Channel: .NET Framework Class Libraries forum

Trouble Getting SignedXml.CheckSignature() to work

I'm trying to verify a message that arrives at the method below as an XmlDocument. The document is created with PreserveWhitespace=true and is created from a base64-decoded string received from an HTTP POST. The error I'm getting is: Malformed Reference Element. I get the basic idea of what the error is saying, but I'm not sure where to go to figure out what needs to be done to fix this so it validates. I have very limited control of the incoming XML, so a fix that doesn't require modifying that would be best. I'll take links to articles or anything that will help if you can't see the solution at a glance.
Thanks for any help.
Code Snippet

using System;
using System.Security.Cryptography.Xml;
using System.Xml;

private void VerifySAML(System.Xml.XmlDocument docToVerify)
{
    try
    {
        // Look the Signature element up by namespace rather than by the "ds:"
        // prefix, so the lookup still works if the issuer uses another prefix.
        // Check the element itself for null: a SignedXml instance that has just
        // been constructed can never be null, so testing it catches nothing.
        XmlElement sigElement = docToVerify.GetElementsByTagName(
            "Signature", "http://www.w3.org/2000/09/xmldsig#")[0] as XmlElement;
        if (sigElement == null)
            throw new SsoException("Could not locate signature in assertion");

        SignedXml sXml = new SignedXml(docToVerify);
        sXml.LoadXml(sigElement);

        // assertion must be correctly verified against itself
        // Note: CheckSignature() with no argument verifies against the key found
        // in the message's own <ds:KeyInfo>; it shows the document is internally
        // consistent, not that the expected issuer signed it.
        if (!sXml.CheckSignature())
            throw new SsoException("Assertion failed verification");
        ...
    }
    catch (Exception ex)
    {
        AprimoEventLog.Instance.LogError(ex);
        throw new SsoException("SAML Verification failed.", ex);
    }
}

The string of Xml after decoding looks like:
Code Snippet
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-02-29T13:31:55.050Z" MajorVersion="1" MinorVersion="1" Recipient="http://208.40.237.98/aprimomarketing" ResponseID="_95754da531d7d92a7f287242eca5c9da"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_95754da531d7d92a7f287242eca5c9da">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>OxUFDbe2eXnxbtjNFz2P2+9uYYM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
L/cUk4QluOiNtzu8ffiG/TSVm3D8Z6JjUSZi6jqJLwzGT9ApsjhvUbDqJZLSRaDQFT1y0SBM0p+p
sbtDTkiWKGtQfQ2D7Ta40ZIJUNgDsC+d2/m1iUKXg3m0ff/yKxH1hz9OV4Tx1RO4DlVOmKbSgRR0
pKL0YxNE7UqmoFggvlo=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_d815953e87678d0ba2aab2c167c06640" IssueInstant="2008-02-29T13:31:55.069Z" Issuer="http://www.prudential.com/samlassertingparty/AP" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-29T13:31:55.051Z" NotOnOrAfter="2008-02-29T13:33:55.051Z"><AudienceRestrictionCondition><Audience>http://208.40.237.98/aprimomarketing</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2008-02-29T13:31:55.051Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><Subject><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="aprimo.com">X150740</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement><AttributeStatement><Subject><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="aprimo.com">X150740</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><Attribute AttributeName="username" AttributeNamespace="aprimo.com"><AttributeValue>X150740</AttributeValue></Attribute><Attribute AttributeName="datasource" AttributeNamespace="aprimo.com"><AttributeValue>LeadManagement</AttributeValue></Attribute></AttributeStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_d815953e87678d0ba2aab2c167c06640">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>hpGN3B+fS8bt2Bbxg/ySEqKb+M4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
c5ik97ieGD4JYWjBaD3H9z9HalEwAghn3EDeo56hbf2sG3Xtw01vSIVl+MZQwF7W3LlaTCphGnSf
qrbNjVQWDcEUmwaJ1E6kjgHITJJLYGqPacYzGddqgs+KXuhaSot1WgEhyEUBqDvvcPKhGh0UcYFe
VlA8OQCC6H1yfOqW7i0=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature></Assertion></Response>
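The "Malformed reference element" error comes from the way SignedXml resolves a same-document Reference URI such as "#_95754da531d7d92a7f287242eca5c9da": its GetIdElement only looks for attributes named Id, id or ID, while the SAML 1.1 message above identifies its elements with ResponseID and AssertionID, so the referenced element is never found. The following is an added example, not the poster's code or anything from the project the post belongs to. It subclasses SignedXml so those attributes resolve, and it goes beyond the post in two ways a practitioner would want anyway: it verifies against a pinned issuer certificate instead of the key carried in the message's own <ds:KeyInfo>, and it checks that the Reference actually covers the element the signature is enveloped in. The class names SamlSignedXml and SamlVerifier, and the certificate file path in the usage note, are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not code from the original post.
// SignedXml resolves "#id" references only through attributes named Id, id or ID.
// SAML 1.x identifies elements with ResponseID / AssertionID, so the lookup fails
// and CheckSignature() surfaces it as "Malformed reference element".
public sealed class SamlSignedXml : SignedXml
{
    private static readonly string[] IdAttributes = { "ID", "Id", "id", "ResponseID", "AssertionID" };

    public SamlSignedXml(XmlElement signedElement) : base(signedElement) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        if (document == null || string.IsNullOrEmpty(idValue)) return null;
        XmlElement match = null;
        // Compare attribute values directly instead of building an XPath from
        // idValue, so an attacker-controlled URI cannot alter the query.
        foreach (XmlElement element in document.GetElementsByTagName("*"))
        {
            foreach (string name in IdAttributes)
            {
                if (!element.HasAttribute(name) ||
                    !string.Equals(element.GetAttribute(name), idValue, StringComparison.Ordinal))
                    continue;
                // Two elements claiming the same ID is the classic signature-wrapping trick.
                if (match != null && !ReferenceEquals(match, element))
                    throw new CryptographicException("Ambiguous ID value: " + idValue);
                match = element;
            }
        }
        return match;
    }
}

public static class SamlVerifier
{
    private const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Decode the POSTed response without letting the parser fetch external
    // entities or DTDs, and keep whitespace so digests are computed over the
    // bytes that were actually signed.
    public static XmlDocument LoadResponse(string base64Response)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(base64Response)));
        return doc;
    }

    // Verify the enveloped signature that is a direct child of signedElement
    // against a pinned issuer certificate, and require that the Reference the
    // signature carries really points at signedElement.
    public static bool VerifyEnvelopedSignature(XmlElement signedElement, X509Certificate2 issuerCert)
    {
        XmlElement signature = null;
        foreach (XmlNode child in signedElement.ChildNodes)
        {
            if (child.NodeType != XmlNodeType.Element ||
                child.LocalName != "Signature" || child.NamespaceURI != DsigNs)
                continue;
            if (signature != null)
                throw new CryptographicException("More than one Signature on " + signedElement.LocalName);
            signature = (XmlElement)child;
        }
        if (signature == null)
            throw new CryptographicException("No enveloped Signature on " + signedElement.LocalName);

        var signedXml = new SamlSignedXml(signedElement);
        signedXml.LoadXml(signature);

        if (signedXml.SignedInfo.References.Count != 1)
            throw new CryptographicException("Expected exactly one Reference");
        string uri = ((Reference)signedXml.SignedInfo.References[0]).Uri ?? string.Empty;
        if (!uri.StartsWith("#", StringComparison.Ordinal))
            throw new CryptographicException("Only same-document references are accepted");
        XmlElement referenced = signedXml.GetIdElement(signedElement.OwnerDocument, uri.Substring(1));
        if (!ReferenceEquals(referenced, signedElement))
            throw new CryptographicException("Reference does not cover the signed element");

        // Verify with the key we trust, not the one in the message's own <ds:KeyInfo>;
        // verifySignatureOnly = true skips chain building, which is what you want
        // for a certificate that was pinned out of band.
        return signedXml.CheckSignature(issuerCert, true);
    }
}
```

Usage for the message above: load it with SamlVerifier.LoadResponse(postedValue), then call SamlVerifier.VerifyEnvelopedSignature(doc.DocumentElement, idpCert) for the Response signature and again with the Assertion element for the second signature, where idpCert is the issuer's certificate loaded from a file or store you control (for example new X509Certificate2("idp.cer"), an assumed path). Each call resolves its own Reference through the overridden GetIdElement, so ResponseID and AssertionID both work without touching the incoming XML. Reading the certificate out of <ds:KeyInfo> and passing it to CheckSignature would make the check pass for any message the sender signed with any key, so do not take that shortcut.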
