Thanks for sharing the test case. I don't see the error you have and
(as expected) I get digest verification error:
$ xmlsec1 --verify --id-attr:ID
urn:oasis:names:tc:SAML:2.0:assertion:Assertion --trusted-pem myCert.pem
samlResponse_Decoded.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=274:obj=sha256:subj=unknown:error=12:invalid
data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "samlResponse_Decoded.xml"
I would suspect that you have either a problem with the build or
a problem with mixing versions for shared libraries. If you can debug
it, then put a breakpoint in xmlSecTransformIdsRegisterDefault()
function that registers various transforms. The error you see indicates
that Exc-C114N is not found and it is registered in this function.
Best,
Aleksey
On 11/7/19 1:24 PM, Aleksey Sanin wrote:
Could you please provide complete repro test case?
Aleksey
On 11/7/19 1:11 PM, Elena Fedorov wrote:
Hello,
I've spent a few days trying to verify a signature in the SAML response.
If I run a command line xmlsec1 - I can verify the signature fine:
*xmlsec1 --verify --id-attr:ID
urn:oasis:names:tc:SAML:2.0:assertion:Assertion --trusted-pem
myCert.pem samlResponse.xml*
Verifying a signature of the same saml using xmlsec api (code similar
to verify4.c example) gives these errors:
*func=xmlSecTransformIdListFindByHref:file=transforms.c:line=2239:obj=unknown:subj=xmlSecPtrListCheckId(list,
xmlSecTransformIdListId):error=100:assertion:*
*func=xmlSecTransformNodeRead:file=transforms.c:line=1315:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec
library function failed:href=**http://www.w3.org/2001/10/xml-exc-c14n#*
*func=xmlSecTransformCtxNodeRead:file=transforms.c:line=596:obj=CanonicalizationMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec
library function failed:*
*func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=623:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec
library function failed:node=CanonicalizationMethod*
*func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=497:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
library function failed:*
*func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec
library function failed:*
I tried updating xmlsec1 version from 1.2.20 (openssl) to 1.2.29
(openssl) - but it did not help. Still getting the same exception stack.
I generated dump:
= VERIFICATION CONTEXT
== Status: unknown
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000000
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== SignedInfo References List:
=== list size: 0
== Manifest References List:
=== list size: 0
= REFERENCE VERIFICATION CONTEXT
== Status: unknown
== Reference Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
*An example signature in the SAML:*
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; />
<ds:Reference URI="#_17ba951-d40a-4fa6-83e9-405v11ab6d01">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"; />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"; />
<ds:DigestValue>......</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ZqbHJI9GUOXV8gfKGHjaHY8iTXJiQd...</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
<ds:X509Data>
<ds:X509Certificate>....</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
