[xmlsec] Problem verifying SAML response signature with xmlsec API

Aleksey Sanin aleksey at aleksey.com
Thu Nov 7 15:20:19 PST 2019


Thanks for sharing the test case. I don't see the error you have and
(as expected) I get a digest verification error:

$ xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --trusted-pem myCert.pem samlResponse_Decoded.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=274:obj=sha256:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "samlResponse_Decoded.xml"


I would suspect that you have either a problem with the build or
a problem with mixing versions for shared libraries. If you can debug
it, then put a breakpoint in the xmlSecTransformIdsRegisterDefault()
function that registers various transforms. The error you see indicates
that Exc-C14N is not found and it is registered in this function.

Best,

Aleksey

On 11/7/19 1:24 PM, Aleksey Sanin wrote:
> Could you please provide complete repro test case?
> 
> Aleksey
> 
> On 11/7/19 1:11 PM, Elena Fedorov wrote:
>> Hello,
>> I've spent a few days trying to verify a signature in the SAML response.
>> If I run a command line xmlsec1 - I can verify the signature fine:
>>
>> xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --trusted-pem myCert.pem samlResponse.xml
>>
>> Verifying a signature of the same saml using xmlsec api (code similar 
>> to verify4.c example) gives these errors:
>>
>> func=xmlSecTransformIdListFindByHref:file=transforms.c:line=2239:obj=unknown:subj=xmlSecPtrListCheckId(list, xmlSecTransformIdListId):error=100:assertion:
>> func=xmlSecTransformNodeRead:file=transforms.c:line=1315:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=http://www.w3.org/2001/10/xml-exc-c14n#
>> func=xmlSecTransformCtxNodeRead:file=transforms.c:line=596:obj=CanonicalizationMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=623:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed:node=CanonicalizationMethod
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=497:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
>>
>> I tried updating xmlsec1 version from 1.2.20 (openssl) to 1.2.29 
>> (openssl) - but it did not help. Still getting the same exception stack.
>>
>>
>> I generated dump:
>>
>> = VERIFICATION CONTEXT
>> == Status: unknown
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000000
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == SignedInfo References List:
>> === list size: 0
>> == Manifest References List:
>> === list size: 0
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: unknown
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>>
>> An example signature in the SAML:
>>
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
>> <ds:Reference URI="#_17ba951-d40a-4fa6-83e9-405v11ab6d01">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
>> <ds:DigestValue>......</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>ZqbHJI9GUOXV8gfKGHjaHY8iTXJiQd...</ds:SignatureValue>
>> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>> <ds:X509Data>
>> <ds:X509Certificate>....</ds:X509Certificate>
>> </ds:X509Data>
>> </KeyInfo>
>> </ds:Signature>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
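
An added example (not part of the thread and not xmlsec code): a small Python triage of the two xmlsec error outputs quoted in this thread, separating the transform lookup failure from the digest mismatch. The field layout is inferred from those lines; the names `parse` and `triage` and the category labels are hypothetical.

```python
import re

# Field layout of an xmlsec error line, inferred from the lines in this thread.
LINE_RE = re.compile(
    r"func=(?P<func>[^:]+):file=(?P<file>[^:]+):line=(?P<line>\d+)"
    r":obj=(?P<obj>[^:]*):subj=(?P<subj>.*?):error=(?P<code>\d+)"
    r":(?P<msg>[^:]*):?(?P<extra>.*)$"
)

# Constructed sample input: error lines copied from this thread, unwrapped.
LOOKUP_FAILURE = """\
func=xmlSecTransformIdListFindByHref:file=transforms.c:line=2239:obj=unknown:subj=xmlSecPtrListCheckId(list, xmlSecTransformIdListId):error=100:assertion:
func=xmlSecTransformNodeRead:file=transforms.c:line=1315:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=http://www.w3.org/2001/10/xml-exc-c14n#
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
"""
DIGEST_FAILURE = """\
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=274:obj=sha256:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
"""

def parse(log):
    """Return one dict per xmlsec error line; other lines are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["line"], rec["code"] = int(rec["line"]), int(rec["code"])
            records.append(rec)
    return records

def triage(log):
    """Classify a failed verification as (kind, detail)."""
    records = parse(log)
    for rec in records:
        # The Algorithm URI could not be resolved to a registered transform,
        # so processing stopped before any digest was computed.
        if rec["subj"] == "xmlSecTransformIdListFindByHref":
            return ("transform-not-registered", rec["extra"].partition("href=")[2])
    for rec in records:
        # The transformed data hashed to something other than DigestValue.
        if rec["msg"] == "invalid data" and "digest" in rec["extra"]:
            return ("digest-mismatch", rec["obj"])
    return ("unclassified", records[0]["func"] if records else "")
```

Both categories mean the signature was not verified; the distinction only tells you whether to look at the library setup or at the document.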
