Hi,

I desperately try to verify an XML message I receive. Unfortunately it doesn't contain an xml:id attribute but rather uses ResponseID. Any ideas what I have to do to verify the message?

This is my result:

[EMAIL PROTECTED]:~# xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr ResponseID response.xml
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_e2dd66488f8d6ae7d23d17e0aa8e3c07'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "response.xml"

If I change the message and add a
xml:id attribute with the same value as ResponseID, I don't get any library failures, but of course the message will not verify. Is there any command line option to make xmlsec1 use ResponseID?

Please find my message below.

Kind regards

Ulrich

--
Ulrich Wisser
utvecklare
.SE (Stiftelsen för Internetinfrastruktur)
Ringvägen 100, Box 7399, 103 91 Stockholm
Tel: 08-4523558, mobil: 0732-745900

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-02-01T08:27:49.382Z" MajorVersion="1" MinorVersion="1" Recipient="http://domainmanager/start/acs" ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ErWp2Ove+0tBFJ63jWo1GPPWJOI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
rDmH0K29qsLsTIUqSwpdE0Zf9KJYDC5nmU/hSI/exMtTYXg5L2kon9c9A9sMcXvrSyX65yQQxzgO
QtUDgNklvJtYhiIl5ScO04dCE370auHtm0gg5BGD+3Bf8O0LkoHAy6PyfG7zoOOZNd/kUDegE9ku
7fnL/8xOQynT0OYXkJo=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDNDCCAp2gAwIBAgIJAKqjIMJ8jZisMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlNFMRIw
EAYDVQQHEwlTdG9ja2hvbG0xNTAzBgNVBAoTLC5TRSAoVGhlIEludGVybmV0IEluZnJhc3RydWN0
dXJlIEZvdW5kYXRpb24pMRYwFAYDVQQDEw1pZHAuZG5zc2VjLnNlMB4XDTA3MDYyNjExMjE1NloX
DTA3MDcyNjExMjE1NlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAcTCVN0b2NraG9sbTE1MDMGA1UE
ChMsLlNFIChUaGUgSW50ZXJuZXQgSW5mcmFzdHJ1Y3R1cmUgRm91bmRhdGlvbikxFjAUBgNVBAMT
DWlkcC5kbnNzZWMuc2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOSsqRE2m82D6ho3jcxh
RjMYq7JArN4aHl5Zroi9K97rgsDiwU6vsoaYrlbXSQLLeuDJX79hu8kf3BKN/6n5YmX8UogBTauz
a/7XOx/cMWDiwL79gwO4d4uOJ+hCHyL9CsWKN0Si3e2dkt0248lCaul+70qzq8TEgdA0Tr0o4xvZ
AgMBAAGjgdUwgdIwHQYDVR0OBBYEFA8hU9S9CBwom4OVGFPUD/GIgseeMIGiBgNVHSMEgZowgZeA
FA8hU9S9CBwom4OVGFPUD/GIgseeoXSkcjBwMQswCQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2to
b2xtMTUwMwYDVQQKEywuU0UgKFRoZSBJbnRlcm5ldCBJbmZyYXN0cnVjdHVyZSBGb3VuZGF0aW9u
KTEWMBQGA1UEAxMNaWRwLmRuc3NlYy5zZYIJAKqjIMJ8jZisMAwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQEFBQADgYEAjTW5LM0rVCehN6hL+6nSI4V+WiLUpk3iGs5TK7Qi5VHD3uxSGY2ykKAMTVGh
JakPzIuLFb5LLdkoMTkMUPmhYb0JWMDciMlHvNmZMdVPupKLanSAPoiUxvOMZ6SWNpcgcLdyHzk9
6m0qdfNoa1sta4OfV7Go4I3Ag3EwCp8U32s=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"/></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_ac6db8b49b31f7796079b8988e1b3e7b" IssueInstant="2008-02-01T08:27:49.381Z" Issuer="https://idp.dnssec.se/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-01T08:27:49.381Z" NotOnOrAfter="2008-02-01T08:32:49.381Z"><AudienceRestrictionCondition><Audience>urn:uuid:97820956-1fc3-4a8a-a10b-ae13bceea8f8</Audience><Audience>http://domainmanager/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2008-02-01T08:27:49.381Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"><Subject><NameIdentifier Format="urn:oasis:names:tc:SAML1.1:nameid-format:emailAddress" NameQualifier="https://idp.dnssec.se/shibboleth">[EMAIL PROTECTED] sher.de</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="172.18.24.50"/></AuthenticationStatement></Assertion></Response>
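
Added example, not part of the original post or of the xmlsec project: a small Python model of the ID lookup behind the failing `xpointer(id('...'))` step. It shows why `--id-attr ResponseID` registers nothing useful and what registering `ResponseID` on the SAML 1.0 `Response` element changes. The trimmed document is constructed for the example, and `resolve_reference` and `xmlsec1_id_attr_args` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"

# Constructed, trimmed stand-in for response.xml (no real signature data).
SAMPLE = f"""<Response xmlns="{SAMLP}" ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07">
  <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
    <ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07"/>
  </ds:SignedInfo></ds:Signature>
  <Status><StatusCode Value="samlp:Success"/></Status>
</Response>"""


def resolve_reference(root, id_attrs):
    """Resolve the ds:Reference URI the way an ID lookup does.

    id_attrs maps "{namespace}localname" (or a bare name for no namespace)
    to the attribute that counts as an ID on that element. xml:id always
    counts. Returns the single matching element, or None if no element is
    registered under that ID.
    """
    ref = root.find(f".//{{{DS}}}Reference")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    wanted = uri[1:]
    hits = [el for el in root.iter()
            if el.get(XML_ID) == wanted
            or (el.tag in id_attrs and el.get(id_attrs[el.tag]) == wanted)]
    if len(hits) > 1:
        # Two elements with the same ID make the signed target ambiguous.
        raise ValueError("ID is not unique; refusing to pick one")
    return hits[0] if hits else None


def xmlsec1_id_attr_args(attr, namespace, node):
    # xmlsec1 usage: --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
    return [f"--id-attr:{attr}", f"{namespace}:{node}"]


root = ET.fromstring(SAMPLE)
# "--id-attr ResponseID" names a *node* called ResponseID, attribute "id".
as_posted = resolve_reference(root, {"ResponseID": "id"})
# Registering attribute ResponseID on {SAMLP}Response lets the lookup succeed.
fixed = resolve_reference(root, {f"{{{SAMLP}}}Response": "ResponseID"})
```

With the command from the post, the corresponding invocation is `xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr:ResponseID urn:oasis:names:tc:SAML:1.0:protocol:Response response.xml`. This only makes the reference resolvable; whether the digest and signature then match depends on the document and key.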