
Mismatch SignatureValue compared to samltool #199

Open
sweetodev opened this issue Nov 15, 2019 · 1 comment
sweetodev commented Nov 15, 2019

xml-crypto is not generating the correct value for the SignatureValue of the signature. I've verified this by feeding the same XML repeatedly to xml-crypto, and there's a mismatch in the output.

The SignatureValue from samltool works with the SP, but the one xml-crypto generates doesn't.

The DigestValue is correct and matches the one from samltool, though.

```js
// This runs inside a method of an object (`self`) that provides
// `self.privateKey` (path to the PEM private key) and `self.getPublicKey()`
// (the base64 certificate body placed in <ds:X509Certificate>).
return new Promise(function (resolve, reject) {

    const SignedXml = require('xml-crypto').SignedXml;
    const sig = new SignedXml();

    sig.signingKey = require('fs').readFileSync(self.privateKey);
    sig.canonicalizationAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
    sig.signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

    // Sign the whole Response element: enveloped-signature transform, then exc-c14n, SHA-1 digest.
    sig.addReference("//*[local-name()='Response']",
        [
            "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
            "http://www.w3.org/2001/10/xml-exc-c14n#"
        ],
        "http://www.w3.org/2000/09/xmldsig#sha1"
    );

    // Custom KeyInfo: embed the signing certificate so the SP can locate the key.
    sig.keyInfoProvider = new (function () {
        this.getKeyInfo = function () {
            return `<ds:X509Data><ds:X509Certificate>${self.getPublicKey()}</ds:X509Certificate></ds:X509Data>`;
        };
    });

    sig.computeSignature(xml, {
        prefix: 'ds',
        location: { reference: "//*[local-name(.)='Issuer']", action: "after" } // place the signature after the Issuer
    });

    resolve(sig.getSignedXml());
});
```

Resulting XML signature:

```xml
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#pfx238f2615-2267-6ee6-efa9-24dd82d85764">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>6okYcbSa3y18LSbOBJTMMWN7/Rs=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
        ULNmpuKwXwHwqUMybbwnupC/y9WZohGBx9Y.....NQVwpNC+sBc6etPhSq5BVw==
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                MIIDuDCCAqACCQD.......Zsb3JpZGExDuJ/M7+/P+enkq9Vx0thQHUaI+ndr1gpZE=
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
```
@sweetodev sweetodev changed the title Mismatch SignatureValue of the signature if compared with samltool Mismatch SignatureValue if compared with samltool Nov 15, 2019
@sweetodev sweetodev changed the title Mismatch SignatureValue if compared with samltool Mismatch SignatureValue compared to samltool Nov 15, 2019
cjbarth (Contributor) commented May 29, 2023

@sweetodev, this certainly sounds like something we'd like to address. Could you please create a PR with a test suite that replicates the problem, including notes about how you signed things over at SAML Tool? That would really help everyone in getting to the bottom of this, as you aren't the first person to report having difficulty getting signatures to match.
