Anyway, thanks again. Let me check if there is another way to solve it!

On 8/1/13 9:59 AM, "Aleksey Sanin" <[email protected]> wrote:

>Well, it means that I failed to explain what needs to be done in my
>first email and I don't have any other ideas how to do it.
>
>Aleksey
>
>On 7/31/13 6:57 PM, Jeffrey Jin (jefjin) wrote:
>> You mean xmlsec can't work in URI case?
>>
>> On 8/1/13 9:43 AM, "Aleksey Sanin" <[email protected]> wrote:
>>
>>> I am sorry but you need to read XML DTD spec and XMLDsig spec as well.
>>> Unfortunately, this is required reading if you want to use xmlsec
>>> library.
>>>
>>> Aleksey
>>>
>>> On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
>>>> Hi Aleksey,
>>>>
>>>> Thanks for your quick reply. You mean I need to change attribute URI to
>>>> ID? Like this:
>>>> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>
>>>> If my understanding is correct, there are two issues coming:
>>>> 1) it's saml response from ci, I need to change the URI to ID when I
>>>> receive the response
>>>> 2) when I change URI to ID, yes, the error below is gone, but I got this error:
>>>>
>>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>>>> RESULT: Signature is INVALID
>>>>
>>>> I can make sure I use the correct public key to verify, it should be
>>>> VALID. I'm worried about whether changing URI to ID is a problem. I check
>>>> the URI type in anyURI on http://www.w3.org/2000/09/xmldsig# and
>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a node-set
>>>> containing the element with ID attribute value
>>>> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
>>>> containing the signature. XML Signature (and its applications) modify
>>>> this node-set to include the element plus all descendants including
>>>> namespaces and attributes -- but not comments.
>>>>
>>>> -Jeffrey
>>>>
>>>> On 8/1/13 2:00 AM, "Aleksey Sanin" <[email protected]> wrote:
>>>>
>>>>> You need to define ID attribute to the element where it is specified,
>>>>> not to the Reference element where it is used
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>>>>>> Hi xmlsec team,
>>>>>>
>>>>>> I use the xmlsec library to verify whether a signature is correct. But
>>>>>> when the saml response includes "<ds:Reference
>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>> I got the error:
>>>>>>
>>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>>> Error: signature verification failed
>>>>>>
>>>>>> I found the answer to a similar issue at
>>>>>> http://www.aleksey.com/xmlsec/faq.html
>>>>>>
>>>>>> So I added the DTD:
>>>>>>
>>>>>> <!DOCTYPE test [
>>>>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>>>>>> ]>
>>>>>>
>>>>>> But it doesn't work. Can someone help me out?
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>> -Jeffrey
>>>>>>
>>>>>> _______________________________________________
>>>>>> xmlsec mailing list
>>>>>> [email protected]
>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
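
Added example, not part of the thread and not xmlsec project code: a small Python check that, for each same-document `ds:Reference`, finds the element that actually carries the referenced value and renders the `xmlsec1 --id-attr` option declaring that attribute as an ID on that element rather than on `ds:Reference`. The `samlp:Response` element, the attribute name `ID`, the sample document and the function names are assumptions; only the reference value comes from the thread.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: element names and the "ID" attribute name are assumed;
# only the Reference URI value is taken from the thread.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s29c0153b613859ac1c788536d2a924d65e643b308">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#s29c0153b613859ac1c788536d2a924d65e643b308"/>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>"""


def split_qname(tag):
    """Split ElementTree's '{ns}local' tag form into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def id_declarations(xml_text):
    """Return (namespace, element, attribute) for the target of each
    same-document ds:Reference, i.e. what must be declared as an ID."""
    root = ET.fromstring(xml_text)
    found = []
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            continue  # external or whole-document reference: no ID lookup
        value = uri[1:]
        targets = [(el, name) for el in root.iter() if el is not ref
                   for name, v in el.attrib.items() if v == value]
        if len(targets) != 1:
            # 0 = dangling reference, >1 = ambiguous target: refuse to guess
            raise ValueError("%d elements carry %r" % (len(targets), value))
        el, attr = targets[0]
        found.append(split_qname(el.tag) + (attr,))
    return found


def xmlsec1_option(ns, local, attr):
    """Render the xmlsec1 --id-attr option for one declaration."""
    node = "%s:%s" % (ns, local) if ns else local
    return "--id-attr:%s %s" % (attr, node)
```

The equivalent DTD form puts the `ATTLIST` on the target element, for example `<!ATTLIST samlp:Response ID ID #IMPLIED>` under the same assumptions.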
