[xmlsec] unable to dereference URI

Alexwell Sandro alexwellll at gmail.com
Thu Aug 29 10:50:54 PDT 2013


I do not understand saml.

But to use the URI to retrieve the ID, this works:

#include <xmlsec/xmltree.h>   /* declares xmlSecAddIDs(); BAD_CAST comes in via libxml2 */
/* attribute names xmlsec should treat as XML IDs when resolving URI="#..." */
static const xmlChar* xmlDSigIds[] = { BAD_CAST "Id", BAD_CAST "id",
                                       BAD_CAST "iD", BAD_CAST "ID", NULL };
xmlSecAddIDs( node->doc, xmlDocGetRootElement(node->doc), xmlDSigIds );



On Fri, Aug 2, 2013 at 12:23 AM, Jeffrey Jin (jefjin) <jefjin at cisco.com> wrote:

> Thanks Aleksey, when I add correct DTD, it works fine. And Xmlsec is a
> very good library.
>
> -Jeffrey
>
> On 8/2/13 9:39 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>
> >You don't need to make this change. What you need to do is to set up a
> >correct DTD to tell XML where your ID attribute is.
> >
> >Aleksey
> >
> >On 8/1/13 6:21 PM, Jeffrey Jin (jefjin) wrote:
> >> Hi Aleksey,
> >>
> >> Sorry, I have to bother you again.
> >> If we change
> >> expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308')) to
> >> expr=xpointer(//*[@ID='s29c0153b613859ac1c788536d2a924d65e643b308']) I
> >> think it should be okay.
> >> So, could we change the xmlsec source code to achieve this? And could you
> >> tell us which file or place to make these changes in?
> >>
> >> -Jeffrey
> >>
> >> On 8/1/13 3:28 PM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:
> >>
> >>> Hi Aleksey,
> >>>
> >>> I found something:
> >>> failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
> >>> refers to the element in the target document, with the id value of
> >>> "s29c0153b613859ac1c788536d2a924d65e643b308".
> >>>
> >>> But my saml response :
> >>> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> >>> ID="s29c0153b613859ac1c788536d2a924d65e643b308"
> >>> IssueInstant="2013-07-30T09:57:48Z" Version="2.0">. It's a capital ID.
> >>>
> >>> If I change ID to id in assertion element then add
> >>> <!DOCTYPE test [
> >>> <!ATTLIST saml:Assertion id ID #IMPLIED>
> >>> ]>
> >>>
> >>> It seems this error no longer appears. But I actually modified the saml
> >>> response, which will make the verification fail.
> >>> So do you have any idea on this? Thanks in advance.
> >>>
> >>> -Jeffrey
> >>>
> >>>
> >>>
> >>> On 8/1/13 10:28 AM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:
> >>>
> >>>> Anyway, thanks again. Let me check if there has other way to solve it!
> >>>>
> >>>> On 8/1/13 9:59 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
> >>>>
> >>>>> Well, it means that I failed to explain what needs to be done in my
> >>>>> first email and I don't have any other ideas how to do it.
> >>>>>
> >>>>> Aleksey
> >>>>>
> >>>>> On 7/31/13 6:57 PM, Jeffrey Jin (jefjin) wrote:
> >>>>>> You mean xmlsec can't work in URI case?
> >>>>>>
> >>>>>> On 8/1/13 9:43 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
> >>>>>>
> >>>>>>> I am sorry but you need to read XML DTD spec and XMLDsig spec as
> >>>>>>> well.
> >>>>>>> Unfortunately, this is required reading if you want to use xmlsec
> >>>>>>> library.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> Aleksey
> >>>>>>>
> >>>>>>> On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
> >>>>>>>> Hi Aleksey,
> >>>>>>>>
> >>>>>>>> Thanks for your quick reply. You mean I need to change attribute
> >>>>>>>> URI to ID? Like this:
> >>>>>>>> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
> >>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
> >>>>>>>>
> >>>>>>>> If my understanding is correct, there are two issues coming:
> >>>>>>>> 1) it's a saml response from ci, I need to change the URI to ID
> >>>>>>>> when I receive the response
> >>>>>>>> 2) when I change URI to ID, yes, the error below is gone, but I got
> >>>>>>>> this error:
> >>>>>>>>
> >>>>>>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
> >>>>>>>> RESULT: Signature is INVALID
> >>>>>>>>
> >>>>>>>> I can make sure I use the correct public key to verify; it should
> >>>>>>>> be VALID. I'm worried about whether changing URI to ID causes a
> >>>>>>>> problem. I checked the URI type in anyURI on
> >>>>>>>> http://www.w3.org/2000/09/xmldsig# and
> >>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a
> >>>>>>>> node-set containing the element with ID attribute value
> >>>>>>>> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
> >>>>>>>> containing the signature. XML Signature (and its applications)
> >>>>>>>> modify this node-set to include the element plus all descendants
> >>>>>>>> including namespaces and attributes -- but not comments.
> >>>>>>>>
> >>>>>>>> -Jeffrey
> >>>>>>>>
> >>>>>>>> On 8/1/13 2:00 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
> >>>>>>>>
> >>>>>>>>> You need to define ID attribute to the element where it is
> >>>>>>>>> specified,
> >>>>>>>>> not to the Reference element where it is used
> >>>>>>>>>
> >>>>>>>>> Aleksey
> >>>>>>>>>
> >>>>>>>>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
> >>>>>>>>>> Hi xmlsec team,
> >>>>>>>>>>
> >>>>>>>>>> I use the xmlsec library to verify whether a signature is correct.
> >>>>>>>>>> But when the saml response includes "<ds:Reference
> >>>>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
> >>>>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
> >>>>>>>>>> I got the error:
> >>>>>>>>>>
> >>>>>>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
> >>>>>>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> >>>>>>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> >>>>>>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> >>>>>>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> >>>>>>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> >>>>>>>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> >>>>>>>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> >>>>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> >>>>>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> >>>>>>>>>> Error: signature verification failed
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> I found the answer of similar issue from
> >>>>>>>>>> http://www.aleksey.com/xmlsec/faq.html
> >>>>>>>>>>
> >>>>>>>>>> So I add the DTD:
> >>>>>>>>>>
> >>>>>>>>>> <!DOCTYPE test [
> >>>>>>>>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
> >>>>>>>>>> ]>
> >>>>>>>>>>
> >>>>>>>>>> But it doesn't work. Can someone help me out?
> >>>>>>>>>>
> >>>>>>>>>> Thanks in advance.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> -Jeffrey
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> _______________________________________________
> >>>>>>>>>> xmlsec mailing list
> >>>>>>>>>> xmlsec at aleksey.com
> >>>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>
> >>>
> >>
>
>
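Both fixes in this thread, the DTD ATTLIST on saml:Assertion and the xmlSecAddIDs() list at the top of the reply, do the same job: they tell libxml2 which attribute is of type ID so that xpointer(id('...')) can find the signed element. The following is an added example, written for this page in stdlib Python and not code from xmlsec or from anyone in the thread; it models that declaration and walks through the thread's three outcomes: no declaration (the "unable to dereference" failure), the ATTLIST placed on ds:Reference URI instead of saml:Assertion ID (still fails, because the Reference's value is "#s29..." and the element it names is the Assertion), and renaming ID to id (the lookup succeeds but the signed bytes change, so the digest no longer matches). The cut-down SAML response, its Issuer value and the helper names are constructed; the digest helper hashes a plain serialisation, not real C14N.

```python
# Added example (not from this thread or from xmlsec): a stdlib-only model of
# how a verifier turns <ds:Reference URI="#fragment"> into the signed element.
# xmlsec asks libxml2 for "the element whose attribute of type ID equals the
# fragment" (xpointer(id(...))); which attributes are of type ID comes only from
# a DTD ATTLIST or from xmlSecAddIDs(). The id_attr_names tuple below plays the
# role of that declaration.
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed cut-down SAML response using the attribute names from the thread:
# capital "ID" on saml:Assertion, "URI" on ds:Reference. The Issuer is made up.
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{SAML_NS}" xmlns:ds="{DSIG_NS}">
  <saml:Assertion ID="s29c0153b613859ac1c788536d2a924d65e643b308"
                  IssueInstant="2013-07-30T09:57:48Z" Version="2.0">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#s29c0153b613859ac1c788536d2a924d65e643b308"/>
      </ds:SignedInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

THREAD_ID_NAMES = ("Id", "id", "iD", "ID")  # the xmlDSigIds list from the thread


def register_ids(root, id_attr_names):
    """What a DTD ATTLIST or xmlSecAddIDs() achieves: walk the whole document and
    record every element carrying one of the declared attribute names, keyed by
    the attribute value. An ID value must be unique, so duplicates are refused
    rather than silently letting a later element shadow the signed one."""
    ids = {}
    for elem in root.iter():
        for name in id_attr_names:
            value = elem.get(name)
            if value is None:
                continue
            if value in ids:
                raise ValueError(f"duplicate ID value {value!r}")
            ids[value] = elem
    return ids


def dereference(reference, ids):
    """Resolve URI="#..." the way the xpointer(id('...')) step does: strip the
    '#' and look the fragment up among the declared IDs only."""
    uri = reference.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document fragment URIs are modelled here")
    elem = ids.get(uri[1:])
    if elem is None:
        raise LookupError(f"unable to dereference URI {uri!r}")
    return elem


def _first_reference(xml_text):
    root = ET.fromstring(xml_text)
    return root, root.find(f".//{{{DSIG_NS}}}Reference")


def resolve_reference(xml_text, id_attr_names):
    """Tag of the element the first ds:Reference points at."""
    root, reference = _first_reference(xml_text)
    return dereference(reference, register_ids(root, id_attr_names)).tag


def can_dereference(xml_text, id_attr_names):
    """True when the declaration is sufficient to find the signed element."""
    try:
        resolve_reference(xml_text, id_attr_names)
        return True
    except LookupError:
        return False


def digest_of_referenced_element(xml_text, id_attr_names):
    """SHA-1 over a plain serialisation of the referenced subtree. Stand-in for
    the C14N + DigestValue comparison, not real canonicalisation; enough to show
    that editing the attribute name changes the bytes that were signed."""
    root, reference = _first_reference(xml_text)
    elem = dereference(reference, register_ids(root, id_attr_names))
    return hashlib.sha1(ET.tostring(elem)).hexdigest()


if __name__ == "__main__":
    print(can_dereference(SAML_RESPONSE, ()))          # False: nothing declared as ID
    print(can_dereference(SAML_RESPONSE, ("URI",)))    # False: declared on the wrong element
    print(resolve_reference(SAML_RESPONSE, THREAD_ID_NAMES))
    # Renaming ID -> id makes the lookup work again but alters the signed bytes,
    # so the digest no longer matches what the issuer computed.
    renamed = SAML_RESPONSE.replace("Assertion ID=", "Assertion id=", 1)
    print(digest_of_referenced_element(SAML_RESPONSE, THREAD_ID_NAMES)
          == digest_of_referenced_element(renamed, THREAD_ID_NAMES))  # False
```

The takeaway for a verifier: never edit the received document to make the reference resolve; declare the ID attribute (DTD or xmlSecAddIDs) on the element that carries it, and keep the declared-name list short and fixed so an attacker-controlled document cannot pick which attribute counts as an ID.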