
'invalid signature: for uri calculated digest is feVHY81U/0kFf7k/9TlIBcJFcyU= but the xml to validate supplies digest LM32hTRe1rIxDWfwEHXfD5hMT9c=' ] #169

Closed
sourabhlodha opened this issue Jan 30, 2019 · 5 comments

Comments

@sourabhlodha

sourabhlodha commented Jan 30, 2019

Hi Team,

I am using Java to sign the XML and verify it in Node, but it gives me an invalid signature. For reference, please find the XML file below.

[ 'invalid signature: for uri calculated digest is feVHY81U/0kFf7k/9TlIBcJFcyU= but the xml to validate supplies digest LM32hTRe1rIxDWfwEHXfD5hMT9c=' ]

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Destination="URL" ID="a0b5df89-0af0-4410-9ceb-fe68b177" IssueInstant="2019-01-24T11:58:27.650Z" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  
  <Assertion ID="8dc98ab7-1fba-44f0-bcbd-16dc2aa4d" IssueInstant="2019-01-24T11:58:27.650Z" Version="2.0">
   <Issuer>https://www.opensaml.org/IDP</Issuer> 
    <saml:EncryptedAssertion>
      <xenc:EncryptedData xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <dsig:KeyInfo>
          <xenc:EncryptedKey>
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <xenc:CipherData>
              <xenc:CipherValue>Uqq039YJMZ0rcHDhNQ499BiYB6c4A+/ihmVwexS0kT0R0Opg0wAxbzZz8P3+kCBi7fakhyfAPSswMGEfv2fHMAk/yMvUCkqms2NZVBSwHVfXX6B4g0RQY+v/An+eA/m0CG6LuEffc1Uj6D0ybiGebDyeuGLhWQPvjhHgg+Eexx6FJq7</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedKey>
        </dsig:KeyInfo>
      </xenc:EncryptedData>
    </saml:EncryptedAssertion>
  </Assertion>
</samlp:Response>

Signed XML

<?xml version="1.0" encoding="UTF-8" standalone="no"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Destination="URL" ID="a0b5df89-0af0-4410-9ceb-fe68b177" IssueInstant="2019-01-24T11:58:27.650Z" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  
  <Assertion ID="8dc98ab7-1fba-44f0-bcbd-16dc2aa4d" IssueInstant="2019-01-24T11:58:27.650Z" Version="2.0">
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>7bTHrIbjvshzldmggo68g3dNg3g=</DigestValue></Reference></SignedInfo><SignatureValue>YthlKLyFXoRQ78Lpr1/8sCmtKKvdJk1+sc+qu/n9biE/3sEWENpn2TXBTF7/3vfMxfjPSjwmbyYC&#13;
WrC/2EJBQdyMgmnE8ykzq+/Trwh9lLvKtGTXAQYMWVgbPOIuERSJhWC8IypfDrFtLq6BzNLGaRQP&#13;
HOne2//PkTQQC+5NlnpMujckQFL61sdV8Xt+xxstaYl11bPhl/M5R1pXKzki1gL/D768r9xjLdey&#13;
FdaQtHtUS86QYW0F4HfboOoE8EY+Vl0ThpZgG8Dza1Kr0+SIdR4tRQM8CQi2qWpJXlwfYyuJbdvH&#13;
5KnE2zM0aU9RYIzf7qwgjMl1yzxiWQjBTIR2lA==</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>5kS30ZxiHBvgCZ8BFvRSDG61fiioI/69NtFbpcltmFjj87sJ9rBDqT0nulk+aFw0MpnxqpD2mYfd&#13;
2bRDkFt5o/K5UOGvtAyhFuF/BTgCZXe9zPowM2sci7Aoc3AoKl6s7p283W/U6Cf0xWk6AsxMu5LT&#13;
0P0czLz85+IcyS75OA6QhunN/XDcPWMoUIXacZdo3U9ESFHy7l+x3iT26lyk36IZlFemueqt8a2+&#13;
RqHmQ2x4DoEWqkbKo+gNXaWSJT6X+KHuv9VrSu1Iqf/fBxNbZbbeUyNnXyj3dDytjsC+WxM2MwDw&#13;
itFAQNuPU9FSBdRvHeFCruxuSDAJfHFd16fNbw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature><Issuer>https://www.opensaml.org/IDP</Issuer> 
    <saml:EncryptedAssertion>
      <xenc:EncryptedData xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <dsig:KeyInfo>
          <xenc:EncryptedKey>
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <xenc:CipherData>
              <xenc:CipherValue>Uqq039YJMZ0rcHDhNQ499BiYB6c4A+/ihmVwexS0kT0R0Opg0wAxbzZz8P3+kCBi7fakhyfAPSswMGEfv2fHMAk/yMvUCkqms2NZVBSwHVfXX6B4g0RQY+v/An+eA/m0CG6LuEffc1Uj6D0ybiGebDyeuGLhWQPvjhHgg+Eexx6FJq7</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedKey>
        </dsig:KeyInfo>
      </xenc:EncryptedData>
    </saml:EncryptedAssertion>
  </Assertion>
</samlp:Response>

Java code: using the xml-sec jar file.

Node.js: used xml-crypto.

Not able to find the issue. Can anyone help in providing the solution?

@fcorneli
Contributor

The problem here is that the EnvelopedSignature is not correct. It removes the first direct child signature of the document, while it should remove the signatures in which the transformation itself is defined (hence "enveloped signature"). Within the implementation, EnvelopedSignature should have a notion of its own location within the document.
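An added example to make the diagnosis above concrete; it is not code from xml-crypto or from the commenter. In the posted document the ds:Signature sits inside Assertion, not as a direct child of samlp:Response. The script below builds a constructed document of that shape, "signs" it the way a conforming signer does (digest computed before the Signature is enveloped), and then verifies the Reference with two versions of the enveloped-signature transform: one that removes the Signature owning the Transform, and one that only looks at direct children of the document element. Python's standard-library ElementTree stands in for a DOM, and its serialization stands in for exclusive C14N, since the point is the structural rule rather than a particular canonicalization; the element names, IDs and the dummy SignatureValue are all constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENVELOPED = DS + "enveloped-signature"

for prefix, uri in (("ds", DS), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

# Constructed unsigned document in the shape of the one in the issue: the signer will
# place its ds:Signature under Assertion, so it is NOT a direct child of samlp:Response.
UNSIGNED_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns="{SAML}" ID="resp-1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="assert-1" Version="2.0">
    <Issuer>https://idp.example/constructed</Issuer>
  </Assertion>
</samlp:Response>"""


def _serialize(doc):
    # Stand-in for the exclusive C14N named in SignedInfo: ElementTree's output is
    # deterministic for a given tree, which is all this demonstration needs.
    return ET.tostring(doc, encoding="utf-8")


def _sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def sign_assertion(unsigned_xml):
    """Mimic the signer: digest the document as it exists *before* the Signature is
    added, then envelope a Signature (dummy SignatureValue) inside the Assertion."""
    doc = ET.fromstring(unsigned_xml)
    digest = _sha1_b64(_serialize(doc))
    sig = ET.fromstring(
        f'<Signature xmlns="{DS}"><SignedInfo><Reference URI="">'
        f'<Transforms><Transform Algorithm="{ENVELOPED}"/></Transforms>'
        f'<DigestValue>{digest}</DigestValue></Reference></SignedInfo>'
        f'<SignatureValue>c2ln</SignatureValue></Signature>')
    doc.find(f"{{{SAML}}}Assertion").insert(0, sig)
    return ET.tostring(doc, encoding="unicode")


def owning_signature(doc, transform):
    """Walk from a ds:Transform up to the ds:Signature that contains it."""
    parents = {child: parent for parent in doc.iter() for child in parent}
    node = transform
    while node is not None and node.tag != f"{{{DS}}}Signature":
        node = parents.get(node)
    return node, parents


def enveloped_transform(doc, transform, strategy):
    """Apply the enveloped-signature transform in place.

    "correct": drop the Signature that owns `transform`, wherever it sits.
    "buggy":   drop the first ds:Signature that is a direct child of the document
               element (the behaviour described in the issue); a Signature nested
               under Assertion is missed and stays inside the digested bytes.
    """
    if strategy == "correct":
        sig, parents = owning_signature(doc, transform)
        parents[sig].remove(sig)
    elif strategy == "buggy":
        for child in list(doc):
            if child.tag == f"{{{DS}}}Signature":
                doc.remove(child)
                break
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return doc


def verify_reference(signed_xml, strategy):
    """Recompute the digest for Reference URI="" and compare it with DigestValue.
    Returns (digest_matches, number_of_ds:Signature_elements_left_in_digested_doc)."""
    doc = ET.fromstring(signed_xml)
    transform = doc.find(f".//{{{DS}}}Transform[@Algorithm='{ENVELOPED}']")
    supplied = doc.find(f".//{{{DS}}}DigestValue").text
    enveloped_transform(doc, transform, strategy)
    calculated = _sha1_b64(_serialize(doc))
    return calculated == supplied, len(doc.findall(f".//{{{DS}}}Signature"))


if __name__ == "__main__":
    signed = sign_assertion(UNSIGNED_XML)
    print("correct transform:", verify_reference(signed, "correct"))  # (True, 0)
    print("buggy transform:  ", verify_reference(signed, "buggy"))    # (False, 1)
```

With the owning-Signature rule the recomputed digest equals the supplied one and no Signature survives in the digested bytes; with the direct-child rule the Signature is left in place, so the verifier digests different bytes than the signer did and reports exactly the kind of "calculated digest ... but the xml to validate supplies digest ..." mismatch shown in the issue. Locating the Signature by its position relative to the Transform, rather than by a fixed path, is what keeps the transform correct for signatures at any depth.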

@LoneRifle
Collaborator

Thanks for spotting the problem - would you be happy to submit a PR for this? Sorry for the trouble.

@fcorneli
Contributor

#174

@LoneRifle
Collaborator

Published as 1.1.4 - @sourabhlodha, could you please give this a try?

@sourabhlodha
Author

@LoneRifle I already changed it in the node module. Thanks for the help.
