T13:08:39Z" SessionIndex="_68819ae0-d1a2-0134-63da-02a269b3d28b">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.email"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">emailid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="memberOf"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/></saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="PersonImmutableID"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/></saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.LastName"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">LastName</saml:AttributeValue></saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.FirstName"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Name</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

RD1991 commented Feb 10, 2017

In saml2/response.py

            if has_signed_assertion and not OneLogin_Saml2_Utils.validate_sign(document_check_assertion, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH):

an exception is raised from this if condition.

travelton commented Feb 17, 2017

I'm having the same issue described here.

from defusedxml.lxml import tostring, fromstring
from os.path import basename, dirname, join

from defusedxml.minidom import parseString

import dm.xmlsec.binding as xmlsec

xml = """XML"""

pem = """CERT"""

xmlsec1 -- xmldsig.c:871(xmlSecDSigCtxProcessKeyInfoNode) errno=45
xmlsec1 -- xmldsig.c:565(xmlSecDSigCtxProcessSignatureNode) subject=xmlSecDSigCtxProcessKeyInfoNode
xmlsec1 -- xmldsig.c:366(xmlSecDSigCtxVerify) subject=xmlSecDSigCtxSignatureProcessNode
Node verification error:
('verifying failed with return value', -1)
False

from defusedxml.lxml import tostring, fromstring
from os.path import basename, dirname, join

# Comment this line out...
# from defusedxml.minidom import parseString

import dm.xmlsec.binding as xmlsec

xml = """XML"""

pem = """CERT"""

verified
True

https://www.samltool.com/validate_response.php also validates just fine.

In utils.py, if I comment out

# from defusedxml.minidom import parseString

Signature validation still fails...

Signature validation failed. SAML Response rejected

Python: 2.7.10
OS: MacOS 10.12.2

$ pip freeze
defusedxml==0.4.1
dm.xmlsec.binding==1.3.2
Flask==0.10.1
isodate==0.5.4
itsdangerous==0.24
Jinja2==2.9.5
lxml==3.7.2
MarkupSafe==0.23
pudb==2017.1
Pygments==2.2.0
python-saml==2.2.1
urwid==1.3.1
Werkzeug==0.11.15

I will attempt to test on Linux tomorrow, and report back. Yup, works fine on Linux. This must be an OSX issue. Not sure how to debug from here. Any ideas?

@edufelipe

@travelton I'm having the same issue here on OSX. Ever found a workaround?

@travelton

@edufelipe Nope. I set up a free micro AWS Linux server for testing.

@edufelipe

@travelton I did! All I had to do was update libxmlsec1 to version 1.2.4. It automatically started working on Mac :)

@chelexey

I've got the same issue.
Doesn't work on MacOS (Sierra) and fails with an error:

Signature validation failed. SAML Response rejected

/onelogin/saml2/utils.py:

def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False):
....
        try:
            dsig_ctx.verify(signature_node)  # fails here
        except Exception as err:

Libs: python-saml v.2.2.3 and libxmlsec1 v.1.2.20 (installed with brew).

BUT signature validation (same project with the same settings, no changes) works well on Ubuntu.

@edufelipe

@chelexey: brew installs a broken version of libxmlsec1. You have to manually update it to version 1.2.4 and everything starts working as expected :)

@chelexey

@edufelipe Do you mean I have to downgrade with brew? Can you share how you did that (it seems there are no packages except for 1.2.20)? Thanks in advance.

@chelexey

I've fixed an issue with libxmlsec1 and signature verification in MacOS (i.e. "Signature validation failed. SAML Response rejected") this way:

  1. Prepare brew libs:
  • brew uninstall libxmlsec1 --force (remove libxmlsec1 v.1.2.20, it's broken)
  • brew install libxml2 openssl (check these libs are also present)
  2. Download xmlsec and compile/install from sources: https://www.aleksey.com/xmlsec/download.html. The latest stable XML Security Library version is 1.2.24 and it works like a charm:

Prepare environment:
NB: openssl formula is keg-only, which means it was not symlinked into /usr/local

  • add it in your PATH, run in Terminal:
    echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile
  • For compilers to find openssl you need to set:
    export LDFLAGS=-L/usr/local/opt/openssl/lib
    export CPPFLAGS=-I/usr/local/opt/openssl/include

Install xmlsec:

  • gunzip -c xmlsec1-xxx.tar.gz | tar xvf -
  • cd xmlsec1-xxxx
  • ./configure
  • make
  • make install

And that's all.

@pitbulk pitbulk closed this as completed Dec 17, 2017
jerkyrs commented Jun 5, 2018

I know this is a dead thread, but for anyone who sees an error on a Python 2.7 environment with python-saml, to overcome it you can try this:

ARCHFLAGS='-arch x86_64' pip install python-saml

Specifically, this occurs on Python 2.7 on CentOS 7 x86_64 with the error:

cannot import name DSigNs

Relates to #30

@poojated

After adding a prefix in the SAML XML doc I am getting a signature validation failed error.
