<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>OK, that changes the output, but it is still not validating:<div><br></div><div><div><div>func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=249:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match</div><div><br></div><div>FAIL</div><div><br></div><div>SignedInfo References (ok/all): 0/1</div><div><br></div><div>Manifests References (ok/all): 0/0</div><div><br></div><div>Error: failed to verify file "/tmp/test-new.xml"</div></div><div><br></div><div><br></div><div>I had generated the SAML response a moment before invoking the command with the --id-attr option that you provided, so the response itself was still valid (not obsolete).</div><div><br></div><div>Artur</div><div><br></div><div>> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response<br>
> To: artur513@outlook.com; xmlsec@aleksey.com<br>
> From: aleksey@aleksey.com<br>
> Date: Wed, 2 Mar 2016 07:58:51 -0800<br>
> <br>
> It should be<br>
> <br>
> --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response<br>
> <br>
> Aleksey<br>
> <br>
> On 3/2/16 1:24 AM, Artur Rychlewicz wrote:<br>
> > Yes, I have tried this, but it didn't help at all.<br>
> > <br>
> > Commands (judging from the printed stack trace, they're equivalent):<br>
> > xmlsec1 --verify --id-attr:ID saml2p:Response test.xml<br>
> > xmlsec1 --verify test.xml<br>
> > <br>
> > XML file (trimmed, but you'll get the idea):<br>
> > &lt;saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453"&gt;<br>
> > &lt;ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"&gt;<br>
> > &lt;ds:SignedInfo&gt;<br>
> > &lt;ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /&gt;<br>
> > &lt;ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /&gt;<br>
> > &lt;ds:Reference URI="#uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453"&gt;<br>
> > &lt;ds:Transforms&gt;<br>
> > &lt;ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /&gt;<br>
> > &lt;ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /&gt;<br>
> > &lt;/ds:Transforms&gt;<br>
> > &lt;ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /&gt;<br>
> > <br>
> > &lt;ds:DigestValue&gt;lAcsILQxRk4LvbSfREkypyI6gMc=&lt;/ds:DigestValue&gt;<br>
> > &lt;/ds:Reference&gt;<br>
> > &lt;/ds:SignedInfo&gt;<br>
> > &lt;ds:SignatureValue&gt;gT/SeC..bjrQ==&lt;/ds:SignatureValue&gt;<br>
> > &lt;ds:KeyInfo&gt;<br>
> > &lt;ds:X509Data&gt;<br>
> > &lt;ds:X509Certificate&gt;MII..A==&lt;/ds:X509Certificate&gt;<br>
> > &lt;/ds:X509Data&gt;<br>
> > ..<br>
> > &lt;/ds:KeyInfo&gt;<br>
> > &lt;/ds:Signature&gt;<br>
> > <br>
> > According to the FAQ, I should have declared the name of the ID element, but in my<br>
> > case it is "ID". And yet, it still displays the error. Following the<br>
> > FAQ, point 3.4 states that I am probably using Visa 3-D files, but<br>
> > again, that is not an option here.<br>
> > <br>
> > It's highly likely that I just do not understand *how* to use xmlsec1<br>
> > and am doing it plain wrong. That said, please take a look and check where<br>
> > I am wrong.<br>
> > <br>
> > Artur<br>
> > <br>
> >> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response<br>
> >> To: artur513@outlook.com; xmlsec@aleksey.com<br>
> >> From: aleksey@aleksey.com<br>
> >> Date: Tue, 1 Mar 2016 09:30:18 -0800<br>
> >><br>
> >> FAQ, section 3.2 (if I recall correctly).<br>
> >><br>
> >> Aleksey<br>
> >><br>
> >> On 3/1/16 8:57 AM, Artur Rychlewicz wrote:<br>
> >> ><br>
> >> > Hello,<br>
> >> ><br>
> >> > I've been trying to use xmlsec1 to validate a signed XML response<br>
> >> > containing SAML data.<br>
> >> ><br>
> >> > When I execute:<br>
> >> ><br>
> >> > xmlsec1 --verify test.xml<br>
> >> ><br>
> >> > I receive the following stack trace:<br>
> >> ><br>
> >> > func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc'))<br>
> >> > func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:<br>
> >> > func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:<br>
> >> > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:<br>
> >> > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer<br>
> >> > func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:<br>
> >> > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:<br>
> >> > func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference<br>
> >> > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:<br>
> >> > func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:<br>
> >> > Error: signature failed<br>
> >> > ERROR<br>
> >> > SignedInfo References (ok/all): 0/1<br>
> >> > Manifests References (ok/all): 0/0<br>
> >> > Error: failed to verify file "test.xml"<br>
> >> ><br>
> >> > I do not know how XML signatures work, but I presume that the ID was<br>
> >> > taken from the &lt;saml2p:Response&gt; tag, which contains ID with the value<br>
> >> > "uuid-73c06e86-88d2-4204-91f4-3d484bc782cc". The &lt;saml2p:Response&gt; element<br>
> >> > contains a &lt;ds:Signature&gt; element, which in turn contains &lt;ds:Reference&gt;<br>
> >> > with the parameter URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc".<br>
> >> ><br>
> >> > Since I do not need this value/data, I'd like to check the signature of the<br>
> >> > &lt;saml2:Assertion&gt; element, which also contains its own<br>
> >> > &lt;ds:Signature&gt; value.<br>
> >> ><br>
> >> > That said, I'd like to ask you for instructions on how to validate the element I<br>
> >> > need. Thank you in advance.<br>
> >> ><br>
> >> > Best regards,<br>
> >> > Artur Rychlewicz<br>
> >> ><br>
> >> > _______________________________________________<br>
> >> > xmlsec mailing list<br>
> >> > xmlsec@aleksey.com<br>
> >> > http://www.aleksey.com/mailman/listinfo/xmlsec<br>
> >> ><br>
> > <br></div></div> </div></body>
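<div>As an added illustration (not part of the thread, and not xmlsec's own code) of the two checks the messages above run into: the Reference URI="#..." lookup, which only works once the verifier knows which attribute is the ID (what --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response tells xmlsec1), and the DigestValue comparison behind "data and digest do not match". The script below re-creates only the reference-digest step using Python's standard library. It uses xml.etree.ElementTree.canonicalize (C14N 2.0) as a stand-in for the exclusive C14N 1.0 that the thread's document declares, since the stdlib ships no exc-c14n; the sample Response, its ID and every function name are constructed for this example.</div>

```python
"""Added example, not code from the xmlsec thread: a minimal re-creation of
the XML-DSig reference check that xmlsec1 performs.

Assumptions: Python 3.8+ standard library only; canonicalization is the
stdlib's C14N 2.0 (ET.canonicalize) standing in for the exc-c14n the thread's
document declares; the sample Response, its ID and the function names are
made up here.  Only the digest step is modelled; SignatureValue is not
checked."""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("ds", DS)

# Constructed sample (not Artur's file): an enveloped signature whose single
# Reference points at the Response's own ID attribute, as in the thread.
TEMPLATE = (
    '<saml2p:Response xmlns:saml2p="' + SAMLP + '" ID="uuid-example-0001">'
    '<ds:Signature xmlns:ds="' + DS + '"><ds:SignedInfo>'
    '<ds:Reference URI="#uuid-example-0001">'
    '<ds:DigestValue>DIGEST_PLACEHOLDER</ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo></ds:Signature>'
    '<saml2p:Status>Success</saml2p:Status>'
    '</saml2p:Response>'
)


def find_by_id(root, uri, id_attr):
    """Resolve a same-document reference ('#value') by ID attribute name.

    xmlsec1 does this through xpointer(id(...)); until --id-attr registers
    the attribute it cannot know which one is the ID and the lookup fails,
    which is the first error in the thread.  Here the name is passed in."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are modelled")
    wanted = uri[1:]
    for el in root.iter():  # root.iter() includes root itself
        if el.get(id_attr) == wanted:
            return el
    raise LookupError("no element carries %s=%r" % (id_attr, wanted))


def reference_digest(root, uri, id_attr):
    """DigestValue for one Reference: enveloped-signature transform (drop
    every ds:Signature inside the referenced element), canonicalize, SHA-1
    (matching the thread's DigestMethod; new deployments use SHA-256), base64."""
    target = copy.deepcopy(find_by_id(root, uri, id_attr))
    for parent in list(target.iter()):
        for sig in parent.findall("{%s}Signature" % DS):
            parent.remove(sig)
    canonical = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    digest = hashlib.sha1(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_reference(xml_text, id_attr="ID"):
    """Signer side (digest only): fill in the DigestValue of the Reference."""
    root = ET.fromstring(xml_text)
    ref = root.find(".//{%s}Reference" % DS)
    return xml_text.replace(
        "DIGEST_PLACEHOLDER", reference_digest(root, ref.get("URI"), id_attr))


def verify_reference(xml_text, id_attr="ID"):
    """Verifier side: (ok, message) in the spirit of xmlsec1's output."""
    root = ET.fromstring(xml_text)
    ref = root.find(".//{%s}Reference" % DS)
    expected = ref.findtext("{%s}DigestValue" % DS, "").strip()
    try:
        actual = reference_digest(root, ref.get("URI"), id_attr)
    except LookupError as exc:
        return False, "reference resolution failed: %s" % exc
    if actual != expected:
        return False, "invalid data: data and digest do not match"
    return True, "SignedInfo References (ok/all): 1/1"


def main():
    signed = sign_reference(TEMPLATE)
    print("intact:       ", verify_reference(signed))
    # Wrong ID attribute name: the same failure class as running with no --id-attr.
    print("wrong id attr:", verify_reference(signed, id_attr="Id"))
    # Any change inside the referenced element changes the canonical bytes.
    print("tampered:     ", verify_reference(signed.replace("Success", "Requester")))
    # Whitespace between elements is part of the canonical form as well.
    print("re-indented:  ", verify_reference(signed.replace("><", ">\n  <")))


if __name__ == "__main__":
    main()
```

<div>Running it prints one passing verification followed by three failures: an unresolvable ID attribute, a Response whose content was altered after signing, and a Response that was merely re-indented. The last case is worth knowing when debugging with hand-edited test files: canonicalization keeps whitespace text nodes, so a copy reformatted after signing no longer digests to the stored value. xmlsec1 additionally checks SignatureValue over SignedInfo, which this example leaves out.</div>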
</html>