<html><body><p>Hello,<br>
I've spent a few days trying to verify a signature in the SAML response.<br>
If I run the command-line xmlsec1, I can verify the signature fine:</p>
<pre>xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --trusted-pem myCert.pem samlResponse.xml</pre>
<p>Verifying a signature of the same SAML using the xmlsec API (code similar to the verify4.c example) gives these errors:</p>
<pre>func=xmlSecTransformIdListFindByHref:file=transforms.c:line=2239:obj=unknown:subj=xmlSecPtrListCheckId(list, xmlSecTransformIdListId):error=100:assertion:
func=xmlSecTransformNodeRead:file=transforms.c:line=1315:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=http://www.w3.org/2001/10/xml-exc-c14n#
func=xmlSecTransformCtxNodeRead:file=transforms.c:line=596:obj=CanonicalizationMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=623:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed:node=CanonicalizationMethod
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=497:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:</pre>
<p>I tried updating xmlsec1 from version 1.2.20 (openssl) to 1.2.29 (openssl), but it did not help. Still getting the same exception stack.</p>
<p>I generated a dump:</p>
<pre>= VERIFICATION CONTEXT
== Status: unknown
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000000
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== SignedInfo References List:
=== list size: 0
== Manifest References List:
=== list size: 0
= REFERENCE VERIFICATION CONTEXT
== Status: unknown
== Reference Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL</pre>
<p><b>An example signature in the SAML:</b></p>
<pre>&lt;ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"&gt;
  &lt;ds:SignedInfo&gt;
    &lt;ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /&gt;
    &lt;ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /&gt;
    &lt;ds:Reference URI="#_17ba951-d40a-4fa6-83e9-405v11ab6d01"&gt;
      &lt;ds:Transforms&gt;
        &lt;ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /&gt;
        &lt;ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /&gt;
      &lt;/ds:Transforms&gt;
      &lt;ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /&gt;
      &lt;ds:DigestValue&gt;......&lt;/ds:DigestValue&gt;
    &lt;/ds:Reference&gt;
  &lt;/ds:SignedInfo&gt;
  &lt;ds:SignatureValue&gt;ZqbHJI9GUOXV8gfKGHjaHY8iTXJiQd...&lt;/ds:SignatureValue&gt;
  &lt;KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"&gt;
    &lt;ds:X509Data&gt;
      &lt;ds:X509Certificate&gt;....&lt;/ds:X509Certificate&gt;
    &lt;/ds:X509Data&gt;
  &lt;/KeyInfo&gt;
&lt;/ds:Signature&gt;</pre>
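<p>Added example (not part of the original message and not the poster's verify4.c-based code): structural pre-checks an application can run on a SAML response before handing it to xmlsec. The error stack above fails inside the library while looking up the exc-c14n transform by its href; the assertion on the transform id list typically means the transform registry was never initialised, i.e. xmlSecInit() was not called before building the context. Those checks are the library's job, but the relying party still has to decide what it accepts, and that is what the code below does: the canonicalization, signature and digest algorithms and the transform chain are allow-listed, the Reference URI is resolved through the ID attribute (what --id-attr:ID ... does for the CLI) and must point at the saml:Assertion that encloses the Signature, and duplicate ID attributes are rejected because they make the URI ambiguous. The sample response is constructed around the signature shown in the post with placeholder values; the namespace constants and the function check_signature_structure are my own names. Python 3 standard library only.</p>

```python
"""Structural pre-checks for a SAML 2.0 enveloped <ds:Signature>, run in the
application before the document is handed to xmlsec for cryptographic
verification.  Added example; the sample response is constructed around the
signature in the post, with digest/signature/certificate values replaced by
placeholders."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Allow-lists: what this relying party accepts, nothing else.
ALLOWED_C14N = {EXC_C14N}
ALLOWED_SIGNATURE = {RSA_SHA256}
ALLOWED_DIGEST = {SHA256}
EXPECTED_TRANSFORMS = [ENVELOPED, EXC_C14N]  # exact chain, in this order

# Constructed sample: the post's signature, inside an Assertion, inside a Response.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0">
  <saml:Assertion xmlns:saml="{SAML}" ID="_17ba951-d40a-4fa6-83e9-405v11ab6d01" Version="2.0">
    <ds:Signature xmlns:ds="{DS}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
        <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
        <ds:Reference URI="#_17ba951-d40a-4fa6-83e9-405v11ab6d01">
          <ds:Transforms>
            <ds:Transform Algorithm="{ENVELOPED}"/>
            <ds:Transform Algorithm="{EXC_C14N}"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="{SHA256}"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      <KeyInfo xmlns="{DS}"><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></KeyInfo>
    </ds:Signature>
    <saml:Subject/>
  </saml:Assertion>
</samlp:Response>"""


def _q(name: str) -> str:
    """Clark-notation tag for an element in the XML-DSig namespace."""
    return f"{{{DS}}}{name}"


def check_signature_structure(xml_text: str) -> dict:
    """Validate the first ds:Signature in the document.

    Returns {"ok": bool, "errors": [str], "signed_id": str | None}.  "ok" is
    False whenever any check fails; a caller must not proceed on False."""
    root = ET.fromstring(xml_text)
    errors = []
    parent = {child: p for p in root.iter() for child in p}  # ET has no parent links

    # Index ID attributes; a duplicate makes URI="#id" ambiguous, so reject it.
    ids = {}
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is None:
            continue
        if el_id in ids:
            errors.append(f"duplicate ID attribute {el_id!r}")
        ids[el_id] = el

    sig = root.find(f".//{_q('Signature')}")
    signed_info = sig.find(_q("SignedInfo")) if sig is not None else None
    if signed_info is None:
        return {"ok": False, "errors": errors + ["no ds:Signature/ds:SignedInfo"], "signed_id": None}

    def _alg(parent_el, child, allowed):
        # Check that the child's Algorithm attribute is in the allow-list.
        el = parent_el.find(_q(child))
        alg = el.get("Algorithm") if el is not None else None
        if alg not in allowed:
            errors.append(f"{child} algorithm not allowed: {alg}")

    _alg(signed_info, "CanonicalizationMethod", ALLOWED_C14N)
    _alg(signed_info, "SignatureMethod", ALLOWED_SIGNATURE)

    refs = signed_info.findall(_q("Reference"))
    if len(refs) != 1:
        errors.append(f"expected exactly one Reference, found {len(refs)}")

    signed_id = None
    for ref in refs:
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") and len(uri) > 1 else None
        if target is None:
            errors.append(f"Reference URI {uri!r} does not resolve via an ID attribute")
        elif target is not parent.get(sig):
            errors.append("Reference does not cover the element enclosing the Signature")
        elif target.tag != f"{{{SAML}}}Assertion":
            errors.append("signed element is not a saml:Assertion")
        else:
            signed_id = uri[1:]
        chain = [t.get("Algorithm") for t in ref.findall(f"{_q('Transforms')}/{_q('Transform')}")]
        if chain != EXPECTED_TRANSFORMS:
            errors.append(f"unexpected transform chain: {chain}")
        _alg(ref, "DigestMethod", ALLOWED_DIGEST)

    return {"ok": not errors, "errors": errors, "signed_id": signed_id if not errors else None}


if __name__ == "__main__":
    result = check_signature_structure(SAMPLE_RESPONSE)
    print("accepted" if result["ok"] else "rejected", result["errors"])
```

<p>Run this on the raw response first; only if it returns ok does the document go to xmlsec (CLI or API) with the trusted certificate loaded from your own store, and the accepted signed_id is the assertion you then consume. The check deliberately resolves the Reference by ID attribute and compares the result with the Signature's own parent, so a reference that points at some other element with that ID is rejected before any digest is computed.</p>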
</body></html>