add_sign tampering with the xml, resulting in invalid signature

[RamezIssac]

Good day dear,
I'm implementing HTTP-POST which is requiring enveloped signatures.

I implemented your hint on the php repo (and here on other issues) using add_sign
But, indeed add_sign do tamper with the resulting xml (as in #148 ).
I reviewed your commit 5e08bb2 , it certainly look way better at solving the issue but unfortunately it still yields an invalid signature from the idp.

On a side note: If i sign the xml request on the onelogin site online tools, i get through and have no errors.

How can i help resolving this issue ?

Thank you.

[pitbulk]

@RamezIssac have you tried to validate the generated XML with the validate_sign method?

Also, try to use python3-saml and see if it also give you the same issue.

[RamezIssac]

@pitbulk Thank you for the quick reply
The validate_sign is returning False (on parameter validate_cert = True or False)
Here is a complete transcript of the flow

saml_settings = OneLogin_Saml2_Settings(custom_base_path=settings.SAML_FOLDER, sp_validation_only=True)
security = saml_settings.get_security_data()  #
authn_req = authn_request.OneLogin_Saml2_Authn_Request(saml_settings, force_authn=True,
                                                       is_passive=False,
                                                       set_nameid_policy=False)

auth_req_xml = authn_req.get_xml()

key = saml_settings.get_sp_key()
cert = saml_settings.get_sp_cert()
signatureAlgorithm = security['signatureAlgorithm']
xmlAlgorithm = security['digestAlgorithm']

signed_xml = OneLogin_Saml2_Utils.add_sign(auth_req_xml, key, cert, sign_algorithm=signatureAlgorithm)
print(OneLogin_Saml2_Utils.validate_sign(signed_xml, cert, key, signatureAlgorithm, validatecert=True))

`

I'll test wtih Python3 and get back to you.

[RamezIssac]

Same behavior on Python3-saml , validate_sign return False.
Adding sign via same procedure as above.

[RamezIssac]

Hello again ,
Can you please share with your findings / insights ?

Were this bug re-produce-able on your end ?
What do you think we should investigate ? Any further ideas?

Thank you in advance.

[pitbulk]

The method OneLogin_Saml2_Utils.validate_sign by default only supports validate signatures of Message or Assertion if no xpath parameter provided. So the use you do on your script will get always a False value on validation due in the XML there is no Response or Assertion element.

You may modify the use of validate_sign as follows.

Replace:

OneLogin_Saml2_Utils.validate_sign(signed_xml, cert, key, signatureAlgorithm, validatecert=False)

by

OneLogin_Saml2_Utils.validate_sign(signed_xml, cert, key, signatureAlgorithm, validatecert=False, xpath='/samlp:AuthnRequest/ds:Signature')

[RamezIssac]

Thank you for the reply and for the guide on how to use validate_sign validating authn_request.

Unfortunately,
I'm afraid validate_sign is still not returning True for the signed xml via add_sign while it is returning True when passed the "correctly signed xml" from onelogin online tools.

[pitbulk]

It worked for me with the code on master

[RamezIssac]

Ok can you please share the code you use to add the signature to the authn_request please ?

[pitbulk]

The same script code that you shared but with the changes I provided

[RamezIssac]

Ok, This is embracing.
While i was writing the test case to send it as a proof, Falses "magically" turned to Trues and idp is happy, No clear explanation. (just maybe *.pyc files messed with me.. )
And indeed works on master after the commit 5e08bb2

Thank you indeed for your help and time. Closing issue.