0

I am trying to verify the signature in an encrypted XML. I've been doing tests with 3 different tools:

  1. Online tool (https://www.samltool.com/validate_response.php)
  2. Using ComponentPro library (commercial library)
  3. Using my own .NET method (using SignedXml.CheckSignature())

I'm getting an error in the online tool saying "No private key available, check settings". Using the ComponentPro library I'm getting the exception saying "SAML response signature is not valid." And using my own .NET method I get a FALSE (means that did not pass the verification).

I don't know whats wrong, but 100% should pass the Signature Verification since I created the file and I signed it.

Here is the encrypted XML file:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                Version="2.0"
                ID="lzmixH9GVTlmhl.bh9SE2Tbh4pd"
                IssueInstant="2019-09-27T04:32:25.462Z"
                Destination="https://test.com/test.aspx"
                >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml.test.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#lzmixH9GVTlmhl.bh9SE2Tbh4pd">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>L+bZKOA140pqnrM9sdsdaluyEUJ/ysdasgi/J35I9w=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
Ak/tpWmr/CQ0+9TNzACXl1e7GSgLKeqZGUKZo/X2XMcevAycQxbamu7uxnAu8Co42KaOjyDjrgoL
4Q7b/xxj52XorPBLeJWQ0N47Wj0u4bjLOsk14Ms5RpYRFWne4LptAZmmaATOdJ7Ow81QJo6Wslc8
NZcgYKbL/Ehtf7L0EqCSJv9vHGUtkOSCujYfxZoXcpkOXdSV6xniFyaM6w5iSiwQrlT2MFub3kr7
jHFOvFtNCOVt0ytArlDJBhGPWwc/c7hnGAbwocDfcsZoT6Mp4rWFW244n7Vt52GRGDu/20FcZkDq
LGaPiJ+5Os6ClBjjVo3muMwAs4UZM/d5m50cxg==
</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIIGozCCBYugAwIBAgIQCUgVxSRU1R1zZphfEYcK6TANBgkqhkiG9w0BAQsFADBEMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMR4wHAYDVQQDExVEaWdpQ2VydCBHbG9iYWwgQ0Eg
RzIwHhcNMTkwNzA5MDAwMDAwWhcNMjEwNzA5MTIwMDAwWjB0MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMISWxsaW5vaXMxFTATBgNVBAcTDExpbmNvbG5zaGlyZTEdMBsGA1UEChMUQWxpZ2h0IFNvbHV0
aW9ucyBMTEMxHDAaBgNVBAMTE3Nzby1iLnFjLmFsaWdodC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCAUWfbp9WRqxBbv89TqqtxoQ0651p8N6znIWlRSgnThYLZVTRAT3Ynz1Kg
aqywiDxEMm7ZD9smueiGQtz/qDL4WxKVXTuwMEDravneur8Kq2ixJvko6/055Ov7Gy/phVpAozKY
+i5wKv2faYUWLJgIugc68xSiHd8ytlNC3pHorcCpQbMg4hkxnqwYx22BQ8NkeBTmxtVD2vuQGnMw
cFXmaJl09zoIleAMUFYNkg345Lfh86N2jWyPQbBY1n0/x3ZE91HIWDefRQy49gvzNdhqR7mZttBd
qfde6AGdRcpV4iw5uGLxq9g/T5S55vstFLwm29E26MyiwrQg23PsgRcVAgMBAAGjggNfMIIDWzAf
BgNVHSMEGDAWgBQkbist0GqSUVElaQGqmkemiedAIDAdBgNVHQ4EFgQUrWiNv08hgdA4N1VN+6VU
TCYYgnUwHgYDVR0RBBcwFYITc3NvLWIucWMuYWxpZ2h0LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHcGA1UdHwRwMG4wNaAzoDGGL2h0dHA6Ly9jcmwz
LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbENBRzIuY3JsMDWgM6Axhi9odHRwOi8vY3JsNC5k
aWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxDQUcyLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwB
ATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjB0
BggrBgEFBQcBAQRoMGYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA+Bggr
BgEFBQcwAoYyaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsQ0FHMi5j
cnQwCQYDVR0TBAIwADCCAYAGCisGAQQB1nkCBAIEggFwBIIBbAFqAHYApLkJkLQYWBSHuxOizGdw
Cjw1mAT5G9+443fNDsgN3BAAAAFr1GyZvwAABAMARzBFAiEA+qXbGRszOLquhwYoLwLlBLzB/+GL
duRDCMZNZaxLfn8CIDgvflKTmGf2kJaF/lGZ20xY5l2eaH5UXpWNipDha9VUAHcAh3W/51l8+IxD
mV+9827/Vo1HVjb/SrVgwbTq/16ggw8AAAFr1GyaDAAABAMASDBGAiEAwt6IzERMF9JRFqtIumTU
8vioEfsuHwxnRkv+I22dzuQCIQC+Pgt3GLZrS5mC+BAKBKYSi8fLEyOpGJnWlgF9sY7GXwB3AESU
ZS6w7s6vxEAH2Kj+KMDa5oK+2MsxtT/TM5a1toGoAAABa9RsmRQAAAQDAEgwRgIhAOWU47qQPFaw
SWRxYld1mqxHMzm5Qa8mL6unCgWOnWqyAiEAmXnxcBDxYpy5BiFGwrm9+WGD2VJA9UoOtYK7RmbU
zdIwDQYJKoZIhvcNAQELBQADggEBABKtQCxqFe1Up9HUWxageZmo1SDMrstI+bXPLwLGEwe2MrQn
NRX3bbg0J24v4dSlUNtbLqr3JELUKVsU05V+Ih29Ohgb/gtBRiQqI0JdEEMmy88cZmYOLe7eNZW2
3gv90d5sk6rOUtKCViK4hiYmVo44TDCn2q2XyZN6CyGVwKebqpZGFaXwsOO4gvKWTbEfSvHw+ZOL
+4ognkcC/9mDft4l0lz7REwK9BdBE/glpGrhMta+wJPQXQGgZKMZ9pJTi7aoMrHYsuzBlx5/SFYw
XbbqreLf1isW9UVhHFL92SVz4sv5i4KAH2YqT9wCCrbTk5II4x53iOEgzB0gIQU7EPQ=
</ds:X509Certificate>
            </ds:X509Data>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus>
gFFn26fVkasQW7/PU6qrcaENOudafDes5yFpUUoJ04WC2VU0QE92J89SoGqssIg8RDJu2Q/bJrno
hkLc/6gy+FsSlV07sDBA62r53rq/CqtosSb5KOv9OeTr+xsv6YVaQKMymPoucCr9n2mFFiyYCLoH
OvMUoh3fMrZTQt6R6K3AqUGzIOIZMZ6sGMdtgUPDZHgU5sbVQ9r7kBpzMHBV5miZdPc6CJXgDFBW
DZIN+OS34fOjdo1sj0GwWNZ9P8d2RPdRyFg3n0UMuPYL8zXYake5mbbQXan3XugBnUXKVeIsObhi
8avYP0+Uueb7LRS8JtvRNujMosK0INtz7IEXFQ==
</ds:Modulus>
                    <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            Type="http://www.w3.org/2001/04/xmlenc#Element"
                            >
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey>
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
                    <xenc:CipherData>
                        <xenc:CipherValue>SUFqblQImc6ulrhGwTfEDBWrXtwBATx/cLL+hIJNedoufMAxUYq6KAaUkZzJw9TzO+bK5BsZpyus
BnRzjoZt01x4rQTegp+3FpucZTaqpkXdrhj2mIs/rKk7lvYccECcu/FzEdd0IX+nYkvPSO/+hGKq
AwdBBN/b0u8itObreSo=</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>S0d/LkP6FxvxLkrWes1tNbK6nys0tRVunqK7Xg+/o24RfI7JDxCOXB7dq0KzTNZHdIJ6dFZTE4tz
Y4OWbJ1GJrKeEcpHFJLV4LxyKmc09bxQFe0AOR6QLT2AHd0NAJPlX8X6ty49Tki6OkB5rYSwf+6C
8+1GotX2Z9zIUA7+IcjAwbmmLw35Ty9xV1xNgywR4XlX7mTp+sKKpoRy51gX6OtOSeZotJGO6tVV
x/RIj+nw4gObuMHL7yR+63PLG5MgPPtLPZOPUQD3IN14z0AAL81BbTOv4G46xU6lLXEfKYpjQlw7
y/yFUGMrJX2NZ3qTjPDzZle97WSxFWp7f2M4Zxn3buCaV441Feei/XpDyyBLzgu+p6peypFSWP3w
JA1T+68OfMnAdqn9Mf+C1OIebHavLNUQdGBPb+Glfwu+ueY9tLMPCZpTyWgWL+CWZAPdi87tmPpL
LQ/ISIShLhTIxme8NVj4yVrcCg92NGoJnlwKuAG29NsLkXgl+5/kOOilIFSZloNLQRSsGoxfsbiH
0PsQ6CcMyRABWAlNP6ePHJ7UeOqICDlTHccnsTeckxND2nDhLRsLtbkqgRR05A6jaYgFUqPzPhHm
mrrl3mJqFTNuzKHkoOQHMoI+QYXVvEkGVAdod4dVSYF3CNz50msHg664WX/KcdXCMihzR2YP06+s
G3Yt/aO3og92p5kCMrnkZdthvt5kyT2lxBRyKkdLdGvGp6p8QzTP7fd1V0ffmol/fqvUqI2cv8ey
c6HbRd8lb6UDA9ISwIUdlbJC3OpKcLsiHtlgGYVHt/KIcNfdfByfxmD6w5IntCeWIhBB0BuPOzxM
DA1VUB97HbRiPAZZCaODN1IQ1ZGTvFqwK7QWLtsye+1cHJz1HCVXMAOuCywKzOtZQq04SyR9kKBS
qVgJGJeEvWdopLSmhhDT/nqeFJM/O0b+gnKoqsLBQfCusOhKvy5FZuWqkvBBiRzAke1JhQlm2ama
XnORpBQisxX/iIUy62KdMZpHqTs+hwJbLIJn4HDyDJY6JHJ5dk+EE9IW8EJCH8omRfRQvECgIoRu
RVDKtjp2q4h3iOqEmTP0E3RnuQze2WB6uZKS9uTxc5th7MiQ+HnMjupHQjE/Smwlekj00PVxDiCJ
vEjY6lBYzymwoXZ6dJfZ1DOP4N0z5je1vhm0e9HLxq8X0MgM0eOj9AGwCM2iVQB5W5TlH4afOAaG
BNHZ2vyaSSRfR2ZUP6gIxxt0h6q277XCzcFU3MpBfEeAwiw8FBliG+vZUQ4s044ciW4ar8DgBzhJ
LR/cJkHeZw58SRhgM18iXCdmCRks62om+WAZom0yiRKBDdggTwuiWk16pPiDDzbcNfbaKcHG3fAm
/zvbKPLjxKHOuyu+mYQOixz9Emx33BTdg7upMPn/RtFi7JPrC9CTLwzyUy83tVqxRF13/L3Gosrp
s8i6HgGHrgexmyEv4k4bf/Ga4X6ii8em2FgSK5bLMxnrYr206A==</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAssertion>
</samlp:Response>

And here is the .cer

-----BEGIN CERTIFICATE-----
MIIGozCCBYugAwIBAgIQCUgVxSRU1R1zZphfEYcK6TANBgkqhkiG9w0BAQsFADBEMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMR4wHAYDVQQDExVEaWdpQ2VydCBHbG9iYWwgQ0Eg
RzIwHhcNMTkwNzA5MDAwMDAwWhcNMjEwNzA5MTIwMDAwWjB0MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMISWxsaW5vaXMxFTATBgNVBAcTDExpbmNvbG5zaGlyZTEdMBsGA1UEChMUQWxpZ2h0IFNvbHV0
aW9ucyBMTEMxHDAaBgNVBAMTE3Nzby1iLnFjLmFsaWdodC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCAUWfbp9WRqxBbv89TqqtxoQ0651p8N6znIWlRSgnThYLZVTRAT3Ynz1Kg
aqywiDxEMm7ZD9smueiGQtz/qDL4WxKVXTuwMEDravneur8Kq2ixJvko6/055Ov7Gy/phVpAozKY
+i5wKv2faYUWLJgIugc68xSiHd8ytlNC3pHorcCpQbMg4hkxnqwYx22BQ8NkeBTmxtVD2vuQGnMw
cFXmaJl09zoIleAMUFYNkg345Lfh86N2jWyPQbBY1n0/x3ZE91HIWDefRQy49gvzNdhqR7mZttBd
qfde6AGdRcpV4iw5uGLxq9g/T5S55vstFLwm29E26MyiwrQg23PsgRcVAgMBAAGjggNfMIIDWzAf
BgNVHSMEGDAWgBQkbist0GqSUVElaQGqmkemiedAIDAdBgNVHQ4EFgQUrWiNv08hgdA4N1VN+6VU
TCYYgnUwHgYDVR0RBBcwFYITc3NvLWIucWMuYWxpZ2h0LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHcGA1UdHwRwMG4wNaAzoDGGL2h0dHA6Ly9jcmwz
LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbENBRzIuY3JsMDWgM6Axhi9odHRwOi8vY3JsNC5k
aWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxDQUcyLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwB
ATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjB0
BggrBgEFBQcBAQRoMGYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA+Bggr
BgEFBQcwAoYyaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsQ0FHMi5j
cnQwCQYDVR0TBAIwADCCAYAGCisGAQQB1nkCBAIEggFwBIIBbAFqAHYApLkJkLQYWBSHuxOizGdw
Cjw1mAT5G9+443fNDsgN3BAAAAFr1GyZvwAABAMARzBFAiEA+qXbGRszOLquhwYoLwLlBLzB/+GL
duRDCMZNZaxLfn8CIDgvflKTmGf2kJaF/lGZ20xY5l2eaH5UXpWNipDha9VUAHcAh3W/51l8+IxD
mV+9827/Vo1HVjb/SrVgwbTq/16ggw8AAAFr1GyaDAAABAMASDBGAiEAwt6IzERMF9JRFqtIumTU
8vioEfsuHwxnRkv+I22dzuQCIQC+Pgt3GLZrS5mC+BAKBKYSi8fLEyOpGJnWlgF9sY7GXwB3AESU
ZS6w7s6vxEAH2Kj+KMDa5oK+2MsxtT/TM5a1toGoAAABa9RsmRQAAAQDAEgwRgIhAOWU47qQPFaw
SWRxYld1mqxHMzm5Qa8mL6unCgWOnWqyAiEAmXnxcBDxYpy5BiFGwrm9+WGD2VJA9UoOtYK7RmbU
zdIwDQYJKoZIhvcNAQELBQADggEBABKtQCxqFe1Up9HUWxageZmo1SDMrstI+bXPLwLGEwe2MrQn
NRX3bbg0J24v4dSlUNtbLqr3JELUKVsU05V+Ih29Ohgb/gtBRiQqI0JdEEMmy88cZmYOLe7eNZW2
3gv90d5sk6rOUtKCViK4hiYmVo44TDCn2q2XyZN6CyGVwKebqpZGFaXwsOO4gvKWTbEfSvHw+ZOL
+4ognkcC/9mDft4l0lz7REwK9BdBE/glpGrhMta+wJPQXQGgZKMZ9pJTi7aoMrHYsuzBlx5/SFYw
XbbqreLf1isW9UVhHFL92SVz4sv5i4KAH2YqT9wCCrbTk5II4x53iOEgzB0gIQU7EPQ=
-----END CERTIFICATE-----
jorge
  • 11
  • 6
  • No. I'm using three different tools to verify the signature. Please, before post any comment about duplications, read the question. Thanks @demo7up – jorge Sep 27 '19 at 15:54
  • Did you even read the link I posted? – demo7up Sep 27 '19 at 16:01
  • Possible Duplicate of https://stackoverflow.com/questions/23394654/signing-a-xml-document-with-x509-certificate – demo7up Sep 27 '19 at 16:01
  • Yes, sure. My question is not only about my own method. It's also about samltool (the online one) and about the commercial library. These methods shouldn't have errors, since are commercial. Thats why I'm asking. – jorge Sep 27 '19 at 16:08
  • 1
    No tool is perfect. The tools should support SAML response signing and SAML Assertion signing. Potentially you need to tell the commercial library that response signing is being done as this is not declared in the SAML meta data files, but has to be agreed upon 'out-of-band'. – Bernhard Thalmayr Sep 27 '19 at 21:51
  • @jorge You keep asking the same question...encryption in SAML is one of the hardest things to get right, even for a "commercial" tool (`samltool.com` is professionally written but it's not commercial, you don't pay for service). If you bought ComponentSpace license, give them a shout, they should be able to help you. – identigral Sep 29 '19 at 23:08
  • FWIW, please see cheated.by.safabyte.net which shows Component Pro likely represents the latest incarnation of stolen SAML software. TY – iokevins Apr 17 '20 at 17:45

0 Answers0