[xmlsec] Verify XML signature with multiple KeyName
Aleksey Sanin
aleksey at aleksey.com
Fri Jun 29 08:36:45 PDT 2018
At the moment the XMLSec library only supports a single KeyName. Do you mind creating a GitHub issue? I will take a look at how easy or hard it is to add support for multiple KeyNames.
Thanks!
-- Aleksey
> On Jun 29, 2018, at 7:32 AM, Paolo Smiraglia <paolo.smiraglia at gmail.com> wrote:
>
> Hi guys, my name is Paolo.
>
> I'm trying to verify the signature of an SP (service provider) SAML
> metadata, which was signed with "samlsign" tool and using a
> certificate with two subjectAlternativeNames. Unfortunately, I receive
> the following error
>
> $ xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor sp-metadata.xml
> func=xmlSecKeyDataNameXmlRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=657:obj=key-name:subj=unknown:error=41:invalid key data:details=key name is already specified
> func=xmlSecKeyInfoNodeRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=117:obj=key-name:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=KeyName
> func=xmlSecKeysMngrGetKey:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keys.c:line=1230:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
> func=xmlSecDSigCtxProcessKeyInfoNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
> func=xmlSecDSigCtxProcessSignatureNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/0
> Manifests References (ok/all): 0/0
> Error: failed to verify file "sp-metadata.xml"
>
> The resulting signature is like the following
>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <ds:SignedInfo>
>     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>     <ds:Reference URI="#_y8rptnmmdz5fksiz2v955c3wt7ije506raog1w6s24f">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>       <ds:DigestValue>[...]</ds:DigestValue>
>     </ds:Reference>
>   </ds:SignedInfo>
>   <ds:SignatureValue>[...]</ds:SignatureValue>
>   <ds:KeyInfo>
>     <ds:KeyName>[alternative name 1]</ds:KeyName>
>     <ds:KeyName>[alternative name 2]</ds:KeyName>
>     <ds:X509Data>
>       <ds:X509SubjectName>[...]</ds:X509SubjectName>
>       <ds:X509Certificate>[...]</ds:X509Certificate>
>     </ds:X509Data>
>   </ds:KeyInfo>
> </ds:Signature>
>
> The error seems to be related to multiple <KeyName> tags nested within
> <KeyInfo>. Indeed, if I resign the same document with a certificate
> that has only one alternative name, the resulting signature has just
> one <KeyName> and xmlsec verifies correctly.
>
> On the other hand, if I try to verify the signed document with both samlsign
> and xmlsectool, everything goes well.
>
> Do you have something to suggest? Thanks!
>
> Bests,
>
> Paolo
>
> --
> PAOLO SMIRAGLIA
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
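A practical workaround while the library only reads one KeyName, as an added example for this thread (not xmlsec's own code and not anything Aleksey or Paolo posted). The point it relies on is visible in the signature quoted above: the single Reference carries the enveloped-signature transform, so the whole ds:Signature element, KeyInfo included, is removed before the digest is computed, and SignatureValue covers only SignedInfo. ds:KeyInfo is therefore not protected by the signature at all; its KeyName and X509Certificate children are unauthenticated hints, and a verifier must take the key from something it already trusts. That means the extra KeyName elements can be dropped without invalidating the signature, after which xmlsec1 can verify against the SP certificate held out of band. The script assumes Python 3.8+, a hypothetical `sp-cert.pem` containing the SP's trusted certificate, and a constructed sample document shaped like the metadata in the thread (the digest, signature value and certificate are placeholders, not real values).

```python
"""Drop the unsigned <ds:KeyName> hints that xmlsec1 1.2.24 rejects, prove the
signed parts are untouched, then verify with a key from a trusted certificate.

Added example for the thread, not xmlsec's own code. Assumes an enveloped
signature (KeyInfo outside the digested content) and a trusted SP certificate
at the hypothetical path sp-cert.pem.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
ET.register_namespace("ds", DS)
ET.register_namespace("md", MD)

# Constructed sample shaped like the SP metadata in the thread; DIGEST,
# SIGVALUE and CERT are placeholders, so this is not a verifiable signature.
SAMPLE = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_y8rptnmmdz5fksiz2v955c3wt7ije506raog1w6s24f" entityID="https://sp.example/shibboleth">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_y8rptnmmdz5fksiz2v955c3wt7ije506raog1w6s24f">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SIGVALUE</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>sp.example</ds:KeyName>
      <ds:KeyName>sp-alt.example</ds:KeyName>
      <ds:X509Data>
        <ds:X509SubjectName>CN=sp.example</ds:X509SubjectName>
        <ds:X509Certificate>CERT</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def strip_key_names(xml_bytes, keep_first=True):
    """Return (new_xml_bytes, removed_count).

    Only ds:KeyName children of ds:KeyInfo are touched, and only for
    signatures whose Reference uses the enveloped-signature transform;
    anything else is refused rather than silently edited.
    """
    root = ET.fromstring(xml_bytes)
    removed = 0
    for sig in root.iter(f"{{{DS}}}Signature"):
        transforms = [t.get("Algorithm") for t in sig.iter(f"{{{DS}}}Transform")]
        if ENVELOPED not in transforms:
            raise ValueError("signature is not enveloped; KeyInfo may be signed")
        for key_info in sig.findall(f"{{{DS}}}KeyInfo"):
            names = key_info.findall(f"{{{DS}}}KeyName")
            for name in (names[1:] if keep_first else names):
                key_info.remove(name)
                removed += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def signed_parts(xml_bytes):
    """The parts the signature actually covers: SignedInfo and SignatureValue."""
    sig = ET.fromstring(xml_bytes).find(f"{{{DS}}}Signature")
    return (ET.tostring(sig.find(f"{{{DS}}}SignedInfo")),
            sig.findtext(f"{{{DS}}}SignatureValue"))


def key_name_count(xml_bytes):
    return len(list(ET.fromstring(xml_bytes).iter(f"{{{DS}}}KeyName")))


def xmlsec1_verify_argv(path, sp_cert_pem):
    """xmlsec1 invocation that takes the key from a cert we trust, not from KeyInfo."""
    return ["xmlsec1", "--verify", "--id-attr:ID", f"{MD}:EntityDescriptor",
            "--pubkey-cert-pem", sp_cert_pem, path]


if __name__ == "__main__":
    stripped, n = strip_key_names(SAMPLE)
    assert signed_parts(SAMPLE) == signed_parts(stripped)
    print(f"removed {n} KeyName element(s); SignedInfo and SignatureValue unchanged")
    with open("sp-metadata.stripped.xml", "wb") as f:
        f.write(stripped)
    argv = xmlsec1_verify_argv("sp-metadata.stripped.xml", "sp-cert.pem")  # hypothetical cert path
    if shutil.which("xmlsec1"):
        subprocess.run(argv)
    else:
        print("xmlsec1 not on PATH; would run:", " ".join(argv))
```

Two checks are worth keeping when using this on real metadata. First, re-serialising through ElementTree changes attribute order, namespace declaration placement and self-closing tags and drops comments; exclusive C14N without comments normalises all of those, but a DOCTYPE or processing instruction inside the signed element would not survive, so confirm the run ends with `SignedInfo References (ok/all): 1/1` rather than the `0/0` in the thread. Second, `--pubkey-cert-pem` is what makes the verification meaningful: with KeyInfo unsigned, pointing xmlsec1 at the certificate embedded in X509Data would let anyone re-sign the metadata with a key of their choosing.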