[xmlsec] xmlsec signing saml response with Reference URI
Aleksey Sanin
aleksey at aleksey.com
Wed May 20 19:28:54 PDT 2009
> func=xmlSecTransformInputURIOpen:.... :subj=opencallback:error=7:
> io function failed:uri=1234; ...
Looks like you are trying to open file "1234" :)
Aleksey
Cook, Sean D (Genworth) wrote:
> Hello! I am relatively new to all of this and would appreciate any help
> you can provide. I am trying to sign the following response and get an
> error related to the Reference URI. Can you point me in the right
> direction as to what I am doing wrong?
>
> Command:
>
> /apps/xmlsec/bin/xmlsec1 sign --store-signatures --store-references
> --privkey-pem keys/private.key,keys/hewitt.pem --id-attr:ID 1234
> --trusted-pem keys/hewitt.pem --output
> saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml.out
> saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml
>
> The error that I receive is:
>
> /apps/xmlsec/bin/xmlsec1 sign --store-signatures --store-references
> --privkey-pem keys/private.key,keys/hewitt.pem --id-attr:ID 1234
> --trusted-pem keys/hewitt.pem --output
> saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml.out
> saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml
>
> func=xmlSecTransformInputURIOpen:file=io.c:line=423:obj=input-uri:subj=opencallback:error=7:io function failed:uri=1234;errno=2
> func=xmlSecTransformCtxUriExecute:file=transforms.c:line=1135:obj=unknown:subj=xmlSecTransformInputURIOpen:error=1:xmlsec library function failed:uri=1234
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1280:obj=unknown:subj=xmlSecTransformCtxUriExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
>
> = SIGNATURE CONTEXT
> == Status: unknown
> == flags: 0x0000000e
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000000
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == SignedInfo References List:
> === list size: 1
> = REFERENCE CALCULATION CONTEXT
> == Status: unknown
> == URI: "1234"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: 1234
> === uri xpointer expr: NULL
> === Transform: input-uri (href=NULL)
> === Transform: xml-parser (href=NULL)
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Manifest References List:
> === list size: 0
>
> This is the SAML Response:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     ID="eangjhbokpbelnnlhopofglhhjmblhnahlhbdipo" Version="2.0" IssueInstant="2009-05-21T01:56:51Z"
>     Destination="https://two.qsse.hewitt.com/federation/Consumer/metaAlias/sp">
>   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">dev.genworth.com:saml2.0</saml:Issuer>
>   <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>     <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
>   </samlp:Status>
>   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="1234" IssueInstant="2009-05-21T01:56:51Z">
>     <saml:Issuer>dev.genworth.com:saml2.0</saml:Issuer>
>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>       <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>         <Reference URI="1234" xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>             <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>           </Transforms>
>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>           <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#"></DigestValue>
>         </Reference>
>       </SignedInfo>
>       <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#"></SignatureValue>
>       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#"></X509Certificate>
>         </X509Data>
>       </KeyInfo>
>     </Signature>
>     <saml:Subject>
>       <saml:NameID NameQualifier="dev.genworth.com:saml2.0" SPNameQualifier="qc.hewitt.com:saml2.0" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">0000</saml:NameID>
>       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml:SubjectConfirmationData NotOnOrAfter="2009-05-21T01:57:51Z" Recipient="https://was6-tba-dv.hewitt.com/federation/Consumer/metaAlias/sp"></saml:SubjectConfirmationData>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Conditions NotBefore="2009-05-21T01:55:51Z" NotOnOrAfter="2009-05-21T01:57:51Z">
>       <saml:AudienceRestriction>
>         <saml:Audience>qc.hewitt.com:saml2.0</saml:Audience>
>       </saml:AudienceRestriction>
>     </saml:Conditions>
>     <saml:AuthnStatement AuthnInstant="2009-05-21T01:56:51Z" SessionIndex="ibcepapgopfdgalnjipfpnfgjmimfiknjmbinbpl">
>       <saml:AuthnContext>
>         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
>       </saml:AuthnContext>
>     </saml:AuthnStatement>
>     <saml:AttributeStatement>
>       <saml:Attribute Name="uid">
>         <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">326001093</saml:AttributeValue>
>       </saml:Attribute>
>       <saml:Attribute Name="clientId">
>         <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">10557</saml:AttributeValue>
>       </saml:Attribute>
>     </saml:AttributeStatement>
>   </saml:Assertion>
> </samlp:Response>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
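Editor's note on the point Aleksey is making. An XML-DSig <Reference URI="..."> without a leading "#" is, by the XML Signature spec, an external resource, so xmlsec1's input-uri transform tries to open "1234" as a file or URL and fails with errno=2. A same-document reference to the Assertion is written URI="#1234", and xmlsec1 also has to be told which attribute is an ID: its --id-attr[:<attr>] [<node>] option takes the element name whose attribute should be treated as an ID, so the registration needed here is --id-attr:ID Assertion (or, namespace-qualified, --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion) rather than the literal 1234 passed in the posted command. The script below is an added example, not code from this thread or from the xmlsec project; it models the same-document reference resolution and enveloped-signature step of a dsig processor on a constructed SAML fragment shaped like the posted Response, using only the Python standard library. Canonicalization is the stdlib's C14N 2.0 rather than exc-c14n, so the digest shows the pipeline and will not match xmlsec1's value. The duplicate-ID refusal is an added defensive check (two elements claiming the same ID is the ambiguity signature-wrapping relies on), not something xmlsec1 is claimed to do.

```python
# Added example (not from the xmlsec thread or the xmlsec project): how a
# dsig processor decides what <Reference URI="..."> points at, and why
# URI="1234" is an external resource while URI="#1234" selects the Assertion
# whose registered ID attribute is 1234.  Stdlib only; XML below is constructed.
import copy
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed input modelled on the posted Response: one Assertion with
# ID="1234" carrying an enveloped Signature.  {uri} is filled in by the caller.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1" Version="2.0">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="1234" Version="2.0">
    <saml:Issuer>dev.example.test</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo><Reference URI="{uri}"/></SignedInfo>
    </Signature>
    <saml:Subject><saml:NameID>0000</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed variant with a second Assertion reusing ID="1234".
DUPLICATE_ID_RESPONSE = RESPONSE_TEMPLATE.format(uri="#1234").replace(
    "</samlp:Response>",
    '  <saml:Assertion xmlns:saml="%s" ID="1234" Version="2.0"/>\n</samlp:Response>' % SAML_NS)

# (element, attribute) pairs that count as ID attributes.  This is what
# `xmlsec1 --id-attr:ID Assertion` registers; with nothing registered no
# "#fragment" reference can resolve.
DEFAULT_ID_ATTRS = (("{%s}Assertion" % SAML_NS, "ID"),)


def classify_reference_uri(uri):
    """XML-DSig 4.4.3: "" is the whole document, "#x" (or the barename
    xpointer form #xpointer(id('x'))) is the element whose ID attribute is x,
    and anything else is an external resource to be fetched."""
    if uri == "":
        return "document", None
    if uri.startswith("#"):
        frag = uri[1:]
        if frag.startswith("xpointer(id('") and frag.endswith("'))"):
            frag = frag[len("xpointer(id('"):-3]
        return "same-document", frag
    return "external", None


def resolve_reference(root, uri, id_attrs=DEFAULT_ID_ATTRS):
    """Return the element a Reference URI selects within the parsed document.
    Raises ValueError for external URIs (xmlsec1 would try to open them as a
    file/URL, the failure in the thread) and for duplicate IDs; LookupError
    when no registered ID attribute carries the fragment value."""
    kind, frag = classify_reference_uri(uri)
    if kind == "document":
        return root
    if kind == "external":
        raise ValueError("URI %r is not a fragment; would be opened as a file/URL" % uri)
    matches = [el for el in root.iter()
               for tag, attr in id_attrs if el.tag == tag and el.get(attr) == frag]
    if not matches:
        raise LookupError("no registered ID attribute equals %r" % frag)
    if len(matches) > 1:
        # Defensive: an ambiguous ID is the setup for signature wrapping;
        # refuse rather than silently pick the first match.
        raise ValueError("ID %r is not unique in the document" % frag)
    return matches[0]


def enveloped_signature_transform(element):
    """Enveloped-signature transform: drop the ds:Signature child of the
    referenced element before digesting.  Works on a copy."""
    el = copy.deepcopy(element)
    for sig in el.findall("{%s}Signature" % DSIG_NS):
        el.remove(sig)
    return el


def digest_reference(xml_text, uri):
    """Resolve, apply enveloped-signature, canonicalize, SHA-1.  Returns
    (canonical_xml, hex_digest).  C14N 2.0 stands in for exc-c14n here."""
    root = ET.fromstring(xml_text)
    target = enveloped_signature_transform(resolve_reference(root, uri))
    canon = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    return canon, hashlib.sha1(canon.encode("utf-8")).hexdigest()


def reference_status(xml_text, uri, id_attrs=DEFAULT_ID_ATTRS):
    """'ok' | 'external' | 'missing' | 'duplicate' for a (document, URI) pair."""
    try:
        resolve_reference(ET.fromstring(xml_text), uri, id_attrs)
        return "ok"
    except LookupError:
        return "missing"
    except ValueError as e:
        return "duplicate" if "not unique" in str(e) else "external"


if __name__ == "__main__":
    for uri in ("1234", "#1234", "#xpointer(id('1234'))", ""):
        doc = RESPONSE_TEMPLATE.format(uri=uri)
        print("%-24s -> %s" % (repr(uri), reference_status(doc, uri)))
    print("#1234 with no ID attrs registered ->",
          reference_status(RESPONSE_TEMPLATE.format(uri="#1234"), "#1234", id_attrs=()))
    canon, digest = digest_reference(RESPONSE_TEMPLATE.format(uri="#1234"), "#1234")
    print(canon)
    print("sha1:", digest)
```

Run it as a script: the posted form "1234" comes back as external, "#1234" and the xpointer form resolve to the Assertion, and "#1234" with an empty id_attrs tuple is "missing", which is the same situation xmlsec1 is in when --id-attr is wrong or absent. The printed canonical Assertion no longer contains the Signature element, which is what the enveloped-signature transform guarantees the digest covers.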