Interaction problem between SimpleSAMLphp message + pyXMLSecurity verify()

[spaetow]

Ok, this might be just something stupid that I am doing, but I'd appreciate your help with this.

I'm trying to verify the signature of a SAML2 message. Find attached two files, one being the actual debug output of a SimpleSAMLphp attribute authority instance with the message (but not the SOAP tags), the other being the output on the service provider end as captured by cURL with the correct syntax to generate the message.

Now, when I use pyXMLSecurity's xmlsec.verify() with the AA certificate (which I happen to have as a file), I see the following:

DEBUG:root:Found signedinfo <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_7bb54ec7a8a59f971b1b995206ce6a344600051f63"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>mTRj5GCV7+jP7HKCHYk+paTfxas=</ds:DigestValue></ds:Reference></ds:SignedInfo>
DEBUG:root:Looking for #_7bb54ec7a8a59f971b1b995206ce6a344600051f63 using id attribute 'ID'
DEBUG:root:using hash algorithm sha1
DEBUG:root:computed sha1 digest mTRj5GCV7+jP7HKCHYk+paTfxas= for ref #_7bb54ec7a8a59f971b1b995206ce6a344600051f63
DEBUG:root:found sha1 digest mTRj5GCV7+jP7HKCHYk+paTfxas= for ref #_7bb54ec7a8a59f971b1b995206ce6a344600051f63
DEBUG:root:transform http://www.w3.org/2001/10/xml-exc-c14n# on <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_7bb54ec7a8a59f971b1b995206ce6a344600051f63"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>mTRj5GCV7+jP7HKCHYk+paTfxas=</ds:DigestValue></ds:Reference></ds:SignedInfo>
DEBUG:root:SignedInfo C14N: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7bb54ec7a8a59f971b1b995206ce6a344600051f63"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>mTRj5GCV7+jP7HKCHYk+paTfxas=</ds:DigestValue></ds:Reference></ds:SignedInfo>
DEBUG:root:SignedInfo digest: c94rVY2u5+eFvrZEXJnxZQzKHQw=
ERROR:root:Failed to validate <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_7bb54ec7a8a59f971b1b995206ce6a344600051f63"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>mTRj5GCV7+jP7HKCHYk+paTfxas=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>dLtV7jF5PgeGjfMTbnshfzD1g2qPdKPZNzfCEzlfPrMx8ZZsqUQJNIVoqKx6Vqi8iJIdoezJwtz8XOmXO5vkZe1aNVVC3hptPGbNJbUwU8Q8exhHwlc9w6u+nHqeh9EtQgMThv3c1PxxBpZ9o2HsqU/PFADuP/JrwdLdAS3BSeGNp9YpUu0FswjpFQn5t2pwNMvkZzhMdzsa/KV0JtAuBlUo8dseFU0hgKnPlXn821C7cS0Lc28DU5H4Xjgwyfd7ymOswwbm5IteZyGlq5gUP3YHODxl3RAEp0cKL7DPhmDe1BUAD68WhVq5bUs1mQdYwKogSLP0aHmuGGaHjDPt185PVcjRnKbMyplIdFZzE3c+ttSSYOP1/PApt0Y3uJS85rn53Kipk/z07ZvYe8sE4+OdtTeWNVtvAR41tc7p56Csc5wa1wUhARnSv6NwVhwM1aySkZu11BGtqSy7lEvHQsHBb8U3VTacDogD9CtyGsiQi+qLqVSTrFT/tKf697PKsKWOJkSrcP51v/OjB/XqEN6fN45YMuIK8P8T8iBlOtcfV4Hlq0lST4gGSw4OP/ds2xCXBsBYJLkMoIIwzX9tgVLhFmqDWCvzqZ/6/WTvYwI6p6HhmM0+xpou/OmBqHDlZ5kUk3qthjmhWXEPdXSknZ7W6zMDpN2tpxDC3eJLVSM=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFLzCCAxegAwIBAgIJAMszSeMjDJ4CMA0GCSqGSIb3DQEBCwUAMC4xLDAqBgNVBAMMI2NvbWFuYWdlLmVkdXRlYW1zLXBsYXlwZW4udGkuamEubmV0MB4XDTE4MDUxNTE1NDc1NFoXDTI4MDUxNDE1NDc1NFowLjEsMCoGA1UEAwwjY29tYW5hZ2UuZWR1dGVhbXMtcGxheXBlbi50aS5qYS5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDIDKmsP1QAs4EcySN9CFEC3PkzXcIF6wUNsZ6IBpAGQzGdwmabEI53P6cnoAlcVQN4PCY1O15V1W7dKrEDBMchEksss1LjzrajhBreIVJRDxzPs4L4RQTC83z2tvjLlA15MH0rqOtOfv9Ql2KOeNuShDXS4fZl4mI2lOWIVn9FI/H0rpBnY/IupwLMsp0yEDyppU3EGa9xDigS9KP6e51BjVOk/s9GJz4TW/zUukLW4jR5AEY2Yitxi2h8HMArMj0HWIfdIptXWrVfv63FMJonaZ9LQr7Ye6mEKGlQTYLD+pjEoJPEwbqmLwg8Tn5tjAfs7m1KgTd6TAPh6QxpYtVsTXvHVfP3qie+je4oNDzhkzjdhJr7eutkgBJiorkuSGjwvsaywMS27EHdCfI57HsuOuTsmCKJaI3FOLyqXDLwq8LO20YdVGUTvcs7rhW/oWQYiNWCk/EhW5iNbs0XbwyMpuPVH5TDOPNHeIUdQE2v+cfU1Fs+P5cHz1PhOD117k5EzEKM6ZZXfrZI71qnEDe0mWbyIY13OjDNS9T0YNMG+l1zsukG8TTiad0pI0X9OaFzZuvsN51nZWuTvoI3JUJMckF3f2fnlWm55uLiLKf7KtJkO2anSyCcHtzEDuFInV22x/P3HVKQhDqqrs2HX+Z3z996R117nai/cPkcQAJ/gwIDAQABo1AwTjAdBgNVHQ4EFgQUpWMBNlgCeXz0mJSu+ee0VgRavjYwHwYDVR0jBBgwFoAUpWMBNlgCeXz0mJSu+ee0VgRavjYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAouf3R/1z7mk2tnhkBsb5vv3tKt3XXJcGjKPMK/gaY1YTNj61pVudPswXBWLoNTn6yKBBy5uhm7mRX5rcuq+gfpdXOqZXxZoNXGx5qkd5A7zJkbLfW5TgD+sp9Ln+5KgtjN3wt6JkgZlKspd0jcsuH0og4BXlAEHtLIG6IOC2Arby+8vy8mfYB2JMtcHnwcn2WaixzuBmuGxovpzwN+xE9Yt6rFnizYWtQs40vubxpvJRToymUEd26jWvLhpG9B6U/oeFZtOHUX/ebhsBnkouPOvPTJm8cM6hiIb2ExeNh4IfP3KT7zIeOTWR/aQ4z1v6Jcn763Xj5EHYpRTiyWOLvslmAgr2k0HraZDWwfDX+Lifxz5iuXGZs1Jmxu6NCiTkqOIioIKZLA9R8KJ/r2Oc5j//lAXWWcpaqtogn0ObAmfr4g1rT/Da8YGsuou821i5Wa7IlkuSP+hLqve0XxyDRi2YH39yp0x28hisvrq4kAD343dN7QPemJ5VJXJ6pMTNza6wXe8L1VWDqYzDowSrmG/lmhn2Z3bTx3Xfwbw/c1ynRfrbBtdo9MKyGfQnn4xT8VQn4lp1i9uyJoURoLSazCN5y21qYuGInSxE/Irz36HaZXKiwD2snH+fDPJGIq057VayDKtgOoaKKXYiVNUSxu7qtMlPUacUoeoAZwRQv1g=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature> using sig digest sha1 and cm http://www.w3.org/2001/10/xml-exc-c14n#

From what I can see, the digest is correctly calculated (I have a separate issue with the PySAML2 SOAP class that seems to mess that up), but it then fails to work out whether the signature block itself is correct. Shibboleth has no problem with this message (with the cURL version certainly given that it uses libcurl-openssl to do its calls).

Can someone enlighten me?

ssphp-debug-_7bb54ec7a8a59f971b1b995206ce6a344600051f63.txt
xmldoc-_7bb54ec7a8a59f971b1b995206ce6a344600051f63.txt

This is pySAML2 4.6.2 and pyXMLSecurity 0.18.