[xmlsec] Problem verifying SAML response signature with xmlsec API

Elena Fedorov Elena.Fedorov at ca.ibm.com
Thu Nov 7 13:11:26 PST 2019 


Hello,
I've spent a few days trying to verify a signature in the SAML response.
If I run a command line xmlsec1 - I can verify the signature fine:

xmlsec1 --verify --id-attr:ID
urn:oasis:names:tc:SAML:2.0:assertion:Assertion --trusted-pem myCert.pem
samlResponse.xml

Verifying a signature of the same saml using xmlsec api (code similar to
verify4.c example) gives these errors:

func=xmlSecTransformIdListFindByHref:file=transforms.c:line=2239:obj=unknown:subj=xmlSecPtrListCheckId
(list, xmlSecTransformIdListId):error=100:assertion:
func=xmlSecTransformNodeRead:file=transforms.c:line=1315:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec
 library function failed:href=
http://www.w3.org/2001/10/xml-exc-c14n#
func=xmlSecTransformCtxNodeRead:file=transforms.c:line=596:obj=CanonicalizationMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec
 library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=623:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec
 library function failed:node=CanonicalizationMethod
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=497:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
 library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec
 library function failed:

I tried updating xmlsec1 version from 1.2.20 (openssl) to 1.2.29 (openssl)
- but it did not help.  Still getting the same exception stack.


I generated dump:

= VERIFICATION CONTEXT
== Status: unknown
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000000
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== SignedInfo References List:
=== list size: 0
== Manifest References List:
=== list size: 0
= REFERENCE VERIFICATION CONTEXT
== Status: unknown
== Reference Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL

An example signature in the SAML:

	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			<ds:SignedInfo>
				<ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" />
				<ds:SignatureMethod Algorithm="
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
				<ds:Reference
URI="#_17ba951-d40a-4fa6-83e9-405v11ab6d01">
					<ds:Transforms>
						<ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
						<ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" />
					</ds:Transforms>
					<ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#sha256" />
					<ds:DigestValue>......</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>

<ds:SignatureValue>ZqbHJI9GUOXV8gfKGHjaHY8iTXJiQd...</ds:SignatureValue>
			<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate>....</ds:X509Certificate>
				</ds:X509Data>
			</KeyInfo>
		</ds:Signature>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20191107/157c520f/attachment.html>

More information about the xmlsec mailing list