Thank you Hippo for your response.
As you have probably worked out, I'm pretty new to this sort of thing, it turns out I sent them my key in order that they can check my signatures from my SAML requests - just haven't got to that bit yet.
So I now understand that they have signed this with their *private* key, and I can do (whatever it is I need to do) by using their public key which is sent as part of the SAML assertion, and I don't need any of my own keys for this. Is that correct? :p
I have noticed that the XML::Sig module supplied with Net::SAML2 is wildly different from the standalone, thanks. I have been debugging with this, printing out all the bits as I go.
I can see that it's calling my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($cert->pubkey) - and the public key in $cert->pubkey looks like a perfectly good public key to me - starting with the text -----BEGIN RSA PUBLIC KEY----, ending with the END - etc.
Then it calls if ($rsa_pub->verify( $canonical, $bin_signature )) {
$bin_signature is a base 64 decoded version of the signature node. $canonical appears to be the value of the "digestValue" node. This is also base64 encoded and I am told it is actually a binary value, but the module doesn't b64 decode this - I don't know if it should or not.
Either way, trying b64 decoded and the regular $canonical value, the response from this verify command is consistently false.
Does any of this mean anything to you?!
Thanks,
Matt
In reply to Re^2: Validating XML Signatures / SSL Certificate question (using Net::SAML)
by MattP
in thread Validating XML Signatures / SSL Certificate question (using Net::SAML)
by MattP
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |