jaakkos
September 4, 2018, 5:32pm
I am trying to configure Auth0 to verify that the incoming SAML 2.0 login request (the AuthnRequest sent by the service provider) is correctly signed.
Using the SAML2 Web App addon with the following signing-certificate settings (the `signingCert` value):
{
...
"signatureAlgorithm": "rsa-sha256",
"digestAlgorithm": "sha256",
"signResponse": true,
"signingCert": "-----BEGIN PUBLIC KEY-----\nMIIBIzANBgkq . . .hkiG9w0==\n-----END PUBLIC KEY-----\n"
...
}
Getting error
"description": "PEM_read_bio_PUBKEY failed",
Does anyone have a working configuration for this?
Hey there @jaakkos , I apologize for the delay in response.
While investigating this it appears that a large number of people have had success using the function below for the conversion into the strict PEM layout the setting expects (a BEGIN line, base64 body wrapped at 64 columns, an END line, each ending in a real newline rather than a literal `\n`). One thing worth checking first: the helper assumes an X.509 certificate (`-----BEGIN CERTIFICATE-----`), whereas the value posted above is a `PUBLIC KEY` block, and that mismatch alone would make PEM parsing fail. Please let me know if this helps you or if you are still running into the challenge. Thanks!
function convertCertificate (cert) {
//Certificate must be in this specific format or else the function won't accept it
var beginCert = "-----BEGIN CERTIFICATE-----";
var endCert = "-----END CERTIFICATE-----";
cert = cert.replace("\n", "");
cert = cert.replace(beginCert, "");
cert = cert.replace(endCert, "");
var result = beginCert;
while (cert.length > 0) {
if (cert.length > 64) {
result += "\n" + cert.substring(0, 64);
cert = cert.substring(64, cert.length);
}
else {
result += "\n" + cert;
cert = "";
}
}
if (result[result.length ] != "\n")
result += "\n";
result += endCert + "\n";
return result;
}
On OSX 10.10.2, Node v0.12.0 and jsonwebtoken v4.1.0
Using jsonwebtoken to create my own RS256-signed tokens in the ActionHero framework. Loaded the public key with `api.auth.publicKey = fs.readFileSync(path.join(__dirname, '../', api.config.auth.publicKey));`.
I am able to sign (encode), but not verify (decode). When calling `require('jsonwebtoken').verify(token, api.auth.publicKey)` I get a `PEM_read_bio_PUBKEY failed` error. Judging from the stack trace, it originates in the JWS library.
Full error trace (in an ActionHero flavor):
```
2015-03-16 11:09:31 - error: ! uncaught error from action: action:status
2015-03-16 11:09:31 - error: ! connection details:
2015-03-16 11:09:31 - error: ! action: "status"
2015-03-16 11:09:31 - error: ! remoteIP: "127.0.0.1"
2015-03-16 11:09:31 - error: ! type: "web"
2015-03-16 11:09:31 - error: ! params: {"action":"status","apiVersion":1}
2015-03-16 11:09:31 - error: ! Error: PEM_read_bio_PUBKEY failed
2015-03-16 11:09:31 - error: ! at Error (native)
2015-03-16 11:09:31 - error: ! at Verify.verify (crypto.js:356:23)
2015-03-16 11:09:31 - error: ! at Object.verify (/project/Documents/Repositories/server/node_modules/jsonwebtoken/node_modules/jws/node_modules/jwa/index.js:65:21)
2015-03-16 11:09:31 - error: ! at Object.jwsVerify [as verify] (/project/Documents/Repositories/server/node_modules/jsonwebtoken/node_modules/jws/lib/verify-stream.js:68:15)
2015-03-16 11:09:31 - error: ! at Object.module.exports.verify (/project/Documents/Repositories/server/node_modules/jsonwebtoken/index.js:113:17)
2015-03-16 11:09:31 - error: ! at Object.api.auth.isAuthenticated (/project/Documents/Repositories/server/initializers/1500_auth.js:38:18)
2015-03-16 11:09:31 - error: ! at /project/Documents/Repositories/server/initializers/1500_auth.js:50:22
2015-03-16 11:09:31 - error: ! at /project/Documents/Repositories/server/node_modules/actionhero/initializers/actionProcessor.js:135:15
2015-03-16 11:09:31 - error: ! at /project/Documents/Repositories/server/node_modules/actionhero/node_modules/async/lib/async.js:610:21
2015-03-16 11:09:31 - error: ! at /project/Documents/Repositories/server/node_modules/actionhero/node_modules/async
```
We get an error when our AssertionConsumerServiceURL is called by an identity provider that uses Azure AD (it works fine for our other clients; not sure whether or not it is linked to Azure).
```
Error: PEM_read_bio_PUBKEY failed
at Error (native)
at Verify.verify (crypto.js:311:23)
at RSASHA256.verifySignature (/home/git/backend/node_modules/xml-crypto/lib/signed-xml.js:137:24)
at SignedXml.validateSignatureValue (/home/git/backend/node_modules/xml-crypto/lib/signed-xml.js:273:20)
at SignedXml.checkSignature (/home/git/backend/node_modules/xml-crypto/lib/signed-xml.js:261:13)
at SAML.validateSignature (/home/git/backend/node_modules/passport-saml/lib/passport-saml/saml.js:498:14)
at /home/git/backend/node_modules/passport-saml/lib/passport-saml/saml.js:545:17
at _fulfilled (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:794:54)
at self.promiseDispatch.done (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:823:30)
at Promise.promise.promiseDispatch (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:756:13)
at /home/git/backend/node_modules/passport-saml/node_modules/q/q.js:516:49
at flush (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:110:17)
at _combinedTickCallback (internal/process/next_tick.js:67:7)
at process._tickDomainCallback (internal/process/next_tick.js:122:9)
```
The error is thrown by xml-crypto in its `verifySignature` function:
```
var crypto = require("crypto");
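function verifySignature(str, key, signatureValue) {
  // Checks an RSA-SHA256 signature over the canonicalised <ds:SignedInfo> text.
  //
  // str            - the exact canonical XML string that was signed
  // key            - PEM public key or X.509 certificate (string or Buffer),
  //                  or a crypto.KeyObject; must hold an RSA public key
  // signatureValue - the base64 <ds:SignatureValue> content
  //
  // Returns true when the signature is valid, false otherwise.
  // Throws TypeError when `key` is missing, or is a string that is not
  // PEM-framed. Node's own failure for that case is the opaque
  // "PEM_read_bio_PUBKEY failed" seen in the trace above; rejecting up front
  // names the real problem (typically a fingerprint, digest or bare base64
  // blob configured in place of the IdP certificate).
  if (key === undefined || key === null) {
    throw new TypeError("verifySignature: key is required");
  }
  if (typeof key === "string" && !/-----BEGIN [A-Z ]+-----/.test(key)) {
    throw new TypeError(
      "verifySignature: key must be a PEM-encoded public key or X.509 certificate"
    );
  }
  // The digest/signature algorithm is fixed by the caller rather than taken
  // from the (not yet verified) document.
  var verifier = crypto.createVerify("RSA-SHA256");
  verifier.update(str);
  return verifier.verify(key, signatureValue, "base64");
}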
```
I was able to reproduce the error with the arguments passed:
```
var str = '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_55ead485-2e18-4a0d-996e-8c1e42ffa49c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>nj39d54JP9LU4xUgqUa5uzJ7W/xzDAzXadgUy37Yunk=</ds:DigestValue></ds:Reference></ds:SignedInfo>';
var key = '-----BEGIN CERTIFICATE-----\n' +
'MxXh1Tdvj9Wx5VOV4WVunP81al6yvYwRph5F1CPgKRA=\n' +
'-----END CERTIFICATE-----\n';
var signatureValue = 'QhszIs1jyIQ/b+4kuAxoKNqmU2zk1Gwlzdc0N4V54pkrv+gPwautZMLZEcQCFq9Qt6Xb5oKZHA43OwQfy0kBO1Fy88XlpDu9D5o23pzddZh3x9p0OSjTLA6ycSUYftCKPoTRtIq1AJ9QcmahISPPWA89Vp5hpw2gwuyQsZYXVep8PZJFdlXf+jh35KJq0WOH+4UVRWHoYU5THHE9H7rKqlXzEma+jb78KWF/aNltRFS2yW0UT3bsYE0CKiJp/MokNB51IztwZYqueGBD2A2IcFF+PAq4cnwSzqIZ5sXCVWUSm6lQupyxA67nIA/asJ//WbYozCePSQKFaBNVJEz1Pg==';
```
Any idea how to fix it? (Note: the body of the `key` above is 44 base64 characters, i.e. only 32 bytes — far too short to be a DER-encoded X.509 certificate. It looks like a SHA-256 digest or certificate fingerprint has been configured where the IdP's signing certificate is expected.)