[xmlsec] verify message

Aleksey Sanin aleksey at aleksey.com
Fri Feb 1 09:32:25 PST 2008


Look at the FAQ

http://www.aleksey.com/xmlsec/faq.html

Aleksey

Ulrich Wisser wrote:
> 
> Hi,
> 
> I desperately try to verify an xml message I receive. Unfortunately it doesn't contain an xml:id attribute but rather uses ResponseID. Any ideas what I have to do to verify the message?
> 
> This is my result 
> 
> user at ulrich:~# xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr ResponseID response.xml
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_e2dd66488f8d6ae7d23d17e0aa8e3c07'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "response.xml"
> 
> If I change the message and add an xml:id attribute with the same value as ResponseID I don't get any library failures but of course the message will not verify.
> 
> Is there any command line option to make xmlsec1 use ResponseID?
> 
> Please find my message below.
> 
> Kind regards
> 
> Ulrich 
> 
> -- 
> Ulrich Wisser
> developer
> .SE (Stiftelsen för Internetinfrastruktur)
> Ringvägen 100, Box 7399, 103 91 Stockholm
> Tel: 08-4523558, mobil: 0732-745900
> 
> 
> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-02-01T08:27:49.382Z" MajorVersion="1" MinorVersion="1" Recipient="http://domainmanager/start/acs" ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>ErWp2Ove+0tBFJ63jWo1GPPWJOI=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> rDmH0K29qsLsTIUqSwpdE0Zf9KJYDC5nmU/hSI/exMtTYXg5L2kon9c9A9sMcXvrSyX65yQQxzgO
> QtUDgNklvJtYhiIl5ScO04dCE370auHtm0gg5BGD+3Bf8O0LkoHAy6PyfG7zoOOZNd/kUDegE9ku
> 7fnL/8xOQynT0OYXkJo=
> </ds:SignatureValue>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>
> MIIDNDCCAp2gAwIBAgIJAKqjIMJ8jZisMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlNFMRIw
> EAYDVQQHEwlTdG9ja2hvbG0xNTAzBgNVBAoTLC5TRSAoVGhlIEludGVybmV0IEluZnJhc3RydWN0
> dXJlIEZvdW5kYXRpb24pMRYwFAYDVQQDEw1pZHAuZG5zc2VjLnNlMB4XDTA3MDYyNjExMjE1NloX
> DTA3MDcyNjExMjE1NlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAcTCVN0b2NraG9sbTE1MDMGA1UE
> ChMsLlNFIChUaGUgSW50ZXJuZXQgSW5mcmFzdHJ1Y3R1cmUgRm91bmRhdGlvbikxFjAUBgNVBAMT
> DWlkcC5kbnNzZWMuc2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOSsqRE2m82D6ho3jcxh
> RjMYq7JArN4aHl5Zroi9K97rgsDiwU6vsoaYrlbXSQLLeuDJX79hu8kf3BKN/6n5YmX8UogBTauz
> a/7XOx/cMWDiwL79gwO4d4uOJ+hCHyL9CsWKN0Si3e2dkt0248lCaul+70qzq8TEgdA0Tr0o4xvZ
> AgMBAAGjgdUwgdIwHQYDVR0OBBYEFA8hU9S9CBwom4OVGFPUD/GIgseeMIGiBgNVHSMEgZowgZeA
> FA8hU9S9CBwom4OVGFPUD/GIgseeoXSkcjBwMQswCQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2to
> b2xtMTUwMwYDVQQKEywuU0UgKFRoZSBJbnRlcm5ldCBJbmZyYXN0cnVjdHVyZSBGb3VuZGF0aW9u
> KTEWMBQGA1UEAxMNaWRwLmRuc3NlYy5zZYIJAKqjIMJ8jZisMAwGA1UdEwQFMAMBAf8wDQYJKoZI
> hvcNAQEFBQADgYEAjTW5LM0rVCehN6hL+6nSI4V+WiLUpk3iGs5TK7Qi5VHD3uxSGY2ykKAMTVGh
> JakPzIuLFb5LLdkoMTkMUPmhYb0JWMDciMlHvNmZMdVPupKLanSAPoiUxvOMZ6SWNpcgcLdyHzk9
> 6m0qdfNoa1sta4OfV7Go4I3Ag3EwCp8U32s=
> </ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"/></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_ac6db8b49b31f7796079b8988e1b3e7b" IssueInstant="2008-02-01T08:27:49.381Z" Issuer="https://idp.dnssec.se/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-01T08:27:49.381Z" NotOnOrAfter="2008-02-01T08:32:49.381Z"><AudienceRestrictionCondition><Audience>urn:uuid:97820956-1fc3-4a8a-a10b-ae13bceea8f8</Audience><Audience>http://domainmanager/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2008-02-01T08:27:49.381Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"><Subject><NameIdentifier Format="urn:oasis:names:tc:SAML1.1:nameid-format:emailAddress" NameQualifier="https://idp.dnssec.se/shibboleth">u.wisser at publisher.de</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="172.18.24.50"/></AuthenticationStatement></Assertion></Response>
>  
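The ID-attribute registration the question is about, as an added Python example that is not part of the thread or of xmlsec: it resolves the Reference URI the way xmlsec1 does once ResponseID is registered (xmlsec1 takes that registration as `--id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response`, not a bare `--id-attr ResponseID`), and then checks that the single Reference covers the Response root. The sample document, its ID values and placeholder digest/signature values are constructed; resolve_reference and reference_covers_root are names of my own.

```python
# Added example (not from the xmlsec thread or project): resolves an XML-DSig
# same-document Reference URI once the ID attribute is registered, the job of
# xmlsec1's --id-attr option. All document values below are constructed.
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# element tag -> attribute treated as an XML ID. libxml2's id() lookup in the
# log above fails because ResponseID is not in such a list.
ID_ATTRS = {
    "{%s}Response" % SAMLP: "ResponseID",
    "{%s}Assertion" % SAML: "AssertionID",
}

# Constructed SAML 1.1 response; digest and signature values are placeholders.
SAMPLE = (
    '<Response xmlns="%s" xmlns:ds="%s" ResponseID="_resp1" MajorVersion="1" MinorVersion="1">'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1">'
    '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '<Assertion xmlns="%s" AssertionID="_assert1"/></Response>' % (SAMLP, DSIG, SAML)
)

def resolve_reference(root, uri, id_attrs=ID_ATTRS):
    """Element a "#id" URI points at; None if the attribute is not registered,
    the value is absent, or the ID occurs twice (ambiguity is refused)."""
    if not uri.startswith("#"):
        return None  # external and whole-document references are out of scope
    wanted = uri[1:]
    hits = [el for el in root.iter()
            if el.tag in id_attrs and el.get(id_attrs[el.tag]) == wanted]
    return hits[0] if len(hits) == 1 else None

def reference_covers_root(root):
    """True if the enveloped Signature has exactly one Reference and it
    resolves to the document root, i.e. the whole Response is signed."""
    sig = root.find("{%s}Signature" % DSIG)
    if sig is None:
        return False
    refs = sig.findall("{%s}SignedInfo/{%s}Reference" % (DSIG, DSIG))
    if len(refs) != 1:
        return False
    return resolve_reference(root, refs[0].get("URI", "")) is root

if __name__ == "__main__":
    doc = ET.fromstring(SAMPLE)
    print("unregistered:", resolve_reference(doc, "#_resp1", {}))
    print("registered:", resolve_reference(doc, "#_resp1").tag)
    print("covers root:", reference_covers_root(doc))
```

Passing an empty mapping reproduces the failure in the log (the reference cannot be resolved at all); this only covers reference resolution, the digest and signature checks are still xmlsec1's job.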