Paolo Smiraglia
2018-06-29 14:32:04 UTC
Hi guys, my name is Paolo.
I'm trying to verify the signature of an SP (service provider) SAML
metadata, which was signed with "samlsign" tool and using a
certificate with two subjectAlternativeNames. Unfortunately, I receive
the following error:
$ xmlsec1 --verify --id-attr:ID
urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor sp-metadata.xml
func=xmlSecKeyDataNameXmlRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=657:obj=key-name:subj=unknown:error=41:invalid
key data:details=key name is already specified
func=xmlSecKeyInfoNodeRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=117:obj=key-name:subj=xmlSecKeyDataXmlRead:error=1:xmlsec
library function failed:node=KeyName
func=xmlSecKeysMngrGetKey:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keys.c:line=1230:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec
library function failed:node=KeyInfo
func=xmlSecDSigCtxProcessKeyInfoNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key
is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
library function failed:
func=xmlSecDSigCtxVerify:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "sp-metadata.xml"
The resulting signature looks like the following:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod
      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod
      Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_y8rptnmmdz5fksiz2v955c3wt7ije506raog1w6s24f">
      <ds:Transforms>
        <ds:Transform
          Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>[...]</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>[...]</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:KeyName>[alternative name 1]</ds:KeyName>
    <ds:KeyName>[alternative name 2]</ds:KeyName>
    <ds:X509Data>
      <ds:X509SubjectName>[...]</ds:X509SubjectName>
      <ds:X509Certificate>[...]</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>
The error seems to be related to multiple <KeyName> tags nested within
<KeyInfo>. Indeed, if I resign the same document with a certificate
that has only one alternative name, the resulting signature has just
one <KeyName> and xmlsec verifies correctly.
Conversely, if I try to verify the signed document with either samlsign
or xmlsectool, everything goes well.
Do you have something to suggest? Thanks!
Bests,
Paolo
--
PAOLO SMIRAGLIA
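An added example, not part of the post above and not code from xmlsec1 or samlsign: a small Python script that inspects the <ds:KeyInfo> of an enveloped signature shaped like the one in the post. It does two things a verifier operator would want to check before opening a bug: it counts the <ds:KeyName> children (the condition xmlsec1 1.2.24 rejects with "key name is already specified"), and it shows that, because the reference uses the enveloped-signature transform, the whole <ds:Signature> subtree including <ds:KeyInfo> is removed before the digest is computed, so nothing in KeyInfo is protected by the signature and a verifier must take its trust anchor from configuration rather than from KeyInfo. The sample metadata, the entity ID and the key names are constructed placeholders. The digest helper uses the standard library's C14N 2.0 as an approximation of Exclusive C14N, so its value will not match a real <ds:DigestValue>; it only demonstrates which content the digest depends on.

```python
"""Inspect ds:KeyInfo in an enveloped XML signature and show that its
contents lie outside the signed scope.

Added example; not part of the original post or of xmlsec1/samlsign.
All sample values below are constructed placeholders.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import List

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"ds": DS, "md": MD}
ET.register_namespace("ds", DS)
ET.register_namespace("md", MD)

# Constructed sample with the same signature layout as the post (placeholder values).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" ID="_example-id" entityID="https://sp.example/placeholder">
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_example-id">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>sp.example</ds:KeyName>
      <ds:KeyName>alt.sp.example</ds:KeyName>
      <ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def key_names(xml_text: str) -> List[str]:
    """Text of every ds:KeyName that is a direct child of ds:KeyInfo."""
    root = ET.fromstring(xml_text)
    return [e.text or "" for e in root.findall("ds:Signature/ds:KeyInfo/ds:KeyName", NS)]


def keyinfo_problems(xml_text: str) -> List[str]:
    """Report KeyInfo layouts that xmlsec1 1.2.24 refuses to process."""
    names = key_names(xml_text)
    problems = []
    if len(names) > 1:
        problems.append(
            f"{len(names)} ds:KeyName elements under one ds:KeyInfo; "
            "xmlsec1 1.2.24 accepts at most one ('key name is already specified')"
        )
    return problems


def enveloped_digest(xml_text: str) -> str:
    """SHA-256 of the referenced element after the enveloped-signature transform.

    Approximation: stdlib C14N 2.0 stands in for Exclusive C14N 1.0, so the
    value will not equal a real ds:DigestValue; it only shows which content
    the digest covers.
    """
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is not None:
        # enveloped-signature transform: the entire ds:Signature subtree,
        # ds:KeyInfo included, is dropped before canonicalisation and hashing.
        root.remove(sig)
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def keyinfo_is_unsigned(xml_text: str) -> bool:
    """True when rewriting a ds:KeyName leaves the referenced digest unchanged."""
    edited = xml_text.replace("alt.sp.example", "other.example")
    return enveloped_digest(xml_text) == enveloped_digest(edited)


if __name__ == "__main__":
    print("KeyName values:", key_names(SAMPLE_METADATA))
    for p in keyinfo_problems(SAMPLE_METADATA):
        print("problem:", p)
    print("KeyInfo outside signed scope:", keyinfo_is_unsigned(SAMPLE_METADATA))
```

Because KeyInfo is unsigned, the practical fix on the verifier side is to supply the SP's certificate as a trusted key to xmlsec1 and have the tool resolve the key from that configuration, rather than relying on whatever <ds:KeyName> or <ds:X509Certificate> the document carries; the multiple-KeyName layout is then a parsing obstacle, not a trust decision.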