[xmlsec] XML Signatures in SAML Land - Fingerprint-only Verification Possible?
Paul Hinze
paul.t.hinze at gmail.com
Thu Feb 14 17:08:32 PST 2013
Wonderful, thanks Aleksey. This looks promising. I'll dig into this and see
if I can make it work.
Paul
On Thu, Feb 14, 2013 at 6:57 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> Take a look at this function. I think it might help with some of the
> issues you are having:
>
> https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_verify_callback.html
>
> On the xmlsec-openssl side, you need to understand the
> xmlSecOpenSSLX509FindCert() function. In particular, I believe you
> need to make sure that ski search (last if block) works with you certs.
>
> Does it make sense?
>
>
>
> Aleksey
>
> On 2/14/13 4:41 PM, Paul Hinze wrote:
> > Hello Aleksey et al,
> >
> > Thanks for all your work on XMLSec, and apologies in advance for the
> > long mail.
> >
> > I'm working on a library in Ruby that uses ruby-ffi to interop with
> XMLSec.
> >
> > The goal is to implement a sufficient subset of XMLSec functionality to
> > allow it to serve as a valid backend for the ruby-saml library, which
> > currently uses its own home-grown implementation of XML security
> > standards. I believe that will allow ruby-saml to handle XML security
> > considerations more "correctly" as well as provide the opportunity to
> > have ruby-saml support signing, encrypting and decrypting (which it
> > currently does not).
> >
> > I've got a basic framework up and running with a few passing tests, but
> > now that I'm trying to exercise my code with a sample of real world SAML
> > requests, I'm running into trouble with xmlSecDSigCtxVerify (with
> > OpenSSL for crypto) refusing to verify signatures for which it cannot
> > build a proper CA chain.
> >
> > As far as I understand it, the de facto trust model for SAML
> > integrations is to check the fingerprint of the signing certificate
> > against a pre-shared fingerprint stored by the consumer when the trust
> > relationship is established. Provided the fingerprint matches that of
> > the signing cert, and provided the XML signature is verified against
> > that cert, everything is assumed to be peachy.
> >
> > Now, I'm aware that this trust model may be flawed, and I'm also aware
> > that this model goes against the grain of the "web of trust" concept
> > that OpenSSL is built on.
> >
> > My question is whether it's technically feasible to utilize XMLSec to
> > support this model. Essentially I need to be able to verify signatures
> > for which the cert may be self-signed, or for which the CA cert is not
> > immediately available.
> >
> > My current working strategy is to extract the cert from the XML document
> > in question and load it into the keys manager that will be used for the
> > verification.
> >
> > Here's the code that successfully passes tests against a self-signed
> > cert I generated:
> >
> >
> https://github.com/instructure/xml_security/blob/0e3cbc30da1558ad2ffa541482014727d088a153/lib/xml_security/signature_verifier.rb
> >
> > Here is the test cert for which this code works:
> >
> > https://gist.github.com/phinze/745c4b224dde8e0053fb
> >
> > Now as I attempted to integrate with ruby-saml, I ran into a set of
> > requests in the ruby-saml tests signed with the following key:
> >
> > https://gist.github.com/phinze/fdce716947bc6128d6e6
> >
> > Verifying those signatures with the same code yields an error here:
> >
> > x509vfy.c:360 (xmlSecOpenSSLX509StoreVerify) - x509-store
> > X509_verify_cert 4 subj={{redacted}};err=20;msg=unable to get local
> > issuer certificate
> >
> > My understanding is that the x509v3 extensions on the latter cert
> > prevent it from acting as a CA for itself.
> >
> > I've tried sticking XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS on
> > the keyInfoReadCtx flags of the digital signature context, but that only
> > yields a different error:
> >
> > keys.c:1370 (xmlSecKeysMngrGetKey) - xmlSecKeysMngrFindKey 1
> >
> > From reading archives it seems like this flag disables the extraction of
> > the certificate from the XML, which I'm guessing is what's happening in
> > this case.
> >
> > I'm also running into trouble with certs issued by a valid CA for which
> > I do not have the CA cert in the context where my code is running, since
> > the prior versions of the application relied only on a pre-shared
> > fingerprint.
> >
> > So, is there a way for me to pull this off? Or do I need to look
> > elsewhere for code that can achieve the behavior I'm looking to model?
> >
> > Thanks so much for your time,
> >
> > Paul
> >
> >
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20130214/07dd55bc/attachment-0001.html>
More information about the xmlsec
mailing list