-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Of course I did try the FAQ first, but not really successfully. Now I got the 
message to verify when I included a DTD in the document. The same DTD as a file would 
give me parsing errors. And the "--id-attr ResponseID" didn't work at all. This 
is my DTD:

<!DOCTYPE test [<!ATTLIST Response ResponseID ID #IMPLIED>]>

The next problem is that I want to check it programmatically, and that doesn't work 
either, not even when I add the DTD.
xmlSecDSigCtxVerify just returns -1. How can I know what the problem is?

Sincerely

Ulrich 
 
- -----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 01, 2008 6:32 PM
To: Ulrich Wisser
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] verify message

Look at the FAQ

http://www.aleksey.com/xmlsec/faq.html

Aleksey

Ulrich Wisser wrote:
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> I am desperately trying to verify an XML message I receive. Unfortunately it doesn't 
> contain an xml:id attribute but rather uses ResponseID. Any ideas what I have 
> to do to verify the message?
> 
> This is my result:
> 
> [EMAIL PROTECTED]:~# xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr ResponseID response.xml
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_e2dd66488f8d6ae7d23d17e0aa8e3c07'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "response.xml"
> 
> If I change the message and add an xml:id attribute with the same value as 
> ResponseID I don't get any library failures, but of course the message will 
> not verify.
> 
> Is there any command line option to make xmlsec1 use ResponseID?
> 
> Please find my message below.
> 
> Kind regards
> 
> Ulrich 
> 
> - -- 
> Ulrich Wisser
> developer
> .SE (Stiftelsen för Internetinfrastruktur)
> Ringvägen 100, Box 7399, 103 91 Stockholm
> Tel: 08-4523558, mobil: 0732-745900
> 
> 
> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" 
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" 
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> IssueInstant="2008-02-01T08:27:49.382Z" MajorVersion="1" MinorVersion="1" 
> Recipient="http://domainmanager/start/acs"
> ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07"><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">
> <ds:Transforms>
> <ds:Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <ds:Transform 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>ErWp2Ove+0tBFJ63jWo1GPPWJOI=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> rDmH0K29qsLsTIUqSwpdE0Zf9KJYDC5nmU/hSI/exMtTYXg5L2kon9c9A9sMcXvrSyX65yQQxzgO
> QtUDgNklvJtYhiIl5ScO04dCE370auHtm0gg5BGD+3Bf8O0LkoHAy6PyfG7zoOOZNd/kUDegE9ku
> 7fnL/8xOQynT0OYXkJo=
> </ds:SignatureValue>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>
> MIIDNDCCAp2gAwIBAgIJAKqjIMJ8jZisMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlNFMRIw
> EAYDVQQHEwlTdG9ja2hvbG0xNTAzBgNVBAoTLC5TRSAoVGhlIEludGVybmV0IEluZnJhc3RydWN0
> dXJlIEZvdW5kYXRpb24pMRYwFAYDVQQDEw1pZHAuZG5zc2VjLnNlMB4XDTA3MDYyNjExMjE1NloX
> DTA3MDcyNjExMjE1NlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAcTCVN0b2NraG9sbTE1MDMGA1UE
> ChMsLlNFIChUaGUgSW50ZXJuZXQgSW5mcmFzdHJ1Y3R1cmUgRm91bmRhdGlvbikxFjAUBgNVBAMT
> DWlkcC5kbnNzZWMuc2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOSsqRE2m82D6ho3jcxh
> RjMYq7JArN4aHl5Zroi9K97rgsDiwU6vsoaYrlbXSQLLeuDJX79hu8kf3BKN/6n5YmX8UogBTauz
> a/7XOx/cMWDiwL79gwO4d4uOJ+hCHyL9CsWKN0Si3e2dkt0248lCaul+70qzq8TEgdA0Tr0o4xvZ
> AgMBAAGjgdUwgdIwHQYDVR0OBBYEFA8hU9S9CBwom4OVGFPUD/GIgseeMIGiBgNVHSMEgZowgZeA
> FA8hU9S9CBwom4OVGFPUD/GIgseeoXSkcjBwMQswCQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2to
> b2xtMTUwMwYDVQQKEywuU0UgKFRoZSBJbnRlcm5ldCBJbmZyYXN0cnVjdHVyZSBGb3VuZGF0aW9u
> KTEWMBQGA1UEAxMNaWRwLmRuc3NlYy5zZYIJAKqjIMJ8jZisMAwGA1UdEwQFMAMBAf8wDQYJKoZI
> hvcNAQEFBQADgYEAjTW5LM0rVCehN6hL+6nSI4V+WiLUpk3iGs5TK7Qi5VHD3uxSGY2ykKAMTVGh
> JakPzIuLFb5LLdkoMTkMUPmhYb0JWMDciMlHvNmZMdVPupKLanSAPoiUxvOMZ6SWNpcgcLdyHzk9
> 6m0qdfNoa1sta4OfV7Go4I3Ag3EwCp8U32s=
> </ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo></ds:Signature><Status><StatusCode 
> Value="samlp:Success"/></Status><Assertion 
> xmlns="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="_ac6db8b49b31f7796079b8988e1b3e7b" IssueInstant="2008-02-01T08:27:49.381Z"
> Issuer="https://idp.dnssec.se/shibboleth" MajorVersion="1"
> MinorVersion="1"><Conditions NotBefore="2008-02-01T08:27:49.381Z"
> NotOnOrAfter="2008-02-01T08:32:49.381Z"><AudienceRestrictionCondition><Audience>urn:uuid:97820956-1fc3-4a8a-a10b-ae13bceea8f8</Audience><Audience>http://domainmanager/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
>  AuthenticationInstant="2008-02-01T08:27:49.381Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"><Subject><NameIdentifier
> Format="urn:oasis:names:tc:SAML1.1:nameid-format:emailAddress"
> NameQualifier="https://idp.dnssec.se/shibboleth">[EMAIL PROTECTED]sher.de</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality
> IPAddress="172.18.24.50"/></AuthenticationStatement></Assertion></Response>
>  
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.1
> 
> iQA/AwUBR6M8wS9yrDO0wHQwEQIKFwCg/neIUVr8/InLP83887UqvKplJ6gAoNBx
> M6rVJ5fQEhJtMO5ckn/XhBQC
> =HSLn
> -----END PGP SIGNATURE-----
> _______________________________________________
> xmlsec mailing list
> xmlsec@aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR6behS9yrDO0wHQwEQLaAgCeNoITADl+E4w6hPsuQaMi5lnv9+EAoPu/
fGH6W4ZW4zHEAPrZKOlT+Mj1
=zdGh
-----END PGP SIGNATURE-----
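Added example for this thread (not code from the posts above and not from the xmlsec project). The step that fails in the quoted log is the xpointer id('...') lookup: libxml2 can only answer it for attributes it has been told are of type ID, and a SAML 1.1 Response carries its identifier in ResponseID, which nothing declares. The script below, using only Python's standard-library minidom against a constructed, trimmed copy of the posted response, reproduces that lookup: the "#_e2dd..." reference resolves to nothing until ResponseID on Response is registered as an ID attribute (the DOM counterpart of the <!ATTLIST Response ResponseID ID #IMPLIED> declaration, of xmlsec1's --id-attr option, or of calling xmlSecAddIDs() on the parsed document before xmlSecDSigCtxVerify()), and it shows why the other workaround, adding an xml:id with the same value, cannot verify: it changes the signed bytes. The function names (register_id_attributes, resolve_reference, xml_id_workaround_changes_signed_bytes, parse_response) are this example's own, and plain DOM serialization stands in for exclusive C14N, which the standard library does not provide.

```python
"""Same-document reference resolution for XML-DSig, with and without a
registered ID attribute.

Added example for the thread above; not code from the xmlsec project.
Only the Python standard library is used.  The SAML response is a
constructed, trimmed copy of the posted one (certificate, signature value
and assertion are left out because they play no part in ID lookup; the
digest value is copied verbatim and is not recomputed here).
"""
from xml.dom import minidom

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Constructed sample input with the shape of the posted response.
RESPONSE_XML = (
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" '
    'MajorVersion="1" MinorVersion="1" '
    'ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo>'
    '<ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">'
    '<ds:DigestValue>ErWp2Ove+0tBFJ63jWo1GPPWJOI=</ds:DigestValue>'
    '</ds:Reference>'
    '</ds:SignedInfo>'
    '</ds:Signature>'
    '<Status><StatusCode Value="samlp:Success"/></Status>'
    '</Response>'
)


def parse_response(xml_text=RESPONSE_XML):
    """Namespace-aware parse of the (constructed) response."""
    return minidom.parseString(xml_text)


def register_id_attributes(doc, id_attrs):
    """Mark (element namespace, element local name, attribute name) triples
    as ID attributes on every matching element in doc.

    This is the DOM counterpart of <!ATTLIST Response ResponseID ID #IMPLIED>,
    of xmlsec1's --id-attr option, or of calling xmlSecAddIDs() before
    xmlSecDSigCtxVerify(): it changes what the verifier knows, not the bytes
    that were signed.  Returns the number of attributes registered.
    """
    registered = 0
    for ns, local_name, attr_name in id_attrs:
        for element in doc.getElementsByTagNameNS(ns, local_name):
            if element.hasAttribute(attr_name):
                element.setIdAttribute(attr_name)
                registered += 1
    return registered


def resolve_reference(doc):
    """Return the element the first ds:Reference URI="#..." points at, or
    None when the fragment cannot be resolved.

    None is exactly the condition behind the posted failure: libxml2's
    xpointer(id('...')) finds no element because no attribute has been
    declared as an ID, so the transform chain fails before any digest is
    compared.
    """
    reference = doc.getElementsByTagNameNS(DSIG_NS, "Reference")[0]
    uri = reference.getAttribute("URI")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    return doc.getElementById(uri[1:])


def xml_id_workaround_changes_signed_bytes(xml_text, id_value):
    """Show why adding xml:id with the same value makes the lookup succeed
    but the digest fail.

    Plain DOM serialization stands in for exclusive C14N (the standard
    library has no exc-c14n); the added attribute is part of the canonical
    form either way, so the digest over Response can no longer match.
    Returns True when the serialized Response differs after the change.
    """
    original = minidom.parseString(xml_text).documentElement
    patched = minidom.parseString(xml_text).documentElement
    patched.setAttributeNS(XML_NS, "xml:id", id_value)
    return original.toxml() != patched.toxml()


if __name__ == "__main__":
    doc = parse_response()
    print("before registering ResponseID:", resolve_reference(doc))
    register_id_attributes(doc, [(SAMLP_NS, "Response", "ResponseID")])
    print("after registering ResponseID: ", resolve_reference(doc).tagName)
    print("xml:id workaround changes signed bytes:",
          xml_id_workaround_changes_signed_bytes(
              RESPONSE_XML, "_e2dd66488f8d6ae7d23d17e0aa8e3c07"))
```

Two points from the thread that the example maps onto: xmlsec1's --id-attr takes the attribute name after a colon and the element name as its argument (see `xmlsec1 --help`; the attribute name defaults to "id"), so `--id-attr ResponseID` registers an attribute called id on elements called ResponseID, which is why it had no effect. And on the API side, xmlSecDSigCtxVerify() returns -1 only when processing itself fails, with the details going to xmlsec's error callback (by default the func=/file=/line= lines printed above, on stderr); when it returns 0 the verdict is in dsigCtx->status, which must equal xmlSecDSigStatusSucceeded.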