Look at the FAQ

http://www.aleksey.com/xmlsec/faq.html

Aleksey

Ulrich Wisser wrote:

Hi,

I desperately try to verify an XML message I receive. Unfortunately it doesn't 
contain an xml:id attribute but rather uses ResponseID. Any ideas what I have to 
do to verify the message?

This is my result
[EMAIL PROTECTED]:~# xmlsec1 --verify --pubkey-cert-pem /etc/shibboleth/idp.crt --id-attr ResponseID response.xml
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_e2dd66488f8d6ae7d23d17e0aa8e3c07'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "response.xml"

If I change the message and add an xml:id attribute with the same value as 
ResponseID I don't get any library failures but of course the message will not 
verify.

Is there any command line option to make xmlsec1 use ResponseID?

Please find my message below.

Med vänlig hälsning

Ulrich

-- 
Ulrich Wisser
utvecklare
.SE (Stiftelsen för Internetinfrastruktur)
Ringvägen 100, Box 7399, 103 91 Stockholm
Tel: 08-4523558, mobil: 0732-745900


<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-02-01T08:27:49.382Z" MajorVersion="1" 
MinorVersion="1" Recipient="http://domainmanager/start/acs" ResponseID="_e2dd66488f8d6ae7d23d17e0aa8e3c07"><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_e2dd66488f8d6ae7d23d17e0aa8e3c07">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ErWp2Ove+0tBFJ63jWo1GPPWJOI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
rDmH0K29qsLsTIUqSwpdE0Zf9KJYDC5nmU/hSI/exMtTYXg5L2kon9c9A9sMcXvrSyX65yQQxzgO
QtUDgNklvJtYhiIl5ScO04dCE370auHtm0gg5BGD+3Bf8O0LkoHAy6PyfG7zoOOZNd/kUDegE9ku
7fnL/8xOQynT0OYXkJo=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[certificate data omitted]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"/></Status><Assertion 
xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_ac6db8b49b31f7796079b8988e1b3e7b" IssueInstant="2008-02-01T08:27:49.381Z" Issuer="https://idp.dnssec.se/shibboleth" 
MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-01T08:27:49.381Z" 
NotOnOrAfter="2008-02-01T08:32:49.381Z"><AudienceRestrictionCondition><Audience>urn:uuid:97820956-1fc3-4a8a-a10b-ae13bceea8f8</Audience><Audience>http://domainmanager/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement 
AuthenticationInstant="2008-02-01T08:27:49.381Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"><Subject><NameIdentifier 
Format="urn:oasis:names:tc:SAML1.1:nameid-format:emailAddress" 
NameQualifier="https://idp.dnssec.se/shibboleth">[EMAIL PROTECTED]
sher.de</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality
IPAddress="172.18.24.50"/></AuthenticationStatement></Assertion></Response>
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
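
Added example (not part of the original thread and not xmlsec code): the `xpointer(id(...))` failure in the log occurs because `ResponseID` is not a declared ID attribute, so nothing matches the Reference URI; xmlsec1 documents the option form `--id-attr:<attr-name> [<namespace-uri>:]<node-name>` for registering one. The Python sketch below emulates that registration on a constructed, trimmed message; `register_ids` and `resolve_reference` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample, trimmed to the structure of the message in the thread.
SAMPLE = f"""<Response xmlns="{SAMLP}" ResponseID="_r1">
  <ds:Signature xmlns:ds="{DSIG}"><ds:SignedInfo>
    <ds:Reference URI="#_r1"/>
  </ds:SignedInfo></ds:Signature>
  <Status/>
</Response>"""


def register_ids(root, attr, ns, name):
    """Map ID value -> element for every <ns:name attr="...">.

    Raises ValueError on a duplicate value: an ID must be unique, otherwise
    the Reference could resolve to a different element than the one the
    application consumes after verification.
    """
    ids = {}
    for el in root.iter(f"{{{ns}}}{name}"):  # iter() includes root itself
        value = el.get(attr)
        if value is None:
            continue
        if value in ids:
            raise ValueError(f"duplicate {attr}={value!r}")
        ids[value] = el
    return ids


def resolve_reference(xml_text, attr="id", ns=None, name=None):
    """Return the element the first ds:Reference URI points at, or None."""
    root = ET.fromstring(xml_text)
    ref = root.find(f".//{{{DSIG}}}Reference")
    if ref is None:
        raise ValueError("no ds:Reference found")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document '#id' references are handled")
    # Without a registration, no attribute in the document counts as an ID.
    ids = register_ids(root, attr, ns, name) if name else {}
    return ids.get(uri[1:])


if __name__ == "__main__":
    print(resolve_reference(SAMPLE))  # nothing registered
    print(resolve_reference(SAMPLE, "ResponseID", SAMLP, "Response").tag)
```
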