Here's the xml (with signature), it's a modified SAML token: <?xml version="1.0"?> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="SecurityToken-d3aaac64-7f2d-4250-be09-176bcbcdb41f" ID="SecurityToken-d3aaac64-7f2d-4250-be09-176bcbcdb41f" MajorVersion="1" MinorVersion="1" Issuer="thomson.com" IssueInstant="2007-09-18T04:44:42Z"><saml:Conditions NotBefore="2007-09-18T04:44:42Z" NotOnOrAfter="2007-09-18T04:54:42Z"/><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2007-09-18T04:44:42Z"><saml:Subject><saml:NameIdentifier Format="http://security.schemas.tfn.thomson.com/Principal/2007-01-25/#SubId ">1234</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML: 1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement/><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1 "/><DigestValue>zZJ8tOVaDO3PogS6SLWbk3D27g4=</DigestValue></Reference></SignedInfo><SignatureValue>k9AxevEOzbZXCGCl141KzIEv2guu6b2d5i6dYcWL3lvWb5oje0ufkDCJ8vyanO84 cTMOgCcKpJtzx8qFD/sL6ptnMKisQD103NUgnSefzAzgnDLm6Vc8U5UvDkQvecx6 fyxVZCXpIiR7Z8QuMbVgGQ/jvJ4F3IRYMPhnlF8Sbfk=</SignatureValue><KeyInfo><X509Data> <X509Certificate>MIIDCzCCAnSgAwIBAgIDB0LYMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDcwNDEzMTY0MzU0WhcNMDkwNDEzMTY0MzU0 WjCBlTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQHEwhO ZXcgWW9yazEcMBoGA1UEChMTVGhvbXNvbiBDb3Jwb3JhdGlvbjEaMBgGA1UECxMR 
VGhvbXNvbiBGaW5hbmNpYWwxJjAkBgNVBAMTHXNlY3VyaXR5LWRldi5zZXJ2aWNl cy50Zm4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3pO898aOmbK1/ +quYg9QzPlSF85JdZQSAjAWbWPe4Tv6CraxGxSUPakImrbtjJuR4b4G0oWBGJ42P yYOsKT/FcSXcpm7HgfoIE7inVMtHxlukpAqpkPyTmpvfpOG9Psczvj9bFB/upkyq IjOBFupNtgeLNJZo4waYWiswFeq+QQIDAQABo4GuMIGrMA4GA1UdDwEB/wQEAwIE 8DAdBgNVHQ4EFgQUvj3lMAx/8CNxDh/pVq62Nj10E9QwOgYDVR0fBDMwMTAvoC2g K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwHwYD VR0jBBgwFoAUSOZo+SvSspXXR9gjIBBPM5iQn9QwHQYDVR0lBBYwFAYIKwYBBQUH AwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAAQ/bvOU5DiOvYimTEYkxqHO ZC1ylXTMFs6xDzcDZ0rf0AxD4IzPUbXKHdb16JJ5p/MET9K7TcFr6CKBQh9ANUAS Q+eaw0BzhGgoxV8+IxVheRx34V1Vf+v6jA8xPa3d8fEbH2jFLZ/MPVPSGRFzD0fa 5ieETYx60WhVp1kT3G7R</X509Certificate> </X509Data></KeyInfo></Signature></saml:Assertion>
On Dec 4, 2007 2:03 AM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:

> xmlSecOpenSSLAppKeyLoadMemory() ???
>
> Aleksey
>
> Jim Nutt wrote:
> > Ok, I'm pulling my hair out on this one. I'm trying to verify an xml
> > signature based on the x509 certificate embedded in the keyinfo and I
> > cannot get it to work. If I verify using the same pem file I used for
> > signing, it verifies ok, so I know the signature is valid. The problem
> > is getting it to validate without going to the original pem file. I've
> > tried the straightforward method of letting xmlSecDSigVerify load the
> > key, but it can't find the key in signature. I've even tried writing the
> > base64 data to a file (bracketed with -----BEGIN CERTIFICATE----- and
> > -----END CERTIFICATE-----) and then loading that file as the
> > certificate. It refuses to read the file. And yes, I know the file is a
> > valid pem file because openssl x509 -in filename -text reads it just
> > fine.
> >
> > Any suggestions would be greatly appreciated, as I'm on a time crunch on
> > this (now... wasn't when I started... *sigh*)
> >
> > --
> > Jim Nutt
> > http://jim.nuttz.org
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > xmlsec mailing list
> > [email protected]
> > http://www.aleksey.com/mailman/listinfo/xmlsec
>

--
Jim Nutt
http://jim.nuttz.org
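The step discussed in this thread (taking the certificate out of ds:KeyInfo and handing it to a loader as PEM) is sketched below as an added example; it is not code from the thread or from the xmlsec project. The function names, the SHA-256 fingerprint pin used as the trust decision, and the sample document (arbitrary bytes standing in for a certificate) are assumptions made for illustration.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
CERT_PATH = ".//{%s}KeyInfo/{%s}X509Data/{%s}X509Certificate" % (DSIG, DSIG, DSIG)


def embedded_cert_der(xml_text):
    """Return the DER bytes of the first ds:X509Certificate under ds:KeyInfo."""
    # Untrusted input should go through a hardened XML parser in production.
    node = ET.fromstring(xml_text).find(CERT_PATH)
    if node is None or not (node.text or "").strip():
        raise ValueError("no ds:X509Certificate under ds:KeyInfo")
    # Element text is base64 that mail or XML tooling may wrap with whitespace.
    return base64.b64decode("".join(node.text.split()), validate=True)


def fingerprint(der):
    """SHA-256 of the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def der_to_pem(der):
    """Re-encode DER as PEM with 64-character body lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def pinned_cert_pem(xml_text, trusted_fingerprints):
    """Return the embedded certificate as PEM only if its hash is pinned."""
    der = embedded_cert_der(xml_text)
    fp = fingerprint(der)
    if fp not in trusted_fingerprints:
        raise PermissionError("embedded certificate %s is not pinned" % fp)
    return der_to_pem(der)


# Constructed sample: 120 arbitrary bytes stand in for a DER certificate.
SAMPLE_DER = bytes(range(120))
SAMPLE_XML = (
    '<Assertion><Signature xmlns="%s"><KeyInfo><X509Data> <X509Certificate>'
    "%s</X509Certificate> </X509Data></KeyInfo></Signature></Assertion>"
) % (DSIG, " ".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64)))

if __name__ == "__main__":
    print(pinned_cert_pem(SAMPLE_XML, {fingerprint(SAMPLE_DER)}))
```

A certificate carried inside the signed document proves only that its holder signed it, so the pin (or a chain check against a trusted CA) is what ties the signature to an expected issuer.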
