PowerShell驗證SAML簽名的XML

Question

我們最近出現了IdP不信任來自RP/SP的SAML 2.0註銷請求籤名的問題。我們正在尋求替代方法來驗證SAML請求籤名，因爲IdP和samltool.com都抱怨過簽名驗證。以下是我們用來檢查簽名數據的示例答案，可以根據簽名進行驗證。

Answer 1

添加所需類型和定義爲SHA256

Add-Type -AssemblyName System.Security 

# Add SHA-256 per http://stackoverflow.com/questions/30759119/verifying-xml-signature-in-powershell-with-pem-certificate 
Add-Type @' 
     public class RSAPKCS1SHA256SignatureDescription : System.Security.Cryptography.SignatureDescription 
      { 
       public RSAPKCS1SHA256SignatureDescription() 
       { 
        base.KeyAlgorithm = "System.Security.Cryptography.RSACryptoServiceProvider"; 
        base.DigestAlgorithm = "System.Security.Cryptography.SHA256Managed"; 
        base.FormatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureFormatter"; 
        base.DeformatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureDeformatter"; 
       } 

       public override System.Security.Cryptography.AsymmetricSignatureDeformatter CreateDeformatter(System.Security.Cryptography.AsymmetricAlgorithm key) 
       { 
        System.Security.Cryptography.AsymmetricSignatureDeformatter asymmetricSignatureDeformatter = (System.Security.Cryptography.AsymmetricSignatureDeformatter) 
         System.Security.Cryptography.CryptoConfig.CreateFromName(base.DeformatterAlgorithm); 
        asymmetricSignatureDeformatter.SetKey(key); 
        asymmetricSignatureDeformatter.SetHashAlgorithm("SHA256"); 
        return asymmetricSignatureDeformatter; 
       } 
      } 
'@ 
$RSAPKCS1SHA256SignatureDescription = New-Object RSAPKCS1SHA256SignatureDescription 
[System.Security.Cryptography.CryptoConfig]::AddAlgorithm($RSAPKCS1SHA256SignatureDescription.GetType(), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") 

驗證SAML 2.0 HTTP-POST無證書請求包含在請求：

$saml = "insert real saml request here" 

$decoded = [System.Convert]::FromBase64String($saml) 
$stream = [System.IO.MemoryStream]::new($decoded, 0, $decoded.length) 

$xml = New-Object System.Xml.XmlDocument 
$xml.PreserveWhitespace = $true 
$xml.Load($stream) 

$signed = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $xml 
$signed.LoadXml($xml.DocumentElement.Assertion.Signature) 

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("C:\Users\username\Desktop\idp.cer") 

$keyinfo = [System.Security.Cryptography.Xml.KeyInfo]::new() 
$clause = [System.Security.Cryptography.Xml.KeyInfoX509Data]::new($cert) 
$keyinfo.AddClause($clause) 

$signed.KeyInfo = $keyinfo 

$signed.CheckSignature() 

修改XML所以簽名不能被驗證在上例中：

$xml.Response.Assertion.Subject.NameID.'#text' = 'asdasdasd' 

$signed = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $xml 
$signed.LoadXml($xml.DocumentElement.Assertion.Signature) 

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("C:\Users\username\Desktop\idp.cer") 

$keyinfo = [System.Security.Cryptography.Xml.KeyInfo]::new() 
$clause = [System.Security.Cryptography.Xml.KeyInfoX509Data]::new($cert) 
$keyinfo.AddClause($clause) 

$signed.KeyInfo = $keyinfo 

$signed.CheckSignature() 

驗證SAML 2.0 HTTP-POST請求與證書包括在請求：

$saml = "insert example saml request here" 
$decoded = [System.Convert]::FromBase64String($saml) 
$stream = [System.IO.MemoryStream]::new($decoded, 0, $decoded.length) 

$xml = New-Object System.Xml.XmlDocument 
$xml.PreserveWhitespace = $true 
$xml.Load($stream) 

$signed = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $xml 
$signed.LoadXml($xml.DocumentElement.Signature) 
$signed.CheckSignature() 

修改XML所以簽名不能在上面的例子中進行驗證：

$xml.LogoutRequest.NameID.'#text' = "dasdasd" 

$signed = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $xml 
$signed.LoadXml($xml.DocumentElement.Signature) 


# Should return false since we modified the data 
$signed.CheckSignature() 

希望這節省了如果他們需要完成相同的任務，則需要其他人。如果您有任何意見和建議，請告訴我。

謝謝！