Yes, i have tried this, but it didn't help at all.
Commands (judging from printed stack trace, they're equivalent):

    xmlsec1 --verify --id-attr:ID saml2p:Response test.xml
    xmlsec1 --verify test.xml
XML file (trimmed, but you'll get the idea):

    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     ID="uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453">
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>lAcsILQxRk4LvbSfREkypyI6gMc=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>gT/SeC..bjrQ==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MII..A==</ds:X509Certificate>
                </ds:X509Data>
                ..
            </ds:KeyInfo>
        </ds:Signature>
According to the FAQ, I should have declared the name of the ID element, but in my case it
is "ID". And yet, it still displays the error. Following the FAQ, point 3.4
states that I am probably using Visa 3-D files, but again, that is not an
option here.
It's highly likely that I just do not understand *how* to use xmlsec1 and am doing
it plain wrong. That said, please take a look and check where I am wrong.
Artur
> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML 
> response
> To: [email protected]; [email protected]
> From: [email protected]
> Date: Tue, 1 Mar 2016 09:30:18 -0800
> 
> FAQ, section 3.2 (if I recall correctly).
> 
> Aleksey
> 
> On 3/1/16 8:57 AM, Artur Rychlewicz wrote:
> > 
> > 
> > Hello,
> > 
> > I've been trying to use xmlsec1 to validate a signed XML response
> > containing SAML data.
> > 
> > When I execute:
> > 
> > xmlsec1 --verify test.xml
> > 
> > I receive the following stack trace:
> > 
> > func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
> > library function
> > failed:expr=xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc'))
> > func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec
> > library function failed:
> > func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec
> > library function failed:
> > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec
> > library function failed:
> > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec
> > library function failed:transform=xpointer
> > func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec
> > library function failed:
> > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec
> > library function failed:
> > func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
> > library function failed:node=Reference
> > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
> > library function failed:
> > func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
> > library function failed:
> > Error: signature failed
> > ERROR
> > SignedInfo References (ok/all): 0/1
> > Manifests References (ok/all): 0/0
> > Error: failed to verify file "test.xml"
> > 
> > I do not know how XML signatures work, but I presume that the ID was
> > taken from <saml2p:Response> tag which contains ID with value of
> > "uuid-73c06e86-88d2-4204-91f4-3d484bc782cc".  <saml2p:Response> element
> > contains <ds:Signature> element which in turn contains <ds:Reference>
> > with parameter URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc".
> > 
> > Since I do not need this value/data, I'd like to check the signature of the
> > <saml2:Assertion> element, which also contains its own <ds:Signature> value.
> > 
> > That said, I'd like to ask you for instructions on how to validate the element I
> > need. Thank you in advance.
> > 
> > Best regards,
> > Artur Rychlewicz
> > 
> > 
> > _______________________________________________
> > xmlsec mailing list
> > [email protected]
> > http://www.aleksey.com/mailman/listinfo/xmlsec
> > 
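An added example (not code from the thread or from xmlsec itself): the `--id-attr` mechanism reproduced with Python's standard-library minidom. xmlsec's xpointer transform resolves `URI="#..."` with an id() lookup, which only finds attributes the parser knows are of type ID; SAML carries no DTD, so the lookup fails (the `xmlXPtrEval` error in the trace) until the attribute is registered, and the xmlsec1 option takes the namespace URI rather than the prefix, i.e. `--id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response`. The sample document, its IDs and the placeholder digest/signature values below are constructed, not taken from test.xml.

```python
from xml.dom import minidom

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample shaped like the trimmed response in the thread (not the
# original test.xml): an enveloped signature whose Reference points at the
# Response's own ID. Digest and signature values are placeholders.
SAMPLE = f"""<saml2p:Response xmlns:saml2p="{SAMLP_NS}" ID="uuid-example-response">
  <ds:Signature xmlns:ds="{DSIG_NS}">
    <ds:SignedInfo>
      <ds:Reference URI="#uuid-example-response">
        <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
  </ds:Signature>
  <saml2:Assertion xmlns:saml2="{SAML_NS}" ID="uuid-example-assertion"/>
</saml2p:Response>"""

def load_sample():
    return minidom.parseString(SAMPLE)

def register_id_attr(doc, namespace_uri, local_name, attr_name="ID"):
    """Like `--id-attr:ID <namespace_uri>:<local_name>`: mark attr_name on
    every matching element as an XML ID. Returns how many were registered."""
    count = 0
    for elem in doc.getElementsByTagNameNS(namespace_uri, local_name):
        if elem.hasAttribute(attr_name):
            elem.setIdAttribute(attr_name)
            count += 1
    return count

def resolve_reference(doc):
    """Resolve the first ds:Reference the way xmlsec's xpointer transform
    does: an id() lookup. None means the lookup failed (the thread's error)."""
    ref = doc.getElementsByTagNameNS(DSIG_NS, "Reference")[0]
    uri = ref.getAttribute("URI")
    return doc.getElementById(uri[1:]) if uri.startswith("#") else None

def reference_covers_signed_element(doc):
    """Verifier-side check: the Reference must resolve to the element that
    encloses this Signature, not to some other node carrying the same ID."""
    sig = doc.getElementsByTagNameNS(DSIG_NS, "Signature")[0]
    target = resolve_reference(doc)
    return target is not None and target is sig.parentNode
```

Registering `Assertion` under the assertion namespace as well is what lets the same lookup find the Assertion's own signature reference, which is the element Artur wanted to verify.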