Auth0 as SAML 2.0 IdP with signing asserts

James.Morrison · June 4, 2019, 4:18pm

Hey there @jaakkos, I apologize for the delay in response.

While investigating this it appears that a large number of people found success leveraging this function below for the conversation. Please let me know if this helps you or if you are still running into the challenge. Thanks!

function convertCertificate (cert) {
    //Certificate must be in this specific format or else the function won't accept it
    var beginCert = "-----BEGIN CERTIFICATE-----";
    var endCert = "-----END CERTIFICATE-----";

    cert = cert.replace("\n", "");
    cert = cert.replace(beginCert, "");
    cert = cert.replace(endCert, "");

    var result = beginCert;
    while (cert.length > 0) {

        if (cert.length > 64) {
            result += "\n" + cert.substring(0, 64);
            cert = cert.substring(64, cert.length);
        }
        else {
            result += "\n" + cert;
            cert = "";
        }
    }

    if (result[result.length ] != "\n")
        result += "\n";
    result += endCert + "\n";
    return result;
}

github.com/auth0/node-jsonwebtoken

Error in Verify(): PEM_read_bio_PUBKEY

opened 04:41PM - 16 Mar 15 UTC

closed 02:20PM - 16 Feb 16 UTC

paulxtiseo

question

On OSX 10.10.2, Node v0.12.0 and jsonwebtoken v4.1.0 Using jsonwebtoken to crea…te my own RS256-signed tokens in the ActionHero framework. Loaded the public key with `api.auth.publicKey = fs.readFileSync(path.join(__dirname, '../', api.config.auth.publicKey));`. I am able encode, but not decode. When calling `require('jsonwebtoken').verify(token,, api.auth.publicKey)` I get a `PEM_read_bio_PUBKEY failed` error. Seems to be in the JWS library, judging from the stack trace. Full error trace (in an ActionHero flavor): ``` 2015-03-16 11:09:31 - error: ! uncaught error from action: action:status 2015-03-16 11:09:31 - error: ! connection details: 2015-03-16 11:09:31 - error: ! action: "status" 2015-03-16 11:09:31 - error: ! remoteIP: "127.0.0.1" 2015-03-16 11:09:31 - error: ! type: "web" 2015-03-16 11:09:31 - error: ! params: {"action":"status","apiVersion":1} 2015-03-16 11:09:31 - error: ! Error: PEM_read_bio_PUBKEY failed 2015-03-16 11:09:31 - error: ! at Error (native) 2015-03-16 11:09:31 - error: ! at Verify.verify (crypto.js:356:23) 2015-03-16 11:09:31 - error: ! at Object.verify (/project/Documents/Repositories/server/node_modules/jsonwebtoken/node_modules/jws/node_modules/jwa/index.js:65:21) 2015-03-16 11:09:31 - error: ! at Object.jwsVerify [as verify] (/project/Documents/Repositories/server/node_modules/jsonwebtoken/node_modules/jws/lib/verify-stream.js:68:15) 2015-03-16 11:09:31 - error: ! at Object.module.exports.verify (/project/Documents/Repositories/server/node_modules/jsonwebtoken/index.js:113:17) 2015-03-16 11:09:31 - error: ! at Object.api.auth.isAuthenticated (/project/Documents/Repositories/server/initializers/1500_auth.js:38:18) 2015-03-16 11:09:31 - error: ! at /project/Documents/Repositories/server/initializers/1500_auth.js:50:22 2015-03-16 11:09:31 - error: ! at /project/Documents/Repositories/server/node_modules/actionhero/initializers/actionProcessor.js:135:15 2015-03-16 11:09:31 - error: ! at /project/Documents/Repositories/server/node_modules/actionhero/node_modules/async/lib/async.js:610:21 2015-03-16 11:09:31 - error: ! at /project/Documents/Repositories/server/node_modules/actionhero/node_modules/async ```

github.com/node-saml/passport-saml

Error: PEM_read_bio_PUBKEY failed

opened 06:37PM - 11 Jan 17 UTC

closed 01:37PM - 23 Jan 17 UTC

louis-sanna

We have an error when our AssertionConsumerServiceURL is called by an indentity …provider using Azure AD (it works fine for our other clients, not sure whether or not it's linked to Azure). ``` Error: PEM_read_bio_PUBKEY failed at Error (native) at Verify.verify (crypto.js:311:23) at RSASHA256.verifySignature (/home/git/backend/node_modules/xml-crypto/lib/signed-xml.js:137:24) at SignedXml.validateSignatureValue (/home/git/backend/node_modules/xml-crypto/lib/signed-xml.js:273:20) at SignedXml.checkSignature (/home/git/backend/node_modules/xml-crypto/lib/signed-xml.js:261:13) at SAML.validateSignature (/home/git/backend/node_modules/passport-saml/lib/passport-saml/saml.js:498:14) at /home/git/backend/node_modules/passport-saml/lib/passport-saml/saml.js:545:17 at _fulfilled (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:794:54) at self.promiseDispatch.done (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:823:30) at Promise.promise.promiseDispatch (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:756:13) at /home/git/backend/node_modules/passport-saml/node_modules/q/q.js:516:49 at flush (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:110:17) at _combinedTickCallback (internal/process/next_tick.js:67:7) at process._tickDomainCallback (internal/process/next_tick.js:122:9) ``` The error is thrown by xml-crypto in the function "verify-signature" ``` var crypto = require("crypto"); var verifySignature = function(str, key, signatureValue) { var verifier = crypto.createVerify("RSA-SHA256"); verifier.update(str); var res = verifier.verify(key, signatureValue, 'base64'); return res }; ``` I was able to reproduce the error with the arguments passed: ``` var str = '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_55ead485-2e18-4a0d-996e-8c1e42ffa49c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>nj39d54JP9LU4xUgqUa5uzJ7W/xzDAzXadgUy37Yunk=</ds:DigestValue></ds:Reference></ds:SignedInfo>'; var key = '-----BEGIN CERTIFICATE-----\n' + 'MxXh1Tdvj9Wx5VOV4WVunP81al6yvYwRph5F1CPgKRA=\n' + '-----END CERTIFICATE-----\n'; var signatureValue = 'QhszIs1jyIQ/b+4kuAxoKNqmU2zk1Gwlzdc0N4V54pkrv+gPwautZMLZEcQCFq9Qt6Xb5oKZHA43OwQfy0kBO1Fy88XlpDu9D5o23pzddZh3x9p0OSjTLA6ycSUYftCKPoTRtIq1AJ9QcmahISPPWA89Vp5hpw2gwuyQsZYXVep8PZJFdlXf+jh35KJq0WOH+4UVRWHoYU5THHE9H7rKqlXzEma+jb78KWF/aNltRFS2yW0UT3bsYE0CKiJp/MokNB51IztwZYqueGBD2A2IcFF+PAq4cnwSzqIZ5sXCVWUSm6lQupyxA67nIA/asJ//WbYozCePSQKFaBNVJEz1Pg=='; ``` Any idea how to fix it?

Topic		Replies	Views
How do I set up a SAML 2.0 addon that validates signed requests? Get Help saml , clients	2	3677	March 2, 2018
Auth0 not validating SAML 2.0 message signature Get Help saml	1	4214	December 20, 2019
SAML Assertion signature is invalid Get Help saml , saml2	4	9156	August 31, 2021
SAML Error: "SAML Response not signed" Knowledge Articles	1	753	January 26, 2024
Auth0 as IdP: Is it possible to sign both the response and assertion? Get Help connections , saml-enterprise-connection	2	858	October 26, 2023

Auth0 as SAML 2.0 IdP with signing asserts

Related topics