[xmlsec] Verifing signature of SAML XML artifacts that has an ID attribute in it, but I think I should ignore it

Aleksey Sanin aleksey at aleksey.com
Fri May 25 08:24:59 PDT 2007


The following xmlsec utility command gets the reference correctly
though the signature verification fails since I don't have correct
keys:

$xmlsec1 --verify \
          --store-references \
          --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion \
          artifact.xml

Take a look at the xmlsec utility source code under debugger
and do the same in your program.

Aleksey

Aleksey Sanin wrote:
> Send me the document you are trying to sign/verify
> 
> Aleksey
> 
> James Olsen wrote:
>> Hello Aleksey,
>>
>>>>  nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), 
>>>> "Assertion", xmlSecDSigNs );
>>
>> AS> You need to pass *saml* namespace URI.
>>
>> As obvious as that may seem, I appreciate your answer because it
>> wasn't obvious to me at the time (looking back at it now it amazes me
>> that I didn't realize that on my own). I am now using the
>> 'urn:oasis:names:tc:SAML:2.0:assertion' namespace and xmlSecFindNode
>> found the node. Thank you!
>>
>> The node I used I passed to RegisterID was:
>>
>>  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
>> Version="2.0"
>>   ID="id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-" 
>> IssueInstant="2007-04-24T20:07:36Z">
>>
>> and I used the attribute name "ID". I assume it is "ID" because that
>> is the name/case of the attribute in the Assertion element.
>>
>> Here is the snippet of code:
>>
>>  nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), 
>> "Assertion", "urn:oasis:names:tc:SAML:2.0:assertion" );
>>  if ( nodeReference == NULL ) {
>>     fprintf(stderr, "Error: reference node not found in passed-in 
>> string n=%s ns=%s\n", "Assertion", 
>> "urn:oasis:names:tc:SAML:2.0:assertion");
>>     // eventually they won't be hard coded, but variables, which is
>>     // why it's set up as a fprintf for now
>>     goto done;
>>   }
>>   RegisterID( nodeReference, "ID" );
>>
>> Unfortunately it seems to be the wrong node (or I've implemented
>> things incorrectly). The xmlSecFindNode returned the node, I passed
>> that to RegisterID which returned a success response (at least on the
>> first test run of the program, subsequent test runs return
>> "id already registered" response from RegisterID) but I'm still
>> getting this error:
>>
>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 
>> library function 
>> failed:expr=xpointer(id('id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-'))
>>
>> That's the same ID string that is identified in the 'dsig:Reference'
>> element's URI attribute: '#id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-'.
>>
>> I know this could easily be considered beyond xmlsec, and I am greatly
>> appreciative of the assistance I've received so far. Please know that
>> any advice anyone can give is tremendously appreciated.
>>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec


More information about the xmlsec mailing list