[xmlsec] Verifying signature with embedded x509 cert

Jim Nutt jim at nuttz.org
Mon Dec 3 23:44:22 PST 2007


Here's the XML (with signature); it's a modified SAML token:

<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="SecurityToken-d3aaac64-7f2d-4250-be09-176bcbcdb41f"
ID="SecurityToken-d3aaac64-7f2d-4250-be09-176bcbcdb41f" MajorVersion="1"
MinorVersion="1" Issuer="thomson.com"
IssueInstant="2007-09-18T04:44:42Z"><saml:Conditions
NotBefore="2007-09-18T04:44:42Z"
NotOnOrAfter="2007-09-18T04:54:42Z"/><saml:AuthenticationStatement
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
AuthenticationInstant="2007-09-18T04:44:42Z"><saml:Subject><saml:NameIdentifier
Format="http://security.schemas.tfn.thomson.com/Principal/2007-01-25/#SubId">1234</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement/><Signature
xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference><Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>zZJ8tOVaDO3PogS6SLWbk3D27g4=</DigestValue></Reference></SignedInfo><SignatureValue>k9AxevEOzbZXCGCl141KzIEv2guu6b2d5i6dYcWL3lvWb5oje0ufkDCJ8vyanO84
cTMOgCcKpJtzx8qFD/sL6ptnMKisQD103NUgnSefzAzgnDLm6Vc8U5UvDkQvecx6
fyxVZCXpIiR7Z8QuMbVgGQ/jvJ4F3IRYMPhnlF8Sbfk=</SignatureValue><KeyInfo><X509Data>
<X509Certificate>MIIDCzCCAnSgAwIBAgIDB0LYMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT...</X509Certificate>
</X509Data></KeyInfo></Signature></saml:Assertion>



On Dec 4, 2007 2:03 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> xmlSecOpenSSLAppKeyLoadMemory() ???
>
> Aleksey
>
> Jim Nutt wrote:
> > Ok, I'm pulling my hair out on this one. I'm trying to verify an XML
> > signature based on the X509 certificate embedded in the KeyInfo and I
> > cannot get it to work. If I verify using the same PEM file I used for
> > signing, it verifies OK, so I know the signature is valid. The problem
> > is getting it to validate without going to the original PEM file. I've
> > tried the straightforward method of letting xmlSecDSigVerify load the
> > key, but it can't find the key in the signature. I've even tried writing the
> > base64 data to a file (bracketed with -----BEGIN CERTIFICATE----- and
> > -----END CERTIFICATE-----) and then loading that file as the
> > certificate. It refuses to read the file. And yes, I know the file is a
> > valid PEM file because openssl x509 -in filename -text reads it just
> > fine.
> >
> > Any suggestions would be greatly appreciated, as I'm on a time crunch on
> > this (now... wasn't when I started... *sigh*)
> >
> > --
> > Jim Nutt
> > http://jim.nuttz.org <http://jim.nuttz.org>
> >
> >
>



-- 
Jim Nutt
http://jim.nuttz.org