PerlMonks  

Re^7: Validating XML Signatures / SSL Certificate question (using Net::SAML)

by hippo (Bishop)
on Sep 08, 2017 at 10:18 UTC [id://1198922]


in reply to Re^6: Validating XML Signatures / SSL Certificate question (using Net::SAML)
in thread Validating XML Signatures / SSL Certificate question (using Net::SAML)

Which one of these tests actually verifies the signature I'm not sure, nor why there are these two tests, I don't suppose you have any idea?

The former test verifies that the signature is a valid signature of the dataset by the equivalent private key, so this is the attribution part of the verification if you like. However, since what has actually been signed isn't normally the full SAML request but rather a digest of it, you then need the latter test to confirm that the digest is in fact valid for the full SAML request too.

If the signature test fails, then either the digest has been monkeyed with or the wrong (impostor?) key has been used. If the signature test passes but the digest fails, then someone has amended the XML payload after the signature has been made (or copied a valid signature from some other frame, etc.). Only if both tests pass can you be sure that the entire SAML message is valid.

Don't forget to check the timestamps too if you are rolling it yourself.
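The two-stage check hippo describes, as an added example in Go that is not part of the original thread and not code from Net::SAML or XML::Sig. It models an enveloped XML-DSig as three pieces (payload, DigestValue, SignatureValue), signs the SignedInfo rather than the payload, and then replays the failure modes from the reply: payload edited after signing, a valid signature copied from another message, a tampered DigestValue, and a signature from an impostor key. Assumptions: canonicalization (C14N) is treated as already done, so the payload and a fixed SignedInfo template are used as byte strings; the algorithm is RSA-PKCS#1 v1.5 with SHA-256; the SAML-looking payloads and the key pairs are constructed inline.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// SignedMessage holds the three pieces of an enveloped XML-DSig that the two
// checks act on. Payload stands for the canonicalized SAML element with the
// ds:Signature removed; C14N itself is assumed to have happened already.
type SignedMessage struct {
	Payload        []byte
	DigestValue    []byte // ds:DigestValue: SHA-256 of Payload
	SignatureValue []byte // ds:SignatureValue: RSA-PKCS#1 v1.5 over ds:SignedInfo
}

var (
	ErrSignature = errors.New("SignatureValue does not verify over SignedInfo")
	ErrDigest    = errors.New("DigestValue does not match the payload")
)

// signedInfo returns the bytes the signature actually covers: a minimal
// ds:SignedInfo carrying the Reference's DigestValue. The template is an
// assumption standing in for the canonicalized element a real verifier builds.
func signedInfo(digest []byte) []byte {
	return []byte(`<ds:SignedInfo><ds:Reference URI="#msg"><ds:DigestValue>` +
		base64.StdEncoding.EncodeToString(digest) +
		`</ds:DigestValue></ds:Reference></ds:SignedInfo>`)
}

// Sign digests the payload, embeds the digest in SignedInfo and signs that.
func Sign(priv *rsa.PrivateKey, payload []byte) (SignedMessage, error) {
	digest := sha256.Sum256(payload)
	siHash := sha256.Sum256(signedInfo(digest[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, siHash[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Payload: payload, DigestValue: digest[:], SignatureValue: sig}, nil
}

// Verify runs the two checks in order. The first ties SignedInfo (and so the
// DigestValue) to the signing key; the second ties the DigestValue to the payload.
func Verify(pub *rsa.PublicKey, m SignedMessage) error {
	siHash := sha256.Sum256(signedInfo(m.DigestValue))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, siHash[:], m.SignatureValue); err != nil {
		return ErrSignature
	}
	digest := sha256.Sum256(m.Payload)
	if !bytes.Equal(digest[:], m.DigestValue) {
		return ErrDigest
	}
	return nil
}

// RunScenarios signs constructed SAML-like payloads and replays the failure
// modes from the thread, returning the Verify result for each scenario.
func RunScenarios() (map[string]error, error) {
	idp, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// Constructed sample payloads: not real SAML, just enough to sign.
	reqA := []byte(`<samlp:AuthnRequest ID="msg"><saml:Issuer>https://sp-a.example.test</saml:Issuer></samlp:AuthnRequest>`)
	reqB := []byte(`<samlp:AuthnRequest ID="msg"><saml:Issuer>https://sp-b.example.test</saml:Issuer></samlp:AuthnRequest>`)

	msgA, err := Sign(idp, reqA)
	if err != nil {
		return nil, err
	}
	msgB, err := Sign(idp, reqB)
	if err != nil {
		return nil, err
	}
	results := map[string]error{}
	results["honest"] = Verify(&idp.PublicKey, msgA)

	// Payload edited after signing: signature still verifies, digest does not.
	edited := msgA
	edited.Payload = bytes.Replace(reqA, []byte("sp-a"), []byte("attacker"), 1)
	results["payload_edited"] = Verify(&idp.PublicKey, edited)

	// A genuine signature (and its DigestValue) from message A spliced onto
	// payload B: the signature check passes, the digest check catches it.
	spliced := SignedMessage{Payload: msgB.Payload, DigestValue: msgA.DigestValue, SignatureValue: msgA.SignatureValue}
	results["signature_copied"] = Verify(&idp.PublicKey, spliced)

	// DigestValue tampered with: SignedInfo changes, so the signature check fails first.
	tampered := msgA
	tampered.DigestValue = append([]byte(nil), msgA.DigestValue...)
	tampered.DigestValue[0] ^= 0xff
	results["digest_tampered"] = Verify(&idp.PublicKey, tampered)

	// Signed by the wrong (impostor) key: the signature check fails.
	forged, err := Sign(impostor, reqA)
	if err != nil {
		return nil, err
	}
	results["wrong_key"] = Verify(&idp.PublicKey, forged)
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"honest", "payload_edited", "signature_copied", "digest_tampered", "wrong_key"} {
		fmt.Printf("%-17s -> %v\n", name, results[name])
	}
}
```

Run it with `go run`. The order of the checks matters only for the error you report: a message that fails the signature check never reaches the digest comparison, which is why a tampered DigestValue and an impostor key both surface as ErrSignature, while a payload changed after signing surfaces as ErrDigest. A production verifier additionally has to canonicalize both the payload and SignedInfo, confirm that the Reference URI points at the element it is about to act on, obtain the public key from a certificate it trusts rather than from the message, and apply the timestamp check mentioned above; none of that is modelled here.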
