That solves the issue; there were unnecessary spaces indeed. At this point it's verifying, but I get an error "unable to get local issuer certificate". I'm fine with that, but if it could be eliminated, it would be even better. All certificates are included in the SAML response (a total of 4 certs) and yet the same error is printed for each of them.
> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
> To: [email protected]; [email protected]
> From: [email protected]
> Date: Wed, 2 Mar 2016 09:44:09 -0800
>
> I would start from checking spaces/eols that might change the signature.
>
> Aleksey
>
> On 3/2/16 8:56 AM, Artur Rychlewicz wrote:
> > But the data *is* correct. It is being validated by SimpleSamlPHP and
> > allows user (in this case, me) to login.
> >
> >> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
> >> To: [email protected]; [email protected]
> >> From: [email protected]
> >> Date: Wed, 2 Mar 2016 08:51:22 -0800
> >>
> >> As you can see from error, the digest didn't match and signature
> >> was invalid.
> >>
> >> Aleksey
> >>
> >> On 3/2/16 8:27 AM, Artur Rychlewicz wrote:
> >> > OK, that changes the output, but it is still not validating:
> >> >
> >> > func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=249:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
> >> >
> >> > FAIL
> >> >
> >> > SignedInfo References (ok/all): 0/1
> >> >
> >> > Manifests References (ok/all): 0/0
> >> >
> >> > Error: failed to verify file "/tmp/test-new.xml"
> >> >
> >> > I have generated SAML response moment before invoking command with
> >> > --id-attr that you provided, so the response itself was still valid (not
> >> > obsolete).
> >> >
> >> > Artur
> >> >
> >> >> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
> >> >> To: [email protected]; [email protected]
> >> >> From: [email protected]
> >> >> Date: Wed, 2 Mar 2016 07:58:51 -0800
> >> >>
> >> >> It should be
> >> >>
> >> >> --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response
> >> >>
> >> >> Aleksey
> >> >>
> >> >> On 3/2/16 1:24 AM, Artur Rychlewicz wrote:
> >> >> > Yes, I have tried this, but it didn't help at all.
> >> >> >
> >> >> > Commands (judging from printed stack trace, they're equivalent):
> >> >> > xmlsec1 --verify --id-attr:ID saml2p:Response test.xml
> >> >> > xmlsec1 --verify test.xml
> >> >> >
> >> >> > XML file (trimmed, but you'll get the idea):
> >> >> > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> >> >> >                  ID="uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453">
> >> >> >   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >> >> >     <ds:SignedInfo>
> >> >> >       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >> >> >       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> >> >> >       <ds:Reference URI="#uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453">
> >> >> >         <ds:Transforms>
> >> >> >           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> >> >> >           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >> >> >         </ds:Transforms>
> >> >> >         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >> >> >         <ds:DigestValue>lAcsILQxRk4LvbSfREkypyI6gMc=</ds:DigestValue>
> >> >> >       </ds:Reference>
> >> >> >     </ds:SignedInfo>
> >> >> >     <ds:SignatureValue>gT/SeC..bjrQ==</ds:SignatureValue>
> >> >> >     <ds:KeyInfo>
> >> >> >       <ds:X509Data>
> >> >> >         <ds:X509Certificate>MII..A==</ds:X509Certificate>
> >> >> >       </ds:X509Data>
> >> >> >       ..
> >> >> >     </ds:KeyInfo>
> >> >> >   </ds:Signature>
> >> >> >
> >> >> > According to FAQ, I should have declared name of ID element, but in my
> >> >> > case it is "ID". And yet, it still does display the error. Following the
> >> >> > FAQ, point 3.4 states that I am probably using Visa 3-D files, but
> >> >> > again, that is not an option here.
> >> >> >
> >> >> > It's highly likely that I just do not understand *how* to use xmlsec1
> >> >> > and doing it plain wrong. That said, please take a look and check where
> >> >> > am I wrong.
> >> >> >
> >> >> > Artur
> >> >> >
> >> >> >> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
> >> >> >> To: [email protected]; [email protected]
> >> >> >> From: [email protected]
> >> >> >> Date: Tue, 1 Mar 2016 09:30:18 -0800
> >> >> >>
> >> >> >> FAQ, section 3.2 (if I recall correctly).
> >> >> >>
> >> >> >> Aleksey
> >> >> >>
> >> >> >> On 3/1/16 8:57 AM, Artur Rychlewicz wrote:
> >> >> >> >
> >> >> >> > Hello,
> >> >> >> >
> >> >> >> > I've been trying to use xmlsec1 to validate signed XML response
> >> >> >> > containing SAML data.
> >> >> >> >
> >> >> >> > When I execute:
> >> >> >> >
> >> >> >> > xmlsec1 --verify test.xml
> >> >> >> >
> >> >> >> > I receive following stack trace:
> >> >> >> >
> >> >> >> > func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc'))
> >> >> >> > func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> >> >> >> > func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> >> >> >> > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> >> >> >> > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> >> >> >> > func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> >> >> >> > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> >> >> >> > func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> >> >> >> > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> >> >> >> > func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
> >> >> >> > Error: signature failed
> >> >> >> > ERROR
> >> >> >> > SignedInfo References (ok/all): 0/1
> >> >> >> > Manifests References (ok/all): 0/0
> >> >> >> > Error: failed to verify file "test.xml"
> >> >> >> >
> >> >> >> > I do not know how XML signatures work, but I presume that the ID was
> >> >> >> > taken from <saml2p:Response> tag which contains ID with value of
> >> >> >> > "uuid-73c06e86-88d2-4204-91f4-3d484bc782cc". <saml2p:Response> element
> >> >> >> > contains <ds:Signature> element which in turn contains <ds:Reference>
> >> >> >> > with parameter URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc".
> >> >> >> >
> >> >> >> > Since I do not need this value/data, I'd like to check signature of
> >> >> >> > <saml2:Assertion> element which also contains its own
> >> >> >> > <ds:Signature> value.
> >> >> >> >
> >> >> >> > That said, I'd like to ask you for instruction how to validate element I
> >> >> >> > need. Thank you in advance.
> >> >> >> >
> >> >> >> > Best regards,
> >> >> >> > Artur Rychlewicz
> >> >> >> >
> >> >> >> > _______________________________________________
> >> >> >> > xmlsec mailing list
> >> >> >> > [email protected]
> >> >> >> > http://www.aleksey.com/mailman/listinfo/xmlsec
> >> >> >> >
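The two fixes the thread arrives at, registering the ID attribute with `--id-attr:ID <namespace-uri>:<element>` so the Reference xpointer resolves, and handing xmlsec1 a trusted IdP certificate with `--trusted-pem` so OpenSSL can find the issuer locally, as a pre-flight script. This is an added example, not code from the thread or from xmlsec; the trimmed SAML response, the certificate blob and the metadata PEM path are constructed placeholders.

```python
"""Pre-flight checks before running xmlsec1 --verify on a SAML Response (added example)."""
import base64
import textwrap
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, trimmed response; the certificate is a placeholder, not a real DER blob.
FAKE_CERT_B64 = base64.b64encode(b"placeholder, not a real certificate").decode()
SAMPLE = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453"/>
    </ds:SignedInfo>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml2p:Response>"""


def id_attr_args(xml_text):
    """Map each ds:Reference URI="#x" to the element whose ID is x; emit the --id-attr:ID args."""
    root = ET.fromstring(xml_text)
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID") is not None}
    args = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None:  # the xpointer(id('...')) failure from the first mail
            raise ValueError(f"no element carries an ID matching Reference URI {uri!r}")
        ns, sep, local = target.tag.lstrip("{").partition("}")  # ElementTree tag: {ns}local
        args += ["--id-attr:ID", f"{ns}:{local}" if sep else ns]
    return args


def embedded_certs_pem(xml_text):
    """Extract ds:X509Certificate blobs as PEM for inspection only; never use them as the trust anchor."""
    pems = []
    for cert in ET.fromstring(xml_text).iter(f"{{{DS}}}X509Certificate"):
        b64 = "".join((cert.text or "").split())  # whitespace inside the element is harmless here
        base64.b64decode(b64, validate=True)       # fail loudly on a corrupted blob
        body = "\n".join(textwrap.wrap(b64, 64))
        pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return pems


def xmlsec1_argv(xml_path, idp_cert_pem, xml_text):
    """Verify command: ID attribute registered, IdP cert (from metadata; assumed path) trusted."""
    return ["xmlsec1", "--verify", "--trusted-pem", idp_cert_pem, *id_attr_args(xml_text), xml_path]
```

The certificate given to `--trusted-pem` must come from the IdP metadata (or be the CA that issued the IdP signing certificate); trusting the certificates carried inside the response would let any signer pass.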
