perl-net-saml2 / perl-xml-sig Goto Github PK

1.0 1.0 2.0 318 KB

XML::Sig - A Perl toolkit to help sign and verify XML Digital Signatures.

Home Page: https://metacpan.org/pod/XML::Sig

Perl 100.00%

dsa dsig ecdsa hmac hmac-signature perl ripemd160 rsa sha xml xmlsec

perl-xml-sig's Introduction

NAME
    Net::SAML2 - SAML2 bindings and protocol implementation

VERSION
    version 0.82

SYNOPSIS
      See TUTORIAL.md for implementation documentation and
      t/12-full-client.t for a pseudo implementation following the tutorial

      # generate a redirect off to the IdP:

            my $idp = Net::SAML2::IdP->new($IDP);
            my $sso_url = $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect');

            my $authnreq = Net::SAML2::Protocol::AuthnRequest->new(
                    issuer        => 'http://localhost:3000/metadata.xml',
                    destination   => $sso_url,
                    nameid_format => $idp->format('persistent'),
            )->as_xml;

            my $authnreq = Net::SAML2::Protocol::AuthnRequest->new(
              id            => 'NETSAML2_Crypt::OpenSSL::Random::random_pseudo_bytes(16),
              issuer        => $self->{id},         # Service Provider (SP) Entity ID
              destination   => $sso_url,            # Identity Provider (IdP) SSO URL
              provider_name => $provider_name,      # Service Provider (SP) Human Readable Name
              issue_instant => DateTime->now,       # Defaults to Current Time
            );

            my $request_id = $authnreq->id; # Store and Compare to InResponseTo

            # or

            my $request_id = 'NETSAML2_' . unpack 'H*', Crypt::OpenSSL::Random::random_pseudo_bytes(16);

            my $authnreq = Net::SAML2::Protocol::AuthnRequest->as_xml(
              id            => $request_id,         # Unique Request ID will be returned in response
              issuer        => $self->{id},         # Service Provider (SP) Entity ID
              destination   => $sso_url,            # Identity Provider (IdP) SSO URL
              provider_name => $provider_name,      # Service Provider (SP) Human Readable Name
              issue_instant => DateTime->now,       # Defaults to Current Time
            );

            my $redirect = Net::SAML2::Binding::Redirect->new(
                    key => '/path/to/SPsign-nopw-key.pem',
                    url => $sso_url,
                    param => 'SAMLRequest' OR 'SAMLResponse',
                    cert => '/path/to/IdP-cert.pem'
            );

            my $url = $redirect->sign($authnreq);

            my $ret = $redirect->verify($url);

      # handle the POST back from the IdP, via the browser:

            my $post = Net::SAML2::Binding::POST->new;
            my $ret = $post->handle_response(
                    $saml_response
            );

            if ($ret) {
                    my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
                            xml         => decode_base64($saml_response),
                            key_file    => "SP-Private-Key.pem",    # Required for EncryptedAssertions
                            cacert      => "IdP-cacert.pem",        # Required for EncryptedAssertions
                    );

                    # ...
            }

DESCRIPTION
    Support for the Web Browser SSO profile of SAML2.

    Net::SAML2 correctly perform the SSO process against numerous SAML
    Identity Providers (IdPs). It has been tested against:

    Version 0.54 and newer support EncryptedAssertions. No changes required
    to existing SP applications if EncryptedAssertions are not in use.

    Auth0 (requires Net::SAML2 >=0.39)
    Azure (Microsoft Office 365)
    GSuite (Google)
    Jump
    Keycloak
    MockSAML (https://mocksaml.com/)
    Mircosoft ADFS
    Okta
    OneLogin
    PingIdentity (requires Net::SAML2 >=0.54)
    SAMLTEST.ID (requires Net::SAML2 >=0.63)
    Shibboleth (requires Net::SAML2 >=0.63)
    SimpleSAMLphp
    DigiD (requires Net::SAML2 >= 0.63)
    eHerkenning (requires Net::SAML2 >= 0.73)
    eIDAS (requires Net::SAML2 >= 0.73)

MAJOR CAVEATS
    SP-side protocol only
    Requires XML metadata from the IdP

AUTHORS
    *   Chris Andrews <[email protected]>

    *   Timothy Legge <[email protected]>

COPYRIGHT AND LICENSE
    This software is copyright (c) 2024 by Venda Ltd, see the CONTRIBUTORS
    file for others.

    This is free software; you can redistribute it and/or modify it under
    the same terms as the Perl 5 programming language system itself.

perl-xml-sig's People

Contributors

Stargazers

Watchers

Forkers

waterkip timlegge

perl-xml-sig's Issues

Every signature against every tag

An XML document might contain multiple signatures which might have been used to sign just sub documents within the entire document.

To avoid any possibility of doubt when using XML::Sig, please consider using each signature presented to check each sub document (the xml between an opening tag and its corresponding closing tag) and returning a hash which shows which signatures succeeded against which sub documents?

Such an arrangement would automatically validate SAML documents in which only the assertion was signed without further user action.

DSA Signed XML should be verifiable via an X509Certificate

XML::Sig disagrees with SamlTool.com

Please see the test in the attached zip file:

test.zip

https://www.samltool.com/validate_response.php claims that the signed.xml is a valid SAML response. However, XML::Sig claims that it is not.

Please tell me which of the two is correct?

Issue verifying XML that includes wide characters

perl-net-saml2/perl-Net-SAML2#49

Inconsistent Canonicalization method

The CanonicalizationMethod at:

perl-XML-Sig/lib/XML/Sig.pm

Line 1636 in a625d48

    
                           <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />

id not correct given the use of $xml->toStringEC14N();

perl-XML-Sig/lib/XML/Sig.pm

Line 340 in a625d48

my $xml_canon = $xml->toStringEC14N();

Allow digest and Signature Hashing Algorithm to be specified

Using SHA1 is no longer recommended but the hashing algorithm should be something that can be specified when you are signing the xml.

Occasional Issues with verifying DSA signatures

There are periodic issues in decoding the following:

perl-XML-Sig/lib/XML/Sig.pm

Line 296 in f867720

$signature = encode_base64( $r . $s, "\n" );

perl-XML-Sig/lib/XML/Sig.pm

Line 810 in f867720

my ($r, $s) = unpack('a20 a20', $bin_signature);

At present I am unsure why the signatures fail periodically. I suspect some leading information gets lost

XML Signed with DSA keys do not validate correctly

Version 0.30-TRIAL

Canonical SignedInfo should be with comments

my $signed_info_canon = $signed_info_node->toStringC14N(1);

perl-XML-Sig/lib/XML/Sig.pm

Line 128 in 3df1cff

my $signed_info_canon = $signed_info_node->toStringC14N(0);

dssig:[Attribute] vs ds:[Attribute]

Hi, I am using this library to verify the SAMLResponse that comes back from IDP. This library is set to use dssig instead of ds hence the verification kept failing. Is it possible to have that updated so we can pass the namespace through instead?

Add support for ECDSA Signed XML

Add support for ecdsa signed xml

Issue verifying xml with namespace on InclusiveNamespaces

JumpCloud SAML Response did not verify because of the namespace on the InclusiveNamespaces tag.

<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>

perl-XML-Sig/lib/XML/Sig.pm

Line 765 in fb99312

my @children = $node->getChildrenByTagName('InclusiveNamespaces');

Do we need to override $SIG{INT} in this module?

This line in XML::Sig:

$SIG{INT} = sub { die "Interrupted\n"; };

overrides global signal handling when the module is loaded. In particular, this interferes with the ability to break a Perl program in the debugger with Ctrl+C without some workarounds. Does this need to be here?

Should not depend on Crypt::OpenSSL::DSA::Signature

Crypt::OpenSSL::DSA::Signature is a documentation-only module. Meaning, there is no Crypt::OpenSSL::DSA::Signature in 02packages.details.txt.

Cannot sign xml with multiple ID references

The module should be capable of signing any ID sections in the XML file

Allow Signatures without returning XML Declaration

Some applications such as Net::SAML2 expect to sign a fragment of the full XML document so is this is true (1) it will not include the XML Declaration at the beginning of the signed XML. False (0) or undefined returns an XML document starting with the XML Declaration.

Digest comparsion foiled by embedded newlines

Digest in XML file can have embedded new lines as it is base64 encoded. Need to remove the newlines so it can be compared to a base64 digest calculation that does not include newlines

Unable to verify XML with multiple Signatures in (different) nodes

While working on some new behaviour on XML::Sig, I found the following bug in XML::Sig. We cannot verify XML, which has multiple signatures. See multiple-sections.xml.txt. This file can be verified by xmlsec1:

# Run this in the root of the repo.
$ xmlsec1 --verify \
  --pubkey-cert-pem t/rsa.cert.pem \
  --untrusted-pem t/intermediate.pem 
  --trusted-pem t/cacert.pem \
  --id-attr:ID "Response" \
  --id-attr:ID "Assertion" \
  multiple-sections.xml.txt
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Another example of XML::Sig versus samltool.com

Another example of an XML (SAML) signed document that:

SamlTool

claims is valid, but which XML::Sig claims is invalid.

test.pl

perl-net-saml2 / perl-xml-sig Goto Github PK

perl-xml-sig's Introduction

perl-xml-sig's People

Contributors

Stargazers

Watchers

Forkers

perl-xml-sig's Issues

Recommend Projects

Recommend Topics

Recommend Org