[xmlsec] unable to dereference URI

Jeffrey Jin (jefjin) jefjin at cisco.com
Wed Jul 31 19:28:40 PDT 2013


Anyway, thanks again. Let me check if there is another way to solve it!

On 8/1/13 9:59 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:

>Well, it means that I failed to explain what needs to be done in my
>first email and I don't have any other ideas how to do it.
>
>Aleksey
>
>On 7/31/13 6:57 PM, Jeffrey Jin (jefjin) wrote:
>> You mean xmlsec can't work in URI case?
>> 
>> On 8/1/13 9:43 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>> 
>>> I am sorry but you need to read XML DTD spec and XMLDsig spec as well.
>>> Unfortunately, this is required reading if you want to use xmlsec
>>> library.
>>>
>>>
>>>
>>> Aleksey
>>>
>>> On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
>>>> Hi Aleksey,
>>>>
>>>> Thanks for your quick reply. You mean I need to change attribute URI to
>>>> ID? Like this:
>>>> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>
>>>> If my understanding is correct, there are two issues:
>>>> 1) it's saml response from ci, I need to change the URI to ID when I
>>>> receive the response
>>>> 2) when I change URI to ID, yes, below error is gone, but I got error:
>>>>
>>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>>>> RESULT: Signature is INVALID
>>>>
>>>> I can make sure I use the correct public key to verify, it should be
>>>> VALID. I'm worried about whether changing URI to ID causes a problem. I
>>>> checked the URI type in anyURI on http://www.w3.org/2000/09/xmldsig# and
>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a node-set
>>>> containing the element with ID attribute value
>>>> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
>>>> containing the signature. XML Signature (and its applications) modify
>>>> this node-set to include the element plus all descendants including
>>>> namespaces and attributes -- but not comments.
>>>>
>>>> -Jeffrey
>>>>
>>>> On 8/1/13 2:00 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>
>>>>> You need to define ID attribute to the element where it is specified,
>>>>> not to the Reference element where it is used
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>>>>>> Hi xmlsec team,
>>>>>>
>>>>>> I use the xmlsec library to verify whether a signature is correct. But
>>>>>> when the SAML response includes "<ds:Reference
>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>> I got the error:
>>>>>>
>>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>>>>>
>>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>
>>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>
>>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>>>>
>>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>>>>
>>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>>>>
>>>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>>>>
>>>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>>>>
>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>>>>
>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>>> Error: signature verification failed
>>>>>>
>>>>>>
>>>>>> I found the answer of similar issue from
>>>>>> http://www.aleksey.com/xmlsec/faq.html
>>>>>>
>>>>>> So I add the DTD:
>>>>>>
>>>>>> <!DOCTYPE test [
>>>>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>>>>>> ]>
>>>>>>
>>>>>> But it doesn't work. Can someone help me out?
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>>
>>>>>> -Jeffrey
>> 
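
Added example, not part of the original thread and not xmlsec code: the point made above, that the ID attribute has to be declared on the element that carries it and not on ds:Reference, worked through in Python with only the standard library. The sample document is constructed (only the ID value comes from the thread); the function name `id_attlist_decls` and the candidate attribute names ID/Id/id are assumptions.

```python
import io
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ID_ATTRS = ("ID", "Id", "id")  # assumption: attribute names treated as ID candidates

# Constructed sample; only the ID value is taken from the thread.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s29c0153b613859ac1c788536d2a924d65e643b308">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#s29c0153b613859ac1c788536d2a924d65e643b308"/>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>"""


def id_attlist_decls(xml_text):
    """Return the <!ATTLIST ...> lines that mark each referenced element's ID attribute."""
    prefixes, by_id, wanted = {}, {}, []
    stream = io.BytesIO(xml_text.encode("utf-8"))
    for event, item in ET.iterparse(stream, events=("start-ns", "start")):
        if event == "start-ns":          # item is (prefix, namespace URI)
            prefixes[item[1]] = item[0]  # DTDs need the name as written, prefix included
            continue
        ns, _, local = item.tag[1:].rpartition("}") if item.tag[0] == "{" else ("", "", item.tag)
        qname = f"{prefixes[ns]}:{local}" if prefixes.get(ns) else local
        if ns == DS_NS and local == "Reference" and item.get("URI", "").startswith("#"):
            wanted.append(item.get("URI")[1:])  # same-document reference target
        for attr in ID_ATTRS:
            if attr in item.attrib:
                by_id.setdefault(item.attrib[attr], []).append((qname, attr))
    decls = []
    for target in wanted:
        hits = by_id.get(target, [])
        if len(hits) != 1:  # missing or duplicated ID: refuse rather than guess
            raise ValueError(f"#{target} matches {len(hits)} elements, expected 1")
        decl = "<!ATTLIST {} {} ID #IMPLIED>".format(*hits[0])
        if decl not in decls:
            decls.append(decl)
    return decls


if __name__ == "__main__":
    print("<!DOCTYPE doc [\n" + "\n".join(id_attlist_decls(SAMPLE)) + "\n]>")
```

For the sample, the declaration names samlp:Response and its ID attribute, where the DOCTYPE in the thread named ds:Reference and URI.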


