Re: [xmlsec] failing to verify ..

Yousuf Jawwad Wed, 19 Mar 2014 04:59:25 -0700

with --print-debug, here is the output

Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: unknown
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000000
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href="" class="moz-txt-link-freetext" href="http://www.w3.org/2001/10/xml-exc-c14n#">http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha1 (href="" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1 (href="" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: unknown
== URI: "#_9b281906-5626-4579-b506-6e1e344b5dd7"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=1)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #_9b281906-5626-4579-b506-6e1e344b5dd7
=== Transform: xpointer (href="" class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmldsig-more/xptr">http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature (href="" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href="" class="moz-txt-link-freetext" href="http://www.w3.org/2001/10/xml-exc-c14n#">http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: sha1 (href="" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=""> == Digest Method:
=== Transform: sha1 (href="" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
Error: failed to verify file "SAMLResponse.xml"

is it a matter of key verification, or malformed xml? because the same xml is passing when using php.

Yousuf Jawwad

19 March 2014 1:31 pm

when i run

xmlsec1 --verify --pubkey-cert-pem my.cer '--id-attr:ID' 'urn:oasis:names:tc:SAML:2.0' Response.xml

the stacktrace given to me is

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_9b281906-5626-4579-b506-6e1e344b5dd7'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file

the xml in question is

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_9b281906-5626-4579-b506-6e1e344b5dd7" Version="2.0" IssueInstant="2014-03-19T06:39:08.634Z"
                Destination="https://perfectcloudstaging.happyfox.com/staff/smartsignin/callback">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:54660/saml2/metadata/6118c9130de04f60b09616de43fa7d27</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#_9b281906-5626-4579-b506-6e1e344b5dd7">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/>
                    </Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>ZtZ7NdVHlkd0cHbI13ukQJyPwTE=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>Tjr3DtAMF50tsxPXB929T8KZgw1D0jW4ugD6c9EFe1prpyA1anKkuwfOzcrrrFoRTo3jZ4aplENgb03ZYUjve9Q3UNUlOQiP9XId2IblvMYvf75Q9jyAZ8L024d5TlkkMoGHEB//+l4FfUh8sMrVXfR7gY0VaZRzwdIEfXpx60hxDuiTVBV/dqpfg+nc95Z/OXiJUWHvYZGY126lse/gqFrHG8YukzBalZdUsDM0dykefNWe5Dr8Rpn6JqCNmnze4hA4bsFfEW1mk1B8AJGDirXg4sQlLOSJFmDG2RrShVUT1oY0XY/xSJDI0oMokKehWMyP7A5q77Zg6jfeDHRJeA==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>
                    
                </X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_31d8f30a-4db0-4f8a-9542-e7becec31456" IssueInstant="2014-03-19T06:39:08.634Z">
        <saml:Issuer>http://localhost:54660/saml2/metadata/6118c9130de04f60b09616de43fa7d27</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2014-03-19T06:59:08.686Z" Recipient="https://example.com/saml/"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2014-03-19T06:19:08.686Z" NotOnOrAfter="2014-03-19T06:59:08.686Z"/>
        <saml:AttributeStatement>
            <saml:Attribute Name="email">
                <saml:AttributeValue>my email</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="FirstName" NameFormat="urn:oasis:nam
es:tc:SAML:1.1:nameid-format:unspecified">
                <saml:AttributeValue>User Name</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                <saml:AttributeValue>User Name</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="EntityIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                <saml:AttributeValue>8cc99e70-8a05-4fda-a0b8-ea0f24164b27</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
        <saml:AuthnStatement AuthnInstant="2014-03-19T06:39:08.686Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

i know from browsing the list, it has something to do with ''--id-attrd:ID" but can't seem to figure it out

thanks for help

//yousuf

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec

Re: [xmlsec] failing to verify ..

Reply via email to