[xmlsec] xmlsec returns error when trying to validate SAML response
Artur Rychlewicz
artur513 at outlook.com
Tue Mar 1 08:57:29 PST 2016
Hello,
I've been trying to use xmlsec1 to validate a signed XML response containing SAML data.
When I execute:
xmlsec1 --verify test.xml
I receive the following stack trace:
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "test.xml"
I do not know how XML signatures work, but I presume that the ID was taken from the <saml2p:Response> tag, which contains an ID with the value "uuid-73c06e86-88d2-4204-91f4-3d484bc782cc". The <saml2p:Response> element contains a <ds:Signature> element, which in turn contains a <ds:Reference> with the parameter URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc".
Since I do not need this value/data, I'd like to check the signature of the <saml2:Assertion> element, which also contains its own <ds:Signature> value.
That said, I'd like to ask you for instructions on how to validate the element I need. Thank you in advance.
Best regards,
Artur Rychlewicz
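The trace above fails inside xpointer(id('...')): libxml2's id() function only finds attributes that are declared as type ID, and without a DTD a plain SAML "ID" attribute is not. xmlsec1 can be told which attributes to treat as IDs (--id-attr), and which Signature node to start from (--node-xpath). The following added example (not from Artur's message and not part of xmlsec) shows what the Reference URI lookup is doing, reproduces the "unresolved ID" failure mode, and builds the corresponding xmlsec1 invocation. The SAML document, its IDs and the idp.pem certificate path are constructed placeholders; the xmlsec1 options used are real command-line flags of the tool.

```python
import shlex
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample document: a Response and its Assertion each carry an
# enveloped signature whose Reference URI points back at the element's own
# ID attribute. IDs are made up; digest and signature values are placeholders.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="uuid-response-0001" Version="2.0" IssueInstant="2016-03-01T00:00:00Z">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#uuid-response-0001"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml2:Assertion ID="uuid-assertion-0002" Version="2.0" IssueInstant="2016-03-01T00:00:00Z">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#uuid-assertion-0002"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml2:Assertion>
</saml2p:Response>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}")[-1]


def signed_elements(xml_text, id_attr="ID"):
    """For every ds:Signature, resolve each Reference URI="#..." the way
    xpointer id() would once `id_attr` is registered as an ID attribute,
    and report whether the target is the Signature's own parent (i.e. an
    enveloped signature over that element). With the wrong attribute name
    (the default "id" xmlsec1 assumes) nothing resolves, which is the
    situation behind the xmlXPtrEval error in the trace."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    by_id = {el.get(id_attr): el for el in root.iter() if el.get(id_attr)}
    results = []
    for sig in root.iter(f"{{{NS['ds']}}}Signature"):
        for ref in sig.iter(f"{{{NS['ds']}}}Reference"):
            uri = ref.get("URI", "")
            target = by_id.get(uri[1:]) if uri.startswith("#") else None
            results.append({
                "uri": uri,
                "target": local_name(target.tag) if target is not None else None,
                "resolved": target is not None,
                "envelopes_parent": target is not None and target is parent.get(sig),
            })
    return results


def xmlsec1_verify_args(xml_path, cert_pem, target_id):
    """Argument list for xmlsec1 that (1) registers the SAML "ID" attribute
    on Response and Assertion so id() lookups succeed and (2) starts
    verification at the Signature directly under the element whose ID is
    `target_id`, instead of the first Signature found in the document."""
    return [
        "xmlsec1", "--verify",
        "--pubkey-cert-pem", cert_pem,                        # IdP signing cert (hypothetical path)
        "--id-attr:ID", f"{NS['samlp']}:Response",
        "--id-attr:ID", f"{NS['saml']}:Assertion",
        "--node-xpath", f"//*[@ID='{target_id}']/*[local-name()='Signature']",
        xml_path,
    ]


if __name__ == "__main__":
    for entry in signed_elements(SAMPLE_RESPONSE):
        print(entry)
    print(shlex.join(xmlsec1_verify_args("test.xml", "idp.pem", "uuid-assertion-0002")))
```

Running the block prints the two resolved references (Response and Assertion, each enveloped by its own signature) and the xmlsec1 command line to verify only the Assertion's signature. The "envelopes_parent" flag is the sanity check a verifier wants: the element the Reference points at should be the one that actually wraps the Signature, so a successful verification covers the data you intend to trust.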