[xmlsec] failing to verify ..

Yousuf Jawwad yjawwad at smartsignin.com
Wed Mar 19 01:31:53 PDT 2014


When I run

xmlsec1 --verify --pubkey-cert-pem my.cer '--id-attr:ID' 'urn:oasis:names:tc:SAML:2.0' Response.xml

the stack trace given to me is

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_9b281906-5626-4579-b506-6e1e344b5dd7'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file

the XML in question is

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
ID="_9b281906-5626-4579-b506-6e1e344b5dd7" Version="2.0" 
IssueInstant="2014-03-19T06:39:08.634Z"
Destination="https://perfectcloudstaging.happyfox.com/staff/smartsignin/callback">
<saml:Issuer 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:54660/saml2/metadata/6118c9130de04f60b09616de43fa7d27</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_9b281906-5626-4579-b506-6e1e344b5dd7">
<Transforms>
<Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" 
PrefixList="#default samlp saml ds xs xsi"/>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>ZtZ7NdVHlkd0cHbI13ukQJyPwTE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Tjr3DtAMF50tsxPXB929T8KZgw1D0jW4ugD6c9EFe1prpyA1anKkuwfOzcrrrFoRTo3jZ4aplENgb03ZYUjve9Q3UNUlOQiP9XId2IblvMYvf75Q9jyAZ8L024d5TlkkMoGHEB//+l4FfUh8sMrVXfR7gY0VaZRzwdIEfXpx60hxDuiTVBV/dqpfg+nc95Z/OXiJUWHvYZGY126lse/gqFrHG8YukzBalZdUsDM0dykefNWe5Dr8Rpn6JqCNmnze4hA4bsFfEW1mk1B8AJGDirXg4sQlLOSJFmDG2RrShVUT1oY0XY/xSJDI0oMokKehWMyP7A5q77Zg6jfeDHRJeA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
<!-- my cert -->
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
Version="2.0" ID="_31d8f30a-4db0-4f8a-9542-e7becec31456" 
IssueInstant="2014-03-19T06:39:08.634Z">
<saml:Issuer>http://localhost:54660/saml2/metadata/6118c9130de04f60b09616de43fa7d27</saml:Issuer>
<saml:Subject>
<saml:NameID 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">draizada at smartsignin.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-03-19T06:59:08.686Z" 
Recipient="https://example.com/saml/"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-03-19T06:19:08.686Z" 
NotOnOrAfter="2014-03-19T06:59:08.686Z"/>
<saml:AttributeStatement>
<saml:Attribute Name="email">
<saml:AttributeValue>my email</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
<saml:AttributeValue>User Name</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="LastName" 
NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
<saml:AttributeValue>User Name</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="EntityIdentifier" 
NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
<saml:AttributeValue>8cc99e70-8a05-4fda-a0b8-ea0f24164b27</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthnStatement AuthnInstant="2014-03-19T06:39:08.686Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>

I know from browsing the list that it has something to do with "--id-attr:ID" but can't seem to figure it out.

Thanks for the help.

//yousuf
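Added example, not from the list post and not xmlsec's own code: the xpointer(id('...')) lookup in the trace above fails because, without a DTD or schema, the parser does not know that the Response element's ID attribute is an ID-type attribute, which is what xmlsec1's `--id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response` registers. The stdlib-only Python below does that same registered lookup on a constructed Response of the posted shape, and rejects the cases a verifier must not silently accept (no registered element carries the id, or more than one does).

```python
"""Resolve an XML-DSig Reference URI to its signed element via a declared ID attribute."""
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

# Constructed sample with the same shape as the posted Response; the
# signature value, digest and certificate are elided since only ID
# resolution is demonstrated here.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_9b281906-5626-4579-b506-6e1e344b5dd7" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference URI="#_9b281906-5626-4579-b506-6e1e344b5dd7"/>
    </SignedInfo>
  </Signature>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_31d8f30a-4db0-4f8a-9542-e7becec31456"/>
</samlp:Response>"""


def resolve_reference(xml_text, id_attr="ID", id_elements=(SAMLP + "Response",)):
    """Return the element that the Signature's Reference URI points at.

    id_elements lists the namespaced element names whose id_attr is treated
    as an ID, exactly as xmlsec1's --id-attr registers them. Raises
    ValueError when the URI is not a same-document fragment, when no
    registered element carries the id (the failure in the trace above), or
    when more than one does (a duplicate id means the signed element and
    the element about to be trusted may differ).
    """
    root = ET.fromstring(xml_text)
    ref = root.find(f".//{DSIG}Signature/{DSIG}SignedInfo/{DSIG}Reference")
    if ref is None:
        raise ValueError("no Reference element in SignedInfo")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError(f"not a same-document reference: {uri!r}")
    wanted = uri[1:]
    # root.iter() yields the root itself and every descendant.
    matches = [el for el in root.iter()
               if el.tag in id_elements and el.get(id_attr) == wanted]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} elements carry {id_attr}={wanted!r}")
    return matches[0]
```

With an empty id_elements the function fails the same way xmlsec1 does when no ID attribute is registered; register only the element types you expect to be signed, not every element with an ID attribute.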
