[xmlsec] xmlsec signing saml response with Reference URI
Cook, Sean D (Genworth)
Sean.Cook at genworth.com
Thu May 21 01:54:06 PDT 2009
Sorry... I have been fighting this for a while... that should have
contained URI="#1234" which produces the following:
rivkey-pem keys/private.key,keys/hewitt.pem --id-attr:ID 1234 --trusted-pem keys/hewitt.pem --output saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml.out saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml | grep io | grep failed
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('1234'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
Error: failed to sign file "saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml"
[root at dev-hqss hewitt]# /apps/xmlsec/bin/xmlsec1 sign --store-signatures --store-references --privkey-pem keys/private.key,keys/hewitt.pem --id-attr:ID 1234 --trusted-pem keys/hewitt.pem --output saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml.out saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('1234'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
= SIGNATURE CONTEXT
== Status: unknown
== flags: 0x0000000e
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000000
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: membuf-transform (href=NULL)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE CALCULATION CONTEXT
== Status: unknown
== URI: "#1234"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=1)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #1234
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
Error: failed to sign file "saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml"
-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: Wednesday, May 20, 2009 10:29 PM
To: Cook, Sean D (Genworth)
Cc: xmlsec at aleksey.com
Subject: Re: [xmlsec] xmlsec signing saml response with Reference URI
> func=xmlSecTransformInputURIOpen:.... :subj=opencallback:error=7:
> io function failed:uri=1234; ...
Looks like you are trying to open file "1234" :)
Aleksey
Cook, Sean D (Genworth) wrote:
> Hello! I am relatively new to all of this and would appreciate any help
> you can provide. I am trying to sign the following response and get an
> error related to the Reference URI. Can you point me in the right
> direction as to what I am doing wrong?
>
> Command:
>
> /apps/xmlsec/bin/xmlsec1 sign --store-signatures --store-references --privkey-pem keys/private.key,keys/hewitt.pem --id-attr:ID 1234 --trusted-pem keys/hewitt.pem --output saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml.out saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml
>
> The error that I receive is:
>
> /apps/xmlsec/bin/xmlsec1 sign --store-signatures --store-references --privkey-pem keys/private.key,keys/hewitt.pem --id-attr:ID 1234 --trusted-pem keys/hewitt.pem --output saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml.out saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml
>
> func=xmlSecTransformInputURIOpen:file=io.c:line=423:obj=input-uri:subj=opencallback:error=7:io function failed:uri=1234;errno=2
> func=xmlSecTransformCtxUriExecute:file=transforms.c:line=1135:obj=unknown:subj=xmlSecTransformInputURIOpen:error=1:xmlsec library function failed:uri=1234
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1280:obj=unknown:subj=xmlSecTransformCtxUriExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>
> Error: signature failed
>
> = SIGNATURE CONTEXT
> == Status: unknown
> == flags: 0x0000000e
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000000
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == SignedInfo References List:
> === list size: 1
> = REFERENCE CALCULATION CONTEXT
> == Status: unknown
> == URI: "1234"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: 1234
> === uri xpointer expr: NULL
> === Transform: input-uri (href=NULL)
> === Transform: xml-parser (href=NULL)
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Manifest References List:
> === list size: 0
>
> This is the SAML Response:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="eangjhbokpbelnnlhopofglhhjmblhnahlhbdipo" Version="2.0" IssueInstant="2009-05-21T01:56:51Z" Destination="https://two.qsse.hewitt.com/federation/Consumer/metaAlias/sp">
>   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">dev.genworth.com:saml2.0</saml:Issuer>
>   <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>     <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
>   </samlp:Status>
>   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="1234" IssueInstant="2009-05-21T01:56:51Z">
>     <saml:Issuer>dev.genworth.com:saml2.0</saml:Issuer>
>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>       <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>         <Reference URI="1234" xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>             <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>           </Transforms>
>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
>           <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#"></DigestValue>
>         </Reference>
>       </SignedInfo>
>       <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#"></SignatureValue>
>       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#"></X509Certificate>
>         </X509Data>
>       </KeyInfo>
>     </Signature>
>     <saml:Subject>
>       <saml:NameID NameQualifier="dev.genworth.com:saml2.0" SPNameQualifier="qc.hewitt.com:saml2.0" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">0000</saml:NameID>
>       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml:SubjectConfirmationData NotOnOrAfter="2009-05-21T01:57:51Z" Recipient="https://was6-tba-dv.hewitt.com/federation/Consumer/metaAlias/sp">
>         </saml:SubjectConfirmationData>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Conditions NotBefore="2009-05-21T01:55:51Z" NotOnOrAfter="2009-05-21T01:57:51Z">
>       <saml:AudienceRestriction>
>         <saml:Audience>qc.hewitt.com:saml2.0</saml:Audience>
>       </saml:AudienceRestriction>
>     </saml:Conditions>
>     <saml:AuthnStatement AuthnInstant="2009-05-21T01:56:51Z" SessionIndex="ibcepapgopfdgalnjipfpnfgjmimfiknjmbinbpl">
>       <saml:AuthnContext>
>         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
>       </saml:AuthnContext>
>     </saml:AuthnStatement>
>     <saml:AttributeStatement>
>       <saml:Attribute Name="uid">
>         <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">326001093</saml:AttributeValue>
>       </saml:Attribute>
>       <saml:Attribute Name="clientId">
>         <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">10557</saml:AttributeValue>
>       </saml:Attribute>
>     </saml:AttributeStatement>
>   </saml:Assertion>
> </samlp:Response>
>
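The two error traces in this thread are the two ways a ds:Reference URI can fail to resolve: URI="1234" is not a fragment, so xmlsec's input-uri transform tries to open "1234" as an external resource (io function failed ... errno=2), while URI="#1234" is a same-document fragment that xmlsec turns into xpointer(id('1234')), which can only succeed if the library knows which attribute is an ID. Per the xmlsec1 man page, --id-attr[:<attr-name>] takes the name of the element whose attribute should be registered, in the form [<node-namespace-uri>:]<node-name>, so for a SAML assertion the registration names the Assertion element (urn:oasis:names:tc:SAML:2.0:assertion:Assertion), not the ID value. The following is an added example, not part of the thread or of xmlsec: a small standard-library model of that resolution logic, with a constructed SAML fragment trimmed from the one posted above, that reproduces both failure modes and the working case. It also rejects a non-unique ID, which is a check a verifier wants so that a signature can never bind to an ambiguous element. All function names are my own.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample, modelled on the SAML Response in the thread with the
# signature and statements trimmed. The Response ID is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="response-id-placeholder" Version="2.0">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Version="2.0" ID="1234">
    <saml:Issuer>issuer.example</saml:Issuer>
  </saml:Assertion>
</samlp:Response>
"""


def register_id_attr(id_attrs, node_name, attr_name="ID", node_ns=""):
    """Model of xmlsec1's --id-attr[:<attr-name>] [<ns-uri>:]<node-name>:
    mark <attr-name> on elements named <node-name> in <node_ns> as an ID attribute.
    The argument is the element name; registering the ID value itself does nothing useful."""
    id_attrs[(node_ns, node_name)] = attr_name
    return id_attrs


def _split_tag(tag):
    """ElementTree encodes namespaced tags as '{ns}local'; return (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def resolve_reference(root, uri, id_attrs):
    """Classify a ds:Reference URI and resolve it against the parsed document.

    Returns (kind, value):
      ("document", root)  for URI=""        (same document, whole tree)
      ("element", elem)   for URI="#<id>"   (element whose registered ID attribute equals <id>)
      ("external", uri)   for anything else (dereferenced as an external URI, e.g. a file)
    Raises LookupError when "#<id>" matches no element or more than one.
    """
    if uri == "":
        return ("document", root)
    if not uri.startswith("#"):
        # First failure mode in the thread: "1234" is not a fragment, so the
        # library tries to open it as an external resource and gets ENOENT.
        return ("external", uri)
    wanted = uri[1:]
    matches = [
        elem for elem in root.iter()
        if id_attrs.get(_split_tag(elem.tag)) is not None
        and elem.get(id_attrs[_split_tag(elem.tag)]) == wanted
    ]
    if not matches:
        # Second failure mode: the fragment is right, but no ID attribute was
        # registered, so the id() lookup behind xpointer(id('1234')) finds nothing.
        raise LookupError(f"no element with a registered ID attribute equal to {wanted!r}")
    if len(matches) > 1:
        # Defensive check: never let a signature bind to an ambiguous target.
        raise LookupError(f"ID {wanted!r} is not unique ({len(matches)} elements)")
    return ("element", matches[0])


def resolve_in(xml_text, uri, id_attrs):
    """Parse xml_text and resolve uri; returns (kind, local element name or external uri)."""
    kind, value = resolve_reference(ET.fromstring(xml_text), uri, id_attrs)
    if kind == "external":
        return kind, value
    return kind, _split_tag(value.tag)[1]


def demo():
    """Walk through the three situations from the thread; returns the outcomes."""
    results = {}
    # 1. URI="1234" with nothing registered: treated as an external URI.
    results["bare"] = resolve_in(SAMPLE_RESPONSE, "1234", {})[0]
    # 2. URI="#1234" but the ID attribute was never registered: lookup fails.
    try:
        resolve_in(SAMPLE_RESPONSE, "#1234", {})
        results["unregistered"] = "resolved"
    except LookupError:
        results["unregistered"] = "lookup failed"
    # 3. URI="#1234" with ID registered on saml:Assertion: resolves to the Assertion.
    id_attrs = register_id_attr({}, "Assertion", "ID", SAML_ASSERTION_NS)
    results["registered"] = resolve_in(SAMPLE_RESPONSE, "#1234", id_attrs)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The registration in case 3 is the model of what the man-page syntax expresses on the command line (`--id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion`); a DTD or schema that declares the attribute as type ID achieves the same thing without the flag. When a verifier uses such a registration, the uniqueness check matters as much as the lookup: an ID that resolves to more than one element should fail closed rather than pick the first match.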