Hi Aleksey,

Thanks for your quick reply. You mean I need to change the attribute URI to ID? Like this:

"<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"

If my understanding is correct, there are two issues:

1) It's a SAML response from ci, I need to change the URI to ID when I receive the response.
2) When I change URI to ID, yes, the error below is gone, but I got this error:

func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
RESULT: Signature is INVALID

I can make sure I use the correct public key to verify, it should be VALID. I'm worried about whether changing URI to ID causes a problem. I checked the URI type, it is anyURI in http://www.w3.org/2000/09/xmldsig#, and URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a node-set containing the element with ID attribute value 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource containing the signature. XML Signature (and its applications) modify this node-set to include the element plus all descendants including namespaces and attributes -- but not comments.

-Jeffrey

On 8/1/13 2:00 AM, "Aleksey Sanin" <[email protected]> wrote:

>You need to define ID attribute to the element where it is specified,
>not to the Reference element where it is used
>
>Aleksey
>
>On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>> Hi xmlsec team,
>>
>> I use the xmlsec library to verify whether a signature is correct.
>> But when the SAML response includes "<ds:Reference
>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>> I got the error:
>>
>>
>>func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPt
>>rEval:error=5:libxml2 library function
>>failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>
>>func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xm
>>lSecXPathDataExecute:error=1:xmlsec library function failed:
>>
>>func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=
>>xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>
>>func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpoint
>>er:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>
>>func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown
>>:subj=xmlSecTransformPushXml:error=1:xmlsec library function
>>failed:transform=xpointer
>>
>>func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:su
>>bj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>
>>func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unkno
>>wn:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function
>>failed:
>>
>>func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unkno
>>wn:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library
>>function failed:node=Reference
>>
>>func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknow
>>n:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library
>>function failed:
>>
>>func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecD
>>SigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>> Error: signature verification failed
>>
>>
>> I found the answer to a similar issue at
>>http://www.aleksey.com/xmlsec/faq.html
>>
>> So I added the DTD:
>>
>> <!DOCTYPE test [
>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>> ]>
>>
>> But it doesn't work. Can someone help me out?
>>
>> Thanks in advance.
>>
>>
>> -Jeffrey
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> [email protected]
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
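
The point in Aleksey's reply, as an added example that is not part of the thread and is not xmlsec code: a same-document `URI="#…"` is resolved through attributes typed as ID, so the declaration belongs on the element that carries the identifier, and typing `ds:Reference/@URI` as ID (the DTD attempt above) resolves nothing. Assumptions: Python's `xml.dom.minidom` stands in for libxml2's ID lookup, the XML is a constructed, trimmed sample, and the identifier is assumed to sit in an `ID` attribute on `samlp:Response`.

```python
from xml.dom import minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
REF_ID = "s29c0153b613859ac1c788536d2a924d65e643b308"  # value from the thread

# Constructed, heavily trimmed SAML-style response (not a real message).
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{REF_ID}">
  <ds:Signature xmlns:ds="{DSIG_NS}">
    <ds:SignedInfo>
      <ds:Reference URI="#{REF_ID}"/>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>"""


def resolve_reference(doc):
    """Resolve the same-document ds:Reference URI the way id() does:
    only attributes typed as ID are consulted."""
    ref = doc.getElementsByTagNameNS(DSIG_NS, "Reference")[0]
    uri = ref.getAttribute("URI")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    return doc.getElementById(uri[1:])


def register_ids(doc, attr_name="ID"):
    """Type attr_name as ID on every element that carries it (the
    referenced side) and return how many elements were registered."""
    count = 0
    for el in doc.getElementsByTagName("*"):
        if el.hasAttribute(attr_name):
            el.setIdAttribute(attr_name)
            count += 1
    return count


def demo():
    doc = minidom.parseString(SAMPLE)
    before = resolve_reference(doc)        # nothing is typed as ID yet
    ref = doc.getElementsByTagNameNS(DSIG_NS, "Reference")[0]
    ref.setIdAttribute("URI")              # equivalent of the DTD in the thread
    wrong_side = resolve_reference(doc)    # registered ID value is "#s29...", no match
    registered = register_ids(doc)         # declare ID on the referenced element
    after = resolve_reference(doc)
    return before, wrong_side, registered, after.tagName


if __name__ == "__main__":
    print(demo())
```

With xmlsec itself the same registration is done through libxml2's `xmlAddID()` or the `xmlsec1` `--id-attr` option, leaving the signed document unmodified.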
