RE: [xmlsec] verify message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

of course I did try the FAQ first, but not really successfully. Now I got the message to verify when I included a DTD in the document. The same DTD as a file would give me parsing errors. And the --id-attr ResponseID didn't work at all.

This is my DTD:

<!DOCTYPE test [<!ATTLIST Response ResponseID ID #IMPLIED>]>

Next problem is that I want to check it programmatically, and that doesn't work either. Not even when I add the DTD. xmlSecDSigCtxVerify just returns -1. How can I know what the problem is?

Sincerely
Ulrich

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 01, 2008 6:32 PM
To: Ulrich Wisser
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] verify message

Look at the FAQ http://www.aleksey.com/xmlsec/faq.html

Aleksey

Ulrich Wisser wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I desperately try to verify an XML message I receive. Unfortunately it doesn't contain an xml:id attribute but rather uses ResponseID. Any ideas what I have to do to verify the message?
>
> This is my result:
>
> [EMAIL PROTECTED]:~# xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr ResponseID response.xml
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_e2dd66488f8d6ae7d23d17e0aa8e3c07'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file response.xml
>
> If I change the message and add an xml:id attribute with the same value as ResponseID I don't get any library failures, but of course the message will not verify.
>
> Is there any command line option to make xmlsec1 use ResponseID?
>
> Please find my message below.
>
> Kind regards
> Ulrich
>
> --
> Ulrich Wisser, developer
> .SE (Stiftelsen för Internetinfrastruktur)
> Ringvägen 100, Box 7399, 103 91 Stockholm
> Tel: 08-4523558, mobil: 0732-745900
>
> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>     xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>     xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
>     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     IssueInstant="2008-02-01T08:27:49.382Z" MajorVersion="1" MinorVersion="1"
>     Recipient="http://domainmanager/start/acs"
>     ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07">
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                 PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/>
>           </ds:Transform>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <ds:DigestValue>ErWp2Ove+0tBFJ63jWo1GPPWJOI=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>
> rDmH0K29qsLsTIUqSwpdE0Zf9KJYDC5nmU/hSI/exMtTYXg5L2kon9c9A9sMcXvrSyX65yQQxzgO
> QtUDgNklvJtYhiIl5ScO04dCE370auHtm0gg5BGD+3Bf8O0LkoHAy6PyfG7zoOOZNd/kUDegE9ku
> 7fnL/8xOQynT0OYXkJo=
>     </ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>
> MIIDNDCCAp2gAwIBAgIJAKqjIMJ8jZisMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlNFMRIw
Re: [xmlsec] verify message
> <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>     ...
>     ResponseID="..."
>     ...

You forgot about namespaces...

Aleksey
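The hint above, worked through as an added example (this is not code from the thread or from xmlsec itself): xmlsec1 finds the element a Reference URI points to through libxml2's ID table, and an --id-attr registration is a (namespace URI, element name, attribute name) triple, so a bare element name never matches a Response that lives in the SAML protocol namespace. The Python below models that table with the standard library on a constructed, stripped-down copy of the Response (signature values omitted); the helper names are mine.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the shape of the Response from the thread, with the
# digest, signature and certificate left out (not real signature data).
SAMPLE = """<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07" MajorVersion="1" MinorVersion="1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07"/>
    </ds:SignedInfo>
  </ds:Signature>
</Response>"""

def register_ids(root, ns_uri, local_name, attr_name):
    """Model of what --id-attr asks libxml2 to do: only elements with exactly
    this (namespace, name) and this attribute become ID-addressable."""
    tag = f"{{{ns_uri}}}{local_name}" if ns_uri else local_name
    ids = {}
    for el in root.iter(tag):
        value = el.get(attr_name)  # unprefixed attribute: no namespace
        if value is None:
            continue
        if value in ids:
            raise ValueError(f"duplicate ID value {value!r}")
        ids[value] = el
    return ids

def resolve_references(root, ids):
    """Resolve each ds:Reference URI of the form '#id' via the table; None
    means unresolved, the situation behind 'xmlXPtrEval ... error=5'."""
    out = {}
    for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        out[uri] = target.tag if target is not None else None
    return out

def demo():
    root = ET.fromstring(SAMPLE)
    # Bare element name, namespace forgotten: nothing gets registered.
    bare = resolve_references(root, register_ids(root, None, "Response", "ResponseID"))
    # Namespace-qualified element name: the Reference resolves.
    qualified = resolve_references(root, register_ids(root, SAMLP_NS, "Response", "ResponseID"))
    return bare, qualified
```

On the xmlsec1 command line the same triple is written `--id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response`; in C the attribute has to be made an ID (via a DTD or xmlSecAddIDs) before xmlSecDSigCtxVerify is called.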