WsFed metadata with signature fails

Hi, I am trying to write a WsFed module for IdentityServer4. When I generate a signature for metadata it looks like this:

<Signature 
    xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference Id="#_025c157c-682e-41a2-940a-b91355a21322">
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <DigestValue>3Spz8gPqLLOpO8Tnh8YyDraxb8uJY60W+B+Hp7I5Ab0=</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>
        DB9ObXQTDYRBi+eBEuyx5Vt2VMHNipWqOtUUlQvPU5A88T0IXfzOTyaY9zMRiOEQa5cK8tZkU3sY1hmh2nXcHL5qYyLj70+HloyRwys+up+qYYBWDJ9a36YgHHXkd5yDCKSktfklga2XQawvZr2duFP8926zudcqb1bN4R5ASeog9IiDlQ1ICEdIMUh45Sw5eILsoN0vwLrKUJV3s85UXRbl2nfyBDhLAweQ6AIp1NRu/OBAohR2Aw1ldJ55BAjzm4D+T9tFh8bFy/KWFOVajDzlp/+LeYX4dYU8cEFCDrK0jKQ27UBItdg8wcxQefiaj85thIBrF6Lr5NjsQCpkBw==
    </SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509Certificate>
            </X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>

The reference element has an “Id” but no “URI” attribute serialised.

When I try to consume the metadata with the OWIN WsFederation module I get this error:

Unable to resolve the '' URI in the signature to compute the digest. 

Is it a bug, and do I need the “Id” attribute at all, or just the “URI” attribute, per the WsFed specification?

Thank you

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:11 (11 by maintainers)

Top GitHub Comments

2 reactions
brentschmaltz commented, Oct 20, 2017

@AndersAbel we agree here there is no wrapping attack in this case - enveloped over entire xml. Still, we are changing this code to require an id or uri match by default. We are also going to fix the creation to add the URI to ensure back-compat with System.IdentityModel. When multiple references are involved, such as full blown WS-Security, care must be taken to ensure substitution attacks are mitigated.

0 reactions
AndersAbel commented, Oct 20, 2017

Being helpful in what you accept is usually good, but when it comes to security being strict can provide defence in depth.

XML Signature wrapping attacks are based on tricking a program into believing that data is protected by a signature, when it is in fact not. The Wilson enveloped signature reader assumes that the containing element is the signed data, which is always true for SAML2 scenarios. So verifying the signature’s reference isn’t necessary. But as a defence in depth and extra precaution I would still do it.
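The check the two comments above converge on, written out as an added example (not code from the issue, from Wilson, or from IdentityServer4): the Reference must carry a same-document URI and that URI must name the element enveloping the Signature, otherwise the verifier fails the way the OWIN module does on the empty URI; the digest is then recomputed with the enveloped-signature transform. The metadata document, its ID value and entity names are constructed for this example, and the standard-library canonicalize() (C14N 2.0) stands in for the exc-c14n transform named in the issue's SignedInfo, so it is a self-consistent demonstration rather than an interoperable verifier.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("ds", DS)
ET.register_namespace("md", MD)
REF_PATH = f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference"

# Constructed sample: the root carries an ID and envelopes a Signature whose Reference
# URI names that ID. DigestValue stays empty until fill_digest() computes it.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" ID="_c0ffee" entityID="https://idp.example.test">
  <md:RoleDescriptor/>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_c0ffee"><ds:DigestValue/></ds:Reference></ds:SignedInfo></ds:Signature>
</md:EntityDescriptor>"""


def resolve_reference(root):
    """The 'id or uri match' rule: the Reference needs a same-document URI, and it must
    name the element that envelopes the Signature (the root). A missing or empty URI,
    the issue's case, is rejected instead of silently assuming the root was meant."""
    ref = root.find(REF_PATH)
    uri = ref.get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise ValueError(f"Unable to resolve the '{uri}' URI in the signature to compute the digest.")
    if uri[1:] not in (root.get("ID"), root.get("Id")):
        raise ValueError(f"Reference URI '{uri}' does not name the element enveloping the signature")
    return ref


def enveloped_digest(root):
    """Enveloped-signature transform (drop ds:Signature), canonicalise, then SHA-256.
    Stdlib canonicalize() is C14N 2.0, used as a stand-in for exc-c14n (assumption)."""
    scratch = copy.deepcopy(root)
    for sig in scratch.findall(f"{{{DS}}}Signature"):
        scratch.remove(sig)
    canon = ET.canonicalize(ET.tostring(scratch, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canon.encode("utf-8")).digest()).decode("ascii")


def fill_digest(xml_text):
    """Signer side: compute the digest and store it in DigestValue (no key signing here)."""
    root = ET.fromstring(xml_text)
    resolve_reference(root).find(f"{{{DS}}}DigestValue").text = enveloped_digest(root)
    return ET.tostring(root, encoding="unicode")


def verify_digest(xml_text):
    """Verifier side: resolve the Reference strictly, recompute the digest and compare."""
    root = ET.fromstring(xml_text)
    return resolve_reference(root).find(f"{{{DS}}}DigestValue").text == enveloped_digest(root)
```

Removing the URI attribute from the signed output reproduces the "Unable to resolve the '' URI" failure from the issue, and pointing it at any ID other than the root's is rejected before any digest is computed.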
