[xmlsec] Verifing signature of SAML XML artifacts that has an
ID attribute in it, but I think I should ignore it
Aleksey Sanin
aleksey at aleksey.com
Fri May 25 08:24:59 PDT 2007
The following xmlsec utility command gets the reference correctly
though the signature verification fails since I don't have correct
keys:
$xmlsec1 --verify \
--store-references \
--id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion \
artifact.xml
Take a look at the xmlsec utility source code under debugger
and do the same in your program.
Aleksey
Aleksey Sanin wrote:
> Send me the document you are trying to sign/verify
>
> Aleksey
>
> James Olsen wrote:
>> Hello Aleksey,
>>
>>>> nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc),
>>>> "Assertion", xmlSecDSigNs );
>>
>> AS> You need to pass *saml* namespace URI.
>>
>> As obvious as that may seem, I appreciate your answer because it
>> wasn't obvious to me at the time (looking back at it now it amazes me
>> that I didn't realize that on my own). I am now using the
>> 'urn:oasis:names:tc:SAML:2.0:assertion' namespace and xmlSecFindNode
>> found the node. Thank you!
>>
>> The node I used I passed to RegisterID was:
>>
>> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>> Version="2.0"
>> ID="id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-"
>> IssueInstant="2007-04-24T20:07:36Z">
>>
>> and I used the attribute name "ID". I assume it is "ID" because that
>> is the name/case of the attribute in the Assertion element.
>>
>> Here is the snippet of code:
>>
>> nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc),
>> "Assertion", "urn:oasis:names:tc:SAML:2.0:assertion" );
>> if ( nodeReference == NULL ) {
>> fprintf(stderr, "Error: reference node not found in passed-in
>> string n=%s ns=%s\n", "Assertion",
>> "urn:oasis:names:tc:SAML:2.0:assertion");
>> // eventually they won't be hard coded, but variables, which is
>> // why it's set up as a fprintf for now
>> goto done;
>> }
>> RegisterID( nodeReference, "ID" );
>>
>> Unfortunately it seems to be the wrong node (or I've implemented
>> things incorrectly). The xmlSecFindNode returned the node, I passed
>> that to RegisterID which returned a success response (at least on the
>> first test run of the program, subsequent test runs return
>> "id already registered" response from RegisterID) but I'm still
>> getting this error:
>>
>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
>> library function
>> failed:expr=xpointer(id('id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-'))
>>
>> That's the same ID string that is identified in the 'dsig:Reference'
>> element's URI attribute: '#id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-'.
>>
>> I know this could easily be considered beyond xmlsec, and I am greatly
>> appreciative of the assistance I've received so far. Please know that
>> any advice anyone can give is tremendously appreciated.
>>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list