[xmlsec] xmlsec signing saml response with Reference URI
Cook, Sean D (Genworth)
Sean.Cook at genworth.com
Wed May 20 19:03:25 PDT 2009
Hello! I am relatively new to all of this and would appreciate any help
you can provide. I am trying to sign the following response and get an
error related to the Reference URI. Can you point me in the right
direction as to what I am doing wrong?
Command:
/apps/xmlsec/bin/xmlsec1 sign --store-signatures --store-references
--privkey-pem keys/private.key,keys/hewitt.pem --id-attr:ID 1234
--trusted-pem keys/hewitt.pem --output
saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml.out
saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml
The error that I receive is:
/apps/xmlsec/bin/xmlsec1 sign --store-signatures --store-references
--privkey-pem keys/private.key,keys/hewitt.pem --id-attr:ID 1234
--trusted-pem keys/hewitt.pem --output
saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml.out
saml-response-bepiflgpdfecdkjmgbimjdjdplmnmmiobiggdmgh.xml
func=xmlSecTransformInputURIOpen:file=io.c:line=423:obj=input-uri:subj=o
pencallback:error=7:io function failed:uri=1234;errno=2
func=xmlSecTransformCtxUriExecute:file=transforms.c:line=1135:obj=unknow
n:subj=xmlSecTransformInputURIOpen:error=1:xmlsec library function
failed:uri=1234
func=xmlSecTransformCtxExecute:file=transforms.c:line=1280:obj=unknown:s
ubj=xmlSecTransformCtxUriExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unkn
own:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function
failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unkn
own:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library
function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unkno
wn:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library
function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDS
igCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
= SIGNATURE CONTEXT
== Status: unknown
== flags: 0x0000000e
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000000
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: membuf-transform (href=NULL)
=== Transform: rsa-sha1
(href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1
(href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE CALCULATION CONTEXT
== Status: unknown
== URI: "1234"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: 1234
=== uri xpointer expr: NULL
=== Transform: input-uri (href=NULL)
=== Transform: xml-parser (href=NULL)
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
This is the SAML Response:
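<?xml version="1.0" encoding="UTF-8"?>
<!--
  SAML 2.0 Response carrying one Assertion that is to be signed with an
  enveloped ds:Signature. This is an xmlsec1 signing template: DigestValue,
  SignatureValue and X509Certificate are intentionally empty and are filled
  in by the tool.

  The ds:Reference points at the Assertion through its ID attribute, which
  requires a same-document fragment URI, i.e. URI="#1234". The bare value
  "1234" that was here before is not a fragment, so xmlsec1 handed it to the
  input-uri transform and tried to open it as an external resource (the
  io.c "uri=1234;errno=2" error). Keeping references same-document also
  means neither the signer nor a verifier dereferences files or URLs named
  inside the document.

  xmlsec1 must additionally be told which attribute carries the IDs. The
  argument of its id-attr:ID option (written with the usual two leading
  dashes) is the element name, e.g.
  urn:oasis:names:tc:SAML:2.0:assertion:Assertion, not the ID value.

  NOTE: SAML declares ID as xs:ID (an NCName), so a value that starts with a
  digit such as "1234" is not schema-valid; a production issuer should emit
  an identifier beginning with a letter or underscore. It is left as posted.
-->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="eangjhbokpbelnnlhopofglhhjmblhnahlhbdipo"
                Version="2.0"
                IssueInstant="2009-05-21T01:56:51Z"
                Destination="https://two.qsse.hewitt.com/federation/Consumer/metaAlias/sp">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">dev.genworth.com:saml2.0</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  Version="2.0"
                  ID="1234"
                  IssueInstant="2009-05-21T01:56:51Z">
    <saml:Issuer>dev.genworth.com:saml2.0</saml:Issuer>
    <!-- Enveloped signature over the enclosing saml:Assertion (ID="1234"). -->
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#1234">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue></DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue></SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate></X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID NameQualifier="dev.genworth.com:saml2.0"
                   SPNameQualifier="qc.hewitt.com:saml2.0"
                   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">0000</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2009-05-21T01:57:51Z"
                                      Recipient="https://was6-tba-dv.hewitt.com/federation/Consumer/metaAlias/sp"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2009-05-21T01:55:51Z"
                     NotOnOrAfter="2009-05-21T01:57:51Z">
      <saml:AudienceRestriction>
        <saml:Audience>qc.hewitt.com:saml2.0</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2009-05-21T01:56:51Z"
                         SessionIndex="ibcepapgopfdgalnjipfpnfgjmimfiknjmbinbpl">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>326001093</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="clientId">
        <saml:AttributeValue>10557</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>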