[xmlsec] Problem with xml namespace

sébastien spilmann sspilmann at webxy.com
Sun Feb 16 23:37:31 PST 2014


Hello,

Sorry for that. Here is the full XML.
I add the DTD after the process of signing. Can this fail the
verification? Is there a function or a property which can do the same
thing without altering the XML?


Sébastien


2014-02-15 20:29 GMT+01:00 Aleksey Sanin <aleksey at aleksey.com>:

> You didn't show the most interesting part - the ds:KeyInfo node
>
> Aleksey
>
> On 2/14/14, 9:19 AM, sébastien spilmann wrote:
> > Hello,
> >
> > I have a problem verifying a signature and that seems to be caused by a
> > namespace.
> >
> > My XML is something like this:
> > <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
> > Destination="https://www.concursolutions.com/SAMLRedirector/ClientSAMLLogin.aspx"
> > ID="_fe9537697781d3b3539fd23e4c027e4e5150"
> > IssueInstant="2013-07-23T18:44:40Z" Version="2.0">
> >     <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
> > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.alcatel-lucent.com/wps/portal</ns1:Issuer>
> >     <Status>
> >         <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> >     </Status>
> >     <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
> > ID="_ce339b73d43307de102c421fddef59aaa8c4"
> > IssueInstant="2013-07-23T18:44:40Z" Version="2.0">
> >         <ns2:Issuer
> > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.alcatel-lucent.com/wps/portal</ns2:Issuer><ds:Signature
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > <ds:SignedInfo>
> > <ds:CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > <ds:Reference URI="#_ce339b73d43307de102c421fddef59aaa8c4">
> > <ds:Transforms>
> > <ds:Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> > <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > </ds:Transforms>
> > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > <ds:DigestValue>avA6FiiMVjEe3rPNfuwXBt+FH6c=</ds:DigestValue>
> > </ds:Reference>
> > </ds:SignedInfo>
> > <ds:SignatureValue>
> > DlWzq6dS+FlGO6HYc0uBRhJ6nRQ2aIE/UP0vnM2MENOvR/n8/xEAz0QjPAEKxjfCd1R1XU+B6uKw
> > 1XKT0Ku8jFNms6FwesDhabUvY6Nt9iLTabNynF33O9YGVxYELNwnKKFBS1Oj2aKbQ3Z5CyAH0xwc
> > KH6ht7ppL9OD3CX65Sk=
> > </ds:SignatureValue>
> > <ds:KeyInfo>
> > <ds:X509Data>
> > ....
> >
> > If I try to verify, I have the error:
> >
> > "func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:"
> >
> > If I change all the ns1 and ns2 namespaces to the ds namespace, the verify
> > function works but the digest is not correct.
> >
> > How could I make my code work with ns1 and ns2?
> >
> > Sébastien
> >
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
> >
>
-------------- next part --------------
<!DOCTYPE test [
<!ATTLIST ns2:Assertion ID ID #IMPLIED>
]>
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.concursolutions.com/SAMLRedirector/ClientSAMLLogin.aspx" ID="_fe9537697781d3b3539fd23e4c027e4e5150" IssueInstant="2013-07-23T18:44:40Z" Version="2.0">
    <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.alcatel-lucent.com/wps/portal</ns1:Issuer>
    <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </Status>
    <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ce339b73d43307de102c421fddef59aaa8c4" IssueInstant="2013-07-23T18:44:40Z" Version="2.0">
        <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.alcatel-lucent.com/wps/portal</ns2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_ce339b73d43307de102c421fddef59aaa8c4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>avA6FiiMVjEe3rPNfuwXBt+FH6c=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
DlWzq6dS+FlGO6HYc0uBRhJ6nRQ2aIE/UP0vnM2MENOvR/n8/xEAz0QjPAEKxjfCd1R1XU+B6uKw
1XKT0Ku8jFNms6FwesDhabUvY6Nt9iLTabNynF33O9YGVxYELNwnKKFBS1Oj2aKbQ3Z5CyAH0xwc
KH6ht7ppL9OD3CX65Sk=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
        <ns2:Subject>
            <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">PA0011017 at alcatel-lucent.com</ns2:NameID>
            <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <ns2:SubjectConfirmationData NotOnOrAfter="2013-07-23T18:46:10Z" Recipient="https://www.concursolutions.com/SAMLRedirector/ClientSAMLLogin.aspx"/>
            </ns2:SubjectConfirmation>
        </ns2:Subject>
        <ns2:Conditions NotBefore="2013-07-23T18:44:10Z" NotOnOrAfter="2013-07-23T18:46:10Z">
            <ns2:AudienceRestriction>
                <ns2:Audience>concursolutions.com</ns2:Audience>
            </ns2:AudienceRestriction>
        </ns2:Conditions>
        <ns2:AuthnStatement AuthnInstant="2013-07-23T18:44:38Z" SessionIndex="BN/1lOzYzV3kJGl0Ow3oYAoylvI=8JKUOA==" SessionNotOnOrAfter="2013-07-23T18:46:10Z">
            <ns2:AuthnContext>
                <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
            </ns2:AuthnContext>
        </ns2:AuthnStatement>
    </ns2:Assertion>
</Response>
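The question in the message above, whether the `#ID` reference can be made to resolve without appending a DTD to the signed XML, is what the following added example addresses. It is not code from the thread or from xmlsec. In xmlsec the equivalent step is `xmlSecAddIDs()` in the C API (or `--id-attr:ID` with the `xmlsec1` tool), which registers the ID attributes on the verifier's side so the signed document is never touched; the separate "key is not found" error comes from KeyInfo processing, which this example does not cover. The code below uses only the Python standard library, takes the attachment's Response (trimmed, DOCTYPE removed, certificate body elided) as constructed input, and checks the reference structure only, not the digest or the RSA signature:

```python
"""Resolve a same-document ds:Reference (URI="#...") for an enveloped SAML
signature from the verifier's own ID table instead of a DTD in the message.
Added example for this thread, not xmlsec code; structure checks only."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Which attributes are IDs, keyed by (namespace URI, local name). This plays
# the role of <!ATTLIST ns2:Assertion ID ID #IMPLIED> but stays on the
# verifier's side and is prefix-independent: a DTD matches "ns2:Assertion"
# literally, so an IdP that writes "saml:Assertion" would escape it.
ID_ATTRS = {
    (SAML, "Assertion"): "ID",
    (SAMLP, "Response"): "ID",
}

# Constructed input: the attachment's Response without its DOCTYPE, trimmed,
# with the X509Certificate body elided as the archive dropped it.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_fe9537697781d3b3539fd23e4c027e4e5150" Version="2.0">
  <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ce339b73d43307de102c421fddef59aaa8c4" Version="2.0">
    <ns2:Issuer>http://www.alcatel-lucent.com/wps/portal</ns2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_ce339b73d43307de102c421fddef59aaa8c4">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>avA6FiiMVjEe3rPNfuwXBt+FH6c=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>DlWzq6dS+FlGO6HYc0uBRhJ6nRQ2aIE/UP0vnM2MENOvR/n8/xEAz0QjPAEKxjfCd1R1XU+B6uKw1XKT0Ku8jFNms6FwesDhabUvY6Nt9iLTabNynF33O9YGVxYELNwnKKFBS1Oj2aKbQ3Z5CyAH0xwcKH6ht7ppL9OD3CX65Sk=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </ns2:Assertion>
</Response>"""


def parse_untrusted(text):
    """Parse a message we did not produce. A DOCTYPE is refused: the verifier
    supplies the ID table itself, so a DTD in the input can only redefine IDs."""
    if "<!DOCTYPE" in text:
        raise ValueError("DOCTYPE in untrusted SAML input refused")
    return ET.fromstring(text)


def register_ids(root, id_attrs=ID_ATTRS):
    """Map ID value -> element; two elements claiming one ID is an error, not first-wins."""
    ids = {}
    for el in root.iter():
        ns, local = el.tag[1:].split("}", 1) if el.tag.startswith("{") else ("", el.tag)
        attr = id_attrs.get((ns, local))
        value = el.get(attr) if attr else None
        if value is None:
            continue
        if value in ids:
            raise ValueError(f"duplicate ID {value!r}")
        ids[value] = el
    return ids


def signed_element(text):
    """Return the element the enveloped ds:Signature covers: one Reference, a
    same-document URI that resolves through the ID table, and the Signature
    sitting inside the referenced element (enveloped-signature needs that)."""
    root = parse_untrusted(text)
    ids = register_ids(root)
    parents = {child: parent for parent in root.iter() for child in parent}
    sig = root.find(f".//{{{DS}}}Signature")
    if sig is None:
        raise ValueError("no ds:Signature")
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        raise ValueError("expected exactly one ds:Reference")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    target = ids.get(uri[1:])
    if target is None:
        raise LookupError(f"{uri} does not resolve to a registered ID")
    node = parents.get(sig)
    while node is not None and node is not target:
        node = parents.get(node)
    if node is None:
        raise ValueError("Signature is not enveloped by the referenced element")
    return target


def check(text):
    """("ok", signed ID) or ("rejected", reason) for a candidate message."""
    try:
        return ("ok", signed_element(text).get("ID"))
    except (ValueError, LookupError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE))
    # Same message with the IdP's prefix renamed: a DTD keyed on "ns2:Assertion"
    # would stop declaring the ID, the namespace-keyed table still resolves it.
    renamed = SAMPLE_RESPONSE.replace("xmlns:ns2=", "xmlns:saml=").replace("ns2:", "saml:")
    print(check(renamed))
```

After the cryptographic verification succeeds, consume the element `signed_element()` returns rather than whatever `Assertion` a path lookup finds first: in a signature-wrapping attack the reference still resolves to the genuine, signed assertion while an unsigned one is placed where a naive parser looks. Rejecting duplicate IDs and refusing a DOCTYPE in the input close the two ways the sender could otherwise steer that resolution.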

