I am sorry, but you need to read the XML DTD spec and the XMLDsig spec as well. Unfortunately, this is required reading if you want to use the xmlsec library.
Aleksey

On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
> Hi Aleksey,
>
> Thanks for your quick reply. You mean I need to change attribute URI to
> ID? Like this:
> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>
> If my understanding is correct, there are two issues coming:
> 1) it's a SAML response from ci, I need to change the URI to ID when I
> receive the response
> 2) when I change URI to ID, yes, the error below is gone, but I get the error:
> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
> RESULT: Signature is INVALID
>
> I can make sure I use the correct public key to verify; it should be
> VALID. I'm worried about whether changing URI to ID has a problem. I checked the
> URI type in anyURI on http://www.w3.org/2000/09/xmldsig# and
> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a node-set
> containing the element with ID attribute value
> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
> containing the signature. XML Signature (and its applications) modify this
> node-set to include the element plus all descendants including namespaces
> and attributes -- but not comments.
>
> -Jeffrey
>
> On 8/1/13 2:00 AM, "Aleksey Sanin" <[email protected]> wrote:
>
>> You need to define the ID attribute on the element where it is specified,
>> not on the Reference element where it is used
>>
>> Aleksey
>>
>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>>> Hi xmlsec team,
>>>
>>> I use the xmlsec library to verify whether a signature is correct.
>>> But when the SAML response includes "<ds:Reference
>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>> I get the error:
>>>
>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>>
>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>
>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>
>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>
>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>
>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>
>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>
>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>
>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>> Error: signature verification failed
>>>
>>> I found the answer to a similar issue at
>>> http://www.aleksey.com/xmlsec/faq.html
>>>
>>> So I added the DTD:
>>>
>>> <!DOCTYPE test [
>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>>> ]>
>>>
>>> But it doesn't work. Can someone help me out?
>>>
>>> Thanks in advance.
>>>
>>> -Jeffrey
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected]
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
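Aleksey's point in the thread, as an added example that is not part of the mailing-list exchange or of the xmlsec project: the ID type must be declared on the element that carries the ID attribute (the SAML Response here), not on ds:Reference, which only carries the URI pointing at it. The document below is a constructed, unsigned stand-in whose DigestValue and SignatureValue are placeholders; only the URI-to-ID linkage is exercised. Python's standard-library xml.dom.minidom is used in place of libxml2: its setIdAttribute() plays the role of a DTD ATTLIST ID declaration (or of xmlsec1's --id-attr option / xmlSecAddIDs() in the C API), and getElementById() plays the role of the id() lookup inside xmlsec's xpointer transform. The function names register_id_attr, resolve_reference and demo are this example's own.

```python
"""Why the ID declaration belongs on the referenced element, not on ds:Reference.

Added example using only the Python standard library; it is not xmlsec code.
"""
from xml.dom import minidom

# Constructed stand-in for a SAML response.  The digest and signature values
# are placeholders; nothing here is cryptographically verified.
SAMPLE_XML = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="s29c0153b613859ac1c788536d2a924d65e643b308">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#s29c0153b613859ac1c788536d2a924d65e643b308">
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>
"""


def register_id_attr(doc, tag_name, attr_name):
    """Declare attr_name as ID-typed on every <tag_name> element that has it.

    Stdlib analogue of <!ATTLIST tag_name attr_name ID #IMPLIED> in a DTD.
    Returns how many attributes were actually registered.
    """
    count = 0
    for el in doc.getElementsByTagName(tag_name):
        if el.hasAttribute(attr_name):
            el.setIdAttribute(attr_name)
            count += 1
    return count


def resolve_reference(doc):
    """Resolve the first ds:Reference URI="#..." the way an id() lookup would.

    Returns the tag name of the referenced element, or None when the fragment
    cannot be resolved (the condition behind xmlsec's xpointer(id(...)) error).
    """
    ref = doc.getElementsByTagName("ds:Reference")[0]
    uri = ref.getAttribute("URI")
    if not uri.startswith("#"):
        raise ValueError("only same-document fragment URIs are handled here")
    target = doc.getElementById(uri[1:])
    return target.tagName if target is not None else None


def demo():
    """Walk through the three states discussed in the thread."""
    doc = minidom.parseString(SAMPLE_XML)

    # 1. No ID-typed attribute anywhere: id() cannot find the element.
    before = resolve_reference(doc)

    # 2. The DTD from the thread, <!ATTLIST ds:Reference URI ID #IMPLIED>:
    #    it does register an ID attribute, but on the wrong element and with
    #    the value "#s29c...", so the lookup for "s29c..." still fails.
    wrong_decl = register_id_attr(doc, "ds:Reference", "URI")
    still_unresolved = resolve_reference(doc)

    # 3. Declare ID on the element that actually carries it (samlp:Response):
    #    the reference now resolves to the signed element.
    right_decl = register_id_attr(doc, "samlp:Response", "ID")
    after = resolve_reference(doc)

    return before, wrong_decl, still_unresolved, right_decl, after


if __name__ == "__main__":
    before, wrong_decl, still_unresolved, right_decl, after = demo()
    print("no declaration      ->", before)
    print("ID on ds:Reference  ->", still_unresolved, f"({wrong_decl} registered)")
    print("ID on samlp:Response->", after, f"({right_decl} registered)")
```

Running it shows the reference unresolved in the first two states and resolving to samlp:Response only once the ID attribute is declared on the Response element, which is what the xmlsec FAQ's DTD trick and the --id-attr option are for: they tell the parser which attribute is an ID so that the digest is computed over the right node-set.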
