We have been investigating a problem with SARoNGS and Shibboleth that is similar, but not identical, to the XML signature problems covered in an earlier posting.
As in that earlier case, we are being sent a lump of XML within which is:
- some data,
- a certificate
- a digital signature for the data generated from the key matching the certificate.
We suspected that the XML had been mangled - but needed to prove it.
After much fiddling and searching, we dug up a useful one-line command to check the signature without needing the whole of Shibboleth.
First, catch your assertion. This is left as an exercise for the reader.
Next, verify the signature by running:
xmlsec1 verify --id-attr:AssertionID Assertion shibdata.xmlWhere shibdata.xml here is a file containing the assertion.
An explaination... ignoring namespaces, the digital signature consists of a
<Reference URI="#_39e459384b39f1ddce64e11c58155abc">The URI is meant to point you at the bit of XML that has actually been signed. The code expects to find an attribute
ID="_39e459384b39f1ddce64e11c58155abc"attached to that element.
In this case there is no such attribute. There is, however, an AssertionID attribute with exactly that value.
Which is why we need that odd looking --id-attr option. It explicitly tells the program to use AssertionID within a Assertion element when searching for the signature.
Posts
No comments:
Post a Comment