Menu
I am trying to verify XML (attached on the bottom of the question) signature with xmlsec1 utility. However, when executing a command
xmlsec1 --verify test.xml
I am getting following stack trace:
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc')) func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed: func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed: func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed: Error: signature failed ERROR SignedInfo References (ok/all): 0/1 Manifests References (ok/all): 0/0 Error: failed to verify file "test.xml" ```
Based on stack trace, I presume something is wrong with ID. After some digging, I found that executing
xmlsec1 --verify --id-attr:ID
"urn:oasis:names:tc:SAML:2.0:protocol:Response" test.xml
produces following stack trace
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=249:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match FAIL SignedInfo References (ok/all): 0/1 Manifests References (ok/all): 0/0 Error: failed to verify file "test.xml"
Here's trimmed content of test.xml file:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost/login" ID="uuid-73c06e86-88d2-4204-91f4-3d484bc782cc" InResponseTo="_bbaf45ef713be7a8c8701e41118ec2278cbf32828f" IssueInstant="2016-02-29T14:16:31.142Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">idp-name</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>H9ffPJ6/jq25p13BcziR0hNLkGg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>FegjeG..pJEQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFIj..mV7A==</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509Certificate>MIIFDj..5uLcw=</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509Certificate>MIIE/z..3IDhA=</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509Certificate>MIIEkT..h5/WrQ8</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="uuid-201bfc86-e7d7-4dca-bdb5-2263b2d27c22" IssueInstant="2016-02-29T14:16:01.175Z" Version="2.0">
<saml2:Issuer>idp-name</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#uuid-201bfc86-e7d7-4dca-bdb5-2263b2d27c22">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>EJzD3pVZwkvFkh8IX0xyF7tmP2k=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>b3ONeh..zOEw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFIj..mV7A==</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509Certificate>MIIFDj..5uLcw=</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509Certificate>MIIE/z..3IDhA=</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509Certificate>MIIEkT..5/WrQ8</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml2:Assertion>
</saml2p:Response>
Can you please explain me what am I doing wrong here? How to validate signed XML file with xmlsec?
801
I have found a correct way to validate this, so here's how:
First, ID attribute must be specified:
xmlsec1 --verify --id-attr:ID
"urn:oasis:names:tc:SAML:2.0:protocol:Response" test.xml
Executing this command against my XML file resulted in error invalid data:data and digest do not match.
I've been invoking this command against output returned by SAML Tracer (Firefox addon) which formats XML - this changes the signature so xmlsec1 prints error.
Invoking xmlsec1 against original (decrypted) content works fine.
68
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
