I am trying to verify the signature of an XML document (attached at the bottom of the question) with the xmlsec1 utility. However, when I run

xmlsec1 --verify test.xml

I get the following stack trace:
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "test.xml"
Judging from the stack trace, I think the problem is with the ID. After some digging, I found that running

xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" test.xml

produces the following stack trace instead:

func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=249:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "test.xml"

Here is the trimmed content of the file test.xml:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost/login" ID="uuid-73c06e86-88d2-4204-91f4-3d484bc782cc" InResponseTo="_bbaf45ef713be7a8c8701e41118ec2278cbf32828f" IssueInstant="2016-02-29T14:16:31.142Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">idp-name</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>H9ffPJ6/jq25p13BcziR0hNLkGg=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>FegjeG..pJEQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIFIj..mV7A==</ds:X509Certificate>
      </ds:X509Data>
      <ds:X509Data>
        <ds:X509Certificate>MIIFDj..5uLcw=</ds:X509Certificate>
      </ds:X509Data>
      <ds:X509Data>
        <ds:X509Certificate>MIIE/z..3IDhA=</ds:X509Certificate>
      </ds:X509Data>
      <ds:X509Data>
        <ds:X509Certificate>MIIEkT..h5/WrQ8</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="uuid-201bfc86-e7d7-4dca-bdb5-2263b2d27c22" IssueInstant="2016-02-29T14:16:01.175Z" Version="2.0">
    <saml2:Issuer>idp-name</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#uuid-201bfc86-e7d7-4dca-bdb5-2263b2d27c22">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>EJzD3pVZwkvFkh8IX0xyF7tmP2k=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>b3ONeh..zOEw==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIFIj..mV7A==</ds:X509Certificate>
        </ds:X509Data>
        <ds:X509Data>
          <ds:X509Certificate>MIIFDj..5uLcw=</ds:X509Certificate>
        </ds:X509Data>
        <ds:X509Data>
          <ds:X509Certificate>MIIE/z..3IDhA=</ds:X509Certificate>
        </ds:X509Data>
        <ds:X509Data>
          <ds:X509Certificate>MIIEkT..5/WrQ8</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
  </saml2:Assertion>
</saml2p:Response>
Can you explain what I am doing wrong here? How do I verify a signed XML file with xmlsec?
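The two traces in the question are the two distinct stages at which reference validation can fail, and the following added example (not from the question and not xmlsec's code) walks through both on a constructed SAML Response. The first trace is an unresolved `xpointer(id('uuid-...'))`: libxml2's `id()` only knows attributes declared as IDs by a DTD, so xmlsec1 has to be told with `--id-attr` which attribute on which element type is an ID; `build_id_map` below is that registry. The second trace, "data and digest do not match", means the reference now resolves but the bytes being digested are not the bytes that were signed; `check_references` reproduces that by recomputing each DigestValue after the enveloped-signature transform. Assumptions: the digest step uses the standard library's C14N 2.0 (`xml.etree.ElementTree.canonicalize`) in place of the exclusive C14N 1.0 transform real SAML signatures use, so it round-trips only documents digested by `fill_digests` here, and the sample document, its IDs, URLs and placeholder values are all made up.

```python
"""Resolve and check the same-document References of a signed SAML Response.

Added example, not code from the question or from xmlsec. It shows what the
`--id-attr` flag gives xmlsec1 (a registry of which attributes are IDs, so
that URI="#uuid-..." can be resolved) and reproduces the "data and digest do
not match" stage. Assumption: stdlib C14N 2.0 stands in for exc-c14n 1.0, so
digests only round-trip against documents produced by fill_digests() below.
"""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SIG, REF, DV = (f"{{{DS}}}{n}" for n in ("Signature", "Reference", "DigestValue"))

# Equivalent of:  --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response
#                 --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion
# Registered per element type on purpose: treating every "ID" attribute in the
# document as an ID lets an attacker-controlled element claim the signed ID.
ID_ATTRS = {(SAMLP, "Response"): "ID", (SAML, "Assertion"): "ID"}

# Constructed sample: two enveloped signatures, DigestValues still unfilled.
SAMPLE = f"""<saml2p:Response xmlns:saml2p="{SAMLP}" ID="uuid-resp"
    Destination="http://localhost/login" Version="2.0">
  <saml2:Issuer xmlns:saml2="{SAML}">idp-name</saml2:Issuer>
  <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#uuid-resp">
    <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml2:Assertion xmlns:saml2="{SAML}" ID="uuid-assert" Version="2.0">
    <saml2:Issuer>idp-name</saml2:Issuer>
    <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#uuid-assert">
      <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""


def _split(tag):
    ns, _, local = tag[1:].partition("}")
    return ns, local


def build_id_map(root):
    """Map registered ID attribute values to elements. Without this registry
    every '#...' reference is unresolvable (the first trace in the question).
    A duplicate ID is rejected outright: silently picking the first match is
    what XML signature-wrapping attacks rely on."""
    ids = {}
    for el in root.iter():
        attr = ID_ATTRS.get(_split(el.tag))
        if attr and attr in el.attrib:
            if el.attrib[attr] in ids:
                raise ValueError(f"duplicate ID {el.attrib[attr]!r}")
            ids[el.attrib[attr]] = el
    return ids


def enveloped_digest(target, sig):
    """Base64 SHA-1 of `target` with `sig` removed (the enveloped-signature
    transform), then canonicalized. Assumption: C14N 2.0 instead of exc-c14n."""
    clone = copy.deepcopy(target)
    clone.remove(list(clone)[list(target).index(sig)])
    data = ET.canonicalize(ET.tostring(clone, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(data.encode()).digest()).decode()


def _references(root):
    """Yield (signature, reference, target or None, enveloped?) per Reference.
    Only same-document '#id' URIs are handled; URI="" is left unresolved."""
    ids = build_id_map(root)
    parents = {c: p for p in root.iter() for c in p}
    for sig in root.iter(SIG):
        for ref in sig.iter(REF):
            uri = ref.get("URI", "")
            target = ids.get(uri[1:]) if uri.startswith("#") else None
            yield sig, ref, target, target is not None and parents.get(sig) is target


def check_references(xml_text):
    """Return {URI: status}; the statuses mirror xmlsec1's two failure modes."""
    out = {}
    for sig, ref, target, enveloped in _references(ET.fromstring(xml_text)):
        uri = ref.get("URI", "")
        if target is None:
            out[uri] = "unresolved: no registered ID attribute has this value"
        elif not enveloped:
            out[uri] = "Signature is not a direct child of the signed element"
        elif ref.findtext(DV, "").strip() != enveloped_digest(target, sig):
            out[uri] = "digest mismatch: content changed after signing"
        else:
            out[uri] = "ok"
    return out


def fill_digests(xml_text):
    """Write correct DigestValues, innermost first (the Response digest covers
    the Assertion's Signature too), and return the document as text."""
    root = ET.fromstring(xml_text)
    for sig, ref, target, enveloped in reversed(list(_references(root))):
        if enveloped:
            ref.find(DV).text = enveloped_digest(target, sig)
    return ET.tostring(root, encoding="unicode")
```

Two things carry over to the real tool. First, a SAML Response like the one in the question carries IDs on both the Response and the Assertion, so xmlsec1 needs an `--id-attr:ID` entry for each element type that a Reference may point at, and it verifies one `Signature` element per run (the first it finds unless `--node-id` or `--node-xpath` selects another). Second, once the reference resolves, a digest mismatch means the element bytes differ from what was signed: exclusive C14N keeps whitespace inside the signed element, so pretty-printing, trimming or otherwise re-serializing a captured response invalidates the digest even though the XML still "looks" the same; the Response digest also covers the embedded Assertion and its signature, so either one being altered fails the outer reference. Supply the verification key explicitly (`--trusted-pem` or `--pubkey-cert-pem`) rather than trusting whatever certificate the document's own KeyInfo carries.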