Hello, I've spent a few days trying to verify a signature in the SAML response. If I run a command line xmlsec1 - I can verify the signature fine:
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --trusted-pem myCert.pem samlResponse.xml Verifying a signature of the same saml using xmlsec api (code similar to verify4.c example) gives these errors: func=xmlSecTransformIdListFindByHref:file=transforms.c:line=2239:obj=unknown:subj=xmlSecPtrListCheckId (list, xmlSecTransformIdListId):error=100:assertion: func=xmlSecTransformNodeRead:file=transforms.c:line=1315:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href= http://www.w3.org/2001/10/xml-exc-c14n# func=xmlSecTransformCtxNodeRead:file=transforms.c:line=596:obj=CanonicalizationMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed: func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=623:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed:node=CanonicalizationMethod func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=497:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed: I tried updating xmlsec1 version from 1.2.20 (openssl) to 1.2.29 (openssl) - but it did not help. Still getting the same exception stack. I generated dump: = VERIFICATION CONTEXT == Status: unknown == flags: 0x00000000 == flags2: 0x00000000 == Key Info Read Ctx: = KEY INFO READ CONTEXT == flags: 0x00000000 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: NULL ==== keyType: 0x00000000 ==== keyUsage: 0xffffffff ==== keyBitsSize: 0 === list size: 0 == Key Info Write Ctx: = KEY INFO WRITE CONTEXT == flags: 0x00000000 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: NULL ==== keyType: 0x00000001 ==== keyUsage: 0xffffffff ==== keyBitsSize: 0 === list size: 0 == Signature Transform Ctx: == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == SignedInfo References List: === list size: 0 == Manifest References List: === list size: 0 = REFERENCE VERIFICATION CONTEXT == Status: unknown == Reference Transform Ctx: == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL An example signature in the SAML: <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm=" http://www.w3.org/2001/10/xml-exc-c14n#"; /> <ds:SignatureMethod Algorithm=" http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; /> <ds:Reference URI="#_17ba951-d40a-4fa6-83e9-405v11ab6d01"> <ds:Transforms> <ds:Transform Algorithm=" http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> <ds:Transform Algorithm=" http://www.w3.org/2001/10/xml-exc-c14n#"; /> </ds:Transforms> <ds:DigestMethod Algorithm=" http://www.w3.org/2001/04/xmlenc#sha256"; /> <ds:DigestValue>......</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>ZqbHJI9GUOXV8gfKGHjaHY8iTXJiQd...</ds:SignatureValue> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";> <ds:X509Data> <ds:X509Certificate>....</ds:X509Certificate> </ds:X509Data> </KeyInfo> </ds:Signature>
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
