[xmlsec] unable to dereference URI

Aleksey Sanin aleksey at aleksey.com
Thu Aug 1 18:39:02 PDT 2013


You don't need to make this change. What you need to do is to set up a
correct DTD to tell XML where your ID attribute is.

Aleksey

On 8/1/13 6:21 PM, Jeffrey Jin (jefjin) wrote:
> Hi Aleksey,
> 
> Sorry, I have to bother you again.
> If we change
> expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308')) to
> expr=xpointer(//*[@ID='s29c0153b613859ac1c788536d2a924d65e643b308']) I
> think it should be okay.
> So, could we change the xmlsec source code to achieve this? And could you
> tell us which file or place to make these changes in?
> 
> -Jeffrey
> 
> On 8/1/13 3:28 PM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:
> 
>> Hi Aleksey,
>>
>> I found something:
>> failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>> refers to the element in the target document with the id value of
>> "s29c0153b613859ac1c788536d2a924d65e643b308".
>>
>> But my SAML response has:
>> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>> ID="s29c0153b613859ac1c788536d2a924d65e643b308"
>> IssueInstant="2013-07-30T09:57:48Z" Version="2.0">. It's a capital ID.
>>
>> If I change ID to id in the Assertion element and then add
>> <!DOCTYPE test [
>> <!ATTLIST saml:Assertion id ID #IMPLIED>
>> ]>
>>
>> this error no longer appears. But since I actually modified the SAML
>> response, it will lead to verification failing.
>> So do you have any idea on this? Thanks in advance.
>>
>> -Jeffrey
>>
>>
>>
>> On 8/1/13 10:28 AM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:
>>
>>> Anyway, thanks again. Let me check if there is another way to solve it!
>>>
>>> On 8/1/13 9:59 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>
>>>> Well, it means that I failed to explain what needs to be done in my
>>>> first email and I don't have any other ideas how to do it.
>>>>
>>>> Aleksey
>>>>
>>>> On 7/31/13 6:57 PM, Jeffrey Jin (jefjin) wrote:
>>>>> You mean xmlsec can't work in the URI case?
>>>>>
>>>>> On 8/1/13 9:43 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>>
>>>>>> I am sorry but you need to read XML DTD spec and XMLDsig spec as
>>>>>> well.
>>>>>> Unfortunately, this is required reading if you want to use xmlsec
>>>>>> library.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
>>>>>>> Hi Aleksey,
>>>>>>>
>>>>>>> Thanks for your quick reply. You mean I need to change attribute URI
>>>>>>> to ID? Like this:
>>>>>>> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>>>
>>>>>>> If my understanding is correct, there are two issues:
>>>>>>> 1) it's a SAML response from ci; I need to change the URI to ID when I
>>>>>>> receive the response
>>>>>>> 2) when I change URI to ID, yes, the error below is gone, but I get this
>>>>>>> error:
>>>>>>>
>>>>>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>>>>>>> RESULT: Signature is INVALID
>>>>>>>
>>>>>>> I can make sure I use the correct public key to verify; it should be
>>>>>>> VALID. I'm worried about whether changing URI to ID causes a problem. I
>>>>>>> checked the URI type (anyURI) on http://www.w3.org/2000/09/xmldsig# and
>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a node-set
>>>>>>> containing the element with ID attribute value
>>>>>>> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
>>>>>>> containing the signature. XML Signature (and its applications) modify
>>>>>>> this node-set to include the element plus all descendants including
>>>>>>> namespaces and attributes -- but not comments.
>>>>>>>
>>>>>>> -Jeffrey
>>>>>>>
>>>>>>> On 8/1/13 2:00 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>>>>
>>>>>>>> You need to define the ID attribute on the element where it is
>>>>>>>> specified, not on the Reference element where it is used
>>>>>>>>
>>>>>>>> Aleksey
>>>>>>>>
>>>>>>>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>>>>>>>>> Hi xmlsec team,
>>>>>>>>>
>>>>>>>>> I use the xmlsec library to verify whether a signature is correct. But
>>>>>>>>> when the SAML response includes "<ds:Reference
>>>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>>>>> I got the error:
>>>>>>>>>
>>>>>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>>>>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>>>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>>>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>>>>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>>>>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>>>>>> Error: signature verification failed
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I found the answer to a similar issue at
>>>>>>>>> http://www.aleksey.com/xmlsec/faq.html
>>>>>>>>>
>>>>>>>>> So I added the DTD:
>>>>>>>>>
>>>>>>>>> <!DOCTYPE test [
>>>>>>>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>>>>>>>>> ]>
>>>>>>>>>
>>>>>>>>> But it doesn't work. Can someone help me out?
>>>>>>>>>
>>>>>>>>> Thanks in advance.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -Jeffrey
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> xmlsec mailing list
>>>>>>>>> xmlsec at aleksey.com
>>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>>>
>>>>>>>
>>>>>
>>>
>>
> 
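
The problem worked through in this thread, as an added example that is not part of the original mail or of xmlsec: a Python script using lxml (libxml2, the same XML engine xmlsec sits on) to mimic how a <ds:Reference URI="#..."> is dereferenced with xpointer(id('...')) and then digested. It runs each attempt made above (no DTD; an ATTLIST on ds:Reference URI; an ATTLIST declaring a lowercase id while the document carries ID; renaming ID to id inside the assertion; the correct ATTLIST on saml:Assertion ID) and shows that only the last one both resolves the reference and leaves the digest unchanged. The SAML response, the IdP hostname and the PLACEHOLDER digest and signature values are constructed for the example; the assertion ID is the one from the thread.

```python
"""Reproduce xmlsec's "unable to dereference URI" failure from this thread and
the DTD fix, using lxml (libxml2, the XML engine xmlsec itself sits on).
Added example, not xmlsec project code; the SAML response is constructed and
trimmed, with placeholder DigestValue/SignatureValue. Requires lxml."""
import copy
import hashlib

from lxml import etree

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION_ID = "s29c0153b613859ac1c788536d2a924d65e643b308"  # the ID from the thread

# Constructed sample: enveloped signature whose Reference points at the
# assertion's capital-letter ID attribute, as in Jeffrey's response.
SAML_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <saml:Assertion xmlns:saml="{SAML_NS}" ID="{ASSERTION_ID}" IssueInstant="2013-07-30T09:57:48Z" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature xmlns:ds="{DSIG_NS}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#{ASSERTION_ID}">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
""".encode()

# Jeffrey's workaround: rename the attribute inside the signed content.
RENAMED_RESPONSE = SAML_RESPONSE.replace(
    f'ID="{ASSERTION_ID}"'.encode(), f'id="{ASSERTION_ID}"'.encode(), 1)


def declare_id_attribute(xml_bytes, element_qname, attr_name):
    """Prepend an internal DTD subset marking attr_name on element_qname as an ID
    (the xmlsec FAQ recipe). DTDs are not namespace-aware, so element_qname must
    be the literal prefixed name used in the document, e.g. saml:Assertion.
    Nothing inside the root element changes, so the signed bytes stay intact."""
    root = etree.fromstring(xml_bytes)
    local = etree.QName(root).localname
    doctype = (f"<!DOCTYPE {root.prefix + ':' if root.prefix else ''}{local} [\n"
               f"<!ATTLIST {element_qname} {attr_name} ID #IMPLIED>\n]>\n").encode()
    cut = xml_bytes.index(b"?>") + 2 if xml_bytes.startswith(b"<?xml") else 0
    return xml_bytes[:cut] + b"\n" + doctype + xml_bytes[cut:].lstrip()


def resolve_reference(xml_bytes, uri):
    """Dereference a same-document Reference URI="#..." the way xmlsec does, via
    xpointer(id('...')). libxml2 answers id() only for attributes it registered
    as IDs while parsing: xml:id, or an attribute the DTD declares as type ID."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    hits = etree.fromstring(xml_bytes).xpath("id($ref)", ref=uri[1:])
    return hits[0] if hits else None


def _transformed_digest(element):
    """SHA-1 after the two transforms the sample Reference lists: enveloped-signature
    (drop ds:Signature but keep surrounding text) and exclusive C14N."""
    node = copy.deepcopy(element)
    etree.strip_elements(node, f"{{{DSIG_NS}}}Signature", with_tail=False)
    c14n = etree.tostring(node, method="c14n", exclusive=True, with_comments=False)
    return hashlib.sha1(c14n).hexdigest()


def reference_digest(xml_bytes, uri):
    """Digest a verifier compares with DigestValue; None when the URI cannot be
    dereferenced, which is where xmlsec stops with the error in the thread."""
    target = resolve_reference(xml_bytes, uri)
    return None if target is None else _transformed_digest(target)


def signed_digest(xml_bytes, assertion_id):
    """Digest the IdP computed over the original assertion, located with the
    plain predicate //*[@ID=...] so that no DTD is needed to find it."""
    doc = etree.fromstring(xml_bytes)
    return _transformed_digest(doc.xpath("//*[@ID=$i]", i=assertion_id)[0])


if __name__ == "__main__":
    ref, expected = "#" + ASSERTION_ID, signed_digest(SAML_RESPONSE, ASSERTION_ID)
    cases = {
        "no DTD (the thread's error)": SAML_RESPONSE,
        "ATTLIST ds:Reference URI (first attempt)": declare_id_attribute(SAML_RESPONSE, "ds:Reference", "URI"),
        "ATTLIST saml:Assertion id, document says ID": declare_id_attribute(SAML_RESPONSE, "saml:Assertion", "id"),
        "ID renamed to id plus ATTLIST id": declare_id_attribute(RENAMED_RESPONSE, "saml:Assertion", "id"),
        "ATTLIST saml:Assertion ID (the fix)": declare_id_attribute(SAML_RESPONSE, "saml:Assertion", "ID"),
    }
    for label, doc in cases.items():
        digest = reference_digest(doc, ref)
        print(f"{label:45s}", "cannot dereference URI" if digest is None
              else "digest matches" if digest == expected else "data and digest do not match")
```

Run it with python3 and lxml installed; the first three cases cannot dereference the URI, the renamed assertion dereferences but its digest no longer matches what the IdP signed (the "data and digest do not match" error above), and only the ATTLIST on saml:Assertion ID gives a matching digest. Note that the DTD match is on the literal prefixed element name saml:Assertion and the literal attribute name, which is why the lowercase id declaration did nothing for a document that carries ID. With xmlsec itself the declaration can be supplied without editing the response: the xmlsec1 command-line tool accepts --dtd-file <file>, or the --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion option described in the FAQ linked in the thread, and C code can call xmlSecAddIDs() on the parsed document before xmlSecDSigCtxVerify().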

