SAML signature verification using Python/M2Crypto


Question

I'm attempting to use M2Crypto to verify a signature contained in an XML response returned from my SSO/SAML provider in my django/python app, but I can't seem to get it to work.

My XML response looks sort of like the second example here.

ETA: And here's a pastebin of my actual XML.

I'm using some code like this to attempt the verification:

import base64

def verify_signature(signed_info, cert, signature):
    from M2Crypto import EVP, RSA, X509

    # cert is the base64-encoded DER certificate taken from the response
    x509 = X509.load_cert_string(base64.b64decode(cert), X509.FORMAT_DER)
    pubkey = x509.get_pubkey().get_rsa()
    verify_EVP = EVP.PKey()
    verify_EVP.assign_rsa(pubkey)
    verify_EVP.reset_context(md='sha1')
    verify_EVP.verify_init()

    # As posted: the decoded signature goes to verify_update and the
    # SignedInfo bytes to verify_final
    verify_EVP.verify_update(base64.b64decode(signature))
    result = verify_EVP.verify_final(signed_info)

    return result

I can successfully get the NameID from the response, and I know I'm successfully loading the certificate, because I can pull the issuer, etc. out of it.

As for the signature, though, I've tried hashing the passed in XML, encoding/not encoding various pieces, and passing in various bits of XML for the signed_info parameter (the SignedInfo tag, the Response tag, the whole thing), and I've tried using ElementTree/ElementC14N.py to ensure the XML is exclusively canonicalized, as the Transform implies should be done, but I'm not getting a positive result.

What am I missing here? Am I trying to validate against the wrong XML? Something wrong with my verification technique?

Answer

You were so close! You should pass signed_info to verify_update, and then pass the signature to verify_final.

You do need to make sure that your signed_info is correctly canonicalized before verifying the signature.

Here is the correct way:

import base64

def verify_signature(signed_info, cert, signature):
    from M2Crypto import EVP, RSA, X509

    # cert is the base64-encoded DER certificate taken from the response
    x509 = X509.load_cert_string(base64.b64decode(cert), X509.FORMAT_DER)
    pubkey = x509.get_pubkey().get_rsa()
    verify_EVP = EVP.PKey()
    verify_EVP.assign_rsa(pubkey)
    verify_EVP.reset_context(md='sha1')
    verify_EVP.verify_init()

    # The canonicalized SignedInfo bytes are hashed via verify_update; the
    # decoded signature is what verify_final checks against that hash.
    verify_EVP.verify_update(signed_info)
    result = verify_EVP.verify_final(base64.b64decode(signature))

    return result  # 1 on success, 0 on failure
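To make the answer's two points concrete (canonicalize SignedInfo first, then feed the data to the hash and the signature to the final RSA step), here is an added, self-contained Python 3.8+ example that is not part of the original question or answer. It replaces M2Crypto with a standard-library RSA-SHA1 (PKCS#1 v1.5) verifier over a constructed toy key and a constructed SAML Response, and uses xml.etree.ElementTree.canonicalize (C14N 2.0, which stands in for exclusive C14N in this simple, single-namespace case) for the canonical form; the key, the XML and all function names are assumptions made for the demo.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)  # keep the ds: prefix when re-serializing
# Toy RSA key from two Mersenne primes so the demo needs no library or key file.
# CONSTRUCTED for this demo only: a real verifier takes n and e from the IdP
# certificate (X509.load_cert_string in the answer) and never holds d.
P, Q, E = (1 << 521) - 1, (1 << 127) - 1, 65537
N, K = P * Q, 81  # 648-bit modulus, 81 bytes
D = pow(E, -1, (P - 1) * (Q - 1))
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 8017 s9.2

def emsa_pkcs1_v15(data: bytes) -> bytes:
    """EM = 00 01 FF..FF 00 || DigestInfo(SHA-1(data)), padded to K bytes."""
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(data: bytes) -> bytes:
    """IdP side; only here so the demo can produce a sample SignatureValue."""
    return pow(int.from_bytes(emsa_pkcs1_v15(data), "big"), D, N).to_bytes(K, "big")

def rsa_sha1_verify(data: bytes, signature: bytes) -> bool:
    """SP side: data feeds the hash (verify_update), signature feeds RSA (verify_final)."""
    if len(signature) != K:
        return False  # swapped arguments end up here: SignedInfo is not K bytes long
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(data)

def signed_info_bytes(response_xml: str, canonical: bool = True) -> bytes:
    """Serialize ds:SignedInfo canonicalized (C14N) or exactly as ElementTree emits it."""
    node = ET.fromstring(response_xml).find(f".//{{{DS}}}SignedInfo")
    raw = ET.tostring(node, encoding="unicode")
    return (ET.canonicalize(raw) if canonical else raw).encode("utf-8")

def verify_response_signature(response_xml: str, canonical: bool = True) -> bool:
    """Check SignatureValue over SignedInfo, the step the accepted answer corrects."""
    sig = ET.fromstring(response_xml).find(f".//{{{DS}}}SignatureValue").text
    return rsa_sha1_verify(signed_info_bytes(response_xml, canonical), base64.b64decode(sig))
# Constructed sample. The self-closing tags are what C14N rewrites to <x></x>, so the
# signature matches only the canonical form of SignedInfo, not ElementTree's own output.
SIGNED_INFO = (f'<ds:SignedInfo xmlns:ds="{DS}">'
               '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
               '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
               '</ds:SignedInfo>')

def build_sample_response() -> str:
    """Constructed IdP response whose SignatureValue was made over canonical SignedInfo."""
    sig = base64.b64encode(rsa_sha1_sign(ET.canonicalize(SIGNED_INFO).encode())).decode()
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_demo">'
            f'<ds:Signature xmlns:ds="{DS}">{SIGNED_INFO}'
            f'<ds:SignatureValue>{sig}</ds:SignatureValue></ds:Signature></samlp:Response>')
```

This covers only the SignatureValue check the answer discusses; a complete verifier must also recompute each ds:Reference digest over the signed element (after the enveloped-signature transform) and confirm the certificate is the IdP's expected one.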
