[xmlsec] Problem verifying SAML response signature with xmlsec API
Aleksey Sanin
aleksey at aleksey.com
Thu Nov 7 13:24:08 PST 2019
Could you please provide complete repro test case?
Aleksey
On 11/7/19 1:11 PM, Elena Fedorov wrote:
> Hello,
> I've spent a few days trying to verify a signature in the SAML response.
> If I run a command line xmlsec1 - I can verify the signature fine:
>
> *xmlsec1 --verify --id-attr:ID
> urn:oasis:names:tc:SAML:2.0:assertion:Assertion --trusted-pem myCert.pem
> samlResponse.xml*
>
> Verifying a signature of the same saml using xmlsec api (code similar to
> verify4.c example) gives these errors:
>
> *func=xmlSecTransformIdListFindByHref:file=transforms.c:line=2239:obj=unknown:subj=xmlSecPtrListCheckId(list,
> xmlSecTransformIdListId):error=100:assertion:*
> *func=xmlSecTransformNodeRead:file=transforms.c:line=1315:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec
> library function failed:href=**http://www.w3.org/2001/10/xml-exc-c14n#*
> *func=xmlSecTransformCtxNodeRead:file=transforms.c:line=596:obj=CanonicalizationMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec
> library function failed:*
> *func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=623:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec
> library function failed:node=CanonicalizationMethod*
> *func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=497:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
> library function failed:*
> *func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec
> library function failed:*
>
> I tried updating xmlsec1 version from 1.2.20 (openssl) to 1.2.29
> (openssl) - but it did not help. Still getting the same exception stack.
>
>
> I generated dump:
>
> = VERIFICATION CONTEXT
> == Status: unknown
> == flags: 0x00000000
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000000
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == SignedInfo References List:
> === list size: 0
> == Manifest References List:
> === list size: 0
> = REFERENCE VERIFICATION CONTEXT
> == Status: unknown
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
>
> *An example signature in the SAML:*
>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
> <ds:Reference URI="#_17ba951-d40a-4fa6-83e9-405v11ab6d01">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
> <ds:DigestValue>......</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>ZqbHJI9GUOXV8gfKGHjaHY8iTXJiQd...</ds:SignatureValue>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Data>
> <ds:X509Certificate>....</ds:X509Certificate>
> </ds:X509Data>
> </KeyInfo>
> </ds:Signature>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
More information about the xmlsec
mailing list