At the moment XMLSec library only supports a single KeyName. Do you mind creating a github issue? I will take a look at how easy or hard it is to add support for multiple KeyNames.
Thanks! -- Aleksey

> On Jun 29, 2018, at 7:32 AM, Paolo Smiraglia <[email protected]> wrote:
>
> Hi guys, my name is Paolo.
>
> I'm trying to verify the signature of an SP (service provider) SAML
> metadata, which was signed with the "samlsign" tool and using a
> certificate with two subjectAlternativeNames. Unfortunately, I receive
> the following error
>
> $ xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor sp-metadata.xml
> func=xmlSecKeyDataNameXmlRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=657:obj=key-name:subj=unknown:error=41:invalid key data:details=key name is already specified
> func=xmlSecKeyInfoNodeRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=117:obj=key-name:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=KeyName
> func=xmlSecKeysMngrGetKey:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keys.c:line=1230:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
> func=xmlSecDSigCtxProcessKeyInfoNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
> func=xmlSecDSigCtxProcessSignatureNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/0
> Manifests References (ok/all): 0/0
> Error: failed to verify file "sp-metadata.xml"
>
> The resulting signature is like the following
>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <ds:SignedInfo>
>     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>     <ds:Reference URI="#_y8rptnmmdz5fksiz2v955c3wt7ije506raog1w6s24f">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>       <ds:DigestValue>[...]</ds:DigestValue>
>     </ds:Reference>
>   </ds:SignedInfo>
>   <ds:SignatureValue>[...]</ds:SignatureValue>
>   <ds:KeyInfo>
>     <ds:KeyName>[alternative name 1]</ds:KeyName>
>     <ds:KeyName>[alternative name 2]</ds:KeyName>
>     <ds:X509Data>
>       <ds:X509SubjectName>[...]</ds:X509SubjectName>
>       <ds:X509Certificate>[...]</ds:X509Certificate>
>     </ds:X509Data>
>   </ds:KeyInfo>
> </ds:Signature>
>
> The error seems to be related to multiple <KeyName> tags nested within
> <KeyInfo>. Indeed, if I re-sign the same document with a certificate
> that has only one alternative name, the resulting signature has just
> one <KeyName> and xmlsec verifies correctly.
>
> Otherwise, if I try to verify both signed documents with samlsign
> or xmlsectool, everything goes well.
>
> Do you have something to suggest? Thanks!
>
> Bests,
>
> Paolo
>
> --
> PAOLO SMIRAGLIA
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
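The failure in the thread happens before any cryptographic check: xmlsec1 reads the ds:KeyInfo children one by one and aborts on the second ds:KeyName. The following Python script is an added example (not code from the thread, from samlsign or from the xmlsec project) that pre-flights a SAML metadata file for exactly this condition, so a verifier operator can tell a "KeyInfo shape xmlsec1 cannot read" apart from a genuinely bad signature. The embedded metadata document is constructed for the example, with placeholder digest, signature and certificate values and hypothetical KeyName values; only the element structure mirrors the signature quoted above. It uses the standard-library parser; for metadata from an untrusted source the same calls work on defusedxml.ElementTree.

```python
"""Pre-flight check for the xmlsec1 "key name is already specified" error.

xmlsec1 1.2.x accepts at most one <ds:KeyName> inside a <ds:KeyInfo>; the
second one makes xmlSecKeyDataNameXmlRead fail (error=41, "key name is
already specified") before the key lookup and signature check run.
This helper (added example, not part of xmlsec) lists, per ds:Signature,
the KeyName values and whether the KeyInfo would pass that check.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DS = "{%s}" % DS_NS

# Constructed sample: same element structure as the signature in the
# thread, placeholder values, hypothetical KeyName contents.
SAMPLE_TWO_KEYNAMES = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_example-id" entityID="https://sp.example.invalid/saml">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_example-id">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>sp.example.invalid</ds:KeyName>
      <ds:KeyName>sp-alt.example.invalid</ds:KeyName>
      <ds:X509Data>
        <ds:X509SubjectName>CN=sp.example.invalid</ds:X509SubjectName>
        <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</md:EntityDescriptor>
"""

# The variant the thread reports as verifying fine: a single KeyName.
SAMPLE_ONE_KEYNAME = SAMPLE_TWO_KEYNAMES.replace(
    "      <ds:KeyName>sp-alt.example.invalid</ds:KeyName>\n", "")


def keyinfo_report(xml_text):
    """Return one dict per ds:Signature in the document.

    Keys: key_names (list of KeyName texts, document order),
    has_x509_certificate (bool), xmlsec1_accepts_keyinfo (bool: True when
    zero or one KeyName is present, which is the xmlsec1 1.2.x limit).
    """
    root = ET.fromstring(xml_text)
    reports = []
    # Element.iter() includes the root itself, so a bare <ds:Signature>
    # document is handled the same way as an enveloped one.
    for sig in root.iter(DS + "Signature"):
        keyinfo = sig.find(DS + "KeyInfo")
        names = []
        has_cert = False
        if keyinfo is not None:
            names = [(n.text or "").strip() for n in keyinfo.findall(DS + "KeyName")]
            has_cert = keyinfo.find("./%sX509Data/%sX509Certificate" % (DS, DS)) is not None
        reports.append({
            "key_names": names,
            "has_x509_certificate": has_cert,
            "xmlsec1_accepts_keyinfo": len(names) <= 1,
        })
    return reports


def explain(report):
    """One-line diagnosis for a single signature's report."""
    if report["xmlsec1_accepts_keyinfo"]:
        return "KeyInfo readable by xmlsec1 (%d KeyName)" % len(report["key_names"])
    return ("xmlsec1 will stop at the second KeyName (%s) with "
            "'key name is already specified'" % ", ".join(report["key_names"]))


if __name__ == "__main__":
    for label, doc in (("two KeyNames", SAMPLE_TWO_KEYNAMES),
                       ("one KeyName", SAMPLE_ONE_KEYNAME)):
        for r in keyinfo_report(doc):
            print("%s: %s" % (label, explain(r)))
```

Run it against a real metadata file by reading the file into `keyinfo_report`. A report with `xmlsec1_accepts_keyinfo` false and `has_x509_certificate` true is the situation in the thread: the signing certificate is right there in X509Data, but the KeyInfo parse never reaches it.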
