[xmlsec] failing to verify ..

Yousuf Jawwad yjawwad at smartsignin.com
Wed Mar 19 04:57:35 PDT 2014


With --print-debug, here is the output:

Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: unknown
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000000
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: unknown
== URI: "#_9b281906-5626-4579-b506-6e1e344b5dd7"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=1)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #_9b281906-5626-4579-b506-6e1e344b5dd7
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
Error: failed to verify file "SAMLResponse.xml"

Is it a matter of key verification, or malformed XML? Because the same 
XML passes when using PHP.

> Yousuf Jawwad <mailto:yjawwad at smartsignin.com>
> 19 March 2014 1:31 pm
> When I run
>
> xmlsec1 --verify --pubkey-cert-pem my.cer '--id-attr:ID' 
> 'urn:oasis:names:tc:SAML:2.0' Response.xml
>
> the stacktrace given to me is
>
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 
> library function 
> failed:expr=xpointer(id('_9b281906-5626-4579-b506-6e1e344b5dd7'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec 
> library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec 
> library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec 
> library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec 
> library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec 
> library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec 
> library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec 
> library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec 
> library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec 
> library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file
>
> the xml in question is
>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="_9b281906-5626-4579-b506-6e1e344b5dd7" Version="2.0" 
> IssueInstant="2014-03-19T06:39:08.634Z"
>                 
> Destination="https://perfectcloudstaging.happyfox.com/staff/smartsignin/callback">
> <saml:Issuer 
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:54660/saml2/metadata/6118c9130de04f60b09616de43fa7d27</saml:Issuer>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#_9b281906-5626-4579-b506-6e1e344b5dd7">
> <Transforms>
> <Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" 
> PrefixList="#default samlp saml ds xs xsi"/>
> </Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>ZtZ7NdVHlkd0cHbI13ukQJyPwTE=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>Tjr3DtAMF50tsxPXB929T8KZgw1D0jW4ugD6c9EFe1prpyA1anKkuwfOzcrrrFoRTo3jZ4aplENgb03ZYUjve9Q3UNUlOQiP9XId2IblvMYvf75Q9jyAZ8L024d5TlkkMoGHEB//+l4FfUh8sMrVXfR7gY0VaZRzwdIEfXpx60hxDuiTVBV/dqpfg+nc95Z/OXiJUWHvYZGY126lse/gqFrHG8YukzBalZdUsDM0dykefNWe5Dr8Rpn6JqCNmnze4hA4bsFfEW1mk1B8AJGDirXg4sQlLOSJFmDG2RrShVUT1oY0XY/xSJDI0oMokKehWMyP7A5q77Zg6jfeDHRJeA==</SignatureValue>
> <KeyInfo>
> <X509Data>
> <X509Certificate>
> <!-- my cert -->
> </X509Certificate>
> </X509Data>
> </KeyInfo>
> </Signature>
> <samlp:Status>
> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> </samlp:Status>
> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
> Version="2.0" ID="_31d8f30a-4db0-4f8a-9542-e7becec31456" 
> IssueInstant="2014-03-19T06:39:08.634Z">
> <saml:Issuer>http://localhost:54660/saml2/metadata/6118c9130de04f60b09616de43fa7d27</saml:Issuer>
> <saml:Subject>
> <saml:NameID 
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">draizada at smartsignin.com</saml:NameID>
> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> <saml:SubjectConfirmationData NotOnOrAfter="2014-03-19T06:59:08.686Z" 
> Recipient="https://example.com/saml/"/>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Conditions NotBefore="2014-03-19T06:19:08.686Z" 
> NotOnOrAfter="2014-03-19T06:59:08.686Z"/>
> <saml:AttributeStatement>
> <saml:Attribute Name="email">
> <saml:AttributeValue>my email</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
> <saml:AttributeValue>User Name</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="LastName" 
> NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
> <saml:AttributeValue>User Name</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="EntityIdentifier" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> <saml:AttributeValue>8cc99e70-8a05-4fda-a0b8-ea0f24164b27</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AuthnStatement AuthnInstant="2014-03-19T06:39:08.686Z">
> <saml:AuthnContext>
> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
> </saml:AuthnContext>
> </saml:AuthnStatement>
> </saml:Assertion>
> </samlp:Response>
>
> I know from browsing the list that it has something to do with 
> "--id-attr:ID" but can't seem to figure it out.
>
> thanks for help
>
> //yousuf
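Added note and example (not part of the thread, and not xmlsec's code). The frame that fails in the quoted trace is xmlXPtrEval on xpointer(id('_9b281906-5626-4579-b506-6e1e344b5dd7')). libxml2's id() only finds attributes that have been declared to be of type ID, and a SAML response carries no DTD, so xmlsec1 has to be told which attributes are IDs and on which elements. Its --id-attr option takes `[:<attr>] [<namespace-uri>:]<node-name>`, so for the Response element posted above the registration is `--id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response` (and `--id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion` when the Assertion is signed as well). Keep the registration to the elements a signature is expected to cover: every element whose ID counts is one more place where an attacker can plant a duplicate ID and try to swap an unsigned Assertion for the signed one. The Python below (standard library only, run against a constructed, trimmed copy of the posted response with placeholder digest and signature values) models that registration and the lookup, and adds a check xmlsec1 does not make for you: the referenced ID must resolve to exactly one registered element.

```python
"""Same-document Reference resolution the way xmlsec1's --id-attr sets it up.

Added example for this thread; not code from xmlsec or from the poster.
Registration modelled here corresponds to:

    xmlsec1 --verify --pubkey-cert-pem my.cer \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion \
        Response.xml
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# One (namespace, element, attribute) triple per --id-attr flag above.
ID_ATTRS = frozenset({(SAMLP, "Response", "ID"), (SAML, "Assertion", "ID")})

# Constructed stand-in for the posted response, trimmed to what matters
# for ID resolution; digest and signature values are placeholders.
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_9b281906-5626-4579-b506-6e1e344b5dd7" Version="2.0">
  <Signature xmlns="{DS}"><SignedInfo>
    <Reference URI="#_9b281906-5626-4579-b506-6e1e344b5dd7">
      <DigestValue>placeholder</DigestValue></Reference>
  </SignedInfo><SignatureValue>placeholder</SignatureValue></Signature>
  <saml:Assertion ID="_31d8f30a-4db0-4f8a-9542-e7becec31456" Version="2.0">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed wrapping attempt: a second registered element reuses the
# Response's ID, so "which element was signed?" has two answers.
WRAPPED = SAMPLE.replace('ID="_31d8f30a-4db0-4f8a-9542-e7becec31456"',
                         'ID="_9b281906-5626-4579-b506-6e1e344b5dd7"')


def registered_ids(root, id_attrs=ID_ATTRS):
    """Map ID value -> elements carrying it, counting only the registered
    (namespace, element, attribute) triples, as xmlAddID does after --id-attr."""
    found = {}
    for el in root.iter():
        if not el.tag.startswith("{"):
            continue  # unnamespaced element: cannot match a SAML triple
        ns, _, local = el.tag[1:].partition("}")
        for rns, rlocal, attr in id_attrs:
            if (ns, local) == (rns, rlocal) and attr in el.attrib:
                found.setdefault(el.attrib[attr], []).append(el)
    return found


def resolve_reference(root, uri, id_attrs=ID_ATTRS):
    """Resolve '#id' to exactly one registered element.

    LookupError mirrors the posted xmlXPtrEval failure (ID not registered);
    ValueError is the added ambiguity check."""
    if not uri.startswith("#"):
        raise NotImplementedError("only same-document references are handled here")
    ident = uri[1:]
    matches = registered_ids(root, id_attrs).get(ident, [])
    if not matches:
        raise LookupError(f"xpointer(id('{ident}')) failed: ID attribute not registered on that element")
    if len(matches) > 1:
        raise ValueError(f"ID {ident} occurs {len(matches)} times; refusing ambiguous reference")
    return matches[0]


def signed_element(xml_text, id_attrs=ID_ATTRS):
    """(namespace, local name) of the element covered by the first ds:Reference."""
    root = ET.fromstring(xml_text)
    ref = root.find(f".//{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None:
        raise LookupError("no ds:Reference in document")
    target = resolve_reference(root, ref.get("URI", ""), id_attrs)
    ns, _, local = target.tag[1:].partition("}")
    return ns, local


def reference_status(xml_text, id_attrs=ID_ATTRS):
    """'resolved', 'unregistered' or 'ambiguous' for the first ds:Reference."""
    try:
        signed_element(xml_text, id_attrs)
        return "resolved"
    except LookupError:
        return "unregistered"
    except ValueError:
        return "ambiguous"


if __name__ == "__main__":
    print("Response and Assertion registered:", reference_status(SAMPLE))
    print("nothing registered (the posted trace):", reference_status(SAMPLE, frozenset()))
    print("only Assertion registered:", reference_status(SAMPLE, frozenset({(SAML, "Assertion", "ID")})))
    print("wrapped document, both registered:", reference_status(WRAPPED))
    print("wrapped document, only Response registered:",
          reference_status(WRAPPED, frozenset({(SAMLP, "Response", "ID")})))
```

The second and third cases are the two ways to get the posted failure: no registration at all, or a registration whose node name does not match the element that actually carries the referenced ID. The last two show why the registration should be narrow: with both element types registered the wrapped document is ambiguous, with only the signed Response registered it resolves cleanly.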