[xmlsec] unable to dereference URI

Jeffrey Jin (jefjin) jefjin at cisco.com
Thu Aug 1 18:21:36 PDT 2013


Hi Aleksey,

Sorry, I have to bother you again.
If we change
expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308')) to
expr=xpointer(//*[@ID='s29c0153b613859ac1c788536d2a924d65e643b308']), I
think it should be okay.
So, could we change the xmlsec source code to achieve this? And could you
tell us in which file or place to make this change?

-Jeffrey

On 8/1/13 3:28 PM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:

>Hi Aleksey,
>
>I found something:
>failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>refers to the element in the target document, with the id value of
>"s29c0153b613859ac1c788536d2a924d65e643b308".
>
> But my saml response:
><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>ID="s29c0153b613859ac1c788536d2a924d65e643b308"
>IssueInstant="2013-07-30T09:57:48Z" Version="2.0">. It's a capital ID.
>
>If I change ID to id in assertion element then add
><!DOCTYPE test [
><!ATTLIST saml:Assertion id ID #IMPLIED>
>]>
>
>It seems this error is gone. But I actually modify the saml response, which
>will lead verification to fail.
>So do you have any idea on this? Thanks in advance.
>
>-Jeffrey
>
>
>
>On 8/1/13 10:28 AM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:
>
>>Anyway, thanks again. Let me check if there is another way to solve it!
>>
>>On 8/1/13 9:59 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>
>>>Well, it means that I failed to explain what needs to be done in my
>>>first email and I don't have any other ideas how to do it.
>>>
>>>Aleksey
>>>
>>>On 7/31/13 6:57 PM, Jeffrey Jin (jefjin) wrote:
>>>> You mean xmlsec can't work in URI case?
>>>> 
>>>> On 8/1/13 9:43 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>> 
>>>>> I am sorry but you need to read the XML DTD spec and XMLDsig spec as well.
>>>>> Unfortunately, this is required reading if you want to use the xmlsec
>>>>> library.
>>>>>
>>>>>
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
>>>>>> Hi Aleksey,
>>>>>>
>>>>>> Thanks for your quick reply. You mean I need to change the attribute URI
>>>>>> to ID? Like this:
>>>>>> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>>
>>>>>> If my understanding is correct, there are two issues coming:
>>>>>> 1) it's a saml response from ci; I need to change the URI to ID when I
>>>>>> receive the response
>>>>>> 2) when I change URI to ID, yes, the below error is gone, but I got this
>>>>>> error:
>>>>>>
>>>>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>>>>>> RESULT: Signature is INVALID
>>>>>>
>>>>>> I can make sure I use the correct public key to verify; it should be
>>>>>> VALID. I'm worried about whether changing URI to ID has a problem. I
>>>>>> checked the URI type in anyURI on http://www.w3.org/2000/09/xmldsig# and
>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a node-set
>>>>>> containing the element with ID attribute value
>>>>>> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
>>>>>> containing the signature. XML Signature (and its applications) modify
>>>>>> this node-set to include the element plus all descendants including
>>>>>> namespaces and attributes -- but not comments.
>>>>>>
>>>>>> -Jeffrey
>>>>>>
>>>>>> On 8/1/13 2:00 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>>>
>>>>>>> You need to define the ID attribute for the element where it is
>>>>>>> specified, not for the Reference element where it is used
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>>>>>>>> Hi xmlsec team,
>>>>>>>>
>>>>>>>> I use the xmlsec library to verify whether a signature is correct. But
>>>>>>>> when the saml response includes "<ds:Reference
>>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>>>> I got the error:
>>>>>>>>
>>>>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>>>>>>>
>>>>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>>>
>>>>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>>>
>>>>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>>>>>>
>>>>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>>>>>>
>>>>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>>>>>>
>>>>>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>>>>>>
>>>>>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>>>>>>
>>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>>>>>>
>>>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>>>>> Error: signature verification failed
>>>>>>>>
>>>>>>>>
>>>>>>>> I found the answer of similar issue from
>>>>>>>> http://www.aleksey.com/xmlsec/faq.html
>>>>>>>>
>>>>>>>> So I add the DTD:
>>>>>>>>
>>>>>>>> <!DOCTYPE test [
>>>>>>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>>>>>>>> ]>
>>>>>>>>
>>>>>>>> But it doesn't work. Can someone help me out?
>>>>>>>>
>>>>>>>> Thanks in advance.
>>>>>>>>
>>>>>>>>
>>>>>>>> -Jeffrey
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> xmlsec mailing list
>>>>>>>> xmlsec at aleksey.com
>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>>
>>>>>>
>>>> 
>>
>
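An added example, not from this thread or the xmlsec project, of the fix Aleksey is pointing at: the ID attribute on saml:Assertion (where the ID is specified) is registered as an XML ID with the xmlsec1 --id-attr option, which is what lets the Reference URI="#..." be dereferenced; a plain //*[@ID='...'] XPath would drop the uniqueness guarantee of an ID-typed attribute, so registering the attribute is the supported route. The script assumes xmlsec1 and openssl are on PATH; the key, assertion and ID value are constructed for the demo, and the key name demo-key and directory paths are assumptions.

```shell
# Added example (not from the thread or the xmlsec project); all values constructed.
# Assumes xmlsec1 and openssl are on PATH.
set -e
command -v xmlsec1 >/dev/null 2>&1 || { echo "xmlsec1 not installed; skipping"; exit 0; }
WORK=$(mktemp -d)
SAML_NS=urn:oasis:names:tc:SAML:2.0:assertion
ASSERTION_ID=_demo-assertion-0001   # constructed sample ID value
# Throwaway key pair for the demo only.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
# Unsigned assertion with a signature template: ID on saml:Assertion and the
# matching Reference URI="#...", as in the thread.
cat > "$WORK/template.xml" <<EOF
<saml:Assertion xmlns:saml="$SAML_NS" ID="$ASSERTION_ID" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#$ASSERTION_ID">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo><ds:KeyName>demo-key</ds:KeyName></ds:KeyInfo>
  </ds:Signature>
</saml:Assertion>
EOF
# Sign. --id-attr:ID <ns>:Assertion declares ID on saml:Assertion as an XML ID,
# which is what lets xmlsec resolve xpointer(id('...')) for the Reference.
xmlsec1 --sign --id-attr:ID "$SAML_NS:Assertion" --privkey-pem:demo-key "$WORK/key.pem" \
  --output "$WORK/signed.xml" "$WORK/template.xml" >/dev/null 2>&1
# Correct verification: exit status 0 for a valid signature.
verify_with_id_attr() {
  xmlsec1 --verify --id-attr:ID "$SAML_NS:Assertion" --pubkey-pem:demo-key \
    "$WORK/pub.pem" "$WORK/signed.xml" >/dev/null 2>&1
}
# Same file with no ID registration: xmlsec cannot dereference URI="#..." and
# exits non-zero (the xpointer(id(...)) failure quoted in the thread).
verify_without_id_attr() {
  xmlsec1 --verify --pubkey-pem:demo-key "$WORK/pub.pem" "$WORK/signed.xml" >/dev/null 2>&1
}
```

For a full SAML Response carrying both a Response and an Assertion signature, add --node-xpath to pick the Signature element you mean to verify, since xmlsec1 otherwise takes the first one it finds.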


