[xmlsec] unable to dereference URI
Jeffrey Jin (jefjin)
jefjin at cisco.com
Wed Jul 31 18:40:39 PDT 2013
Hi Aleksey,
Thanks for your quick replay. You mean I need to change attribute URI to
ID? Like this:
"<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
If my understanding is correct, there has two issues coming:
1) it's saml response from ci, I need to change the URI to ID when I
receive the response
2) when I change URI to ID, yes, below error is gone, but I got error:
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unk
nown:error=12:invalid data:data and digest do not match
RESULT: Signature is INVALID
I can make sure I use the correct public key to verify, it should be
VALID. I'm worry about changing URI to ID whether has problem. I check the
URI type in anyURI on http://www.w3.org/2000/09/xmldsig# and
URI="#s29c0153b613859ac1c788536d2a924d65e643b308"identifies a node-set
containing the element with ID attribute value
's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
containing the signature. XML Signature (and its applications) modify this
node-set to include the element plus all descendants including namespaces
and attributes -- but not comments.
-Jeffrey
On 8/1/13 2:00 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>You need to define ID attribute to the element where it is specified,
>not to the Reference element where it is used
>
>Aleksey
>
>On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>> Hi xmlsec team,
>>
>> I use xmlsec library to verify signature whether correct. But when saml
>> response include "<ds:Reference
>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>> I got the error:
>>
>>
>>func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPt
>>rEval:error=5:libxml2 library function
>>failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>
>>func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xm
>>lSecXPathDataExecute:error=1:xmlsec library function failed:
>>
>>func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=
>>xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>
>>func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpoint
>>er:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>
>>func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown
>>:subj=xmlSecTransformPushXml:error=1:xmlsec library function
>>failed:transform=xpointer
>>
>>func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:su
>>bj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>
>>func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unkno
>>wn:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function
>>failed:
>>
>>func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unkno
>>wn:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library
>>function failed:node=Reference
>>
>>func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknow
>>n:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library
>>function failed:
>>
>>func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecD
>>SigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>> Error: signature verification failed
>>
>>
>> I found the answer of similar issue from
>>http://www.aleksey.com/xmlsec/faq.html
>>
>> So I add the DTD:
>>
>> <!DOCTYPE test [
>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>> ]>
>>
>> But it doesn't work. Someone can help me out.
>>
>> Thanks in advance.
>>
>>
>> -Jeffrey
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
More information about the xmlsec
mailing list