[xmlsec] Problem with xml namespace

Aleksey Sanin aleksey at aleksey.com
Mon Feb 17 17:30:35 PST 2014


Hm... this makes no sense. The error you get is that xmlsec can't find
the key. Changing namespaces should not impact it.

I've hacked the cert verification and I get success with the un-modified
file:

[aleksey at xmlsec]$ ./apps/xmlsec1 --verify ../Sample_assertion.txt
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Best

Aleksey

On 2/16/14, 11:37 PM, sébastien spilmann wrote:
> Hello,
> 
> Sorry for that. Here is the full XML.
> I add the DTD after the signing process. Can this make the
> verification fail? Is there a function or a property which can do the same
> thing without altering the XML?
> 
> 
> Sébastien
> 
> 
> 2014-02-15 20:29 GMT+01:00 Aleksey Sanin <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>>:
> 
>     You didn't show the most interesting part - the ds:KeyInfo node
> 
>     Aleksey
> 
>     On 2/14/14, 9:19 AM, sébastien spilmann wrote:
>     > Hello,
>     >
>     > I have a problem verifying a signature and that seems to be caused by
>     > the namespace.
>     >
>     > My XML is something like this:
>     > <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
>     > Destination="https://www.concursolutions.com/SAMLRedirector/ClientSAMLLogin.aspx"
>     > ID="_fe9537697781d3b3539fd23e4c027e4e5150"
>     > IssueInstant="2013-07-23T18:44:40Z" Version="2.0">
>     >     <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
>     > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.alcatel-lucent.com/wps/portal</ns1:Issuer>
>     >     <Status>
>     >         <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     >     </Status>
>     >     <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
>     > ID="_ce339b73d43307de102c421fddef59aaa8c4"
>     > IssueInstant="2013-07-23T18:44:40Z" Version="2.0">
>     >         <ns2:Issuer
>     > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.alcatel-lucent.com/wps/portal</ns2:Issuer><ds:Signature
>     > xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     > <ds:SignedInfo>
>     > <ds:CanonicalizationMethod
>     > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     > <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>     > <ds:Reference URI="#_ce339b73d43307de102c421fddef59aaa8c4">
>     > <ds:Transforms>
>     > <ds:Transform
>     > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>     > <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     > </ds:Transforms>
>     > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     > <ds:DigestValue>avA6FiiMVjEe3rPNfuwXBt+FH6c=</ds:DigestValue>
>     > </ds:Reference>
>     > </ds:SignedInfo>
>     > <ds:SignatureValue>
>     > DlWzq6dS+FlGO6HYc0uBRhJ6nRQ2aIE/UP0vnM2MENOvR/n8/xEAz0QjPAEKxjfCd1R1XU+B6uKw
>     > 1XKT0Ku8jFNms6FwesDhabUvY6Nt9iLTabNynF33O9YGVxYELNwnKKFBS1Oj2aKbQ3Z5CyAH0xwc
>     > KH6ht7ppL9OD3CX65Sk=
>     > </ds:SignatureValue>
>     > <ds:KeyInfo>
>     > <ds:X509Data>
>     > ....
>     >
>     > If I try to verify, I have the error:
>     >
>     > "func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:"
>     >
>     > If I change all ns1 and ns2 namespaces to the ds namespace, the verify
>     > function works but the digest is not correct.
>     >
>     > How can I make my code work with ns1 and ns2?
>     >
>     > Sébastien
>     >
>     >
> 
> 
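
An added illustration, not part of the original thread and not xmlsec code: why the recomputed digest stops matching once the prefixes inside the signed assertion are renamed, as reported in the quoted message. It uses Python's standard-library C14N 2.0 as a stand-in for the exclusive C14N named in the signature and `exclude_tags` as a stand-in for the enveloped-signature transform; the sample document and all its values are constructed, so the digests will not match the DigestValue quoted above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a cut-down assertion shaped like the one in the thread.
TEMPLATE = (
    '<{p}:Assertion xmlns:{p}="' + SAML_NS + '" ID="_constructed-id" Version="2.0">'
    '<{p}:Issuer>https://idp.example/</{p}:Issuer>'
    '<ds:Signature xmlns:ds="' + DS_NS + '">'
    '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    '</{p}:Assertion>'
)


def assertion(prefix):
    """Return the sample assertion using the given prefix for the SAML namespace."""
    return TEMPLATE.format(p=prefix)


def signed_bytes(xml_text, rewrite_prefixes=False):
    """Canonical bytes a Reference digest would cover, with ds:Signature dropped."""
    canon = ET.canonicalize(
        xml_text,
        exclude_tags=["{%s}Signature" % DS_NS],  # stand-in for enveloped-signature
        rewrite_prefixes=rewrite_prefixes,       # False: prefixes kept as written
    )
    return canon.encode("utf-8")


def digest_value(xml_text, rewrite_prefixes=False):
    """Base64 SHA-1 of the canonical bytes (the thread's DigestMethod is sha1)."""
    raw = hashlib.sha1(signed_bytes(xml_text, rewrite_prefixes)).digest()
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    for prefix in ("ns2", "saml"):
        doc = assertion(prefix)
        # Column 2 differs per prefix; column 3 (prefixes normalised) is identical.
        print(prefix, digest_value(doc), digest_value(doc, rewrite_prefixes=True))
```

The two documents are the same XML infoset, but the prefix is part of the canonical bytes, so signed content has to reach the verifier with its prefixes exactly as they were when it was signed.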

