[Question title]: SAML failed to verify signature
[Posted]: 2021-12-18 03:19:06
[Question]:

I am using PySaml2 to implement a SAML service provider.

When I receive the payload (a base64 SAMLResponse), my server refuses to accept it and fails with SignatureError('Failed to verify signature')

The part that fails is the call to the XMLSec library: xmlsec1 --verify --enabled-reference-uris empty,same-doc --enabled-key-data raw-x509-cert --pubkey-cert-pem /path/to/cert.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --node-id ... --output /path/to/out.xml /path/to/payload.xml

However, I am using the certificate the IdP sent me, and I can see that the cert.pem passed to the call above really is the correct certificate handed to xmlsec1 (and the one in the payload itself).

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d9e74668-c20d-43ea-9952-fb129adec5c2" Version="2.0" IssueInstant="2021-11-02T15:10:46.745Z" Destination="..." InResponseTo="_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4">
    <saml:Issuer>...</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d3f5b2cb-b7d8-4844-9c0f-46e83ba6a7df" Version="2.0" IssueInstant="2021-11-02T15:10:46.745Z">
        <saml:Issuer>...</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#_d3f5b2cb-b7d8-4844-9c0f-46e83ba6a7df">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>...</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>...</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>... Here the certificate base64 ...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">lui@gmail.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2021-11-02T15:15:46.745Z" Recipient="..." InResponseTo="_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2021-11-02T15:10:46.745Z" NotOnOrAfter="2021-11-02T15:15:46.745Z">
            <saml:AudienceRestriction>
                <saml:Audience>...</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AttributeStatement>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">lui@gmail.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Luis</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Lui</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Luis Lui</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">431b0975-c262-4a9c-ab6c-95297efadedb</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

What could be going wrong?

Edit: below is the base64-encoded XML payload as received:


[Question discussion]:

    Tags: python xml saml saml-2.0 xml-signature


    [Answer 1]:

    This is hard to debug, because the XML you posted does not include the certificate or the digests and has been modified.

    XML can be hard to inspect once it has been posted to a website; after modification it is impossible. Please generate another one from a test system and send it again. Base64-encoding it before attaching it would also be good.

    You could also try the --trusted-pem /path/to/cert.pem option

    Update:

    Using the new base64

    https://samltool.io/ shows that the Response is signed, not the Assertion, so the following will work:

    xmlsec1 --verify --trusted-pem cert.pem --enabled-reference-uris empty,same-doc --enabled-key-data raw-x509-cert --pubkey-cert-pem cert.pem --id-attr:ID Response --output out.xml tmp.xml

    This also works with XML::Sig and https://tools.chilkat.io/xmlDsigVerify.cshtml

    I am not using PySaml2, so it may have a bug, but if it does not, it should now verify with the correct certificate

    [Discussion]:

    • Right. I attached the base64 XML to my post.
    • Thanks. I checked the base64 with tools.chilkat.io/xmlDsigVerify.cshtml and XML::Sig, and neither the digest nor the signature matches. Could you install a SAML decoder in the browser and take the base64 from there, in case the browser modified it after receiving it?
    • I updated the base64 below in my post to a new one, which is the actual payload the server receives. With this tool, dotnetsnip.com/online-saml-signature-validator-tool, it is accepted (the previous one was not), but it is still rejected by your tools and by my library. Do you know what the reason could be?
    • This seems to verify with XML::Sig: Reference digest: TEyNVGKNwBxzLK4spLA/N7nwB27e/OGfsvbJYjZjIIM= Computed digest: TEyNVGKNwBxzLK4spLA/N7nwB27e/OGfsvbJYjZjIIM= xmlsec does not verify it, so I will look again tonight - possibly I am using incorrect options for xmlsec1
    • This works - you were trying to verify the signature of the Assertion, which is not signed. The Response is signed: xmlsec1 --verify --trusted-pem cert.pem --enabled-reference-uris empty,same-doc --pubkey-cert-pem cert.pem --id-attr:ID Response --output out.xml tmp.xml
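The root cause in the thread is that the xmlsec1 invocation pointed --id-attr:ID and --node-id at the Assertion while the ds:Signature actually sits on the Response. The script below is an added example (not code from the question, the answer, or PySAML2) that locates every ds:Signature in a SAMLResponse, reports which element encloses it, checks that the Reference URI points back at that enclosing element, and builds the xmlsec1 command line from the answer for the right target. SAMPLE_RESPONSE is a constructed, trimmed copy of the structure posted in the question with the Signature moved onto the Response; the IDs `_resp1` and `_asrt1`, the issuer `https://idp.example/`, and the placeholder digest/signature values are assumptions, as are the function names, so no cryptographic verification happens in this script itself.

```python
"""Find the ds:Signature in a SAML 2.0 Response and decide which element
xmlsec1 must be pointed at (Response or Assertion).

Added example, not part of the original question or answer and not PySAML2
code. It only locates the Signature, cross-checks its Reference and builds
the xmlsec1 command from the answer; the sample's digest/signature values
are placeholders, so no cryptographic verification happens here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]

# Constructed sample (assumption): Response is signed, the Assertion is not.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2021-11-02T15:10:46.745Z">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2021-11-02T15:10:46.745Z">
    <saml:Issuer>https://idp.example/</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def find_signed_elements(xml_text):
    """Return (enclosing_local_name, enclosing_ID, reference_URI) for every
    ds:Signature. For an enveloped SAML signature the Signature's direct
    parent is the element that was actually signed (Response or Assertion)."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for sig in root.iter(DS_SIGNATURE):
        parent = parent_of[sig]
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        found.append((parent.tag.split("}", 1)[-1], parent.get("ID"), uri))
    return found


def reference_matches_parent(parent_id, reference_uri):
    """An enveloped signature's Reference must point back ("#" + ID) at the
    element enclosing it. If it points elsewhere, the Signature does not cover
    the element you are about to trust; that mismatch is what XML signature
    wrapping attacks exploit, so treat it as a hard failure."""
    if not parent_id or not reference_uri or not reference_uri.startswith("#"):
        return False
    return reference_uri[1:] == parent_id


def xmlsec1_verify_command(local_name, element_id, cert_pem, payload_xml,
                           out_xml="out.xml"):
    """Build the xmlsec1 argv from the answer, with --id-attr:ID and --node-id
    aimed at the element that actually carries the Signature. The namespaced
    --id-attr form is the one the question already used."""
    ns = NS["samlp"] if local_name == "Response" else NS["saml"]
    return ["xmlsec1", "--verify", "--trusted-pem", cert_pem,
            "--pubkey-cert-pem", cert_pem,
            "--enabled-reference-uris", "empty,same-doc",
            "--enabled-key-data", "raw-x509-cert",
            "--id-attr:ID", "%s:%s" % (ns, local_name),
            "--node-id", element_id, "--output", out_xml, payload_xml]


def diagnose(xml_text, cert_pem="cert.pem", payload_xml="payload.xml"):
    """For each Signature, check its Reference and return (signed_element,
    xmlsec1_argv). Raises if there is no Signature or a Reference does not
    point at its enclosing element."""
    signed = find_signed_elements(xml_text)
    if not signed:
        raise ValueError("no ds:Signature in document: nothing to verify")
    plan = []
    for local_name, element_id, uri in signed:
        if not reference_matches_parent(element_id, uri):
            raise ValueError("Reference %r does not point at enclosing %s ID %r"
                             % (uri, local_name, element_id))
        plan.append((local_name, xmlsec1_verify_command(
            local_name, element_id, cert_pem, payload_xml)))
    return plan


if __name__ == "__main__":
    for where, argv in diagnose(SAMPLE_RESPONSE):
        print("Signature encloses <%s>; run:" % where)
        print(" ", " ".join(argv))
```

Run against the question's payload structure, the script reports that the Signature encloses the Response and emits a command with `--id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response --node-id <Response ID>`, which is the shape of the answer's working invocation; the question's original command named the Assertion, whose ID no Reference covered. Two caveats for production use rather than diagnosis: derive the required signing target (Response, Assertion, or both) from your SP configuration, not from whatever the incoming payload happens to contain, and when the Reference-to-parent check fails, reject the message instead of verifying whichever element the Reference points to, since accepting a valid signature over the wrong element is exactly how signature-wrapping payloads get through.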