What do I need to know about XML Signatures to make SAML work?
At work we have a web app that we'll need to interface with another company's web app using Single Sign On validated by SAML. Our web apps are written in PHP, and it's obviously irrelevant what language choice the other company is using. Nonetheless, I've needed to write a simple API that this other company can send SOAP requests to with SAML requests, and generate back a SAML response. I've been writing it from scratch for three reasons: 1) there don't really seem to be many options for SAML interactions written in PHP even if I wanted one, 2) it limits the overhead that would be involved with adding another third-party component, and 3) creating things from scratch usually leaves me with a significantly better understanding and makes me much more capable to adapt the thing in the future if needed.
Anyways, I'm fairly new to SAML, SOAP, and XML standards in general, so I've kind of been teaching myself as I go. I've got the API pretty much complete for our purposes, with the one exception that the other company has specified that our response will be required to be digitally signed with a certificate (and the request we receive will similarly be digitally signed). So I've been trying to figure out how to process/generate the XML signatures, but honestly it's all a bit confusing as W3C specs aren't exactly light reading.
Section 5.4.8 of the Assertions and Protocol for the OASIS Security Markup Language (SAML) V1.1 document (the document I've been going off, as the other company said they'll be using v1.1) includes an example of a signed response containing a signed assertion, which I'm going to include here to reference:
<Response IssueInstant="2003-04-17T00:46:02Z" MajorVersion="1" MinorVersion="1"
    Recipient="www.opensaml.org" ResponseID="_c7055387-af61-4fce-8b98-e2927324b306"
    xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_c7055387-af61-4fce-8b98-e2927324b306">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default saml samlp ds xsd xsi"
                xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>TCDVSuG6grhyHbzhQFWFzGrxIPE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>x/GyPbzmFEe85pGD3c1aXG4Vspb9V9jGCjwcRCKrtwPS6vdVNCcY5rHaFPYWkf+5EIYcPzx+pX1h43SmwviCqXRjRtMANWbHLhWAptaK1ywS7gFgsD01qjyen3CP+m3Dw6vKhaq1ed10BYyrIzb4KkHO4ahNyBVXbJwqv5pUaE4=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTA1VT ... 8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1y1GPdiowMNTrEG8cCx3w/w==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
      IssueInstant="2003-04-17T00:46:02Z" Issuer="www.opensaml.org"
      MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
      <AudienceRestrictionCondition>
        <Audience>http://www.opensaml.org</Audience>
      </AudienceRestrictionCondition>
    </Conditions>
    <AuthenticationStatement AuthenticationInstant="2003-04-17T00:46:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <Subject>
        <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">scott@example.org</NameIdentifier>
        <SubjectConfirmation>
          <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
        </SubjectConfirmation>
      </Subject>
      <SubjectLocality IPAddress="127.0.0.1"/>
    </AuthenticationStatement>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <InclusiveNamespaces PrefixList="#default saml samlp ds xsd xsi"
                  xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>Kclet6XcaOgOWXM4gty6/UNdviI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>hq4zk+ZknjggCQgZm7ea8fI79gJEsRy3E8LHDpYXWQIgZpkJN9CMLG8ENR4Nrw+n7iyzixBvKXX8P53BTCT4VghPBWhFTSt9tHWu/AtJfOTh6qaAsNdeCyG86jmtp3TDMWuL/cBUj2OtBZOQMFn7jQ9YB7k1Iz3RqVL+wNmeWI4=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTA1VT ... 8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1y1GPdiowMNTrEG8cCx3w/w==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
  </Assertion>
</Response>
So how do I generate something like this? And if I receive something like this, how do I validate it? Also, can anyone offer just a basic conceptual overview of what the <ds:Signature> tags are here? It seems there are two <ds:Signature> tags, one in the main <Response> and one in the <Assertion>, each containing their own <ds:DigestValue>, <ds:SignatureValue>, and <ds:X509Certificate> (and each distinct). How are these generated? Any light you can shed on this will be much appreciated. Tutorials or code examples would be even more appreciated! But at this point, if you can just get me on the right track, that's all I'm really asking for. Right now it all still seems like a big black box to me.
By the way, if this helps, it says elsewhere in the SAML 1.1 spec that SAML implementations should use the "Exclusive Canonicalization" method only (Excl-C14N) and should use the "enveloped transform" only. I'm still not completely sure what that means.
Processing XML signatures is not really too difficult, if you are very familiar with XML, but there are a lot of details that have to be absolutely right or things don't work, so I probably wouldn't try writing my own implementation in this situation (I did implement it partially once, but that was for a different and special purpose, and anyway it wasn't a complete implementation).
Anyway, I don't know much about SAML, but I do know about XML and XML Signatures, so maybe I can get you some of the way by trying to answer your questions.
A Signature element refers to a specific piece of an XML document that has been digitally signed, in its SignedInfo child element. The Reference child element of that (I think there can be many Reference elements that get concatenated when forming the bytes to be signed, but I don't remember for sure anymore) points to the content through the URI attribute. The Transform elements describe transformations performed on the referred-to content prior to hashing it; you will need to look at the specifications to figure out how the transformation algorithms are defined. The DigestMethod element gives the hash algorithm to apply to the bytes that are the result of these transformation algorithms (note that one of them is always canonicalization that converts XML into bytes), and the DigestValue gives the result of that digest algorithm.

The actual signature is in the SignatureValue element, and is produced by applying the CanonicalizationMethod element's canonicalization to produce the bytes and then signing these bytes with the SignatureMethod. The KeyInfo element tells you how to find the key to use.

Canonicalization, which appears a couple of times above, is simply a way to convert an XML document into bytes so that "equivalent" XML documents produce the same sequence of bytes. This is required in a digital signature because the algorithms work on bytes and XML can pass through a number of intermediaries that probably will disrupt the original bytes but will retain the equivalence. And different canonicalization methods are needed for different situations: if elements are extracted from documents and placed into others, you need exclusive canonicalization that strips away unneeded namespace definitions, but in other cases that might not work correctly, so you need inclusive canonicalization instead, which preserves all in-scope namespaces.
This is just the basics. There are a number of different options in how to produce an XML signature, and if you want to implement a working verifier, you need to consider all of them. Since you are new to XML in general, I'll just repeat my advice of using something that already exists. It's an interesting learning experience to implement a specification, but often it's a waste of time if implementations are already available.
There is the W3C's documentation about signatures.
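As an added example (not code from the question or from either answer), here is how the steps described above map onto PHP's own DOM and OpenSSL extensions for the verifying side: resolve the Reference by ID, apply the enveloped transform, run exclusive C14N with the InclusiveNamespaces prefix list, compare the SHA-1 digest, then check the RSA-SHA1 signature over the canonical SignedInfo. `$xml` (the received response) and `$trustedCertPem` (the partner's certificate, exchanged out of band) are assumed inputs.

```php
<?php
const DSIG = 'http://www.w3.org/2000/09/xmldsig#';
const EXC_C14N = 'http://www.w3.org/2001/10/xml-exc-c14n#';
const RSA_SHA1 = DSIG . 'rsa-sha1';
const SHA1_URI = DSIG . 'sha1';

function verifySamlSignature(DOMElement $signedEl, string $trustedCertPem): bool {
    $xp = new DOMXPath($signedEl->ownerDocument);
    $xp->registerNamespace('ds', DSIG);
    $xp->registerNamespace('ec', EXC_C14N);
    // Only the element's own (direct child) Signature counts; nested ones sign other elements.
    $sigs = $xp->query('./ds:Signature', $signedEl);
    if ($sigs->length !== 1) return false;
    $sig = $sigs->item(0);
    $si = $xp->query('./ds:SignedInfo', $sig)->item(0);
    $refs = $xp->query('./ds:Reference', $si);
    // Pin the algorithms the SAML 1.1 spec calls for rather than trusting what the XML names.
    if ($refs->length !== 1
        || $xp->evaluate('string(./ds:CanonicalizationMethod/@Algorithm)', $si) !== EXC_C14N
        || $xp->evaluate('string(./ds:SignatureMethod/@Algorithm)', $si) !== RSA_SHA1
        || $xp->evaluate('string(./ds:DigestMethod/@Algorithm)', $refs->item(0)) !== SHA1_URI) {
        return false;
    }
    $ref = $refs->item(0);
    // The Reference URI must name this very element (ResponseID/AssertionID are the ID attributes in SAML 1.1).
    $idAttr = $signedEl->hasAttribute('ResponseID') ? 'ResponseID' : 'AssertionID';
    if ($ref->getAttribute('URI') !== '#' . $signedEl->getAttribute($idAttr)) return false;
    $prefixes = [];  // InclusiveNamespaces PrefixList: emitted even if not visibly used
    foreach ($xp->query('./ds:Transforms/ds:Transform/ec:InclusiveNamespaces', $ref) as $inc) {
        $prefixes = preg_split('/\s+/', trim($inc->getAttribute('PrefixList')));
    }
    // Read what we need from the Signature before the enveloped transform removes it.
    $signedInfoBytes = $si->C14N(true, false);
    $digestValue = trim($xp->evaluate('string(./ds:DigestValue)', $ref));
    $sigValue = base64_decode(trim($xp->evaluate('string(./ds:SignatureValue)', $sig)), true);
    $sig->parentNode->removeChild($sig);
    // DigestValue = SHA-1 over the exclusive-C14N bytes of the element minus its Signature.
    $digest = base64_encode(sha1($signedEl->C14N(true, false, null, $prefixes), true));
    if (!hash_equals($digest, $digestValue)) return false;
    // SignatureValue = RSA-SHA1 over canonical SignedInfo, checked against the certificate
    // agreed out of band, not the one carried inside ds:KeyInfo.
    $key = openssl_pkey_get_public($trustedCertPem);
    return $key !== false && $sigValue !== false
        && openssl_verify($signedInfoBytes, $sigValue, $key, OPENSSL_ALGO_SHA1) === 1;
}

// Assumed inputs: $xml is the received response, $trustedCertPem the partner's certificate.
$doc = new DOMDocument();
$doc->loadXML($xml);
$assertion = $doc->getElementsByTagNameNS('urn:oasis:names:tc:SAML:1.0:assertion', 'Assertion')->item(0);
// Verify the Response first: its digest still covers the Assertion's own Signature.
$ok = verifySamlSignature($doc->documentElement, $trustedCertPem)
    && $assertion !== null && verifySamlSignature($assertion, $trustedCertPem);
```

A valid signature only tells you the partner's key produced this XML; the Conditions (NotBefore/NotOnOrAfter, Audience) and the binding-level checks still have to be applied separately.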
There's an example in xmlseclibs.php in SimpleSAML. It relies on the openssl module to do the crypto.
I would honestly use that lib or bridge to java/tomcat, just because interop issues might come up that would need to potentially be debugged,
You can have a look at this Java lib for an example of signing the SAML request: https://github.com/jrowny/java-saml
To validate the signature you need to install the SAML tracer addon https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
You can use the tool https://www.samltool.com/validate_logout_req.php to validate or sign the request https://www.samltool.com/sign_logout_req.php