Hm... this makes no sense. The error you get is that xmlsec can't find the key. Changing namespaces should not impact it.
I've hacked the cert verification and I get success with the un-modified file:

[aleksey@xmlsec]$ ./apps/xmlsec1 --verify ../Sample_assertion.txt
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Best
Aleksey

On 2/16/14, 11:37 PM, sébastien spilmann wrote:
> Hello,
>
> Sorry for that. Here is the full XML.
> I add the DTD after the signing process. Can this make the
> verification fail? Is there a function or a property which can do the same
> thing without altering the XML?
>
> Sébastien
>
> 2014-02-15 20:29 GMT+01:00 Aleksey Sanin <[email protected]>:
>
> > You didn't show the most interesting part - the ds:KeyInfo node
> >
> > Aleksey
> >
> > On 2/14/14, 9:19 AM, sébastien spilmann wrote:
> > > Hello,
> > >
> > > I have a problem verifying a signature and that seems to be caused by
> > > the namespace.
> > >
> > > My XML is something like this:
> > >
> > > <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
> > >     Destination="https://www.concursolutions.com/SAMLRedirector/ClientSAMLLogin.aspx"
> > >     ID="_fe9537697781d3b3539fd23e4c027e4e5150"
> > >     IssueInstant="2013-07-23T18:44:40Z" Version="2.0">
> > >   <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
> > >       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.alcatel-lucent.com/wps/portal</ns1:Issuer>
> > >   <Status>
> > >     <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> > >   </Status>
> > >   <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
> > >       ID="_ce339b73d43307de102c421fddef59aaa8c4"
> > >       IssueInstant="2013-07-23T18:44:40Z" Version="2.0">
> > >     <ns2:Issuer
> > >         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.alcatel-lucent.com/wps/portal</ns2:Issuer><ds:Signature
> > >         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > >       <ds:SignedInfo>
> > >         <ds:CanonicalizationMethod
> > >             Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > >         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > >         <ds:Reference URI="#_ce339b73d43307de102c421fddef59aaa8c4">
> > >           <ds:Transforms>
> > >             <ds:Transform
> > >                 Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> > >             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > >           </ds:Transforms>
> > >           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > >           <ds:DigestValue>avA6FiiMVjEe3rPNfuwXBt+FH6c=</ds:DigestValue>
> > >         </ds:Reference>
> > >       </ds:SignedInfo>
> > >       <ds:SignatureValue>
> > > DlWzq6dS+FlGO6HYc0uBRhJ6nRQ2aIE/UP0vnM2MENOvR/n8/xEAz0QjPAEKxjfCd1R1XU+B6uKw
> > > 1XKT0Ku8jFNms6FwesDhabUvY6Nt9iLTabNynF33O9YGVxYELNwnKKFBS1Oj2aKbQ3Z5CyAH0xwc
> > > KH6ht7ppL9OD3CX65Sk=
> > >       </ds:SignatureValue>
> > >       <ds:KeyInfo>
> > >         <ds:X509Data>
> > > ....
> > >
> > > If I try to verify, I get the error:
> > >
> > > "func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:"
> > >
> > > If I change all ns1 and ns2 namespaces to the ds namespace, the verify
> > > function works but the digest is not correct.
> > >
> > > How can I make my code work with ns1 and ns2?
> > >
> > > Sébastien

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
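
Why editing the ns1/ns2 prefixes after signing leaves a digest that no longer matches, as an added example that is not from the thread or from the xmlsec project: canonicalization keeps namespace prefixes, so the hashed octets change. It assumes a constructed assertion and uses Python's standard-library C14N 2.0 in place of the exclusive C14N the signature names (both keep prefixes by default); `reference_digest` and `compare` are hypothetical names.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not the assertion from the thread); {p} is the prefix.
TEMPLATE = (
    '<{p}:Assertion xmlns:{p}="' + SAML_NS + '" ID="_constructed-id" Version="2.0">'
    "<{p}:Issuer>https://idp.example.test</{p}:Issuer>"
    "</{p}:Assertion>"
)


def reference_digest(xml_text, rewrite_prefixes=False):
    """Base64 SHA-1 of the canonical octets, the value ds:DigestValue carries."""
    canonical = canonicalize(xml_text, rewrite_prefixes=rewrite_prefixes)
    digest = hashlib.sha1(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def compare():
    signed = TEMPLATE.format(p="ns2")   # what the signer hashed
    renamed = TEMPLATE.format(p="ds")   # prefixes edited after signing
    # Same elements, but attribute order and quoting differ from `signed`.
    reserialised = (
        "<ns2:Assertion Version='2.0' ID='_constructed-id' xmlns:ns2='" + SAML_NS + "'>"
        "<ns2:Issuer>https://idp.example.test</ns2:Issuer></ns2:Assertion>"
    )
    return {
        # Canonicalization absorbs attribute order and quote style ...
        "reserialised_matches": reference_digest(signed) == reference_digest(reserialised),
        # ... but not a prefix rename, so the stored digest no longer fits.
        "renamed_matches": reference_digest(signed) == reference_digest(renamed),
        # Illustration only: with prefixes normalised the two agree, so the
        # prefix is the sole difference. A verifier applies the method named
        # in the signature, which keeps prefixes.
        "renamed_matches_if_prefixes_ignored":
            reference_digest(signed, True) == reference_digest(renamed, True),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```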
