xmlsec fails to verify the signature

阿图尔·雷奇莱维奇

I am trying to use the xmlsec1 utility to verify the signature of an XML document (attached at the bottom of the question). However, when I run the command

xmlsec1 --verify test.xml

I get the following stack trace:

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifest References (ok/all): 0/0
Error: failed to verify file "test.xml"

Judging from the stack trace, I think there is something wrong with the ID. After some digging, I found that running

xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" test.xml

produces the following stack trace:

func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=249:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifest References (ok/all): 0/0
Error: failed to verify file "test.xml"

Here is the trimmed content of the test.xml file:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost/login" ID="uuid-73c06e86-88d2-4204-91f4-3d484bc782cc" InResponseTo="_bbaf45ef713be7a8c8701e41118ec2278cbf32828f" IssueInstant="2016-02-29T14:16:31.142Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">idp-name</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>H9ffPJ6/jq25p13BcziR0hNLkGg=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>FegjeG..pJEQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIFIj..mV7A==</ds:X509Certificate>
            </ds:X509Data>
            <ds:X509Data>
                <ds:X509Certificate>MIIFDj..5uLcw=</ds:X509Certificate>
            </ds:X509Data>
            <ds:X509Data>
                <ds:X509Certificate>MIIE/z..3IDhA=</ds:X509Certificate>
            </ds:X509Data>
            <ds:X509Data>
                <ds:X509Certificate>MIIEkT..h5/WrQ8</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="uuid-201bfc86-e7d7-4dca-bdb5-2263b2d27c22" IssueInstant="2016-02-29T14:16:01.175Z" Version="2.0">
        <saml2:Issuer>idp-name</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#uuid-201bfc86-e7d7-4dca-bdb5-2263b2d27c22">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>EJzD3pVZwkvFkh8IX0xyF7tmP2k=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>b3ONeh..zOEw==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIFIj..mV7A==</ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>MIIFDj..5uLcw=</ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>MIIE/z..3IDhA=</ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>MIIEkT..5/WrQ8</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
    </saml2:Assertion>
</saml2p:Response>

Can you explain what I am doing wrong? How do I verify a signed XML file with xmlsec?

阿图尔·雷奇莱维奇

I found the correct way to verify this, so here it is:

First, the ID attribute has to be specified:

xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" test.xml

Running this command against my XML file resulted in the error `invalid data:data and digest do not match`.

I had been running the command against the output returned by SAML Tracer (a Firefox plugin), which pretty-prints the XML. That changes the signature, hence the xmlsec1 error.

Running xmlsec1 on the raw (decoded) content works fine.
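Both failure modes from the answer above, as an added Python example that is not part of the original post: it emulates what `--id-attr:ID <element>` registers, applies the enveloped-signature transform, and computes a Reference digest over compact versus re-indented XML. The sample document, its UUIDs and every helper name are constructed for this example; the standard library's C14N 2.0 stands in for the exclusive C14N 1.0 that xmlsec1 uses, so the digests it prints do not correspond to any DigestValue on this page.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs used by the constructed sample (the same ones as in test.xml).
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
RESPONSE_TAG = f"{{{SAMLP_NS}}}Response"
ASSERTION_TAG = f"{{{SAML_NS}}}Assertion"
SIGNATURE_TAG = f"{{{DS_NS}}}Signature"

for prefix, uri in (("saml2p", SAMLP_NS), ("saml2", SAML_NS), ("ds", DS_NS)):
    ET.register_namespace(prefix, uri)  # keep the familiar prefixes when re-serialising

# Constructed sample with the shape of a signed SAML Response; it is NOT the page's
# test.xml. SignedInfo is left empty because only the Reference digest is computed.
COMPACT_XML = (
    f'<saml2p:Response xmlns:saml2p="{SAMLP_NS}" ID="uuid-0000" Version="2.0">'
    f'<saml2:Issuer xmlns:saml2="{SAML_NS}">idp-name</saml2:Issuer>'
    f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo/></ds:Signature>'
    f'<saml2:Assertion xmlns:saml2="{SAML_NS}" ID="uuid-0001">'
    '<saml2:Issuer>idp-name</saml2:Issuer>'
    '</saml2:Assertion>'
    '</saml2p:Response>'
)


def pretty_print(xml_text: str) -> str:
    """Re-indent the document, as a browser plugin does when it displays a response."""
    root = ET.fromstring(xml_text)
    ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode")


def resolve_id(root: ET.Element, fragment: str, id_attr: str, id_elem: str):
    """Emulates `--id-attr:<attr> <element>`: only attribute <attr> on elements with
    tag <element> (Clark notation) counts as an ID. Plain XML declares no ID
    attributes, which is why xpointer(id('...')) fails without this registration."""
    for elem in root.iter(id_elem):
        if elem.get(id_attr) == fragment:
            return elem
    return None


def can_resolve(xml_text: str, uri: str, id_attr: str = "ID", id_elem: str = RESPONSE_TAG) -> bool:
    """True if the same-document reference `uri` resolves under the given registration."""
    return resolve_id(ET.fromstring(xml_text), uri.lstrip("#"), id_attr, id_elem) is not None


def reference_digest(xml_text: str, uri: str, id_attr: str = "ID", id_elem: str = RESPONSE_TAG) -> str:
    """Base64 SHA-1 of a same-document Reference after the enveloped-signature
    transform and canonicalisation. C14N 2.0 from the standard library stands in
    for exclusive C14N 1.0; both keep whitespace-only text nodes, which is the
    property that matters here."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references (#id) are handled")
    root = ET.fromstring(xml_text)
    target = resolve_id(root, uri[1:], id_attr, id_elem)
    if target is None:
        raise LookupError(f"no {id_elem} element with {id_attr}={uri[1:]!r}")
    # enveloped-signature transform: drop the Signature that is a direct child of
    # the signed element. A nested Assertion's own Signature stays in scope.
    for sig in target.findall(SIGNATURE_TAG):
        target.remove(sig)
    canonical = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    digest = hashlib.sha1(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def digest_survives_pretty_print(xml_text: str, uri: str) -> bool:
    """False whenever re-formatting changed the bytes that were signed."""
    return reference_digest(xml_text, uri) == reference_digest(pretty_print(xml_text), uri)


if __name__ == "__main__":
    print("compact :", reference_digest(COMPACT_XML, "#uuid-0000"))
    print("indented:", reference_digest(pretty_print(COMPACT_XML), "#uuid-0000"))
    print("Assertion ID resolvable with only Response registered:",
          can_resolve(COMPACT_XML, "#uuid-0001"))
```

Running it prints two different digests for the same logical document, which is the `data and digest do not match` report in a nutshell: indentation is whitespace text inside the signed element, and no canonicalisation method discards it. Two caveats for the CLI use shown in the answer. First, `xmlsec1 --verify` checks the first ds:Signature it finds (the Response's here) unless you select another with `--node-id` or `--node-xpath`, and the Assertion's Reference only resolves once its own ID attribute is registered too (`--id-attr:ID "urn:oasis:names:tc:SAML:2.0:assertion:Assertion"`, the option can be repeated); the function above makes that visible with `can_resolve`. Second, a verification that succeeds against whichever certificate sits in KeyInfo only shows the document is self-consistent; pass the IdP's certificate with `--trusted-pem` for anything beyond a debugging session, and make sure the application consumes exactly the element that was verified, not merely one with a matching ID.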
