[xmlsec] unable to dereference URI

Jeffrey Jin (jefjin) jefjin at cisco.com
Thu Aug 1 00:28:46 PDT 2013


Hi Aleksey,

I found something:
failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
refers to the element in the target document, with the id value of
"s29c0153b613859ac1c788536d2a924d65e643b308".

But my SAML response:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s29c0153b613859ac1c788536d2a924d65e643b308"
IssueInstant="2013-07-30T09:57:48Z" Version="2.0">. It's a capital ID.

If I change ID to id in assertion element then add
<!DOCTYPE test [
<!ATTLIST saml:Assertion id ID #IMPLIED>
]>

then this error seems to go away. But since I actually modify the SAML response, it will
lead to the verification failing.
So do you have any idea on this? Thanks in advance.

-Jeffrey



On 8/1/13 10:28 AM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:

>Anyway, thanks again. Let me check if there is another way to solve it!
>
>On 8/1/13 9:59 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>
>>Well, it means that I failed to explain what needs to be done in my
>>first email and I don't have any other ideas how to do it.
>>
>>Aleksey
>>
>>On 7/31/13 6:57 PM, Jeffrey Jin (jefjin) wrote:
>>> You mean xmlsec can't work in URI case?
>>> 
>>> On 8/1/13 9:43 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>> 
>>>> I am sorry but you need to read XML DTD spec and XMLDsig spec as well.
>>>> Unfortunately, this is required reading if you want to use xmlsec
>>>> library.
>>>>
>>>>
>>>>
>>>> Aleksey
>>>>
>>>> On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
>>>>> Hi Aleksey,
>>>>>
>>>>> Thanks for your quick reply. You mean I need to change attribute URI
>>>>> to ID? Like this:
>>>>> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>
>>>>> If my understanding is correct, there are two issues:
>>>>> 1) it's a SAML response from ci; I need to change the URI to ID when I
>>>>> receive the response
>>>>> 2) when I change URI to ID, yes, the error below is gone, but I get
>>>>> this error:
>>>>>
>>>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>>>>> RESULT: Signature is INVALID
>>>>>
>>>>> I can confirm I use the correct public key to verify; it should be
>>>>> VALID. I'm worried about whether changing URI to ID causes a problem.
>>>>> I checked the URI type (anyURI) on http://www.w3.org/2000/09/xmldsig#, and
>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a node-set
>>>>> containing the element with ID attribute value
>>>>> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
>>>>> containing the signature. XML Signature (and its applications) modify
>>>>> this node-set to include the element plus all descendants including
>>>>> namespaces and attributes -- but not comments.
>>>>>
>>>>> -Jeffrey
>>>>>
>>>>> On 8/1/13 2:00 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>>
>>>>>> You need to define the ID attribute on the element where it is
>>>>>> specified, not on the Reference element where it is used
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>>>>>>> Hi xmlsec team,
>>>>>>>
>>>>>>> I use the xmlsec library to verify whether a signature is correct. But
>>>>>>> when the SAML response includes "<ds:Reference
>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>>> I get the error:
>>>>>>>
>>>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>>>> Error: signature verification failed
>>>>>>>
>>>>>>>
>>>>>>> I found the answer of similar issue from
>>>>>>> http://www.aleksey.com/xmlsec/faq.html
>>>>>>>
>>>>>>> So I add the DTD:
>>>>>>>
>>>>>>> <!DOCTYPE test [
>>>>>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>>>>>>> ]>
>>>>>>>
>>>>>>> But it doesn't work. Can someone help me out?
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>>>
>>>>>>>
>>>>>>> -Jeffrey
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> xmlsec mailing list
>>>>>>> xmlsec at aleksey.com
>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>
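The whole thread turns on two points: xmlsec can only dereference URI="#..." if the parser has been told which attribute is an ID on the element that carries it (the DTD ATTLIST from the FAQ, applied to saml:Assertion rather than to ds:Reference; xmlsec1's --id-attr option does the same from the command line), and editing the signed Assertion to satisfy such a declaration changes the bytes that were digested, which is why the renamed document then fails with "data and digest do not match". The Python below is an illustration added here; it is not part of the thread and not xmlsec's code. It models the ID registry with the standard library only. The sample document, the two declaration tables and the SHA-1 over a plain serialization are constructed stand-ins: real XMLDSig digests the canonicalized subtree with the DigestMethod named in the Reference.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

for _prefix, _uri in (("saml", SAML_NS), ("ds", DS_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample, modelled on the fragments quoted in the thread: the
# Assertion carries a capitalised ID attribute and the Reference points at
# it with a same-document URI. The Signature is reduced to what matters here.
SAMPLE_DOC = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="s29c0153b613859ac1c788536d2a924d65e643b308"
      IssueInstant="2013-07-30T09:57:48Z" Version="2.0">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#s29c0153b613859ac1c788536d2a924d65e643b308"/>
      </ds:SignedInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# ID declarations are keyed by (namespace URI, element local name) and list
# the attribute names that act as IDs on that element. This is the effect a
# DTD <!ATTLIST elem attr ID #IMPLIED> (or xmlsec1 --id-attr) has on a parser.
WRONG_DECL = {(DS_NS, "Reference"): ("URI",)}   # the first post's attempt
RIGHT_DECL = {(SAML_NS, "Assertion"): ("ID",)}  # declare ID where it is carried


def split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def resolve_reference(root, uri, id_attrs):
    """Dereference a same-document URI ('#value') to the element whose
    declared ID attribute equals value, or None if nothing matches."""
    if not uri.startswith("#"):
        return None  # external references are out of scope here
    wanted = uri[1:]
    for elem in root.iter():
        for attr in id_attrs.get(split_tag(elem.tag), ()):
            # Attribute names are case-sensitive: declaring 'id' does not
            # make an 'ID' attribute an ID, which is the trap in the thread.
            if elem.get(attr) == wanted:
                return elem
    return None


def check_references(root, id_attrs):
    """Map every ds:Reference URI to whether it could be dereferenced."""
    return {
        ref.get("URI", ""): resolve_reference(root, ref.get("URI", ""), id_attrs) is not None
        for ref in root.iter("{%s}Reference" % DS_NS)
    }


def subtree_digest(elem):
    """SHA-1 of a plain serialization of the subtree (a stand-in for C14N plus
    DigestMethod); it only shows that editing the signed subtree changes it."""
    return hashlib.sha1(ET.tostring(elem)).hexdigest()


def digest_before_and_after_rename(root, old_attr="ID", new_attr="id"):
    """Digest of the signed Assertion as received, and after renaming its ID
    attribute the way the thread's author did to satisfy the DTD."""
    assertion = root.find("{%s}Assertion" % SAML_NS)
    before = subtree_digest(assertion)
    edited = copy.deepcopy(assertion)
    edited.set(new_attr, edited.attrib.pop(old_attr))
    return before, subtree_digest(edited)


def load_sample():
    """Parse the constructed sample document."""
    return ET.fromstring(SAMPLE_DOC)


if __name__ == "__main__":
    root = load_sample()
    print("with ds:Reference/URI declared: ", check_references(root, WRONG_DECL))
    print("with saml:Assertion/ID declared:", check_references(root, RIGHT_DECL))
    before, after = digest_before_and_after_rename(root)
    print("digest changes after renaming ID -> id:", before != after)
```

Run as a script, the first table reports the reference as unresolvable, the second resolves it, and the digest comparison shows why the received document must be verified as-is: the declaration has to be supplied to the parser (DTD, --id-attr, or the library's ID registration call), never by rewriting the signed content.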


