[xmlsec] xmlsec returns error when trying to validate SAML response

Aleksey Sanin aleksey at aleksey.com
Thu Mar 3 08:56:55 PST 2016


This error indicates that OpenSSL can't establish the certificate
trust chain. You might want to add the necessary trusted certs.

Aleksey

On 3/3/16 2:34 AM, Artur Rychlewicz wrote:
> That solves the issue, there were unnecessary spaces indeed. At this
> point it's verifying, but I get an error "unable to get local issuer
> certificate". I'm fine with that, but if it could be eliminated, it would
> be even better.
> 
> All certificates are included in the SAML response (total of 4 certs) and
> yet the same error is printed for each of them.
> 
>> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
>> To: artur513 at outlook.com; xmlsec at aleksey.com
>> From: aleksey at aleksey.com
>> Date: Wed, 2 Mar 2016 09:44:09 -0800
>>
>> I would start from checking spaces/EOLs that might change the signature.
>>
>> Aleksey
>>
>> On 3/2/16 8:56 AM, Artur Rychlewicz wrote:
>> > But the data *is* correct. It is being validated by SimpleSamlPHP and
>> > allows the user (in this case, me) to log in.
>> >
>> >> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
>> >> To: artur513 at outlook.com; xmlsec at aleksey.com
>> >> From: aleksey at aleksey.com
>> >> Date: Wed, 2 Mar 2016 08:51:22 -0800
>> >>
>> >> As you can see from the error, the digest didn't match and the signature
>> >> was invalid.
>> >>
>> >> Aleksey
>> >>
>> >> On 3/2/16 8:27 AM, Artur Rychlewicz wrote:
>> >> > OK, that changes the output, but it is still not validating:
>> >> >
>> >> > func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=249:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>> >> >
>> >> > FAIL
>> >> >
>> >> > SignedInfo References (ok/all): 0/1
>> >> >
>> >> > Manifests References (ok/all): 0/0
>> >> >
>> >> > Error: failed to verify file "/tmp/test-new.xml"
>> >> >
>> >> >
>> >> > I have generated the SAML response a moment before invoking the command with
>> >> > the --id-attr that you provided, so the response itself was still valid (not
>> >> > obsolete).
>> >> >
>> >> > Artur
>> >> >
>> >> >> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
>> >> >> To: artur513 at outlook.com; xmlsec at aleksey.com
>> >> >> From: aleksey at aleksey.com
>> >> >> Date: Wed, 2 Mar 2016 07:58:51 -0800
>> >> >>
>> >> >> It should be
>> >> >>
>> >> >> --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response
>> >> >>
>> >> >> Aleksey
>> >> >>
>> >> >> On 3/2/16 1:24 AM, Artur Rychlewicz wrote:
>> >> >> > Yes, I have tried this, but it didn't help at all.
>> >> >> >
>> >> >> > Commands (judging from printed stack trace, they're equivalent):
>> >> >> > xmlsec1 --verify --id-attr:ID saml2p:Response test.xml
>> >> >> > xmlsec1 --verify test.xml
>> >> >> >
>> >> >> > XML file (trimmed, but you'll get the idea):
>> >> >> > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>> >> >> > ID="uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453">
>> >> >> > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> >> >> > <ds:SignedInfo>
>> >> >> > <ds:CanonicalizationMethod
>> >> >> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> >> >> > <ds:SignatureMethod
>> >> >> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>> >> >> > <ds:Reference URI="#uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453">
>> >> >> > <ds:Transforms>
>> >> >> > <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>> >> >> > <ds:Transform
>> >> >> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> >> >> > </ds:Transforms>
>> >> >> > <ds:DigestMethod
>> >> >> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>> >> >> >
>> >> >> > <ds:DigestValue>lAcsILQxRk4LvbSfREkypyI6gMc=</ds:DigestValue>
>> >> >> > </ds:Reference>
>> >> >> > </ds:SignedInfo>
>> >> >> > <ds:SignatureValue>gT/SeC..bjrQ==</ds:SignatureValue>
>> >> >> > <ds:KeyInfo>
>> >> >> > <ds:X509Data>
>> >> >> > <ds:X509Certificate>MII..A==</ds:X509Certificate>
>> >> >> > </ds:X509Data>
>> >> >> > ..
>> >> >> > </ds:KeyInfo>
>> >> >> > </ds:Signature>
>> >> >> >
>> >> >> > According to the FAQ, I should have declared the name of the ID element,
>> >> >> > but in my case it is "ID". And yet, it still displays the error.
>> >> >> > Following the FAQ, point 3.4 states that I am probably using Visa 3-D files, but
>> >> >> > again, that is not an option here.
>> >> >> >
>> >> >> > It's highly likely that I just do not understand *how* to use xmlsec1
>> >> >> > and am doing it plain wrong. That said, please take a look and check
>> >> >> > where I am wrong.
>> >> >> >
>> >> >> > Artur
>> >> >> >
>> >> >> >> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
>> >> >> >> To: artur513 at outlook.com; xmlsec at aleksey.com
>> >> >> >> From: aleksey at aleksey.com
>> >> >> >> Date: Tue, 1 Mar 2016 09:30:18 -0800
>> >> >> >>
>> >> >> >> FAQ, section 3.2 (if I recall correctly).
>> >> >> >>
>> >> >> >> Aleksey
>> >> >> >>
>> >> >> >> On 3/1/16 8:57 AM, Artur Rychlewicz wrote:
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > Hello,
>> >> >> >> >
>> >> >> >> > I've been trying to use xmlsec1 to validate a signed XML response
>> >> >> >> > containing SAML data.
>> >> >> >> >
>> >> >> >> > When I execute:
>> >> >> >> >
>> >> >> >> > xmlsec1 --verify test.xml
>> >> >> >> >
>> >> >> >> > I receive the following stack trace:
>> >> >> >> >
>> >> >> >> > func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc'))
>> >> >> >> > func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>> >> >> >> > func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>> >> >> >> > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>> >> >> >> > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>> >> >> >> > func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>> >> >> >> > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>> >> >> >> > func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>> >> >> >> > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>> >> >> >> > func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>> >> >> >> > Error: signature failed
>> >> >> >> > ERROR
>> >> >> >> > SignedInfo References (ok/all): 0/1
>> >> >> >> > Manifests References (ok/all): 0/0
>> >> >> >> > Error: failed to verify file "test.xml"
>> >> >> >> >
>> >> >> >> > I do not know how XML signatures work, but I presume that the ID was
>> >> >> >> > taken from the <saml2p:Response> tag which contains ID with value of
>> >> >> >> > "uuid-73c06e86-88d2-4204-91f4-3d484bc782cc". The <saml2p:Response> element
>> >> >> >> > contains a <ds:Signature> element which in turn contains <ds:Reference>
>> >> >> >> > with parameter URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc".
>> >> >> >> >
>> >> >> >> > Since I do not need this value/data, I'd like to check the signature of
>> >> >> >> > the <saml2:Assertion> element which also contains its own
>> >> >> >> > <ds:Signature> value.
>> >> >> >> >
>> >> >> >> > That said, I'd like to ask you for instructions on how to validate the
>> >> >> >> > element I need. Thank you in advance.
>> >> >> >> >
>> >> >> >> > Best regards,
>> >> >> >> > Artur Rychlewicz
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > _______________________________________________
>> >> >> >> > xmlsec mailing list
>> >> >> >> > xmlsec at aleksey.com
>> >> >> >> > http://www.aleksey.com/mailman/listinfo/xmlsec
>> >> >> >> >
>> >> >> >
>> >> >> >
>> >> >
>> >> >
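As an added example that is not part of the thread (the Response below is constructed, not Artur's file), this Python shows why the stray spaces Aleksey asked about break the digest while attribute order does not: the value in <ds:DigestValue> is computed over the canonicalized Response after the enveloped-signature transform. It uses the standard library's C14N 2.0 instead of the Exclusive C14N 1.0 the response declares, so the values will not equal xmlsec1's, only the behaviour is the same.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("ds", DS_NS)
ET.register_namespace("saml2p", SAML2P_NS)


def constructed_response(root_attrs: str) -> str:
    """Constructed stand-in for a signed SAML Response (placeholder values)."""
    return (
        f'<saml2p:Response xmlns:saml2p="{SAML2P_NS}" {root_attrs}>'
        f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo>'
        '<ds:Reference URI="#uuid-constructed-0001">'
        '<ds:DigestValue>PLACEHOLDER=</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>PLACEHOLDER==</ds:SignatureValue></ds:Signature>'
        '<saml2p:Status><saml2p:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>'
        '</saml2p:Response>'
    )


def reference_digest(xml_text: str) -> str:
    """Base64 SHA-1 digest of the Response after the enveloped-signature transform.

    Mirrors the <ds:Reference> transform chain in the thread: remove the
    enveloped <ds:Signature>, canonicalize, hash with SHA-1. C14N 2.0 from
    the stdlib stands in for Exclusive C14N 1.0 (assumption, values differ).
    """
    root = ET.fromstring(xml_text)
    for sig in root.findall(f"{{{DS_NS}}}Signature"):
        root.remove(sig)  # enveloped-signature transform
    canonical = ET.canonicalize(
        xml_data=ET.tostring(root, encoding="unicode"), strip_text=False
    )
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode()


def pretty_print(xml_text: str) -> str:
    """Re-indent the document the way an editor or copy-paste often does."""
    root = ET.fromstring(xml_text)
    ET.indent(root, space="  ")  # inserts whitespace text nodes (Python 3.9+)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    compact = constructed_response('ID="uuid-constructed-0001" Version="2.0"')
    reordered = constructed_response('Version="2.0" ID="uuid-constructed-0001"')
    print("attribute order changes digest:", reference_digest(compact) != reference_digest(reordered))
    print("re-indenting changes digest:", reference_digest(compact) != reference_digest(pretty_print(compact)))
```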

