I am trying to verify a signed XML SAML Response. It contains a spoofed cert in the XML.
I have the known real cert in a PEM file.
When I run
xmlsec1 --verify --pubkey-cert-pem pubkey-real.pem \
--id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion \
--node-id DaavCk888T6_KR-Rtdm52CZSceG saml-req-spoofed.xml
it correctly validates it! It uses the certificate inside of the spoofed SAML request, instead of the known good one I am passing it on the command line. I know this because when I add --print-debug to the params it outputs the spoofed cert info.
Is there a way to force xmlsec1 to ignore the certificate inside of the XML file and force it to use the one I pass on the command line?
I am running xmlsec1 1.2.20 on a Mac.
After quite a bit of struggle, I found out you can try adding --enabled-key-data, for example: --enabled-key-data rsa or --enabled-key-data x509
Either of those should work. You can also try xmlsec1 --list-key-data to see the ones you can choose.
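Independently of which key data xmlsec1 is allowed to use, a relying party can refuse a response whose KeyInfo carries anything other than the pinned IdP certificate before it ever reaches signature verification. The following is an added example, not code from the question, the answer or xmlsec1: it compares the SHA-256 fingerprint of every ds:X509Certificate in the document with the trusted PEM, and the certificate bytes and SAML skeleton are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and decode the base64 body to DER."""
    body = "".join(
        s for s in (line.strip() for line in pem.splitlines())
        if s and not s.startswith("-----")
    )
    return base64.b64decode(body)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

def embedded_cert_fingerprints(xml_text: str) -> list:
    """Fingerprints of every ds:X509Certificate found anywhere in the XML."""
    root = ET.fromstring(xml_text)
    fps = []
    for el in root.iter(f"{{{DS_NS}}}X509Certificate"):
        b64 = "".join((el.text or "").split())  # tolerate line wrapping
        fps.append(fingerprint(base64.b64decode(b64)))
    return fps

def embedded_cert_is_trusted(xml_text: str, trusted_pem: str) -> bool:
    """True only if KeyInfo holds at least one cert and all of them are the pinned one."""
    trusted = fingerprint(pem_to_der(trusted_pem))
    embedded = embedded_cert_fingerprints(xml_text)
    return bool(embedded) and all(fp == trusted for fp in embedded)

# Constructed stand-ins for DER certificate bytes (not real certificates).
TRUSTED_DER = b"constructed DER bytes standing in for the real IdP certificate"
SPOOFED_DER = b"constructed DER bytes standing in for an injected certificate"
TRUSTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(TRUSTED_DER).decode()
               + "\n-----END CERTIFICATE-----\n")

def saml_response_with_cert(der: bytes) -> str:
    """Constructed minimal SAML Response skeleton carrying one cert in KeyInfo."""
    b64 = base64.b64encode(der).decode()
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:ds="{DS_NS}" ID="_resp1"><ds:Signature><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>")

if __name__ == "__main__":
    print(embedded_cert_is_trusted(saml_response_with_cert(TRUSTED_DER), TRUSTED_PEM))
    print(embedded_cert_is_trusted(saml_response_with_cert(SPOOFED_DER), TRUSTED_PEM))
```

A rejection here means the document should not be handed to the signature verifier at all; passing it still requires the verifier to run against the pinned certificate rather than whatever KeyInfo contains.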