perl-net-saml2 / perl-xml-sig Goto Github PK
View Code? Open in Web Editor NEWXML::Sig - A Perl toolkit to help sign and verify XML Digital Signatures.
Home Page: https://metacpan.org/pod/XML::Sig
XML::Sig - A Perl toolkit to help sign and verify XML Digital Signatures.
Home Page: https://metacpan.org/pod/XML::Sig
NAME Net::SAML2 - SAML2 bindings and protocol implementation VERSION version 0.82 SYNOPSIS See TUTORIAL.md for implementation documentation and t/12-full-client.t for a pseudo implementation following the tutorial # generate a redirect off to the IdP: my $idp = Net::SAML2::IdP->new($IDP); my $sso_url = $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'); my $authnreq = Net::SAML2::Protocol::AuthnRequest->new( issuer => 'http://localhost:3000/metadata.xml', destination => $sso_url, nameid_format => $idp->format('persistent'), )->as_xml; my $authnreq = Net::SAML2::Protocol::AuthnRequest->new( id => 'NETSAML2_Crypt::OpenSSL::Random::random_pseudo_bytes(16), issuer => $self->{id}, # Service Provider (SP) Entity ID destination => $sso_url, # Identity Provider (IdP) SSO URL provider_name => $provider_name, # Service Provider (SP) Human Readable Name issue_instant => DateTime->now, # Defaults to Current Time ); my $request_id = $authnreq->id; # Store and Compare to InResponseTo # or my $request_id = 'NETSAML2_' . unpack 'H*', Crypt::OpenSSL::Random::random_pseudo_bytes(16); my $authnreq = Net::SAML2::Protocol::AuthnRequest->as_xml( id => $request_id, # Unique Request ID will be returned in response issuer => $self->{id}, # Service Provider (SP) Entity ID destination => $sso_url, # Identity Provider (IdP) SSO URL provider_name => $provider_name, # Service Provider (SP) Human Readable Name issue_instant => DateTime->now, # Defaults to Current Time ); my $redirect = Net::SAML2::Binding::Redirect->new( key => '/path/to/SPsign-nopw-key.pem', url => $sso_url, param => 'SAMLRequest' OR 'SAMLResponse', cert => '/path/to/IdP-cert.pem' ); my $url = $redirect->sign($authnreq); my $ret = $redirect->verify($url); # handle the POST back from the IdP, via the browser: my $post = Net::SAML2::Binding::POST->new; my $ret = $post->handle_response( $saml_response ); if ($ret) { my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml( xml => decode_base64($saml_response), key_file => "SP-Private-Key.pem", # Required for EncryptedAssertions cacert => "IdP-cacert.pem", # Required for EncryptedAssertions ); # ... } DESCRIPTION Support for the Web Browser SSO profile of SAML2. Net::SAML2 correctly perform the SSO process against numerous SAML Identity Providers (IdPs). It has been tested against: Version 0.54 and newer support EncryptedAssertions. No changes required to existing SP applications if EncryptedAssertions are not in use. Auth0 (requires Net::SAML2 >=0.39) Azure (Microsoft Office 365) GSuite (Google) Jump Keycloak MockSAML (https://mocksaml.com/) Mircosoft ADFS Okta OneLogin PingIdentity (requires Net::SAML2 >=0.54) SAMLTEST.ID (requires Net::SAML2 >=0.63) Shibboleth (requires Net::SAML2 >=0.63) SimpleSAMLphp DigiD (requires Net::SAML2 >= 0.63) eHerkenning (requires Net::SAML2 >= 0.73) eIDAS (requires Net::SAML2 >= 0.73) MAJOR CAVEATS SP-side protocol only Requires XML metadata from the IdP AUTHORS * Chris Andrews <[email protected]> * Timothy Legge <[email protected]> COPYRIGHT AND LICENSE This software is copyright (c) 2024 by Venda Ltd, see the CONTRIBUTORS file for others. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.
An XML document might contain multiple signatures which might have been used to sign just sub documents within the entire document.
To avoid any possibility of doubt when using XML::Sig, please consider using each signature presented to check each sub document (the xml between an opening tag and its corresponding closing tag) and returning a hash which shows which signatures succeeded against which sub documents?
Such an arrangement would automatically validate SAML documents in which only the assertion was signed without further user action.
Please see the test in the attached zip file:
https://www.samltool.com/validate_response.php claims that the signed.xml is a valid SAML response. However, XML::Sig claims that it is not.
Please tell me which of the two is correct?
Using SHA1 is no longer recommended but the hashing algorithm should be something that can be specified when you are signing the xml.
Version 0.30-TRIAL
my $signed_info_canon = $signed_info_node->toStringC14N(1);
Line 128 in 3df1cff
Hi, I am using this library to verify the SAMLResponse that comes back from IDP. This library is set to use dssig instead of ds hence the verification kept failing. Is it possible to have that updated so we can pass the namespace through instead?
Add support for ecdsa signed xml
JumpCloud SAML Response did not verify because of the namespace on the InclusiveNamespaces tag.
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
Line 765 in fb99312
This line in XML::Sig:
$SIG{INT} = sub { die "Interrupted\n"; };
overrides global signal handling when the module is loaded. In particular, this interferes with the ability to break a Perl program in the debugger with Ctrl+C without some workarounds. Does this need to be here?
Crypt::OpenSSL::DSA::Signature is a documentation-only module. Meaning, there is no Crypt::OpenSSL::DSA::Signature in 02packages.details.txt.
The module should be capable of signing any ID sections in the XML file
Some applications such as Net::SAML2 expect to sign a fragment of the full XML document so is this is true (1) it will not include the XML Declaration at the beginning of the signed XML. False (0) or undefined returns an XML document starting with the XML Declaration.
Digest in XML file can have embedded new lines as it is base64 encoded. Need to remove the newlines so it can be compared to a base64 digest calculation that does not include newlines
While working on some new behaviour on XML::Sig, I found the following bug in XML::Sig. We cannot verify XML, which has multiple signatures. See multiple-sections.xml.txt. This file can be verified by xmlsec1:
# Run this in the root of the repo.
$ xmlsec1 --verify \
--pubkey-cert-pem t/rsa.cert.pem \
--untrusted-pem t/intermediate.pem
--trusted-pem t/cacert.pem \
--id-attr:ID "Response" \
--id-attr:ID "Assertion" \
multiple-sections.xml.txt
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.