I'm not familiar with DTD. If you could give me an example, it would be appreciated.
On 8/2/13 9:39 AM, "Aleksey Sanin" <[email protected]> wrote:

> You don't need to make this change. What you need to do is to set up a
> correct DTD to tell XML where your ID attribute is.
>
> Aleksey
>
> On 8/1/13 6:21 PM, Jeffrey Jin (jefjin) wrote:
>> Hi Aleksey,
>>
>> Sorry, I have to bother you again.
>> If we change
>> expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308')) to
>> expr=xpointer(//*[@ID='s29c0153b613859ac1c788536d2a924d65e643b308'])
>> I think it should be okay.
>> So, could we change the xmlsec source code to achieve this? And could you
>> tell us which file or what place to make these changes in?
>>
>> -Jeffrey
>>
>> On 8/1/13 3:28 PM, "Jeffrey Jin (jefjin)" <[email protected]> wrote:
>>
>>> Hi Aleksey,
>>>
>>> I found something:
>>> failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>> refers to the element in the target document with the id value of
>>> "s29c0153b613859ac1c788536d2a924d65e643b308".
>>>
>>> But my SAML response has:
>>> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>> ID="s29c0153b613859ac1c788536d2a924d65e643b308"
>>> IssueInstant="2013-07-30T09:57:48Z" Version="2.0">. It's a capital ID.
>>>
>>> If I change ID to id in the assertion element and then add
>>> <!DOCTYPE test [
>>> <!ATTLIST saml:Assertion id ID #IMPLIED>
>>> ]>
>>>
>>> this error seems to go away. But I have actually modified the SAML
>>> response, which will make verification fail.
>>> So do you have any idea on this? Thanks in advance.
>>>
>>> -Jeffrey
>>>
>>> On 8/1/13 10:28 AM, "Jeffrey Jin (jefjin)" <[email protected]> wrote:
>>>
>>>> Anyway, thanks again. Let me check if there is another way to solve it!
>>>>
>>>> On 8/1/13 9:59 AM, "Aleksey Sanin" <[email protected]> wrote:
>>>>
>>>>> Well, it means that I failed to explain what needs to be done in my
>>>>> first email and I don't have any other ideas how to do it.
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 7/31/13 6:57 PM, Jeffrey Jin (jefjin) wrote:
>>>>>> You mean xmlsec can't work in the URI case?
>>>>>>
>>>>>> On 8/1/13 9:43 AM, "Aleksey Sanin" <[email protected]> wrote:
>>>>>>
>>>>>>> I am sorry but you need to read the XML DTD spec and the XMLDsig spec
>>>>>>> as well.
>>>>>>> Unfortunately, this is required reading if you want to use the xmlsec
>>>>>>> library.
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> On 7/31/13 6:40 PM, Jeffrey Jin (jefjin) wrote:
>>>>>>>> Hi Aleksey,
>>>>>>>>
>>>>>>>> Thanks for your quick reply. You mean I need to change the attribute
>>>>>>>> URI to ID? Like this:
>>>>>>>> "<ds:Reference ID="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>>>>
>>>>>>>> If my understanding is correct, there are two issues coming:
>>>>>>>> 1) it's a SAML response from CI; I need to change the URI to ID when
>>>>>>>> I receive the response
>>>>>>>> 2) when I change URI to ID, yes, the error below is gone, but I get
>>>>>>>> this error:
>>>>>>>>
>>>>>>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>>>>>>>> RESULT: Signature is INVALID
>>>>>>>>
>>>>>>>> I can make sure I use the correct public key to verify; it should be
>>>>>>>> VALID. I'm worried about whether changing URI to ID is a problem. I
>>>>>>>> checked the URI type in anyURI on http://www.w3.org/2000/09/xmldsig# and
>>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308" identifies a node-set
>>>>>>>> containing the element with ID attribute value
>>>>>>>> 's29c0153b613859ac1c788536d2a924d65e643b308' of the XML resource
>>>>>>>> containing the signature. XML Signature (and its applications) modify
>>>>>>>> this node-set to include the element plus all descendants including
>>>>>>>> namespaces and attributes -- but not comments.
>>>>>>>>
>>>>>>>> -Jeffrey
>>>>>>>>
>>>>>>>> On 8/1/13 2:00 AM, "Aleksey Sanin" <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> You need to define the ID attribute on the element where it is
>>>>>>>>> specified, not on the Reference element where it is used.
>>>>>>>>>
>>>>>>>>> Aleksey
>>>>>>>>>
>>>>>>>>> On 7/31/13 12:25 AM, Jeffrey Jin (jefjin) wrote:
>>>>>>>>>> Hi xmlsec team,
>>>>>>>>>>
>>>>>>>>>> I use the xmlsec library to verify whether a signature is correct.
>>>>>>>>>> But when the SAML response includes "<ds:Reference
>>>>>>>>>> URI="#s29c0153b613859ac1c788536d2a924d65e643b308"
>>>>>>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">"
>>>>>>>>>> I get the error:
>>>>>>>>>>
>>>>>>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('s29c0153b613859ac1c788536d2a924d65e643b308'))
>>>>>>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
>>>>>>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
>>>>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>>>>>>> Error: signature verification failed
>>>>>>>>>>
>>>>>>>>>> I found the answer to a similar issue at
>>>>>>>>>> http://www.aleksey.com/xmlsec/faq.html
>>>>>>>>>>
>>>>>>>>>> So I added the DTD:
>>>>>>>>>>
>>>>>>>>>> <!DOCTYPE test [
>>>>>>>>>> <!ATTLIST ds:Reference URI ID #IMPLIED>
>>>>>>>>>> ]>
>>>>>>>>>>
>>>>>>>>>> But it doesn't work. Can someone help me out?
>>>>>>>>>>
>>>>>>>>>> Thanks in advance.
>>>>>>>>>>
>>>>>>>>>> -Jeffrey
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> xmlsec mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
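Editor's note, appended after the thread (this is an added example, not code from xmlsec or from either correspondent). The point Aleksey keeps making is that an XPointer `id('...')` lookup only works for attributes the XML processor knows to be of type ID, and that this has to be declared on the element that carries the attribute (saml:Assertion, attribute ID), not on the ds:Reference that points at it. In the DTD form the thread is using, and keeping the attribute name exactly as the IdP sent it so the signed bytes are untouched, that declaration is `<!ATTLIST saml:Assertion ID ID #IMPLIED>`; xmlsec also offers the same registration without a DTD, through the `xmlsec1 --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion` option and the `xmlSecAddIDs()` API. The Python below reimplements that ID-table mechanism on the standard library's ElementTree so the behaviour can be seen without libxml2: it registers (element, attribute) pairs as ID-typed, dereferences a `#fragment` Reference URI through the table, and shows why the thread's first attempt (declaring URI on ds:Reference) still fails. It also enforces the uniqueness that the ID type requires, which is what a bare `//*[@ID='...']` XPath, as proposed in the thread, does not give you. The SAML response is a constructed, unsigned skeleton; only the ID value is taken from the thread.

```python
"""Same-document Reference URI ("#id") resolution via an ID table.

Added example, not xmlsec code. Mirrors what a DTD ATTLIST / --id-attr /
xmlSecAddIDs() does for xmlsec, using only the standard library.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION_ID = "s29c0153b613859ac1c788536d2a924d65e643b308"  # value from the thread

# Constructed sample (not a real IdP response): one Assertion carrying an
# enveloped Signature whose Reference points back at the Assertion.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="r1" Version="2.0">
  <saml:Assertion ID="{ASSERTION_ID}" IssueInstant="2013-07-30T09:57:48Z" Version="2.0">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <ds:Signature xmlns:ds="{DS_NS}">
      <ds:SignedInfo><ds:Reference URI="#{ASSERTION_ID}"/></ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


class IdTableError(ValueError):
    """Raised when the document violates the uniqueness an ID type demands."""


def _qname(tag):
    """Split an ElementTree tag '{ns}local' into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return None, tag


def build_id_table(root, id_attrs):
    """Collect ID values, like xmlSecAddIDs() walking the tree.

    id_attrs maps (namespace-uri, local-name) of an element to the name of
    its ID-typed attribute; {(SAML_NS, "Assertion"): "ID"} is what the DTD
    line <!ATTLIST saml:Assertion ID ID #IMPLIED> expresses. A repeated ID
    value is rejected: that uniqueness is what makes "#id" unambiguous.
    """
    table = {}
    for el in root.iter():
        attr = id_attrs.get(_qname(el.tag))
        if attr is None:
            continue
        value = el.get(attr)
        if value is None:
            continue  # #IMPLIED: the attribute may legitimately be absent
        if value in table:
            raise IdTableError(f"duplicate ID value {value!r}")
        table[value] = el
    return table


def resolve_reference(root, uri, id_attrs):
    """Dereference a same-document Reference URI such as '#abc'.

    Returns the element, or raises LookupError shaped like xmlsec's
    xpointer(id('...')) failure from the thread.
    """
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    fragment = uri[1:]
    el = build_id_table(root, id_attrs).get(fragment)
    if el is None:
        raise LookupError(f"xpointer(id('{fragment}')) matched no element")
    return el


def reference_uri(root):
    """URI attribute of the first ds:Reference in the document."""
    return root.find(f".//{{{DS_NS}}}Reference").get("URI")


def demo():
    """(outcome with the thread's wrong declaration, tag resolved with the right one)."""
    root = ET.fromstring(SAMPLE_RESPONSE)
    uri = reference_uri(root)
    # 1. Thread's first attempt: <!ATTLIST ds:Reference URI ID #IMPLIED>.
    #    That types the pointer, not the target, so the lookup still fails.
    try:
        resolve_reference(root, uri, {(DS_NS, "Reference"): "URI"})
        outcome_wrong = "resolved"
    except LookupError as e:
        outcome_wrong = str(e)
    # 2. The declaration on the element carrying the attribute.
    target = resolve_reference(root, uri, {(SAML_NS, "Assertion"): "ID"})
    return outcome_wrong, target.tag


def demo_duplicate():
    """A second Assertion reusing the ID must be rejected, not silently picked."""
    root = ET.fromstring(SAMPLE_RESPONSE)
    ET.SubElement(root, f"{{{SAML_NS}}}Assertion", {"ID": ASSERTION_ID})
    try:
        resolve_reference(root, "#" + ASSERTION_ID, {(SAML_NS, "Assertion"): "ID"})
    except IdTableError as e:
        return str(e)
    return "resolved"


if __name__ == "__main__":
    print(demo())
    print(demo_duplicate())
```

The `id_attrs` table plays the role of the DTD: nothing in the response is renamed, so the digest over the Assertion is unchanged, which is the difference between this approach and the ID-to-id rename that broke verification in the thread.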
