在NodeJS中对SAML2请求进行数字签名 [英] Digitally Sign a SAML2 Request in NodeJS
问题描述
我有以下SAML请求,需要进行数字签名:
I have the following SAML request that I want to digitally sign:
<samlp:AuthnRequest Version="2.0" ID="_9FE393FB-1C9C-4EDD-86A5-1AE9F2192A60" IssueInstant="2014-10-22T11:22:56.676Z" Destination="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>http://app.localhost</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>
我使用以下依赖于nodejs的coffeescript代码 xmlbuilder 和 xmlcrypto 模块:
I use the following coffeescript code which relies on the nodejs xmlbuilder and xmlcrypto modules:
request = @xmlbuilder.create
'samlp:AuthnRequest':
'@xmlns:samlp':'urn:oasis:names:tc:SAML:2.0:protocol'
'@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion'
'@Version': '2.0'
'@ID': requestId
'@IssueInstant': (new Date()).toISOString()
'@Destination': idpUrl
'saml:Issuer': '@@spEntityId'
,null
,headless: true
request.comment 'insert-signature-here'
request.element 'samlp:NameIDPolicy':
'@AllowCreate': 'true'
saml = request.end()
@fs.readFile "certs/my-cert.pem", (err, certificate)=>
return next @errorService.readFileError certFilePath, err if err?
signer = new @xmlcrypto.SignedXml()
signer.signingKey = certificate
signer.addReference "//*[local-name(.)='AuthnRequest']", ['http://www.w3.org/2000/09/xmldsig#enveloped-signature']
signer.keyInfoProvider = new =>
getKeyInfo: (key)=>
public_key = /-----BEGIN CERTIFICATE-----([^-]*)-----END CERTIFICATE-----/g.exec(key)[1].replace /[\r\n|\n]/g, ''
"<X509Data><X509Certificate>#{public_key}</X509Certificate></X509Data>"
signer.computeSignature saml
signature = signer.getSignatureXml()
signed = saml.replace '<!-- insert-signature-here -->', signature
console.log signed
哪个会生成以下经过数字签名的SAML请求:
Which generates the following digitally signed SAML request:
<samlp:AuthnRequest Version="2.0" ID="_5FEB2162-F4D0-4900-BC28-F2940188E45B" IssueInstant="2014-10-28T13:07:14.007Z" Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>http://app.localhost9de83841</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_5FEB2162-F4D0-4900-BC28-F2940188E45B">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>47MSlH9IpJf8vs37T3DnhZMZ7mo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>T0Uw...KZkm00A==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDg...OgMMxZ</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>
这似乎是有效的。
但是,当我使用 SSOCircle 进行测试时和 TestShib 都报告摘要值不匹配。
However when I test this with SSOCircle and TestShib they both report that the digest value does not match.
我使用的证书是带有未加密私钥的自签名证书(pem)。
The certificate I am using is a self-signed certificate (pem) with an unencrypted private key.
我已经仔细检查过,以确保sp-metadata中提供的公钥是从用于对SAML进行数字签名的同一pem文件中提取的。
I have double checked to categorically ensure that the public key supplied in the sp-metadata was taken from the same pem file used to digitally sign the SAML.
是否需要加密私钥?
如果没有,那么您能否建议签名检查失败的原因?
If not then can you suggest why the signature check should fail?
谢谢。
推荐答案
私钥不应加密。您可以使用此在线工具 https://www.samltool.com/validate_logout_req.php 来验证您的签名。如果未通过,则表示您的签名创建方式错误
Private key should not be encrypted. You can use this online tool https://www.samltool.com/validate_logout_req.php validating your signature. If it does not pass means your signature created in a wrong way
这篇关于在NodeJS中对SAML2请求进行数字签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
