Hi Monks!

Thanks to help from some of you yesterday I have installed XML::Sig with the hope of being able to validate some XML signatures. I'm not yet having a huge lot of luck with this. I'm actually trying to validate a SAML assertion. I have the Net::SAML2 module installed as well, which seems to have its own modified version of XML::Sig. The provider of the SAML assertion has my public certificate, and they are successfully sending me assertions - I can read the XML and do what I need to do apart from verifying the signature.

The documentation in the Net::SAML2 module says "When using XML::Sig exclusively to verify a signature, no key needs to be specified during initialization given that the public key should be transmitted with the signature." This has confused the people who are sending me the signed XML as they say the whole point is I need to do whatever it is I need to do with it?! with my own key - presumably my private key - in order to validate the signature.

I am trying to find out exactly what that is as the module isn't doing any of it by the looks of it.

However, I have got as far as getting a certificate out of the signature - as they say it is transmitted with the signature. The certificate that is coming out, however, is not the same one as I have sent them to use; I'm not sure if it should look identical or not, I have a feeling it should be though. I have also managed to get a public key out of that certificate. There is also a digestValue node in the XML, which should be everything I need to validate the signature.

I have then run my $cert = Crypt::OpenSSL::X509->new_from_string($certificate);. This is the $certificate that they have sent me. The particular line of code I can see that checks the validity is:

if ($rsa_pub->verify( $canonical, $bin_signature )) {

- at this point I have base64 decoded the signature to $bin_signature, $canonical contains the digestValue. $rsa_pub has already been initialised with the public key that I have got out of the certificate.

This verify function consistently returns 0, I am trying to work out why. Knowing very little about certificates I'm not even sure I'm formulating this question very well.

If anyone has had any experience with any of this - done any work with decoding XML signatures or SAML processing, I'd be hugely happy to hear from them right now!

Many thanks - Matt.
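Added example (not from the post or from XML::Sig/Net::SAML2): the two checks an XML-DSig verifier performs on a SAML assertion, written out with XML::LibXML, Crypt::OpenSSL::X509 and Crypt::OpenSSL::RSA. DigestValue is a hash of the canonicalised referenced element (with the Signature element removed), while SignatureValue is an RSA signature over the canonicalised SignedInfo element, checked with the public key from the certificate carried in KeyInfo, i.e. the signer's certificate. It assumes rsa-sha1, exclusive C14N and an ID-attribute reference, which is the common SAML 2.0 profile; $xml is the received document.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;
use XML::LibXML::XPathContext;
use MIME::Base64 qw(decode_base64);
use Digest::SHA qw(sha1);
use Crypt::OpenSSL::X509;
use Crypt::OpenSSL::RSA;

# Assumed: rsa-sha1 signature, exclusive C14N, Reference URI="#<ID>".
# Returns 1 only if both the reference digest and the signature hold.
sub verify_saml_signature {
    my ($xml) = @_;
    my $doc = XML::LibXML->load_xml(string => $xml);
    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs(ds => 'http://www.w3.org/2000/09/xmldsig#');

    my ($sig) = $xpc->findnodes('//ds:Signature') or die "no Signature";
    my ($signed_info) = $xpc->findnodes('./ds:SignedInfo', $sig);
    (my $id = $xpc->findvalue('./ds:SignedInfo/ds:Reference/@URI', $sig)) =~ s/^#//;
    my $expected_digest = decode_base64(
        $xpc->findvalue('./ds:SignedInfo/ds:Reference/ds:DigestValue', $sig));
    my $sig_value = decode_base64($xpc->findvalue('./ds:SignatureValue', $sig));
    my $cert_b64  = $xpc->findvalue('./ds:KeyInfo//ds:X509Certificate', $sig);

    # Canonicalise SignedInfo while it is still inside the document, so that
    # in-scope namespace declarations are rendered the way the signer saw them.
    my $canon_signed_info = $signed_info->toStringEC14N;

    # 1. Reference check: remove the Signature (enveloped-signature transform),
    #    then hash the canonicalised element the Reference points at.
    my ($signed_node) = $xpc->findnodes(qq{//*[\@ID="$id"]})
        or die "no element with ID $id";
    $sig->parentNode->removeChild($sig);
    return 0 unless sha1($signed_node->toStringEC14N) eq $expected_digest;

    # 2. Signature check: SignatureValue was produced with the IdP's private
    #    key, so it verifies against the public key in the IdP's certificate.
    $cert_b64 =~ s/\s+//g;
    my $x509 = Crypt::OpenSSL::X509->new_from_string(
        "-----BEGIN CERTIFICATE-----\n$cert_b64\n-----END CERTIFICATE-----\n");
    my $rsa = Crypt::OpenSSL::RSA->new_public_key($x509->pubkey);
    $rsa->use_sha1_hash;
    $rsa->use_pkcs1_padding;
    return $rsa->verify($canon_signed_info, $sig_value) ? 1 : 0;
}
```

A passing verify still only proves the message came from whoever holds that certificate's private key; which certificates you accept from the IdP is a separate policy decision.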


In reply to Validating XML Signatures / SSL Certificate question (using Net::SAML) by MattP
