This repository has been archived by the owner on May 9, 2022. It is now read-only.

Response/Assertion: also sign the Response #67

Closed
alranel opened this issue Jul 15, 2018 · 2 comments

Comments

alranel (Member) commented Jul 15, 2018

The SPID technical rules require that the Assertion element be signed, and allow the Response element to be optionally signed.

At the moment testenv2 signs only the Assertion element, but I think we should sign both elements so that developers can properly test their implementations against every point of the technical rules.

This is an example of an assertion currently issued by testenv2:

<?xml version="1.0" encoding="UTF-8"?>
<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://localhost:3000/spid-sso" ID="id-0POTj0OEZQNiLj32n" InResponseTo="28af4fe5a2923bd47d5d01ea07a255b5" IssueInstant="2018-07-12T14:37:14Z" Version="2.0">
	<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
		http://localhost:8088
	</ns1:Issuer>
	<ns0:Status>
		<ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
	</ns0:Status>
	<ns1:Assertion ID="id-3zYI399s6b6HRkY1P" IssueInstant="2018-07-12T14:37:14Z" Version="2.0">
		<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
			http://localhost:8088
		</ns1:Issuer>
		<ns2:Signature Id="Signature2">
			<ns2:SignedInfo>
				<ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
				<ns2:Reference URI="#id-3zYI399s6b6HRkY1P">
					<ns2:Transforms>
						<ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
					</ns2:Transforms>
					<ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
					<ns2:DigestValue>
						AeE/vSir+5D8l/2DQKftc61zi3gb/vD2w8TF2N/vegaBNeb1+d5bHlMg9zc2jww2 7v1XSgyeJLcNnrsca7J9lw==
					</ns2:DigestValue>
				</ns2:Reference>
			</ns2:SignedInfo>
			<ns2:SignatureValue>
				PE0Fz8uu3zQyeJXniwa1w752ljszciVWEby92AZA0SneiXppoMJ4EjyCf6Ogp5ch 6Un3w1WRe16xpPg51w8R7i7XhKoCi2c6okCYb8dx6wrGoQeyX1Rs7qhu7CtHyMgL 68zQCtZTLowUWl5ILSqpenZbw3hGZLbQqP3tt1/nqgnForoIrcX3CJezsBmkwKwF 6KRTLsexzqqaVNllbaMZ+7Mx0/uBXFFeBBnXbzlI0A9nuxTwnw1GFtLWI6ggWhlR FMtEzaRoRbq5/SPvAtN0z6CJWT76wuf4tJGfepautok9qnGuD1CzGqGS1Db/Yduq hfi3nzTf/4hLDzq7cJmfEA==
			</ns2:SignatureValue>
			<ns2:KeyInfo>
				<ns2:X509Data>
					<ns2:X509Certificate>
						<!-- X.509 certificate value not preserved in this excerpt -->
					</ns2:X509Certificate>
				</ns2:X509Data>
			</ns2:KeyInfo>
		</ns2:Signature>
		<ns1:Subject>
			<ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://localhost:8088" SPNameQualifier="https://localhost/">
				0447bf80a151b7cd8ce9e8cf605b560dce6d0d2c0b0f112a89f0ea1c90b36c37
			</ns1:NameID>
			<ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<ns1:SubjectConfirmationData InResponseTo="28af4fe5a2923bd47d5d01ea07a255b5" NotOnOrAfter="2018-07-12T15:37:14Z" Recipient="http://localhost:3000/spid-sso" />
			</ns1:SubjectConfirmation>
		</ns1:Subject>
		<ns1:Conditions NotBefore="2018-07-12T14:37:14Z" NotOnOrAfter="2018-07-12T15:37:14Z">
			<ns1:AudienceRestriction>
				<ns1:Audience>
					https://localhost/
				</ns1:Audience>
			</ns1:AudienceRestriction>
		</ns1:Conditions>
		<ns1:AuthnStatement AuthnInstant="2018-07-12T14:37:14Z" SessionIndex="id-66lDkmZaeR6EOj9Au">
			<ns1:AuthnContext>
				<ns1:AuthnContextClassRef>
					https://www.spid.gov.it/SpidL1
				</ns1:AuthnContextClassRef>
				<ns1:AuthenticatingAuthority>
					https://www.spid.gov.it/SpidL1
				</ns1:AuthenticatingAuthority>
			</ns1:AuthnContext>
		</ns1:AuthnStatement>
		<ns1:AttributeStatement>
			<ns1:Attribute FriendlyName="name" Name="urn:mace:dir:attribute-def:name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">
					Mario
				</ns1:AttributeValue>
			</ns1:Attribute>
			<ns1:Attribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">
					RSOMRO70M20H501X
				</ns1:AttributeValue>
			</ns1:Attribute>
			<ns1:Attribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">
					Rossi
				</ns1:AttributeValue>
			</ns1:Attribute>
		</ns1:AttributeStatement>
	</ns1:Assertion>
</ns0:Response>
alranel added the labels "enhancement" (New feature or request) and "needs regression test" on Jul 15, 2018
alranel added this to the 0.5 milestone on Aug 10, 2018
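The issue turns on which elements of the Response carry an enveloped XML Signature. The check below is an added example (not testenv2 code and not the SPID reference implementation) showing how a Service Provider can verify, structurally, that the Assertion has its own direct `ds:Signature` whose `Reference` URI points at the Assertion's `ID`, and that the Response is likewise signed when the SP chooses to require it. It uses only the standard library and does no cryptographic verification (that remains a separate step with xmlsec, pysaml2 or similar); the sample documents are constructed, with element IDs borrowed from the Response quoted above, and the `require_response_signature` parameter is an assumed name for the SP's own policy switch.

```python
"""Structural check of which SAML 2.0 elements carry an enveloped XML Signature.

Added example, not part of the testenv2 project. It inspects document
structure only: whether Response and Assertion each have a *direct*
ds:Signature child, and whether that signature's Reference URI names the
enclosing element's ID. Cryptographic verification is a separate step.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _direct_signature(elem):
    """Return the ds:Signature that is a direct child of elem, or None.
    Only direct children count: the Assertion's signature sits inside the
    Assertion and says nothing about the enclosing Response."""
    for child in elem:
        if child.tag == "{%s}Signature" % NS["ds"]:
            return child
    return None


def _reference_matches(sig, elem):
    """True if the signature's Reference URI is '#<ID of elem>'."""
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + elem.get("ID", "")


def signature_report(xml_text):
    """Report, per element, whether it is signed and whether the Reference
    URI of that signature points back at the element itself."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    report = {}
    for name, elem in (("response", root), ("assertion", assertion)):
        sig = _direct_signature(elem)
        report[name + "_signed"] = sig is not None
        report[name + "_reference_ok"] = sig is not None and _reference_matches(sig, elem)
    return report


def check_spid_policy(xml_text, require_response_signature=False):
    """Return a list of policy violations (empty list means acceptable).
    The Assertion signature is always required; the Response signature is
    required only when the SP opts in (assumed parameter name)."""
    r = signature_report(xml_text)
    problems = []
    if not r["assertion_signed"]:
        problems.append("Assertion is not signed")
    elif not r["assertion_reference_ok"]:
        problems.append("Assertion signature Reference URI does not match Assertion ID")
    if require_response_signature and not r["response_signed"]:
        problems.append("Response is not signed")
    if r["response_signed"] and not r["response_reference_ok"]:
        problems.append("Response signature Reference URI does not match Response ID")
    return problems


def _sig(ref_id):
    # Constructed placeholder signature: correct structure, no real crypto values.
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % ref_id)


def sample_response(sign_response, sign_assertion):
    """Constructed minimal Response; IDs mirror the testenv2 output in the issue."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="id-0POTj0OEZQNiLj32n" Version="2.0">'
        '<saml:Issuer>http://localhost:8088</saml:Issuer>'
        + (_sig("id-0POTj0OEZQNiLj32n") if sign_response else "")
        + '<saml:Assertion ID="id-3zYI399s6b6HRkY1P" Version="2.0">'
        '<saml:Issuer>http://localhost:8088</saml:Issuer>'
        + (_sig("id-3zYI399s6b6HRkY1P") if sign_assertion else "")
        + '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    # Assertion-only (today's testenv2 behaviour), both signed, neither signed.
    for resp, asrt in ((False, True), (True, True), (False, False)):
        print("response signed=%s assertion signed=%s ->" % (resp, asrt),
              check_spid_policy(sample_response(resp, asrt), require_response_signature=True))
```

Because only direct children are considered, an Assertion signature can never be mistaken for a Response signature, and a Reference URI that names a different element's ID is reported rather than accepted; both conditions are the usual preconditions before handing the document to the cryptographic verifier.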
alranel (Member, Author) commented Aug 10, 2018

As recently discussed, for custom responses we should offer the option of generating either a signed or an unsigned Response.

fmarco (Member) commented Oct 30, 2018

@alranel added the option via settings in the login form for custom responses

@alranel alranel closed this as completed Apr 21, 2019