
cannot validate signature on Response: Could not verify certificate against trusted certs #341

Open
andypeng2015 opened this issue Mar 26, 2021 · 3 comments

Comments

@andypeng2015

Hi, I am using version v0.4.5. I got redirected to /saml/acs, where my request returns a forbidden code, and this error happens intermittently. Below are the IDP metadata and IDP response.

Based on the call stack below, the root certs come from the IDP metadata, and the cert in the response matches. I compared the certs; they match, so it should NOT throw an error.

https://github.com/crewjam/saml/blob/v0.4.5/service_provider.go#L817
https://github.com/crewjam/saml/blob/v0.4.5/service_provider.go#L897
https://github.com/russellhaering/goxmldsig/blob/3541f5e554eefd0d2ef501e27544650d62bf5d22/validate.go#L460

Not sure if it's the same as #167. @gourlaa, could you please advise?

@crewjam, I'd appreciate it if you could take a look. The issue disappears after restarting the app, but it comes back once in a while.

IDP metadata

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://sso.xxx.com/saml-idp/xxx/metadata/">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>C1</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>C1</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.xxx.com/saml-idp/xxx/logout/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.xxx.com/saml-idp/xxx/logout/"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.xxx.com/saml-idp/xxx/login/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.xxx.com/saml-idp/xxx/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

IDP response

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://api.xxx.com/saml/acs" ID="_ee1c1c4ee1a7458e8c027f174c42869d" InResponseTo="id-9532f46d81be47c034fd078a8e853f97bff349b0" IssueInstant="2021-03-26T01:02:29Z" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.xxx.com/saml-idp/xxx/metadata/</saml:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <ds:Reference URI="#_ee1c1c4ee1a7458e8c027f174c42869d">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>MmQoS2xJ4GXG9I</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>eKfUIa+HUbCISqhk3ZXD71</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>C1</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dc7f5bbb1afe45c8bd18a1b60ba7de2c" IssueInstant="2021-03-26T01:02:29Z" Version="2.0">
      <saml:Issuer>http://sso.xxx.com/saml-idp/xxx/metadata/</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_dc7f5bbb1afe45c8bd18a1b60ba7de2c">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               <ds:DigestValue>0y0EA54Evec</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>ijbpbqKULn1ibfePkLk5HZ3pfDsLcemrjXiKvYosRTWM9wnsm4d9</ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>C1</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml:Subject>
         <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" SPNameQualifier="https://api.xxx.com/saml/metadata">user</saml:NameID>
         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="id-9532f46d81be47c034fd078a8e853f97bff349b0" NotOnOrAfter="2021-03-26T01:17:29Z" Recipient="https://api.xxx.com/saml/acs" />
         </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2021-03-26T00:47:29Z" NotOnOrAfter="2021-03-26T01:17:29Z">
         <saml:AudienceRestriction>
            <saml:Audience>https://api.xxx.com/saml/metadata</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2021-03-26T01:02:29Z" SessionIndex="kuvBUJH5nJUiI2X1oT">
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
         <saml:Attribute Name="email">
            <saml:AttributeValue>user@xxx.com</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="Authentication_status">
            <saml:AttributeValue>password only</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>
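The comparison the reporter describes above, as an added example and not code from the issue, from crewjam/saml or from goxmldsig: a Go program that pulls every X509Certificate out of the IdP metadata and out of the Response, and requires each cert embedded in the Response (the Response-level and the Assertion-level signature each carry one) to be byte-for-byte equal to some metadata cert, which is the relation a "could not verify certificate against trusted certs" failure says does not hold. The two XML skeletons, the throwaway self-signed certs, the sso.example entityID and all function names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"math/big"
	"strings"
	"time"
)

var ErrUntrusted = errors.New("signing cert is not among the metadata certs") // returned on a mismatch

// x509Certs parses every <ds:X509Certificate> in a document, wherever it is nested.
func x509Certs(doc string) ([]*x509.Certificate, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var certs []*x509.Certificate
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return certs, nil
		} else if err != nil {
			return nil, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok || se.Name.Space != "http://www.w3.org/2000/09/xmldsig#" || se.Name.Local != "X509Certificate" {
			continue
		}
		var b64 string
		if err := dec.DecodeElement(&b64, &se); err != nil {
			return nil, err
		}
		// IdPs usually wrap the base64 across lines; strip all whitespace before decoding.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, cert)
	}
}

// CheckResponseCerts requires every cert embedded in the Response (the Response and the
// Assertion signatures each carry one) to be byte-for-byte equal to some metadata cert.
func CheckResponseCerts(metadata, response string) error {
	trusted, err := x509Certs(metadata)
	if err != nil {
		return fmt.Errorf("metadata: %w", err)
	}
	embedded, err := x509Certs(response)
	if err != nil {
		return fmt.Errorf("response: %w", err)
	}
	for _, cert := range embedded {
		found := false
		for _, t := range trusted {
			found = found || t.Equal(cert) // Equal compares the raw DER bytes, nothing weaker
		}
		if !found { // the DER fingerprint is what to log on both sides when this is intermittent
			return fmt.Errorf("%w: sha256 %x", ErrUntrusted, sha256.Sum256(cert.Raw))
		}
	}
	return nil
}

// SelfSignedB64 mints a throwaway self-signed cert (constructed test fixture, not an IdP cert).
func SelfSignedB64(notBefore, notAfter time.Time) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "idp"}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}

// Constructed skeletons of the two documents from the issue; each %s takes a cert body.
const MetadataTmpl = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://sso.example/metadata/"><md:IDPSSODescriptor>
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`
const ResponseTmpl = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Assertion ID="_a1"><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>`

func main() {
	good := SelfSignedB64(time.Now(), time.Now().Add(time.Hour))
	other := SelfSignedB64(time.Now(), time.Now().Add(time.Hour)) // stands in for a rotated IdP key
	fmt.Println("same cert:", CheckResponseCerts(fmt.Sprintf(MetadataTmpl, good), fmt.Sprintf(ResponseTmpl, good, good)))
	fmt.Println("rotated:  ", CheckResponseCerts(fmt.Sprintf(MetadataTmpl, good), fmt.Sprintf(ResponseTmpl, other, other)))
}
```

Since the reporter says a restart clears the failure, the datum worth capturing is the fingerprint of whichever metadata cert the SP holds in memory at the moment of a failing ACS request, logged next to the fingerprint taken from the rejected Response; comparing the static metadata file by eye cannot rule out a difference that exists only inside the running process.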
@agis

agis commented Apr 12, 2023

Seeing the same issue. Did you get to the bottom of this?

@sslankesh

I am also facing the same issue. Is there any update on this?

@ghost

ghost commented Jan 19, 2024

I'm experiencing the same issue. Any solutions provided?
