Post by Paolo Smiraglia
Hi guys, my name is Paolo.
I'm trying to verify the signature of an SP (service provider) SAML
metadata, which was signed with "samlsign" tool and using a
certificate with two subjectAlternativeNames. Unfortunately, I receive
the following error
$ xmlsec1 --verify --id-attr:ID
urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor sp-metadata.xml
func=xmlSecKeyDataNameXmlRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=657:obj=key-name:subj=unknown:error=41:invalid
key data:details=key name is already specified
func=xmlSecKeyInfoNodeRead:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keyinfo.c:line=117:obj=key-name:subj=xmlSecKeyDataXmlRead:error=1:xmlsec
library function failed:node=KeyName
func=xmlSecKeysMngrGetKey:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/keys.c:line=1230:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec
library function failed:node=KeyInfo
func=xmlSecDSigCtxProcessKeyInfoNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key
is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxVerify:file=/usr/src/ports/xmlsec1/xmlsec1-1.2.24-1.x86_64/src/xmlsec1-1.2.24/src/xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "sp-metadata.xml"
The resulting signature is like the following
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_y8rptnmmdz5fksiz2v955c3wt7ije506raog1w6s24f">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>[...]</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[...]</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>[alternative name 1]</ds:KeyName>
<ds:KeyName>[alternative name 2]</ds:KeyName>
<ds:X509Data>
<ds:X509SubjectName>[...]</ds:X509SubjectName>
<ds:X509Certificate>[...]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
The error seems to be related to multiple <KeyName> tags nested within
<KeyInfo>. Indeed, if I resign the same document with a certificate
that has only one alternative name, the resulting signature has just
one <KeyName> and xmlsec verifies correctly.
Otherwise, if I try to verify both the signed document with samlsign
or xmlsectool, everything goes well.
Do you have something to suggest? Thanks!
Bests,
Paolo
--
PAOLO SMIRAGLIA
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec

Post by Paolo Smiraglia
Hi guys, my name is Paolo.
I'm trying to verify the signature of an SP (service provider) SAML
metadata, which was signed with "samlsign" tool and using a
certificate with two subjectAlternativeNames. Unfortunately, I receive
the following error

Post by Paolo Smiraglia
The error seems to be related to multiple <KeyName> tags nested within
<KeyInfo>. Indeed, if I resign the same document with a certificate
that has only one alternative name, the resulting signature has just
one <KeyName> and xmlsec verifies correctly.
Otherwise, if I try to verify both the signed document with samlsign
or xmlsectool, everything goes well.

Post by Paolo Smiraglia
Do you have something to suggest? Thanks!

Post by Paolo Smiraglia
Bests,
Paolo