[xmlsec] verify message

Ulrich Wisser Ulrich.Wisser at iis.se
Fri Feb 1 07:37:37 PST 2008 

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I desperatly try to verify a xml message I receive. Unfortunately it doesn't contain a xml:id attribute but rather uses ResponseID. Any ideas what I have to do to verify the message?

This is my result 

user at ulrich:~# xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr ResponseID response.xml
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_e2dd66488f8d6ae7d23d17e0aa8e3c07'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "response.xml"

If I change the message and add a xml:id attribute with the same value as ResponseID I don't get any library failures but of course the message will not verify.

Is there any command line option to make xmlsec1 use ResponseID?

Please find my message below.

Med vänlig hälsning

Ulrich 

- -- 
Ulrich Wisser
utvecklare
.SE (Stiftelsen för Internetinfrastruktur)
Ringvägen 100, Box 7399, 103 91 Stockholm
Tel: 08-4523558, mobil: 0732-745900


<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-02-01T08:27:49.382Z" MajorVersion="1" MinorVersion="1" Recipient="http://domainmanager/start/acs" ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw sam
l samlp typens #default xsd xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ErWp2Ove+0tBFJ63jWo1GPPWJOI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
rDmH0K29qsLsTIUqSwpdE0Zf9KJYDC5nmU/hSI/exMtTYXg5L2kon9c9A9sMcXvrSyX65yQQxzgO
QtUDgNklvJtYhiIl5ScO04dCE370auHtm0gg5BGD+3Bf8O0LkoHAy6PyfG7zoOOZNd/kUDegE9ku
7fnL/8xOQynT0OYXkJo=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDNDCCAp2gAwIBAgIJAKqjIMJ8jZisMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlNFMRIw
EAYDVQQHEwlTdG9ja2hvbG0xNTAzBgNVBAoTLC5TRSAoVGhlIEludGVybmV0IEluZnJhc3RydWN0
dXJlIEZvdW5kYXRpb24pMRYwFAYDVQQDEw1pZHAuZG5zc2VjLnNlMB4XDTA3MDYyNjExMjE1NloX
DTA3MDcyNjExMjE1NlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAcTCVN0b2NraG9sbTE1MDMGA1UE
ChMsLlNFIChUaGUgSW50ZXJuZXQgSW5mcmFzdHJ1Y3R1cmUgRm91bmRhdGlvbikxFjAUBgNVBAMT
DWlkcC5kbnNzZWMuc2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOSsqRE2m82D6ho3jcxh
RjMYq7JArN4aHl5Zroi9K97rgsDiwU6vsoaYrlbXSQLLeuDJX79hu8kf3BKN/6n5YmX8UogBTauz
a/7XOx/cMWDiwL79gwO4d4uOJ+hCHyL9CsWKN0Si3e2dkt0248lCaul+70qzq8TEgdA0Tr0o4xvZ
AgMBAAGjgdUwgdIwHQYDVR0OBBYEFA8hU9S9CBwom4OVGFPUD/GIgseeMIGiBgNVHSMEgZowgZeA
FA8hU9S9CBwom4OVGFPUD/GIgseeoXSkcjBwMQswCQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2to
b2xtMTUwMwYDVQQKEywuU0UgKFRoZSBJbnRlcm5ldCBJbmZyYXN0cnVjdHVyZSBGb3VuZGF0aW9u
KTEWMBQGA1UEAxMNaWRwLmRuc3NlYy5zZYIJAKqjIMJ8jZisMAwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQEFBQADgYEAjTW5LM0rVCehN6hL+6nSI4V+WiLUpk3iGs5TK7Qi5VHD3uxSGY2ykKAMTVGh
JakPzIuLFb5LLdkoMTkMUPmhYb0JWMDciMlHvNmZMdVPupKLanSAPoiUxvOMZ6SWNpcgcLdyHzk9
6m0qdfNoa1sta4OfV7Go4I3Ag3EwCp8U32s=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"/></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_ac6db8b49b31f7796079b
8988e1b3e7b" IssueInstant="2008-02-01T08:27:49.381Z" Issuer="https://idp.dnssec.se/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-01T08:27:49.
381Z" NotOnOrAfter="2008-02-01T08:32:49.381Z"><AudienceRestrictionCondition><Audience>urn:uuid:97820956-1fc3-4a8a-a10b-ae13bceea8f8</Audience><Audience>http://domainmanager
/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2008-02-01T08:27:49.381Z" AuthenticationMethod="urn:oasis:names:tc:S
AML:1.0:am:X509-PKI"><Subject><NameIdentifier Format="urn:oasis:names:tc:SAML1.1:nameid-format:emailAddress" NameQualifier="https://idp.dnssec.se/shibboleth">u.wisser at publi
sher.de</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality
IPAddress="172.18.24.50"/></AuthenticationStatement></Assertion></Response>
 
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR6M8wS9yrDO0wHQwEQIKFwCg/neIUVr8/InLP83887UqvKplJ6gAoNBx
M6rVJ5fQEhJtMO5ckn/XhBQC
=HSLn
-----END PGP SIGNATURE-----

More information about the xmlsec mailing list