xmlsec output: OK SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 = VERIFICATION CONTEXT == Status: succeeded == flags: 0x00000006 == flags2: 0x00000000 == Key Info Read Ctx: = KEY INFO READ CONTEXT == flags: 0x00000000 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: rsa ==== keyType: 0x00000001 ==== keyUsage: 0x00000002 ==== keyBitsSize: 0 === list size: 0 == Key Info Write Ctx: = KEY INFO WRITE CONTEXT == flags: 0x00000000 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: NULL ==== keyType: 0x00000001 ==== keyUsage: 0xffffffff ==== keyBitsSize: 0 === list size: 0 == Signature Transform Ctx: == TRANSFORMS CTX (status=2) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#) === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) === Transform: membuf-transform (href=NULL) == Signature Method: === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) == Signature Key: == KEY === method: RSAKeyValue === key type: Public === key usage: -1 === rsa key: size = 1024 === list size: 1 === X509 Data: ==== Certificate: ==== Subject Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon ==== Issuer Name: /C=US/ST=TN/L=Nashville/O=Emdeon/OU=Emdeon/CN=Emdeon ==== Issuer Serial: 4CAB2D3B == SignedInfo References List: === list size: 1 = REFERENCE VERIFICATION CONTEXT == Status: succeeded == URI: "#Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404" == Reference Transform Ctx: == TRANSFORMS CTX (status=2) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: === uri xpointer expr: #Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404 === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr) === Transform: enveloped-signature (href= http://www.w3.org/2000/09/xmldsig#enveloped-signature) === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#) === Transform: membuf-transform (href=NULL) === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) === Transform: membuf-transform (href=NULL) == Digest Method: === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) == PreDigest data - start buffer: <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd=" http://www.w3.org/2001/XMLSchema"; xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance"; IssueInstant="2010-10-06T21:15:38.906Z" MajorVersion="1" MinorVersion="1" Recipient="http://amgr.emdeon.com"; ResponseID="Response-guid-ab3e423b-4f6e-4376-b910-553b31bc6404"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="kpenti-df8fac42-ac9d-4317-98c4-7c05fc4bb761" IssueInstant="2010-10-06T16:15:38.906Z" Issuer="http://access.emdeon.com"; MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2010-10-06T21:15:38.905Z" NotOnOrAfter="2010-10-06T21:25:38.905Z"></Conditions><AuthenticationStatement AuthenticationInstant="2010-10-06T16:15:38.906Z" AuthenticationMethod="urn:oasis:names:tc:1.0:am:password"><Subject><NameIdentifier>kpenti</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response> == PreDigest data - end buffer == Manifest References List: === list size: 0
On Wed, Oct 13, 2010 at 7:28 AM, Aleksey Sanin <[email protected]> wrote: > What is the output of the xmlsec1 command? > > Aleksey > > > On 10/12/10 11:36 PM, Erik Smith wrote: > >> After I call xmlSecDSigCtxVerify, the status in the contex is corrupted >> with a large number. However xmlsec1 reports validation as OK. >> >> xmlsec1 --verify --pubkey-cert-pem cert.crt --store-references >> --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response >> /saml.xml >> >> Also xmlSecDSigCtxDebugDump output is exactly the same for xmlsec1 and >> my program. >> >> I've reduced the code down to what is below and I'm having trouble >> seeing what could be wrong. >> >> libxml version: 2.6.27 >> xmlsec version: 1.2.11 >> >> Thanks for any help. >> >> >> >> #include <iostream> >> #include <xmlsec/xmltree.h> >> #include <xmlsec/xmldsig.h> >> #include <xmlsec/crypto.h> >> #include <xmlsec/errors.h> >> >> #ifndef XMLSEC_NO_XSLT >> #include <libxslt/xslt.h> >> #endif >> >> void error(const char *); >> >> int main(int argc, char **argv) { >> using namespace std; >> int status(0); >> >> xmlSecKeysMngrPtr mngr_; >> xmlSecDSigCtxPtr dsigCtx; >> xmlDocPtr doc_; >> >> cout << "libxml version: " << LIBXML_DOTTED_VERSION << endl; >> cout << "xmlsec version: " << XMLSEC_VERSION << endl; >> >> xmlInitParser(); >> LIBXML_TEST_VERSION; >> xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS; >> xmlSubstituteEntitiesDefault(1); >> >> #ifndef XMLSEC_NO_XSLT >> xmlIndentTreeOutput = 1; >> #endif >> // Init xmlsec library >> if (xmlSecInit() < 0) error("xmlSecInit"); >> if (xmlSecCheckVersion() != 1) error("xmlSecCheckVersion"); >> >> #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING >> if(xmlSecCryptoDLLoadLibrary(BAD_CAST "openssl") < 0) >> error("xmlSecCryptoDLLoadLibrary"); >> #endif >> >> if(xmlSecCryptoAppInit(NULL) < 0) error("Error: crypto >> initialization failed."); >> if(xmlSecCryptoInit() < 0) error("Error: xmlsec-crypto >> initialization failed."); >> >> mngr_ = xmlSecKeysMngrCreate(); >> if (!mngr_) error("bad"); >> >> if (xmlSecCryptoAppDefaultKeysMngrInit(mngr_) < 0) error("bad"); >> >> xmlSecKeyDataFormat format(xmlSecKeyDataFormatCertPem); >> xmlSecKeyPtr key = xmlSecCryptoAppKeyLoad("cert.crt", format, NULL, >> NULL, NULL); >> if (!key) error("key load error"); >> >> if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr_, key) < 0) >> error("could not add key"); >> >> doc_ = xmlParseFile("saml.xml"); >> if (!doc_ || !xmlDocGetRootElement(doc_)) error("bad"); >> >> set_id(doc_); >> >> xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc_), >> xmlSecNodeSignature, xmlSecDSigNs); >> if (!node) error("start node not found"); >> >> dsigCtx = xmlSecDSigCtxCreate(mngr_); >> if (!dsigCtx) error("failed to create signature context"); >> >> std::cout << "status before: " << dsigCtx->status << std::endl; >> if (xmlSecDSigCtxVerify(dsigCtx, node) < 0) error("signature verify >> error"); >> std::cout << "status: " << dsigCtx->status << std::endl; >> //xmlSecDSigCtxDebugDump(dsigCtx, stdout); >> >> return status; >> } >> >> void set_id(xmlDocPtr doc) { >> using namespace std; >> >> xmlNodePtr node = xmlSecFindNode( >> xmlDocGetRootElement(doc), >> BAD_CAST "Response", >> BAD_CAST "urn:oasis:names:tc:SAML:1.0:protocol"); >> >> cout << "element name: " << node->name<< endl; >> xmlAttrPtr attr = xmlHasProp(node, BAD_CAST "ResponseID"); >> if (!attr) error("attribute not found"); >> cout << "attribute name: " << attr->name<< endl; >> >> xmlChar *value = xmlNodeListGetString(node->doc, attr->children, 1); >> if (!value) error("xmlNodeListGetString"); >> cout << "value: " << value << endl; >> >> xmlAttrPtr tmp(xmlGetID(node->doc, value)); >> if (tmp) { >> cout << "id already registered" << endl; >> } else { >> xmlIDPtr id = xmlAddID(NULL, doc, BAD_CAST value, attr); >> if (!id) { >> xmlFree(value); // fix >> error("xmlAddID error"); >> } >> cout << "id added" << endl; >> } >> >> //xmlFree(value); // fix >> } >> >> void error(const char *e) { >> std::cout << e << std::endl; >> std::cout << "exiting" << std::endl; >> exit(0); >> } >> >> >> >> >> >> >> >> >> _______________________________________________ >> xmlsec mailing list >> [email protected] >> http://www.aleksey.com/mailman/listinfo/xmlsec >> >
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
