[xmlsec] verify message

Aleksey Sanin aleksey at aleksey.com
Mon Feb 4 09:24:47 PST 2008


<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" ... 
ResponseID="..." ... >

You forgot about namespaces...

Aleksey

Ulrich Wisser wrote:
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> of course I did try the FAQ first, but not really successfully. Now I got the message to verify when I included a DTD in the document. The same DTD as a file would give me parsing errors. And the "--id-attr ResponseID" didn't work at all. This is my DTD
> 
> <!DOCTYPE test [<!ATTLIST Response ResponseID ID #IMPLIED>]>
> 
> Next problem is that I want to check it programmatically and that doesn't work either. Not even when I add the DTD.
> xmlSecDSigCtxVerify just returns -1. How can I know what the problem is?
> 
> Sincerely
> 
> Ulrich 
>  
> - -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
> Sent: Friday, February 01, 2008 6:32 PM
> To: Ulrich Wisser
> Cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] verify message
> 
> Look at the FAQ
> 
> http://www.aleksey.com/xmlsec/faq.html
> 
> Aleksey
> 
> Ulrich Wisser wrote:
>>  
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> I am desperately trying to verify an XML message I receive. Unfortunately it doesn't contain an xml:id attribute but rather uses ResponseID. Any ideas what I have to do to verify the message?
>>
>> This is my result 
>>
>> user at ulrich:~# xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr ResponseID response.xml
>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_e2dd66488f8d6ae7d23d17e0aa8e3c07'))
>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>> Error: signature failed
>> ERROR
>> SignedInfo References (ok/all): 0/1
>> Manifests References (ok/all): 0/0
>> Error: failed to verify file "response.xml"
>>
>> If I change the message and add an xml:id attribute with the same value as ResponseID I don't get any library failures but of course the message will not verify.
>>
>> Is there any command line option to make xmlsec1 use ResponseID?
>>
>> Please find my message below.
>>
>> Kind regards
>>
>> Ulrich 
>>
>> - -- 
>> Ulrich Wisser
>> developer
>> .SE (Stiftelsen för Internetinfrastruktur)
>> Ringvägen 100, Box 7399, 103 91 Stockholm
>> Tel: 08-4523558, mobil: 0732-745900
>>
>>
>> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-02-01T08:27:49.382Z" MajorVersion="1" MinorVersion="1" Recipient="http://domainmanager/start/acs" ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> <ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/></ds:Transform>
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>ErWp2Ove+0tBFJ63jWo1GPPWJOI=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>
>> rDmH0K29qsLsTIUqSwpdE0Zf9KJYDC5nmU/hSI/exMtTYXg5L2kon9c9A9sMcXvrSyX65yQQxzgO
>> QtUDgNklvJtYhiIl5ScO04dCE370auHtm0gg5BGD+3Bf8O0LkoHAy6PyfG7zoOOZNd/kUDegE9ku
>> 7fnL/8xOQynT0OYXkJo=
>> </ds:SignatureValue>
>> <ds:KeyInfo>
>> <ds:X509Data>
>> <ds:X509Certificate>
>> MIIDNDCCAp2gAwIBAgIJAKqjIMJ8jZisMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlNFMRIw
>> EAYDVQQHEwlTdG9ja2hvbG0xNTAzBgNVBAoTLC5TRSAoVGhlIEludGVybmV0IEluZnJhc3RydWN0
>> dXJlIEZvdW5kYXRpb24pMRYwFAYDVQQDEw1pZHAuZG5zc2VjLnNlMB4XDTA3MDYyNjExMjE1NloX
>> DTA3MDcyNjExMjE1NlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAcTCVN0b2NraG9sbTE1MDMGA1UE
>> ChMsLlNFIChUaGUgSW50ZXJuZXQgSW5mcmFzdHJ1Y3R1cmUgRm91bmRhdGlvbikxFjAUBgNVBAMT
>> DWlkcC5kbnNzZWMuc2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOSsqRE2m82D6ho3jcxh
>> RjMYq7JArN4aHl5Zroi9K97rgsDiwU6vsoaYrlbXSQLLeuDJX79hu8kf3BKN/6n5YmX8UogBTauz
>> a/7XOx/cMWDiwL79gwO4d4uOJ+hCHyL9CsWKN0Si3e2dkt0248lCaul+70qzq8TEgdA0Tr0o4xvZ
>> AgMBAAGjgdUwgdIwHQYDVR0OBBYEFA8hU9S9CBwom4OVGFPUD/GIgseeMIGiBgNVHSMEgZowgZeA
>> FA8hU9S9CBwom4OVGFPUD/GIgseeoXSkcjBwMQswCQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2to
>> b2xtMTUwMwYDVQQKEywuU0UgKFRoZSBJbnRlcm5ldCBJbmZyYXN0cnVjdHVyZSBGb3VuZGF0aW9u
>> KTEWMBQGA1UEAxMNaWRwLmRuc3NlYy5zZYIJAKqjIMJ8jZisMAwGA1UdEwQFMAMBAf8wDQYJKoZI
>> hvcNAQEFBQADgYEAjTW5LM0rVCehN6hL+6nSI4V+WiLUpk3iGs5TK7Qi5VHD3uxSGY2ykKAMTVGh
>> JakPzIuLFb5LLdkoMTkMUPmhYb0JWMDciMlHvNmZMdVPupKLanSAPoiUxvOMZ6SWNpcgcLdyHzk9
>> 6m0qdfNoa1sta4OfV7Go4I3Ag3EwCp8U32s=
>> </ds:X509Certificate>
>> </ds:X509Data>
>> </ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"/></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_ac6db8b49b31f7796079b8988e1b3e7b" IssueInstant="2008-02-01T08:27:49.381Z" Issuer="https://idp.dnssec.se/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-01T08:27:49.381Z" NotOnOrAfter="2008-02-01T08:32:49.381Z"><AudienceRestrictionCondition><Audience>urn:uuid:97820956-1fc3-4a8a-a10b-ae13bceea8f8</Audience><Audience>http://domainmanager/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2008-02-01T08:27:49.381Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"><Subject><NameIdentifier Format="urn:oasis:names:tc:SAML1.1:nameid-format:emailAddress" NameQualifier="https://idp.dnssec.se/shibboleth">u.wisser at publisher.de</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="172.18.24.50"/></AuthenticationStatement></Assertion></Response>
>>  
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP 8.1
>>
>> iQA/AwUBR6M8wS9yrDO0wHQwEQIKFwCg/neIUVr8/InLP83887UqvKplJ6gAoNBx
>> M6rVJ5fQEhJtMO5ckn/XhBQC
>> =HSLn
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.1
> 
> iQA/AwUBR6behS9yrDO0wHQwEQLaAgCeNoITADl+E4w6hPsuQaMi5lnv9+EAoPu/
> fGH6W4ZW4zHEAPrZKOlT+Mj1
> =zdGh
> -----END PGP SIGNATURE-----
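Added worked example, not from the thread or from the xmlsec project. The error chain Ulrich posted fails at the XPointer step, not at the key: xmlsec1 rewrites URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07" as xpointer(id('_e2dd66488f8d6ae7d23d17e0aa8e3c07')), and libxml2's id() only returns nodes whose attribute has been declared to be an ID, which is why an ATTLIST in a DTD makes the document verify. The xmlsec1 option for this is `--id-attr:<attr> [<node-namespace-uri>:]<node-name>`. "--id-attr ResponseID" as typed registers an attribute named "id" on elements named "ResponseID", which matches nothing, and since the Response element lives in urn:oasis:names:tc:SAML:1.0:protocol the node has to be given with that namespace (Aleksey's "You forgot about namespaces"). The script below derives the option pair from the document itself, refusing to resolve an ID that two elements claim, and builds the command line. The sample response is constructed with a skeleton Signature; the verify helpers assume xmlsec1 on PATH or python-xmlsec with lxml, respectively, and are not exercised otherwise.

```python
"""Find which attribute a signed document uses as its ID, and the xmlsec1
option that registers it, so '#value' References can be resolved.

Added example. Discovery uses only the standard library; the two verify
helpers assume an installed xmlsec1 binary or the python-xmlsec package."""
import shutil
import subprocess
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"  # libxml2 already treats xml:id as an ID

# Constructed sample with the shape of the SAML 1.1 Response from the thread:
# root element in the samlp namespace, ID carried in ResponseID. The Signature
# is a skeleton, not a real one.
SAMPLE_RESPONSE = b"""<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
          MajorVersion="1" MinorVersion="1"
          ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07"/>
    </ds:SignedInfo>
  </ds:Signature>
</Response>"""


def split_qname(name):
    """ElementTree spells names as '{ns}local'; return (ns, local)."""
    if name.startswith("{"):
        ns, local = name[1:].split("}", 1)
        return ns, local
    return "", name


def find_id_targets(xml_bytes):
    """For each ds:Reference whose URI is a bare same-document ID ('#value'),
    locate the element carrying 'value' in one of its attributes.

    Returns [(attribute name, element namespace, element local name)].
    Raises ValueError when no element or more than one element claims the
    value: a duplicated ID is the classic signature-wrapping setup, so it is
    never silently resolved to one of the candidates."""
    root = ET.fromstring(xml_bytes)
    targets = []
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri.startswith("#xpointer("):
            continue  # whole-document reference or an explicit XPointer
        wanted = uri[1:]
        hits = [(attr, el.tag) for el in root.iter()
                for attr, val in el.attrib.items() if val == wanted]
        if not hits:
            raise ValueError(f"no element carries the ID {wanted!r}")
        if len(hits) > 1:
            raise ValueError(f"ID {wanted!r} is claimed by {len(hits)} elements")
        attr, tag = hits[0]
        ns, local = split_qname(tag)
        targets.append((attr, ns, local))
    return targets


def xmlsec1_id_attr_args(xml_bytes):
    """The '--id-attr:<attr> <namespace-uri>:<element>' pairs xmlsec1 needs.
    xml:id needs no registration, so it is skipped."""
    args = []
    for attr, ns, local in find_id_targets(xml_bytes):
        if attr == XML_ID:
            continue
        node = f"{ns}:{local}" if ns else local
        args += [f"--id-attr:{split_qname(attr)[1]}", node]
    return args


def xmlsec1_verify_command(xml_path, cert_path, xml_bytes):
    """Full command line, in the shape used in the thread (--pubkey-cert-pem)."""
    return ["xmlsec1", "--verify", "--pubkey-cert-pem", cert_path,
            *xmlsec1_id_attr_args(xml_bytes), xml_path]


def run_xmlsec1(xml_path, cert_path):
    """Run xmlsec1 when it is installed; return its exit status, else None.
    xmlsec1 prints its func=/file=/line= error chain to stderr."""
    if shutil.which("xmlsec1") is None:
        return None
    with open(xml_path, "rb") as fh:
        cmd = xmlsec1_verify_command(xml_path, cert_path, fh.read())
    return subprocess.run(cmd).returncode


def verify_with_python_xmlsec(xml_bytes, cert_path):
    """Same check in-process (assumes python-xmlsec and lxml are installed).
    xmlsec.tree.add_ids is the binding of xmlSecAddIDs and has to run before
    the verify, exactly as a C caller must before xmlSecDSigCtxVerify."""
    import xmlsec                          # assumption: python-xmlsec present
    from lxml import etree
    root = etree.fromstring(xml_bytes)
    ids = sorted({split_qname(attr)[1] for attr, _ns, _local in
                  find_id_targets(xml_bytes) if attr != XML_ID})
    xmlsec.tree.add_ids(root, ids)
    sig = xmlsec.tree.find_node(root, xmlsec.constants.NodeSignature)
    ctx = xmlsec.SignatureContext()
    ctx.key = xmlsec.Key.from_file(cert_path, xmlsec.constants.KeyDataFormatCertPem)
    ctx.verify(sig)                        # raises xmlsec.VerificationError on failure
    return True


if __name__ == "__main__":
    print(" ".join(xmlsec1_verify_command("response.xml", "/etc/shibboleth/idp.crt", SAMPLE_RESPONSE)))
```

For the sample this prints `xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response response.xml`. In C the equivalent of the add_ids step is xmlSecAddIDs(doc, NULL, ids) with a NULL-terminated array such as {"ResponseID", NULL}, called after parsing and before xmlSecDSigCtxVerify; when xmlSecDSigCtxVerify returns -1 the default error callback has already written the same func=/file=/line= chain to stderr, and the xpointer entry in it is the diagnosis. Pass only the attribute the document actually uses: registering every attribute that happens to hold the value is what makes wrapped copies resolvable.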


