RE: [xmlsec] verify message

2008-02-04 Thread Ulrich Wisser
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

of course I did try the FAQ first, but not really successfully. Now I got the 
message to verify when I included a DTD in the document. The same DTD as a file would 
give me parsing errors. And the --id-attr ResponseID didn't work at all. This 
is my DTD

<!DOCTYPE test [<!ATTLIST Response ResponseID ID #IMPLIED>]>

Next problem is that I want to check it programmatically and that doesn't work 
either. Not even when I add the DTD.
xmlSecDSigCtxVerify just returns -1. How can I know what the problem is?

Sincerely

Ulrich 
 
- -Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 01, 2008 6:32 PM
To: Ulrich Wisser
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] verify message

Look at the FAQ

http://www.aleksey.com/xmlsec/faq.html

Aleksey

Ulrich Wisser wrote:
  
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi,
 
 I desperately try to verify an xml message I receive. Unfortunately it doesn't 
 contain an xml:id attribute but rather uses ResponseID. Any ideas what I have 
 to do to verify the message?
 
 This is my result 
 
 [EMAIL PROTECTED]:~# xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr ResponseID response.xml
 func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_e2dd66488f8d6ae7d23d17e0aa8e3c07'))
 func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
 func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
 func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
 func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
 func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
 func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
 func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
 func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
 func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
 Error: signature failed
 ERROR
 SignedInfo References (ok/all): 0/1
 Manifests References (ok/all): 0/0
 Error: failed to verify file response.xml
 
 If I change the message and add an xml:id attribute with the same value as 
 ResponseID I don't get any library failures but of course the message will 
 not verify.
 
 Is there any command line option to make xmlsec1 use ResponseID?
 
 Please find my message below.
 
 Kind regards
 
 Ulrich 
 
 - -- 
 Ulrich Wisser
 developer
 .SE (Stiftelsen för Internetinfrastruktur)
 Ringvägen 100, Box 7399, 103 91 Stockholm
 Tel: 08-4523558, mobile: 0732-745900
 
 
 <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
   xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
   xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   IssueInstant="2008-02-01T08:27:49.382Z" MajorVersion="1" MinorVersion="1"
   Recipient="http://domainmanager/start/acs"
   ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07"><ds:Signature
   xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:SignedInfo>
 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 <ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">
 <ds:Transforms>
 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
   xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/></ds:Transform>
 </ds:Transforms>
 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
 <ds:DigestValue>ErWp2Ove+0tBFJ63jWo1GPPWJOI=</ds:DigestValue>
 </ds:Reference>
 </ds:SignedInfo>
 <ds:SignatureValue>
 rDmH0K29qsLsTIUqSwpdE0Zf9KJYDC5nmU/hSI/exMtTYXg5L2kon9c9A9sMcXvrSyX65yQQxzgO
 QtUDgNklvJtYhiIl5ScO04dCE370auHtm0gg5BGD+3Bf8O0LkoHAy6PyfG7zoOOZNd/kUDegE9ku
 7fnL/8xOQynT0OYXkJo=
 </ds:SignatureValue>
 <ds:KeyInfo>
 <ds:X509Data>
 <ds:X509Certificate>
 MIIDNDCCAp2gAwIBAgIJAKqjIMJ8jZisMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlNFMRIw

Re: [xmlsec] verify message

2008-02-04 Thread Aleksey Sanin
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" ... 
ResponseID="..." ... 


You forgot about namespaces...

Aleksey

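Added illustration of the point Aleksey is making (this is not code from the thread or from xmlsec): a Reference URI of the form "#id" is resolved with an XML ID lookup, and an attribute only counts as an ID if it has been declared as one, either by a DTD or by registering it against the element it lives on. The element name must be qualified with its namespace, because <Response> here sits in the default namespace urn:oasis:names:tc:SAML:1.0:protocol. The script below uses Python's standard xml.dom.minidom, whose setIdAttribute / getElementById pair plays the same role as xmlsec's ID registration and xpointer(id('...')) evaluation. The SAML response is a constructed stand-in with the same element and attribute shape as Ulrich's message but placeholder digest and signature values; the script only locates the reference target and does not compute digests or verify the signature.

```python
import xml.dom.minidom as minidom

SAML1_PROTOCOL_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for response.xml: default namespace on <Response>,
# ResponseID as the ID attribute, one same-document ds:Reference. Digest and
# signature values are placeholders, so nothing cryptographic is checked here.
RESPONSE_XML = """<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    IssueInstant="2008-02-01T08:27:49.382Z" MajorVersion="1" MinorVersion="1"
    ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
</Response>
"""


def register_id_attr(doc, element_ns, element_name, attr_name):
    """Declare attr_name as an ID-typed attribute on every element named
    {element_ns}element_name, the way xmlsec's --id-attr option does.
    Returns how many elements were registered; 0 means the (namespace, name)
    pair matched nothing, which is the "forgot about namespaces" case."""
    registered = 0
    for element in doc.getElementsByTagNameNS(element_ns, element_name):
        if element.hasAttribute(attr_name):
            element.setIdAttribute(attr_name)
            registered += 1
    return registered


def signed_info_references(doc):
    """URIs of the ds:Reference elements under ds:SignedInfo."""
    uris = []
    for signed_info in doc.getElementsByTagNameNS(DSIG_NS, "SignedInfo"):
        for ref in signed_info.getElementsByTagNameNS(DSIG_NS, "Reference"):
            uris.append(ref.getAttribute("URI"))
    return uris


def resolve_same_document_reference(doc, uri):
    """Resolve a '#id' Reference URI to its target via an ID lookup, analogous
    to the xpointer(id('...')) evaluation in the error trace above. Returns
    None when no registered ID attribute carries that value."""
    if not uri.startswith("#"):
        raise ValueError("only same-document '#id' references are handled here")
    return doc.getElementById(uri[1:])


def check_references(xml_text, element_ns, element_name, attr_name):
    """Parse xml_text, register the ID attribute, and map each SignedInfo
    Reference URI to the tag name of its target (None if unresolved)."""
    doc = minidom.parseString(xml_text)
    register_id_attr(doc, element_ns, element_name, attr_name)
    report = {}
    for uri in signed_info_references(doc):
        target = resolve_same_document_reference(doc, uri)
        report[uri] = target.tagName if target is not None else None
    return report


def summary_line(report):
    """Same shape as the xmlsec1 summary line in the thread."""
    ok = sum(1 for target in report.values() if target is not None)
    return "SignedInfo References (ok/all): %d/%d" % (ok, len(report))


if __name__ == "__main__":
    # With the namespace the reference resolves; without it nothing is
    # registered and the lookup fails, mirroring the 0/1 result in the thread.
    for ns in (SAML1_PROTOCOL_NS, None):
        report = check_references(RESPONSE_XML, ns, "Response", "ResponseID")
        print("element namespace %r: %s %s" % (ns, summary_line(report), report))
```

On the command line the documented xmlsec1 form is `--id-attr[:<attr>] [<node-namespace-uri>:]<node-name>`, so the namespace-qualified registration for this message reads `--id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response` (or the same declaration through `--dtd-file`). Programmatically the counterpart is xmlSecAddIDs() on the parsed document before calling xmlSecDSigCtxVerify(); a -1 return means processing failed before a signature comparison was made, the failure chain is reported through xmlsec's error callback (stderr by default, exactly the trace quoted above), and a completed verification is read from dsigCtx->status, not from the return value alone.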