In the future, it is best to use xmlsec mailing list. You might want to read the spec (https://www.w3.org/TR/xmldsig-core/) and in particular regarding your question, you will need to understand the c14n process (https://www.w3.org/TR/2001/REC-xml-c14n-20010315 and https://www.w3.org/TR/xml-exc-c14n/).
You might also want to try --store-references option for xmlsec1 command line tool to view the exact dump of what was signed. Best, Aleksey On 5/23/17 4:38 AM, Hans Kessock wrote: > I’ve got a linux box using xmlsec to validate SAML assertion that are > returned to it (it being the service provider in this scenario) and > everything works GREAT. I validate Ping IDP response, my own custom IDP > responses (because that test IDP uses xmlsec to sign assertions) – > everything works very well. > > > > I’ve now got an administrator tool I need to create that is as small and > dependency free as possible – that also needs to be able to produce > signed assertions. > > > > My problem is that I’ve tried to reproduce the digest value hash > produced by xmlsec when signing and I’ve never been able to do so. I’ve > read so much stuff about xml digital signatures and SAML 2.0 by now that > my eyes are crossed. > > My next step was to look through the xmlsec code to see how it was you > produce a signed xml doc; however, ironically, it’s so well written and > extensible (as an execution buffer) that I can’t figure out exactly what > it does! Lol. > > > > If you’ve the time and patience, I wanted to present a piece of Xml > below and ask you – what exactly does xmlsec do with it if I tell it to > sign a specific ID? > > > > If I sign the following Xml (apologies for the form – I wanted to show > it exactly as I pass it to xmlsec) and specify: --id-attr:ID Assertion > > > > <samlp:Response xmlns:saml = "urn:oasis:names:tc:SAML:2.0:assertion" > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > Destination="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"; > ID="r4aaaa888-6607-4d06-bd00-b6e31386f497" > InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428" > IssueInstant="2017-05-23T11:08:51Z" > Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><samlp:Status><samlp:StatusCode > Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion > xmlns:xs="http://www.w3.org/2001/XMLSchema"; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; > ID="a3452e5ef-74cb-4559-8236-5a4994a73f9c" > IssueInstant="2017-05-23T11:08:51Z" > Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><saml:Subject><saml:NameID > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" > SPNameQualifier="">email</saml:NameID><saml:SubjectConfirmation > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData > InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428" > NotOnOrAfter="2017-05-23T11:23:51Z" > Recipient="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml";></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions > NotBefore="2017-05-23T11:08:51Z" > NotOnOrAfter="2017-05-23T11:23:51Z"><saml:AudienceRestriction><saml:Audience>ionic</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement > AuthnInstant="authnstatement_instant" > SessionIndex="r4aaaa888-6607-4d06-bd00-b6e31386f497" > SessionNotOnOrAfter="2017-05-23T11:23:51Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute > Name="email" > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue > xsi:type="xs:string">[email protected]</saml:AttributeValue></saml:Attribute><saml:Attribute > Name="upn" > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue > xsi:type="xs:string">[email protected]</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><ds:Signature > xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference > URI="#a3452e5ef-74cb-4559-8236-5a4994a73f9c"><ds:Transforms><ds:Transform > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue></ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue/><ds:KeyInfo><ds:KeyValue/></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response> > > > > I get the following from xmlsec (which is accepted by my xmlsec backend > of course): > > > > <?xml version="1.0"?> > > <samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > Destination="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"; > ID="r4aaaa888-6607-4d06-bd00-b6e31386f497" > InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428" > IssueInstant="2017-05-23T11:08:51Z" > Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><samlp:Status><samlp:StatusCode > Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion > xmlns:xs="http://www.w3.org/2001/XMLSchema"; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; > ID="a3452e5ef-74cb-4559-8236-5a4994a73f9c" > IssueInstant="2017-05-23T11:08:51Z" > Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><saml:Subject><saml:NameID > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" > SPNameQualifier="">email</saml:NameID><saml:SubjectConfirmation > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData > InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428" > NotOnOrAfter="2017-05-23T11:23:51Z" > Recipient="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions > NotBefore="2017-05-23T11:08:51Z" > NotOnOrAfter="2017-05-23T11:23:51Z"><saml:AudienceRestriction><saml:Audience>ionic</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement > AuthnInstant="authnstatement_instant" > SessionIndex="r4aaaa888-6607-4d06-bd00-b6e31386f497" > SessionNotOnOrAfter="2017-05-23T11:23:51Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute > Name="email" > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue > xsi:type="xs:string">[email protected]</saml:AttributeValue></saml:Attribute><saml:Attribute > Name="upn" > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue > xsi:type="xs:string">[email protected]</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><ds:Signature > xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference > URI="#a3452e5ef-74cb-4559-8236-5a4994a73f9c"><ds:Transforms><ds:Transform > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>vZsVj16MJpcpg34UlutAHAcHqrE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>weFHX1LPALmbCcy756YzdEDnqyPXI/URZsvFA5KE50a2L07hDcDkNSfe9FLcwRTm > > wjecs2eJNFAvlPR1QqHtjLlCaI/QUeSPyhOkCvVsrCaQWBH9AbmQRMR1VzEm5nEa > > sXOyF8hsp/sdsW2zGpuJxOfFg/q3tksuJzbOR7cF5GBscEfZRZNmuuI/fJ8p62Lf > > 4dN9dGFSMFzd3nhQ3tpWTi9XZAwD6qJ+15QF7gMsXx1q0tZnj3DClMf+QX4Qh/xt > > 5mhSKvEii8ognd+mJxRLc90pzRdojzQdGIgB2gboP6jWHsGFy+DfPyTFQQ0YO0R2 > > 6rQ7u1MIvRjD9bliSNCEaEh/rtPLfcqGwDQF3wyYjiBF7ZmscWOu+k3YeqNYRWu6 > > Bh0SCUzeAtlRjB8lmhjWj7iwaXtEqIFX2B/B/W9ToLqrtBHTtPMgIKI4UwA/+dJh > > ZFJef0dJ7RmZmIAWYAn7XctKT4oSPBydTHLifZuSyf5fxtNnmo0bu2NtlIv7NdP4 > > o1xh6AAy+zleXsR4MAyJTYX2KurSh1FffIhbxkmNjfR9cq8xcR49xbuSMn3yoPDD > > HxDCmby5D1Nrh6dUb1/9haTeulEfT+eCncgJ/2oWHs89rh813X0kuoWXZwv+4umU > > weNuVA7z90sFklZ+qfANfNH5QiAWwsZfCgkIE4Y3alU=</ds:SignatureValue><ds:KeyInfo><ds:KeyValue> > > <ds:RSAKeyValue> > > <ds:Modulus> > > zlZSZixErcVurJ9puM+51AU8xqu5dvZUpnvV51ozaxmE7cK3SZV5mWS6GdWjz9ix > > fgWxFLcGOEVM/VOAV9MYjsHsIrktZ3zY7qYAEvEIqgCv1++cuI9ChholYHy0Z4r/ > > +LXniSLGUV/GAecPeYndof+igQTNgK+kNqT8ohcsO9VptvqZtETg25GyiK/vIsK3 > > 5n3h8CLdj6y7hPfYPYZJKjAGbTZ0GrvUV5q5fuNHoBUnl0+D6snfJfEHj/vVtU2O > > 1dhkktoPO0jyOWHyVpLgTT4Yyk2cFgkyyIdO9MDyOLPepxgg4hWS9gIuPBZAZcw1 > > 8bPNqenLMyD3h2nz+nvi1towBq6OD7FPJSkNMzhn2rjfXfVoh03N93cvQekRjU/5 > > In7H8nfQEo2zqxa1EYSEoEscqOcHT8f4NzQUD0j/7PXIfWiqPh048qSbCJifj9vW > > WnmXdFN3Bt/ThceqXnuIHCCVT4JSEJYLd+FO/ktZngh2p/eTJS2iQrd5Yvpw6RwR > > oSYlSexwwJFa0c2P/iIRO/daaE0Mx6rSPGDthmyR1ue//KCrh/V8JYjDifUVMwOt > > VH1z8K6Qot438tPh25itOo2EAu9fzYXMcoLOlYQSxpwprtfpgMa/gWyXtDusFd5t > > TDGMu8Jt4gti6C8LCO90/8dJ8anMiPT8PuL763yKgis= > > </ds:Modulus> > > <ds:Exponent> > > AQAB > > </ds:Exponent> > > </ds:RSAKeyValue> > > </ds:KeyValue></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response> > > > > What I am wondering is – how precisely did > <ds:DigestValue>vZsVj16MJpcpg34UlutAHAcHqrE=</ds:DigestValue> get computed? > > > > One thing I was surprised by when I started using xmlsec was that I had > to seed the assertion with extra xml before signing such as: > > > > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> > > <ds:SignedInfo> > > <ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > > <ds:SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> > > <ds:Reference URI="#@reference_uri"> > > <ds:Transforms> > > > <ds:Transform > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> > > > <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > > </ds:Transforms> > > <ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > > <ds:DigestValue></ds:DigestValue> > > </ds:Reference> > > </ds:SignedInfo> > > <ds:SignatureValue/> > > <ds:KeyInfo> > > <ds:KeyValue/> > > </ds:KeyInfo> > > </ds:Signature> > > > > When trying to compute my own digest hash (which I could never get to > match xmlsec’s) – is this Xml supposed to be taken into account? > > > > Sorry, I’m just trying to figure out how to produce a signed assertion > that my xmlsec driven backend will accept. Following all of the > examples and guidelines I could find have failed. > > > > Much appreciated, > > > > Hans > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
