[xmlsec] unable to dereference URI

Jeffrey Jin (jefjin) jefjin at cisco.com
Thu Aug 1 20:23:04 PDT 2013


Thanks Aleksey, when I add the correct DTD, it works fine. And xmlsec is a
very good library.

-Jeffrey

On 8/2/13 9:39 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:

>You don't need to make this change. What you need to do is to set up a
>correct DTD to tell XML where your ID attribute is.
>
>Aleksey
>
>On 8/1/13 6:21 PM, Jeffrey Jin (jefjin) wrote:
>> Hi Aleksey,
>> 
>> Sorry, I have to bother you again.
>> If we change 
>> expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308')) to
>> expr=xpointer(//*[@ID='s29c0153b613859ac1c788536d2a924d65e643b308']) I
>> think it should be okay.
>> So, could we change the xmlsec source code to achieve this? And could you
>> tell us which file or place to change?
>> 
>> -Jeffrey
>> 
>> On 8/1/13 3:28 PM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:
>> 
>>> Hi Aleksey,
>>>
>>> I found something:
>>> failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>> refers to the element in the target document, with the id value of
>>> "s29c0153b613859ac1c788536d2a924d65e643b308".
>>>
>>> But my saml response :
>>> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>> ID="s29c0153b613859ac1c788536d2a924d65e643b308"
>>> IssueInstant="2013-07-30T09:57:48Z" Version="2.0">. It's a capital ID.
>>>
>>> If I change ID to id in assertion element then add
>>> <!DOCTYPE test [
>>> <!ATTLIST saml:Assertion id ID #IMPLIED>
>>> ]>
>>>
>>> It seems there is no longer this error. But I actually modify the saml
>>> response, it will lead to verification failing.
>>> So do you have any idea on this? Thanks in advance.
>>>
>>> -Jeffrey
>>>
>>>
>>>
>>> On 8/1/13 10:28 AM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:
>>>
>>>> Anyway, thanks again. Let me check if there is another way to solve it!
>>>>
>>>> On 8/1/13 9:59 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>
>>>>> Well, it means that I failed to explain what needs to be done in my
>>>>> first email and I don't have any other ideas how to do it.
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 7/31/13 6:57 PM, Jeffrey Jin (jefjin) wrote:
>>>>>> You mean xmlsec can't work in URI case?
>>>>>>
>>>>>> On 8/1/13 9:43 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>>>
>>>>>>> I am sorry but you need to read XML DTD spec and XMLDsig spec as
>>>>>>> well.
>>>>>>> Unfortunately, this is required reading if you want to use xmlsec
>>>>>>> library.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
>>>>>>>> Hi Aleksey,
>>>>>>>>
>>>>>>>> Thanks for your quick reply. You mean I need to change attribute
>>>>>>>> URI to ID? Like this:
>>>>>>>> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>>>>
>>>>>>>> If my understanding is correct, there are two issues coming:
>>>>>>>> 1) it's saml response from ci, I need to change the URI to ID when I
>>>>>>>> receive the response
>>>>>>>> 2) when I change URI to ID, yes, below error is gone, but I got
>>>>>>>> error:
>>>>>>>>
>>>>>>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>>>>>>>> RESULT: Signature is INVALID
>>>>>>>>
>>>>>>>> I can make sure I use the correct public key to verify, it should be
>>>>>>>> VALID. I'm worried about whether changing URI to ID has a problem. I
>>>>>>>> checked the URI type in anyURI on http://www.w3.org/2000/09/xmldsig# and
>>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a
>>>>>>>> node-set containing the element with ID attribute value
>>>>>>>> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
>>>>>>>> containing the signature. XML Signature (and its applications) modify
>>>>>>>> this node-set to include the element plus all descendants including
>>>>>>>> namespaces and attributes -- but not comments.
>>>>>>>>
>>>>>>>> -Jeffrey
>>>>>>>>
>>>>>>>> On 8/1/13 2:00 AM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>>>>>
>>>>>>>>> You need to define the ID attribute on the element where it is
>>>>>>>>> specified, not on the Reference element where it is used
>>>>>>>>>
>>>>>>>>> Aleksey
>>>>>>>>>
>>>>>>>>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>>>>>>>>>> Hi xmlsec team,
>>>>>>>>>>
>>>>>>>>>> I use the xmlsec library to verify whether the signature is correct.
>>>>>>>>>> But when the saml response includes "<ds:Reference
>>>>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>>>>>> I got the error:
>>>>>>>>>>
>>>>>>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>>>>>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>>>>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>>>>>>> Error: signature verification failed
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I found the answer of similar issue from
>>>>>>>>>> http://www.aleksey.com/xmlsec/faq.html
>>>>>>>>>>
>>>>>>>>>> So I add the DTD:
>>>>>>>>>>
>>>>>>>>>> <!DOCTYPE test [
>>>>>>>>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>>>>>>>>>> ]>
>>>>>>>>>>
>>>>>>>>>> But it doesn't work. Can someone help me out?
>>>>>>>>>>
>>>>>>>>>> Thanks in advance.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -Jeffrey
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> xmlsec mailing list
>>>>>>>>>> xmlsec at aleksey.com
>>>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>>>
>> 
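The fix Aleksey describes, as an added example that is not part of the thread or of the xmlsec project: Python's stdlib DOM stands in for libxml2, and setIdAttribute() plays the part of the DTD ATTLIST declaration (xmlsec itself registers ID attributes with xmlSecAddIDs() or the xmlsec1 --id-attr option). The SAML document is constructed from the fragments quoted in the thread, with a ds:Signature skeleton added for illustration.

```python
from xml.dom import minidom

# Constructed sample in the shape quoted in the thread: Assertion with an ID
# attribute and a ds:Reference whose URI points at it (skeleton Signature).
SAML_RESPONSE = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="s29c0153b613859ac1c788536d2a924d65e643b308"
                  IssueInstant="2013-07-30T09:57:48Z" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#s29c0153b613859ac1c788536d2a924d65e643b308"/>
      </ds:SignedInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def declare_id_attribute(doc, namespace, local_name, attr_name):
    """Type attr_name as an ID on every {namespace}local_name element.

    Programmatic counterpart of <!ATTLIST saml:Assertion ID ID #IMPLIED>:
    the document text is untouched, so the signed digests still match.
    """
    count = 0
    for elem in doc.getElementsByTagNameNS(namespace, local_name):
        if elem.hasAttribute(attr_name):
            elem.setIdAttribute(attr_name)  # what xmlSecAddIDs() does in xmlsec
            count += 1
    return count


def dereference(doc, reference_uri):
    """Resolve a same-document URI="#id" the way xpointer(id('id')) does.

    Returns the matched element's tag name, or None when the parser does
    not know the attribute is an ID: the 'unable to dereference URI' case.
    """
    if not reference_uri.startswith("#"):
        raise ValueError("only same-document '#id' references are handled")
    elem = doc.getElementById(reference_uri[1:])
    return None if elem is None else elem.tagName


def resolve(xml_text, reference_uri, declare_ids=True):
    """Parse, optionally declare the ID attribute, then dereference."""
    doc = minidom.parseString(xml_text)
    if declare_ids:
        declare_id_attribute(doc, SAML_NS, "Assertion", "ID")
    return dereference(doc, reference_uri)
```

Without the declaration the lookup returns None, which is the same condition behind the xmlsec error above; with it the reference resolves to saml:Assertion and nothing in the signed content had to be edited.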


