How to verify an XML signature in an iOS application?

Question

I've been tossed into the world of XML digital signatures with an iOS project I'm working on; I need to verify the digital signature of a SAML assertion.

I've been reading a lot about validating XML signatures, and I think I get the basics about how it signs the digest with the private key and I can verify it with the public key (which should be in the included x509 certificate) so I can be certain of the SAML token's source.

I found a C libray, xmlsec, that looks like it has a lot of the code I need for verifying the signature and have been working on trying to implement that. However, I haven't been able to figure it out. From what I understand, I'm pretty sure I would have to compile the library in with my code. I've copied the source into my project, but I get errors during compile about things not being defined.

Before I spend countless hours heading down that path, I figured I would reach out to the community and see if anyone has had any experience verifying an xml digital signature and whether they could give insight on implementing that in an iOS project.

For what it's worth, here's a chunk of the SAML assertion I'm getting from the single sign-on service:

<?xml version="1.0" encoding="UTF-16"?>
<saml:Assertion ID="oQ2YZuHBspA_f91HM8o3.o6ZZla" IssueInstant="2011-05-06T00:51:40.733Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Issuer>[...]</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#oQ2YZuHBspA_f91HM8o3.o6ZZla">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>zj4pCHBNMln+28Jq/v1YIScfiuw=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>[...]</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>MIIDVjCCAj6gAwIBAgIGAS67wkWCMA0GCSqGSIb3[...]7bgf</ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
            <ds:RSAKeyValue>
                <ds:Modulus>[...]</ds:Modulus>
                <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
        </ds:KeyValue>
    </ds:KeyInfo>
</ds:Signature>

Answer 1

Compiling xmlsec for iPhone is a bit tricky but can be done.

First of all, some general considerations:

1. xmlsec is a GNU project using the GNU build system; building one such project amounts to running a script (configure) and then executing make. configure will create a Makefile tailored for your exact system configuration and will allow you to choose which options of xmlsec to include or not in you build;

2. xmlsec has several dependencies from other libraries: libssl, libcrypto (part of openssl), libxslt, libxml2, libz, and libiconv. Only libxml2 and libz are available in the iPhone SDK and you will need to have all of the others available on your system and already compiled. Those libraries are all GNU projects that you can compile by applying the same approach as the one I describe later for xmlsec. One note: libxslt. Apple includes libxslt in the iPhone SDK, but does not make the .h available, so you are not allowed to link to libxslt.dylib which comes with the iPhone SDK and you will have to compile it on your own.

3. importing the source files from xmlsec into an iPhone project is difficult unless you know which files are proper to xmlsec and which are simple dependencies (xmlsec source tree includes openssl, gnutls, etc that are not certainly necessary to be there), but above all because you cannot control which optional features of xmlsec you would like to include (or exclude) in your build, like configure does for you;

4. the approach I preferred is, therefore, properly using configure so as to produce an iPhone-specific Makefile, and then build a static library (since you are not allowed to use external dylib on iPhone);

The steps, concretely, to compile xmlsec for iPhone are:

0 - install and compile all the dependencies; if you cannot find them already ported for iPhone, you can apply (recursively) this same approach to them;

1 - cd to libxmlsec root and execute the command:

CFLAGS=" -arch armv6 -std=c99 -isysroot /Volumes/ext/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.2.sdk" CC="/Volumes/ext/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc-4.2" ./configure --host=arm-apple-darwin10 --disable-shared --disable-crypto-dl --with-libxml=<path_to_where_libxml_is> --with-libxslt=<path_to_where_libxslt_is> --with-openssl=<path_to_where_openssl_is>

in the command above, I am assuming that libxml headers and executables will be found by the compiler since they are part of the SDK. Otherwise include them also.

2 - configure will produce a lot of output and, if everything goes right, you will be able to execute the command:

make

3 - this should run finely to completion and produce your output file: src/.libs/libxmlsec1.a that you can link in your iPhone project (together with all the rest of depended upon libraries).

Finally, a tutorial about compiling openSSL for iPhone.