Does Saml2SecurityTokenHandler support SAML2 assertions signed using SHA256?
TL;DR: Can anyone find an authoritative source for which signature algorithms Saml2SecurityTokenHandler supports when validating?
I am using Saml2SecurityTokenHandler to validate SAML assertions coming from my IdP.
For reference, I am using a sample assertion signed with SHA256, found here:
<Assertion ID="_de9f29bd-52ca-4237-95c1-eb53f70fe8e5" IssueInstant="2012-11-06T00:45:30.593Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>ADatum</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_de9f29bd-52ca-4237-95c1-eb53f70fe8e5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>+6OWUn1dFIUJQ6FQ25zgmZvg8zPzfcjnj4ujUvgfmEQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>O85ytS9fcAhOk/0K25SndyBUbNLrx6J+tv+Uht+HZZ4CzsqjVBU1FpkXjDG03HqZ7xEu3+rMnsyxefDq6Xftw1E926QsG/oPM/afWfbR5dLucjsVaNzXCXzZu+jBmp5KkAv/vv1Es67KnPMr/RDeCVFy9eyxJka6dd8h8RTlatg=</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID>ADatum</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2012-11-06T00:45:31.905Z" NotOnOrAfter="9999-12-31T23:59:59.999Z">
<AudienceRestriction>
<Audience>https://accesscontrol.adatum.com</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/spf/2012/03/claims/tenantname">
<AttributeValue>Fabrikam</AttributeValue>
</Attribute>
</AttributeStatement>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
<AttributeValue>SSU</AttributeValue>
</Attribute>
</AttributeStatement>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
<AttributeValue>accesscontrol@adaum.com</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
I have the following code that tries to validate this signature:
// Requires System.IdentityModel and System.IdentityModel.Tokens (the 4.x token handler extensions).
// All that matters now is to validate the token and get the claims.
var validationParameters = new TokenValidationParameters();
validationParameters.ValidIssuer = options.Issuer;      // must match saml:Issuer
validationParameters.ValidAudience = options.Audience;  // must match saml:Audience
// The IdP certificate the signature is expected to verify under.
validationParameters.IssuerSigningToken = new X509SecurityToken(options.SigningCertificate);
validationParameters.ValidateLifetime = validateLifetime;           // NotBefore / NotOnOrAfter check
validationParameters.TokenReplayCache = options.ReplayRepository;   // reject a replayed assertion ID
EnsureCanonicalForm(response, assertion);
// The default handler collection includes Saml2SecurityTokenHandler.
SecurityTokenHandlerCollection coll = SecurityTokenHandlerCollectionExtensions.GetDefaultHandlers();
SecurityToken tokenOut;
var retVal = coll.ValidateToken(assertion.OuterXml, validationParameters, out tokenOut);
options.SigningCertificate is the certificate beginning with MII... that you can see in the XML. assertion.OuterXml is the whole of the XML above.
I expected Saml2SecurityTokenHandler to handle SHA256, but this code fails on ValidateToken() with the error
The signature verification failed.
I know the code works for SHA1, using the same code with a different sample assertion.
I cannot find any mention of signature algorithms in the documentation for the handler or the token itself, but at least one of the specs for the XML signature hash does call for SHA256.
Can anyone find an authoritative source on which signature algorithms this class supports?
Saml2SecurityTokenHandler does not handle whitespace correctly when validating signatures. In most cases this doesn't matter, because assertions are rarely pretty-printed. But this one is. So I guess that is the problem.
For the SAML library I created, we skip the signature validation in the handler entirely and instead validate ourselves based on SignedXml, which is more reliable (although you need to remember to check the references yourself).
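The approach the answer describes, as an added example that is not part of the original question or answer and not taken from any particular SAML library: validating the assertion's enveloped signature with SignedXml directly, pinning the IdP certificate and checking the Reference by hand. It assumes .NET 6 or later (or .NET Framework 4.7.2+, for CertificateRequest); the assertion text, the demo issuer name and the self-signed certificate are all constructed for the example. One caveat on the question's SHA256 point: on .NET Framework versions older than 4.6.2, SignedXml did not recognise the rsa-sha256 URI at all and the algorithm had to be registered with CryptoConfig.AddAlgorithm; .NET Framework 4.6.2 and later and .NET Core/.NET 5+ support it out of the box, which is what this code relies on.

```csharp
// Added example: verify a SAML 2.0 assertion's enveloped signature with SignedXml, pinning the
// IdP certificate and checking the Reference ourselves. The assertion, issuer name and
// self-signed certificate below are constructed for the demo (not from the original post).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class Saml2SignatureCheck
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns true only if the assertion carries exactly one enveloped ds:Signature, made with
    // RSA-SHA256 / SHA-256, whose single Reference points at the assertion's own ID, and which
    // verifies under the pinned IdP certificate. The KeyInfo inside the document is ignored.
    public static bool Verify(string assertionXml, X509Certificate2 idpCert)
    {
        // PreserveWhitespace keeps a pretty-printed assertion canonicalising to the bytes that
        // were actually signed; XmlResolver = null stops external entity resolution on untrusted XML.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(assertionXml);
        XmlElement assertion = doc.DocumentElement;
        if (assertion == null || assertion.LocalName != "Assertion" || assertion.NamespaceURI != SamlNs)
            return false;

        // The Signature must be a direct child of the Assertion we are about to trust.
        XmlNodeList sigs = assertion.GetElementsByTagName("Signature", DsNs);
        if (sigs.Count != 1 || sigs[0].ParentNode != assertion)
            return false;
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);

        // Allow-list the algorithms: rsa-sha1 is refused even if it would verify.
        if (signedXml.SignatureMethod != SignedXml.XmlDsigRSASHA256Url)
            return false;
        if (signedXml.SignedInfo.References.Count != 1)
            return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.DigestMethod != SignedXml.XmlDsigSHA256Url)
            return false;

        // The Reference must point at *this* assertion's ID. This is the check the answer says you
        // must remember to do yourself: it stops a valid signature over some other element from
        // being wrapped around a forged assertion.
        string id = assertion.GetAttribute("ID");
        if (string.IsNullOrEmpty(id) || reference.Uri != "#" + id)
            return false;

        // Verify against the pinned certificate only (verifySignatureOnly: no chain building).
        return signedXml.CheckSignature(idpCert, true);
    }

    // Builds a realistic signed sample for the demo: RSA-SHA256, exclusive C14N and the
    // enveloped-signature transform, with ds:Signature placed right after saml:Issuer.
    public static string SignAssertion(string assertionXml, X509Certificate2 cert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(assertionXml);
        var signedXml = new SignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference("#" + doc.DocumentElement.GetAttribute("ID"))
        {
            DigestMethod = SignedXml.XmlDsigSHA256Url
        };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        XmlNode issuer = doc.DocumentElement.GetElementsByTagName("Issuer", SamlNs)[0];
        doc.DocumentElement.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), issuer);
        return doc.OuterXml;
    }

    static void Expect(bool condition, string what)
    {
        if (!condition) throw new InvalidOperationException("unexpected result: " + what);
        Console.WriteLine("ok: " + what);
    }

    public static void Main()
    {
        // Constructed throwaway IdP key and self-signed certificate; a real SP would load the
        // certificate published in the IdP's metadata instead.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=ADatum IdP (demo)", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var idpCert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));

        // Constructed sample assertion, pretty-printed on purpose like the one in the question.
        string unsigned =
            "<Assertion ID=\"_demo-1\" Version=\"2.0\" IssueInstant=\"2012-11-06T00:45:30Z\" xmlns=\"" + SamlNs + "\">\n" +
            "  <Issuer>ADatum</Issuer>\n" +
            "  <Subject>\n    <NameID>ADatum</NameID>\n  </Subject>\n" +
            "</Assertion>";
        string signed = SignAssertion(unsigned, idpCert);

        Expect(Verify(signed, idpCert), "genuine pretty-printed assertion verifies");
        Expect(!Verify(signed.Replace("<NameID>ADatum", "<NameID>Attacker"), idpCert), "tampered content is rejected");
        Expect(!Verify(signed.Replace("URI=\"#_demo-1\"", "URI=\"#_other\""), idpCert), "re-pointed Reference is rejected");
    }
}
```

Build it as a console app with a reference to System.Security.Cryptography.Xml (a NuGet package on .NET Core/.NET 5+, part of the framework on .NET Framework). The parent-node check and the Reference check are the responsibilities you take on once you bypass the handler: CheckSignature alone only proves that some element was signed by the pinned key, not that it was this assertion.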