Description
Hi,
I'm trying to debug a problem with SAML response validation using python3-saml and am trying to check whether the problem is down in python-xmlsec.
I have a response from a server and the server's public cert. I've also added the CA cert for the server to the client (/etc/openssl/certs and /etc/certs/CA in my case on Solaris). And with that, sure enough, the XML validation works using xmlsec1:
```
# xmlsec1 --verify --id-attr:ID Assertion --pubkey-cert-pem idcs.cer r4.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
```
However, if I try with python-xmlsec I can't validate:
```python
import xmlsec
from lxml import etree

xmlsec.enable_debug_trace(True)
xml = etree.parse('r4.xml').getroot()
# Register "ID" as an ID-type attribute so Reference URIs of the form "#..." resolve
xmlsec.tree.add_ids(xml, ["ID"])
# Locate the first ds:Signature element anywhere under the root
signature_node = xmlsec.tree.find_node(xml, xmlsec.constants.NodeSignature)
ctx = xmlsec.SignatureContext()
ctx.set_enabled_key_data([xmlsec.KeyData.X509])
ctx.key = xmlsec.Key.from_file('./idcs.cer', xmlsec.KeyFormat.CERT_PEM)
ctx.verify(signature_node)
```
```
# python test.py
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=436:obj=unknown:subj=dsigCtx->signValueNode == NULL:error=100:assertion:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
Traceback (most recent call last):
  File "test.py", line 21, in <module>
    ctx.verify(signature_node)
xmlsec.Error: (1, 'failed to verify')
```
Perhaps my Python is wrong there; it's what I've put together from the examples and what python3-saml is doing. Error 100 is 'Invalid assertion', but that doesn't help me much.
The OS delivers xmlsec (1.2.28) and libxml2 (2.9.9), and pip-installed python-xmlsec (1.3.12), and pkg-config tells me the cflags for xmlsec1 are:
```
-DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 -D__XMLSEC_FUNCTION__=func -DXMLSEC_NO_GOST=1 -DXMLSEC_NO_GOST2012=1 -DXMLSEC_DL_LIBLTDL=1 -I/usr/include/xmlsec1 -I/usr/include/libxml2
```
Can anyone advise if the python above is correct and expected to work or how I might debug this further? Is there perhaps some other file or directory I need to add the server CA cert to? Or some additional processing of the XML in addition to extracting the signature_node before verification?
Thanks