[xmlsec] failing to verify ..

Aleksey Sanin aleksey at aleksey.com
Wed Mar 19 06:56:12 PDT 2014


From xmlsec help page:

 --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
    adds attributes <attr-name> (default value "id") from all nodes
with<node-name> and namespace <node-namespace-uri> to the list of known
ID attributes; this is a hack and if you can use DTD or schema to
declare ID attributes instead (see "--dtd-file" option), I don't know
what else might be broken in your application when you use this hack

So you need something like

--id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response"


Aleksey

On 3/19/14, 1:31 AM, Yousuf Jawwad wrote:
> When I run
> 
> xmlsec1 --verify --pubkey-cert-pem my.cer '--id-attr:ID'
> 'urn:oasis:names:tc:SAML:2.0' Response.xml
> 
> the stack trace given to me is
> 
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
> library function
> failed:expr=xpointer(id('_9b281906-5626-4579-b506-6e1e344b5dd7'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec
> library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec
> library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec
> library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec
> library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec
> library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
> library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file
> 
> the XML in question is
> 
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="_9b281906-5626-4579-b506-6e1e344b5dd7" Version="2.0"
> IssueInstant="2014-03-19T06:39:08.634Z"
>                
> Destination="https://perfectcloudstaging.happyfox.com/staff/smartsignin/callback">
>     <saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:54660/saml2/metadata/6118c9130de04f60b09616de43fa7d27</saml:Issuer>
>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <SignedInfo>
>             <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             <Reference URI="#_9b281906-5626-4579-b506-6e1e344b5dd7">
>                 <Transforms>
>                     <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                     <Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                         <InclusiveNamespaces
> xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default
> samlp saml ds xs xsi"/>
>                     </Transform>
>                 </Transforms>
>                 <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                 <DigestValue>ZtZ7NdVHlkd0cHbI13ukQJyPwTE=</DigestValue>
>             </Reference>
>         </SignedInfo>
>        
> <SignatureValue>Tjr3DtAMF50tsxPXB929T8KZgw1D0jW4ugD6c9EFe1prpyA1anKkuwfOzcrrrFoRTo3jZ4aplENgb03ZYUjve9Q3UNUlOQiP9XId2IblvMYvf75Q9jyAZ8L024d5TlkkMoGHEB//+l4FfUh8sMrVXfR7gY0VaZRzwdIEfXpx60hxDuiTVBV/dqpfg+nc95Z/OXiJUWHvYZGY126lse/gqFrHG8YukzBalZdUsDM0dykefNWe5Dr8Rpn6JqCNmnze4hA4bsFfEW1mk1B8AJGDirXg4sQlLOSJFmDG2RrShVUT1oY0XY/xSJDI0oMokKehWMyP7A5q77Zg6jfeDHRJeA==</SignatureValue>
>         <KeyInfo>
>             <X509Data>
>                 <X509Certificate>
>                     <!-- my cert -->
>                 </X509Certificate>
>             </X509Data>
>         </KeyInfo>
>     </Signature>
>     <samlp:Status>
>         <samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     </samlp:Status>
>     <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> Version="2.0" ID="_31d8f30a-4db0-4f8a-9542-e7becec31456"
> IssueInstant="2014-03-19T06:39:08.634Z">
>        
> <saml:Issuer>http://localhost:54660/saml2/metadata/6118c9130de04f60b09616de43fa7d27</saml:Issuer>
>         <saml:Subject>
>             <saml:NameID
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">draizada at smartsignin.com</saml:NameID>
>             <saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                 <saml:SubjectConfirmationData
> NotOnOrAfter="2014-03-19T06:59:08.686Z"
> Recipient="https://example.com/saml/"/>
>             </saml:SubjectConfirmation>
>         </saml:Subject>
>         <saml:Conditions NotBefore="2014-03-19T06:19:08.686Z"
> NotOnOrAfter="2014-03-19T06:59:08.686Z"/>
>         <saml:AttributeStatement>
>             <saml:Attribute Name="email">
>                 <saml:AttributeValue>my email</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="FirstName"
> NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
>                 <saml:AttributeValue>User Name</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="LastName"
> NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
>                 <saml:AttributeValue>User Name</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="EntityIdentifier"
> NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
>                
> <saml:AttributeValue>8cc99e70-8a05-4fda-a0b8-ea0f24164b27</saml:AttributeValue>
>             </saml:Attribute>
>         </saml:AttributeStatement>
>         <saml:AuthnStatement AuthnInstant="2014-03-19T06:39:08.686Z">
>             <saml:AuthnContext>
>                
> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
>             </saml:AuthnContext>
>         </saml:AuthnStatement>
>     </saml:Assertion>
> </samlp:Response>
> 
> I know from browsing the list that it has something to do with
> "--id-attr:ID" but can't seem to figure it out.
> 
> Thanks for the help.
> 
> //yousuf
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 

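The failure in the thread comes down to one fact: without a DTD or schema, `ID="..."` is an ordinary attribute to the XML parser, so `xpointer(id('...'))` finds nothing until xmlsec is told which (namespace, element, attribute) triple to treat as an ID, which is what `--id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response` does. The following script is an added illustration, not code from the thread or from xmlsec itself. It re-implements that registration and lookup step with only the Python standard library over a constructed sample shaped like the posted Response (signature contents elided), shows the lookup fail when nothing, the wrong namespace, or only the Assertion ID is registered, and adds the check a verifier should do on an enveloped signature: the element the Reference resolves to must be an ancestor of the `<Signature>`, and no two elements may share one ID value. Function and variable names here are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the Response in the thread (signature
# contents elided). The Response and the Assertion carry different IDs.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_9b281906-5626-4579-b506-6e1e344b5dd7" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference URI="#_9b281906-5626-4579-b506-6e1e344b5dd7"/>
    </SignedInfo>
  </Signature>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_31d8f30a-4db0-4f8a-9542-e7becec31456"/>
</samlp:Response>"""

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Same triple as `--id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response`
RESPONSE_ID_ATTR = (SAMLP_NS, "Response", "ID")


def parse_sample():
    """Parse the constructed sample and return its root element."""
    return ET.fromstring(SAMPLE_XML)


def local_name(el):
    """Strip the Clark-notation namespace from an ElementTree tag."""
    return el.tag.split("}", 1)[1] if "}" in el.tag else el.tag


def build_id_table(root, id_attrs):
    """Collect ID values the way the --id-attr hack does: an attribute counts
    as an ID only on elements whose (namespace, local name) is registered.
    Returns {id_value: element}; rejects duplicate IDs, which would make
    id() ambiguous."""
    table = {}
    for el in root.iter():
        for ns, local, attr in id_attrs:
            if el.tag == "{%s}%s" % (ns, local) and attr in el.attrib:
                value = el.attrib[attr]
                if value in table:
                    raise ValueError("duplicate ID value %r" % value)
                table[value] = el
    return table


def resolve_reference(root, id_attrs):
    """Resolve the single <ds:Reference URI="#id"> to an element, mirroring
    xmlsec's xpointer(id('...')) step. Raises LookupError when the id is not
    a registered ID attribute, which is the situation in the thread."""
    refs = root.findall(".//{%s}SignedInfo/{%s}Reference" % (DSIG_NS, DSIG_NS))
    if len(refs) != 1:
        raise ValueError("expected exactly one Reference, found %d" % len(refs))
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    table = build_id_table(root, id_attrs)
    try:
        return table[uri[1:]]
    except KeyError:
        raise LookupError("id(%r) matched no registered ID attribute" % uri[1:]) from None


def reference_resolves(root, id_attrs):
    """True when the Reference resolves with the given ID registrations."""
    try:
        resolve_reference(root, id_attrs)
        return True
    except LookupError:
        return False


def signed_element_contains_signature(root, id_attrs):
    """Enveloped-signature check: the referenced element must be an ancestor
    of <ds:Signature>, so the signature actually covers the document that
    carries it rather than some other element that happens to share the ID."""
    target = resolve_reference(root, id_attrs)
    parents = {child: parent for parent in root.iter() for child in parent}
    node = root.find(".//{%s}Signature" % DSIG_NS)
    while node is not None:
        if node is target:
            return True
        node = parents.get(node)
    return False


if __name__ == "__main__":
    root = parse_sample()
    print("no ID registered:", reference_resolves(root, []))
    print("wrong namespace:", reference_resolves(
        root, [("urn:oasis:names:tc:SAML:2.0", "Response", "ID")]))
    print("Response ID registered:", reference_resolves(root, [RESPONSE_ID_ATTR]))
    print("signature enveloped by signed element:",
          signed_element_contains_signature(root, [RESPONSE_ID_ATTR]))
```

The namespace in the registration has to be the element's full namespace URI (`...:SAML:2.0:protocol` for `samlp:Response`), and registering only `saml:Assertion` does not help because the Reference points at the Response's ID. Registering IDs for exactly the elements you expect to be signed, and then confirming that the resolved element encloses the Signature, keeps the ID hack from silently widening what a verifier accepts.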
