[xmlsec] unable to dereference URI

Jeffrey Jin (jefjin) jefjin at cisco.com
Wed Jul 31 18:57:24 PDT 2013


You mean xmlsec can't work in URI case?

On 8/1/13 9:43 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:

>I am sorry but you need to read XML DTD spec and XMLDsig spec as well.
>Unfortunately, this is required reading if you want to use xmlsec
>library.
>
>
>
>Aleksey
>
>On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
>> Hi Aleksey,
>> 
>> Thanks for your quick reply. You mean I need to change attribute URI to
>> ID? Like this:
>> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>> 
>> If my understanding is correct, two issues come up:
>> 1) it's a SAML response from ci, so I need to change the URI to ID when I
>> receive the response
>> 2) when I change URI to ID, yes, the error below is gone, but I got this error:
>> 
>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>> RESULT: Signature is INVALID
>> 
>> I can confirm I use the correct public key to verify; it should be
>> VALID. I'm worried about whether changing URI to ID causes a problem. I checked
>> the URI type anyURI on http://www.w3.org/2000/09/xmldsig# and
>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a node-set
>> containing the element with ID attribute value
>> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
>> containing the signature. XML Signature (and its applications) modify this
>> node-set to include the element plus all descendants including namespaces
>> and attributes -- but not comments.
>> 
>> -Jeffrey
>> 
>> On 8/1/13 2:00 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>> 
>>> You need to define ID attribute to the element where it is specified,
>>> not to the Reference element where it is used
>>>
>>> Aleksey
>>>
>>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>>>> Hi xmlsec team,
>>>>
>>>> I use the xmlsec library to verify whether a signature is correct. But when
>>>> the SAML response includes "<ds:Reference
>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>> I got the error:
>>>>
>>>>
>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>> Error: signature verification failed
>>>>
>>>>
>>>> I found the answer to a similar issue at
>>>> http://www.aleksey.com/xmlsec/faq.html
>>>>
>>>> So I added the DTD:
>>>>
>>>> <!DOCTYPE test [
>>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>>>> ]>
>>>>
>>>> But it doesn't work. Can someone help me out?
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>> -Jeffrey
>>>>
>>>>
>>>>
>> 
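
An added illustration, not code from the thread or from xmlsec: a Python model of how a same-document `URI="#..."` reference is looked up, showing that it resolves only once the attribute on the target element is registered as an ID, which is the point of the reply about defining the ID on the element where it is specified. The sample document, the SAML element name and namespace, and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"  # assumed namespace of the signed element

# Constructed sample, not the response from the thread.
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="s29c0">
  <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
    <ds:Reference URI="#s29c0"/>
  </ds:SignedInfo></ds:Signature>
  <samlp:Status/>
</samlp:Response>"""


def id_table(root, id_attrs):
    """Map ID value -> elements, using only attributes registered as IDs.

    id_attrs holds (expanded element tag, attribute name) pairs. Without a DTD
    nothing is registered, so an attribute merely named "ID" is not an ID."""
    table = {}
    for el in root.iter():
        for tag, attr in id_attrs:
            if el.tag == tag and attr in el.attrib:
                table.setdefault(el.attrib[attr], []).append(el)
    return table


def resolve_references(xml_text, id_attrs):
    """Return [(URI, status)] for every ds:Reference in the document."""
    root = ET.fromstring(xml_text)
    table = id_table(root, id_attrs)
    out = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        if uri is None:
            status = "no-uri"          # target is left to the application
        elif uri == "":
            status = "whole-document"
        elif not uri.startswith("#"):
            status = "external"
        else:
            hits = len(table.get(uri[1:], []))
            # Zero hits is the dereference failure; more than one means the
            # ID is not unique, so the signed target is ambiguous.
            status = "unresolved" if hits == 0 else "resolved" if hits == 1 else "ambiguous"
        out.append((uri, status))
    return out


if __name__ == "__main__":
    print(resolve_references(SAMPLE, set()))
    print(resolve_references(SAMPLE, {(f"{{{SAMLP}}}Response", "ID")}))
```
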


