PerlMonks
Validating XML Signatures / SSL Certificate question (using Net::SAML)
by MattP (Novice) on Apr 04, 2017 at 19:28 UTC [id://1187040]
MattP has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks! Thanks to help from some of you yesterday I have installed XML::Sig with the hope of being able to validate some XML signatures. I'm not yet having a huge lot of luck with this. I'm actually trying to validate a SAML assertion. I have the Net::SAML2 module installed as well, which seems to have its own modified version of XML::Sig.

The provider of the SAML assertion has my public certificate, and they are successfully sending me assertions - I can read the XML and do what I need to do apart from verifying the signature. The documentation in the Net::SAML2 module says "When using XML::Sig exclusively to verify a signature, no key needs to be specified during initialization given that the public key should be transmitted with the signature." This has confused the people who are sending me the signed XML, as they say the whole point is I need to do whatever it is I need to do with it?! with my own key - presumably my private key - in order to validate the signature. I am trying to find out exactly what that is, as the module isn't doing any of it by the looks of it.

However, I have got as far as getting a certificate out of the signature - as they say, it is transmitted with the signature. The certificate that is coming out, however, is not the same one as I have sent them to use. I'm not sure if it should look identical or not; I have a feeling it should be, though. I have also managed to get a public key out of that certificate. There is also a digestValue node in the XML, which should be everything I need to validate the signature. I have then run my $cert = Crypt::OpenSSL::X509->new_from_string($certificate);. This is the $certificate that they have sent me. The particular line of code I can see that checks the validity is:

- at this point I have base64 decoded the signature to $bin_signature, $canonical contains the digestValue. $rsa_pub has already been initialised with the public key that I have got out of the certificate. This verify function consistently returns 0, and I am trying to work out why. Knowing very little about certificates, I'm not even sure I'm formulating this question very well. If anyone has had any experience with any of this - done any work with decoding XML signatures or SAML processing - I'd be hugely happy to hear from them right now! Many thanks - Matt.
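The following script is an added illustration of what an XML-DSig verifier checks on a signed SAML assertion; it is not code from the post above, nor from XML::Sig or Net::SAML2. The point it spells out is the structure of an enveloped XML signature: the RSA signature in ds:SignatureValue is computed over the canonicalised ds:SignedInfo element, the ds:DigestValue is a separate hash of the referenced element (with the ds:Signature removed), and the certificate carried in ds:KeyInfo is the signer's certificate, which a receiver pins against a copy obtained out of band (for example from the IdP metadata). The receiver's own private key is only involved for encrypted assertions or for signing its own requests. The script assumes the common SAML 2.0 profile (SHA-256 digests, RSA-SHA256, exclusive C14N, a same-document URI="#ID" reference) and takes example file names on the command line.

```perl
#!/usr/bin/env perl
# Added example, not from the original post or from XML::Sig / Net::SAML2.
# Walks through the checks in an enveloped XML-DSig signature on a SAML
# assertion. Assumptions: SHA-256 digest, RSA-SHA256 signature, exclusive
# C14N, same-document reference; file names are placeholders.
use strict;
use warnings;
use XML::LibXML;
use XML::LibXML::XPathContext;
use MIME::Base64 qw(decode_base64);
use Digest::SHA qw(sha256);
use Crypt::OpenSSL::X509 qw(FORMAT_ASN1);
use Crypt::OpenSSL::RSA;

my ($assertion_file, $trusted_cert_file) = @ARGV;
die "usage: $0 assertion.xml trusted-idp-cert.pem\n"
    unless defined $assertion_file && defined $trusted_cert_file;

my $doc = XML::LibXML->load_xml(location => $assertion_file);
my $xpc = XML::LibXML::XPathContext->new($doc);
$xpc->registerNs(ds => 'http://www.w3.org/2000/09/xmldsig#');

my ($sig)         = $xpc->findnodes('//ds:Signature')          or die "no ds:Signature found\n";
my ($signed_info) = $xpc->findnodes('ds:SignedInfo', $sig)     or die "no ds:SignedInfo\n";
my ($reference)   = $xpc->findnodes('ds:Reference', $signed_info) or die "no ds:Reference\n";

# Refuse anything outside the profile this example handles rather than
# guessing; a real verifier dispatches on these algorithm URIs.
my $c14n_method   = $xpc->findvalue('ds:CanonicalizationMethod/@Algorithm', $signed_info);
my $sig_method    = $xpc->findvalue('ds:SignatureMethod/@Algorithm', $signed_info);
my $digest_method = $xpc->findvalue('ds:DigestMethod/@Algorithm', $reference);
die "unexpected CanonicalizationMethod $c14n_method\n"
    unless $c14n_method eq 'http://www.w3.org/2001/10/xml-exc-c14n#';
die "unexpected SignatureMethod $sig_method\n"
    unless $sig_method eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
die "unexpected DigestMethod $digest_method\n"
    unless $digest_method eq 'http://www.w3.org/2001/04/xmlenc#sha256';

# decode_base64 ignores the line breaks these elements usually contain.
my $digest_value = decode_base64($xpc->findvalue('ds:DigestValue', $reference));
my $sig_value    = decode_base64($xpc->findvalue('ds:SignatureValue', $sig));
my $cert_der     = decode_base64(
    $xpc->findvalue('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $sig));

# Step 1: the bytes that were signed are the canonicalised <ds:SignedInfo>,
# so capture them before anything is detached from the document.
my $signed_info_c14n = $signed_info->toStringEC14N(0);

# Step 2: the Reference digest covers the element named by URI="#id", with
# the enveloped <ds:Signature> removed (the enveloped-signature transform).
(my $id = $reference->getAttribute('URI') // '') =~ s/^#//;
die "only same-document references (URI=\"#id\") are handled here\n" unless length $id;
my ($signed_elem) = $xpc->findnodes(qq{//*[\@ID="$id"]}) or die "no element with ID $id\n";
$sig->unbindNode;
my $actual_digest = sha256($signed_elem->toStringEC14N(0));
die "DigestValue mismatch: signed content altered or transforms differ\n"
    unless $actual_digest eq $digest_value;

# Step 3: the certificate in <ds:KeyInfo> belongs to the signer (the IdP),
# not to the receiver; trust it only if it matches the copy pinned out of
# band, here compared by public key.
my $embedded = Crypt::OpenSSL::X509->new_from_string($cert_der, FORMAT_ASN1);
my $trusted  = Crypt::OpenSSL::X509->new_from_file($trusted_cert_file);
die "embedded certificate does not match the trusted IdP certificate\n"
    unless $embedded->pubkey eq $trusted->pubkey;

# Step 4: verify SignatureValue over the canonicalised SignedInfo (not over
# the DigestValue) with the public key from that certificate.
my $rsa = Crypt::OpenSSL::RSA->new_public_key($embedded->pubkey);
$rsa->use_sha256_hash;
$rsa->use_pkcs1_padding;
die "SignatureValue does not verify\n"
    unless $rsa->verify($signed_info_c14n, $sig_value);

print "signature OK (signer: ", $embedded->subject, ")\n";
```

Run it as `perl verify_assertion.pl assertion.xml trusted-idp-cert.pem`. Each die marks a distinct failure mode: a digest mismatch means the referenced element or the transforms differ from what the signer canonicalised, a certificate mismatch means the signer is not the expected IdP, and a failed verify means SignatureValue does not correspond to the canonicalised SignedInfo under the embedded key.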