[xmlsec] Verify XML signature with multiple KeyName
Paolo Smiraglia
paolo.smiraglia at gmail.com
Fri Jun 29 07:32:04 PDT 2018
Hi guys, my name is Paolo.
I'm trying to verify the signature of an SP (service provider) SAML
metadata, which was signed with "samlsign" tool and using a
certificate with two subjectAlternativeNames. Unfortunately, I receive
the following error
$ xmlsec1 --verify --id-attr:ID
urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor sp-metadata.xml
func=xmlSecKeyDataNameXmlRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=657:obj=key-name:subj=unknown:error=41:invalid
key data:details=key name is already specified
func=xmlSecKeyInfoNodeRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=117:obj=key-name:subj=xmlSecKeyDataXmlRead:error=1:xmlsec
library function failed:node=KeyName
func=xmlSecKeysMngrGetKey:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keys.c:line=1230:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec
library function failed:node=KeyInfo
func=xmlSecDSigCtxProcessKeyInfoNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key
is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
library function failed:
func=xmlSecDSigCtxVerify:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "sp-metadata.xml"
The resulting signature is like the following
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_y8rptnmmdz5fksiz2v955c3wt7ije506raog1w6s24f">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>[...]</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[...]</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>[alternative name 1]</ds:KeyName>
<ds:KeyName>[alternative name 2]</ds:KeyName>
<ds:X509Data>
<ds:X509SubjectName>[...]</ds:X509SubjectName>
<ds:X509Certificate>[...]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
The error seems to be related to multiple <KeyName> tags nested within
<KeyInfo>. Indeed, if I resign the same document with a certificate
that has only one alternative name, the resulting signature has just
one <KeyName> and xmlsec verifies correctly.
Otherwise, if I try to verify both the signed document with samlsign
or xmlsectool, everything goes well.
Do you have something to suggest? Thanks!
Bests,
Paolo
--
PAOLO SMIRAGLIA
More information about the xmlsec
mailing list