作者:可爱de小蜗牛 | 来源:互联网 | 2023-05-25 07:49
我遇到了验证SAML 2.0 Assertion XML签名的问题.我正在使用simpleSAMLphp项目中的SAML2库,而后者又使用PHP xmlseclibs
库来签名XML并验证签名.
我收到了我的合作伙伴的以下断言:
uat.test.com/saml2.0mFKEIdw+cEielORqscbHuAJhI58=kEZHloxYJVqDg8oxLNpl+sbJYhv9r7yYU5yQi71gCNm/Cdtj9/P2LR5cnopKZZu+7j3PVimeZoir6RTTrdVKTLkp+PmvOmTlLH/LVtntQZ68TaUxUd3BvtQiKuJ8KFwWPmQ+W3RIKv4ySAsy6PUiWPcr8eIYpIiUA6rxCuSEpdA=MIICczCCAdygAwIBAgIEdWfFczANBgkqhkiG9w0BAQUFADB0MQswCQYDVQQIEwJNQTEQMA4GA1UEBxMHTm9yd29vZDEPMA0GA1UEChMGTWVyY2VyMRswGQYDVQQLExJNZXJjZXIgSFIgU2VydmljZXMxJTAjBgNVBAMTHE1lcmNlciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDcwNjI5MDI1NTQxWhcNMTcwNzI5MDQwMDAwWjB2MQswCQYDVQQIEwJNQTEQMA4GA1UEBxMHTm9yd29vZDEPMA0GA1UEChMGTWVyY2VyMRswGQYDVQQLExJNZXJjZXIgSFIgU2VydmljZXMxJzAlBgNVBAMTHk1lcmNlciBIdW1hbiBSZXNvdXJjZSBTZXJ2aWNlczCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAm9KNx7UmRbWwJ0gmIV9sZzMDH4uz+o6ZmOxVRLvrO0Yzc9Qsc+7f+jIEGsVpbeaj5zx+4c8g46QqGam/Ap+4peewduVAN7GwK8UrmveASQH1Y/byTVGhyndfEtHfauresYpNDbgCn/iq/cXNapuFaTB4U0MPtz8Bqds1871hNasCAwEAAaMQMA4wDAYDVR0PBAUDAwf/gDANBgkqhkiG9w0BAQUFAAOBgQBR5wV43k1XcIM7z24SBvpEDWgEawXZ3TjTI9/54v/ZAdzXAiYfLKVV+hiyum+QP9jezDUH+Wz2bqzjlxOSU7HvUn4MwN+88a1hvSXpPxsp7y4d7juVt66aip/9NuSWbNqUPdhgK/KvMHrZpksCoxUJG2+Q1Jz7aNiBQvOnRRPdTg==000786320test.com:saml2.0urn:oasis:names:tc:SAML:2.0:ac:classes:Passwordinvalidemail@invalid.comDianeTest0206278945000786320
签名元素请求独占的C14N规范化.该xmlseclibs
库库canonicalizes此如下:
uat.test.com/saml2.0000786320test.com:saml2.0urn:oasis:names:tc:SAML:2.0:ac:classes:Passwordinvalidemail@invalid.comDianeTest0206278945000786320
然而,我的伙伴实际签署的元素是这样的:
uat.test.com/saml2.0000786320test.com:saml2.0urn:oasis:names:tc:SAML:2.0:ac:classes:Passwordinvalidemail@invalid.comDianeTest0206278945000786320
几乎相同,但没有xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
命名空间.该xsi
命名空间中的签名变换元素中提到:
由于签名中的SHA1摘要与在元素上计算的摘要xmlseclibs不匹配,因此SAML身份验证失败.
所以我想知道谁在这里是正确的 - 是否必须包含xsi命名空间(即使此命名空间中没有元素),因为它包含在InclusiveNamespaces中,或者如果不xmlseclibs
包含,为什么包含该命名空间呢?C14N规范化?