CODEWITHSUNDEEP
c#saml
ricksmt
ricksmt

Reputation: 899

Verify signature on SAML assertion

I have two signatures, one on the response (which verifies) and one on the nested SAML assertion (which does not). This is the condensed code I'm working with:

foreach (XmlElement node in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
{// Verify this Signature block
    SignedXml signedXml = new SignedXml(node.ParentNode as XmlElement);
    signedXml.LoadXml(node);
    KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();

    // Verify certificate
    X509Certificate2 cert = x509Data.Certificates[0] as X509Certificate2;
    log.Info(string.Format("Cert s/n: {0}", cert.SerialNumber));
    VerifyX509Chain(cert);// Custom method

    // Check for approval
    X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection collection = store.Certificates.Find(X509FindType.FindBySerialNumber, cert.SerialNumber, true);
    Debug.Assert(collection.Count == 1);// Standing in for brevity

    // Verify signature
    signedXml.CheckSignature(cert, true);
}

For completeness, here's an outline of the XML:

<samlp2:Response Destination="http://www.testhabaGoba.com" ID="ResponseId_934151edfe060ceec3067670c2f0f1ea" IssueInstant="2013-09-24T14:33:29.507Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        ...
    </ds:Signature>
    ...
    <saml2:Assertion ID="SamlAssertion-05fd8af7f2c9972e69cdbca612d3f3b8" IssueInstant="2013-09-24T14:33:29.496Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        ...
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            ...
        </ds:Signature>
        ...
    </saml2:Assertion>
</samlp2:Response>

I've also tried with just the assertion signed, and that fails as well. What am I doing wrong? Why does CheckSignature always fail on the SAML assertion?

Edit Turns out the one with just the assertion signed is Java-generated (OpenSAML) and has more hoops to jump through. Please advise.

Upvotes: 4

Views: 12590

Answers (3)

Nathan Baulch
Nathan Baulch

Reputation: 20693

I'm not sure why but it looks like SignedXml can only validate signatures in the root document element. The fastest way I've found to create a new XmlDocument from an existing XmlElement fragment is using the ImportNode method.

Your updated validation code would look something like:

foreach (XmlElement item in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
{
    var node = item;
    if (node.ParentNode != xmlDoc.DocumentElement)
    {
        var doc = new XmlDocument();
        var parentNode = doc.ImportNode(item.ParentNode, true);
        doc.AppendChild(parentNode);
        node = (XmlElement) parentNode.SelectSingleNode("*[local-name()='Signature']");
    }
    var signedXml = new SignedXml((XmlElement) node.ParentNode);
    signedXml.LoadXml(node);
    //TODO: validate
}

This is about twice as fast as re-parsing OuterXml as others have suggested based on my tests using an 8kB SAML response document.

Upvotes: 1

Adi Sembiring
Adi Sembiring

Reputation: 5936

This code verifies SAML response using Ultimate saml (http://www.componentpro.com/saml.net/). It helps verify nested SAML assertion signature inside a response. 

XmlDocument xmlDocument = new XmlDocument(); 
xmlDocument.Load(samlResponseXmlToVerify); 

XmlDocument xmlDocumentMetadata = new XmlDocument(); 
xmlDocumentMetadata.Load(samlMetadataXmlToExtractCertData); 

// Load the SAML response from the XML document. 
Response samlResponse = new Response(xmlDocument.DocumentElement); 

// Is it signed?  
if (samlResponse.IsSigned()) 
{ 
    // Validate the SAML response with the certificate.  
    if (!samlResponse.Validate(xmlDocumentMetadata.DocumentElement)) 
    { 
        throw new ApplicationException("SAML response signature is not valid."); 
    } 
}

See this online example code for more details: http://www.componentpro.com/doc/saml/ComponentPro.Saml.SignableSamlObject.Validate().htm

Upvotes: 3

ricksmt
ricksmt

Reputation: 899

I found this answer which references another answer (by the same guy) and sums to the following: The implementation is quirky and the Signature block must be a child of the DocumentElement. Found this article which also solved the problem in a better way.

Modified Code

foreach (XmlElement node in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
{// Verify this Signature block
    // *** BEGIN: ADDED CODE ***
    XmlDocument doc = new XmlDocument();
    doc.LoadXml(node.ParentNode.OuterXml);
    XmlElement signature = doc.SelectSingleNode("//*[local-name()='Signature']") as XmlElement;
    // This variable ^^^ is the same as node, just in doc instead of xmlDoc (important distinction)
    // *** END: ADDED CODE ***

    // Setup
    SignedXml signedXml = new SignedXml(node.ParentNode as XmlElement);
    signedXml.LoadXml(node);
    KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();

    // Verify certificate
    ...

Unfortunately this still doesn't account for Java-generated SAML. Something more intricate and even less documented is required to account for that. I received a new Java-generated SAML token that works with the given code. The one I was using must have been defective.

Upvotes: 1

Related Questions