Curerntly simpleSAMLphp depends on a svn checkout of the project due to the 
need to have new signature methods. Would it be possible to create a new 
release?

getXPathObj to use let me know.
With all respect, I do not know.

I am not used to set xPath. Please.

- [email protected]

Hi,

I have the following PHP code to generate SOAP code using xmlseclibs,soap-wsa 
and soap-wsse.

I am tasked to connect using SOAP in the staging server, which uses self-signed 
certificate.

My code below sends a request to the client's server, however it generates 
"hash values do not match" in the server side.


<?php

ini_set('display_errors', 'On');

require('soap-wsa.php');
require('soap-wsse.php');

define('PRIVATE_KEY', 'privatekey-20150225.pem');
define('CERT_FILE', 'selfsignedcertificate-20150225.crt');

class mySoap extends SoapClient {

    function __doRequest($request, $location, $saction, $version) {

        $dom = new DOMDocument();
        $dom->loadXML($request);

        $objWSA = new WSASoap($dom);
        $objWSA->addAction($saction);
        $objWSA->addTo($location);
        $objWSA->addMessageID();
        $objWSA->addReplyTo();

        $dom = $objWSA->getDoc();

        $objWSSE = new WSSESoap($dom);
        /* Sign all headers to include signing the WS-Addressing headers */
        $objWSSE->signAllHeaders = TRUE;

        $objWSSE->addTimestamp();

        /* create new XMLSec Key using RSA SHA-1 and type is private key */
        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));

        /* load the private key from file - last arg is bool if key in file (TRUE) or is string (FALSE) */
        $objKey->loadKey(PRIVATE_KEY, TRUE);

        /* Sign the message - also signs appropraite WS-Security items */
        $objWSSE->signSoapDoc($objKey);

        /* Add certificate (BinarySecurityToken) to the message and attach pointer to Signature */
        $token = $objWSSE->addBinaryToken(file_get_contents(CERT_FILE));
        $objWSSE->attachTokentoSig($token);

        $request = $objWSSE->saveXML();


        return parent::__doRequest($request, $location, $saction, $version);
    }
}

$url = "TheURL"; // censored
$wsdl = "TheWSDL"; // censored

$client = new mySoap($wsdl, array(
    'trace' => 1,
    'exceptions' => 0,
    'uri'=>$url,
    'location'=>$url,
));
$result = $client->ReturnWorkEntitlement(
    array(
        'Id'=>'1',
        "PersonIdentifier"=>array(
            "FamilyName"=>"Jane",
            "GivenNames"=>"Doe",
            "BirthDate"=>array(
                "BirthDay"=>"---01",
                "BirthMonth"=>"--03",
                "BirthYear"=>"1964"
            )
        )
    )
);

?>

What is the expected output? What do you see instead?
It should connect to the server an displaying the correct answer to your 
question.

What version of the product are you using? On what operating system?
1.3.0-dev in Windows 7.

I have tried tweaking here and there for 2-3 days, but to no avail.

Please advise whether my code is correct or not, especially since this is 
supposed to be self-signed X509.

<KeyInfo>
    <KeyValue>
    <RSAKeyValue>
        <Modulus>

        </Modulus>
        <Exponent>

        </Exponent>
    </RSAKeyValue>
    </KeyValue>
<X509Data>
    <X509Certificate>

    </X509Certificate>
</X509Data>
</KeyInfo>

What steps will reproduce the problem?
1. use composer to include your library e.g. with a TYPO3.FLOW project
2. get Exception about missing package
3. add composer.json
4. runs

I used the tar version you provide as download

example composer.json

{
    "name": "robrichards/xmlseclibs",
    "description": "RobRichards XMLSecLibs",
    "license": "Custom",
    "authors": [
        {
            "name": "Rob Richards",
            "email": "your mailadress"
        }
    ],
}

this way i can include your library using these lines in my composer.json

{
...
    "repositories": [
        {
            "type": "composer",
            "url": "https://raw.github.com/kaystrobach/simplesamlphp-composer/master/"
        }, {
            "type": "package",
            "package": {
                "name": "robrichards/xmlseclibs",
                "version": "1.3.1",
                "dist": {
                    "url": "https://xmlseclibs.googlecode.com/files/xmlseclibs-1.3.1.tar.gz",
                    "type": "tar"
                },
                "autoload": {
                    "files": ["xmlseclibs.php"]
                }
            }
        }
    ],
...
}

if you would also register on packagist.org and use tags in your svn we could 
use the short form instead ;)

Thank you so much.
Kay

Suport XAdES format.

http://en.wikipedia.org/wiki/XAdES

I'm noticing when I try to validateReference on an incoming saml2.0 token from 
a Thinktecture IdM the validation fails because data sent to validateDigest is 
null since it fails to populate the $dataObject in processRefNode().  I 
realized it's null because the xpath query is looking for the "Id" attribute in 
the Assertion element instead of an "ID" attribute.  So far from what I've 
researched the attribute should be caps, "ID".  If there's a specific case 
where "Id" is also appropriate cool, perhaps adding in a check for both would 
be a solution?

Using xmlseclibs 1.3.1

PSR-0 is the new way of structuring classes into include files. See 
https://gist.github.com/1234504. Using PSR-0 will make xmlseclibs easily 
embeddable in any system that uses a PSR-0-compatible class loader. Using 
namespaces prevents collisions with other projects.

What steps will reproduce the problem?
1. encrypt content ($enc->type = XMLSecEnc::Content;)
2. $dom->saveXML()
3. later during decryption, $objenc->decryptNode($objKey, TRUE)

What is the expected output? What do you see instead?
Fatal error: Call to undefined method
DOMDocument::createDOMDocumentFragment() in
/var/www/test/xml/xmlseclibs.php on line 1339

----------
Hello,
I got this error when I tried to decrypt a document, which was encrypted
with type : XMLSecEnc::Content instead of XMLSecEnc::Element

I changed the method name on line 1339 :
$newFrag = $doc->createDocumentFragment();
//$newFrag = $doc->createDOMDocumentFragment();

Then no error, but no parent node returned.

So i changed the following lines :
$this->rawNode->parentNode->replaceChild($newFrag, $this->rawNode);
return $this->rawNode->parentNode;

$parentNode = $this->rawNode->parentNode;
$this->rawNode->parentNode->replaceChild($newFrag, $this->rawNode);
return $parentNode;

And it worked.
François

Rob Richards is currently working on this.

Fix validate references for documents like 
<signature><object>data</object></signature>

Filename: soap-wsse.php

function attachTokentoSig

Set attribute of token reference:

$reference->setAttribute('ValueType', 
'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#
X509v3'); 

Could support for
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" type
signatures be added? Much appreciated!

Would it be possible to convert the CHANGELOG.txt file to UTF-8?

iconv --from=ISO-8859-1 --to=UTF-8 CHANGELOG.txt > CHANGELOG.txt.new
touch -r CHANGELOG.txt CHANGELOG.txt.new
mv CHANGELOG.txt.new CHANGELOG.txt

What steps will reproduce the problem?
1. Using PHP 5.2.17

What is the expected output? What do you see instead?
The expected output is that the script works, now I get an error:
Warning: openssl_sign() expects parameter 4 to be long, string given in 
*/xmlseclibs.php on line 479

What version of the product are you using? On what operating system?
Using xmlseclibs 1.3.0 on PHP 5.2.17.

Please provide any additional information below.
The script I use works on PHP 5.3.x but not on my other server with PHP 5.2.17. 
Is there something I can do to get it working?

I´m working on a C#-App that should verify the signature of an XML-file that 
has been signed by my server before.

The problem is that XML-files signed by Microsoft´s algorithm slightly differ 
from the ones produced by xmlseclibs: 
like in the example given by the W3C 
(http://www.w3.org/TR/xmldsig-core/#sec-o-Simple), they don´t include an 
additional "ds:"-namespace tag in front of the signature´s tags - as 
xmlseclibs does.
This difference then caused the signature check to fail.

Therefore, my question is if there is a way to make the XML produced by 
xmlseclibs to look like the one in the example from the W3C.

Any help would be appreciated!

---------

Here is an example of a file signed by xmlseclibs:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference>
...

Undefined variable: issuer in xmlseclibs/xmlseclibs.php on line 1375
change

array_unshift($parts, "$key=$value" . $issuer);
to
array_unshift($parts, "$key=$value");

a (naive?) proposal to add support for locating signatures created with 
different algorithms (eg. the SHA256 algorithm used by default in ADFS 2.0), in 
the same way as locateKey does; notice that this specific patch does strictly 
break the existing API which would return a signature XML node instead of a 
public key object; don't know if it hurts though

--- xmlseclibs.php  (revision xxxx)
+++ xmlseclibs.php  (working copy)
@@ -672,7 +672,16 @@
             $query = ".//secdsig:Signature";
             $nodeset = $xpath->query($query, $objDoc);
             $this->sigNode = $nodeset->item(0);
-            return $this->sigNode;
+            $query = 
"string(./secdsig:SignedInfo/secdsig:SignatureMethod/@Algorithm)";
+            $algorithm = $xpath->evaluate($query, $this->sigNode);
+            if ($algorithm) {
+                try {
+                    $objKey = new XMLSecurityKey($algorithm, 
array('type'=>'public'));
+                } catch (Exception $e) {
+                    return NULL;
+                }
+                return $objKey;
+            }
         }
         return NULL;
     }

I had problems with http://www.aleksey.com/cgi-bin/xmldsigverify verifying a 
signed XML using the library. The message return is as follows:

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X5
09_verify_cert:error=4:crypto library function 
failed:subj=/C=US/ST=Maine/L=Limington/O=xmlseclibs.php 
Library/CN=xmlseclibs/www.cdatazone.org;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=un
known:error=71:certificate verification failed:err=18;msg=self signed 
certificate
func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha1:sub
j=EVP_VerifyFinal:error=18:data do not match:signature do not match
RESULT: Signature is INVALID

As I have used your php example almost exactly, I wanted to see if your signed 
XML will get a Valid message, so I tried the sign-basic-test.res and the same 
error message is returned.

What steps will reproduce the problem?
1. Open sign-basic-test.res in notepad
2. Copy all content
3. Paste in http://www.aleksey.com/cgi-bin/xmldsigverify text box 

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?
1.2.2 on Windows 7

Please provide any additional information below.

I had problems with my signature validations by the prefix "ds", so I made 
changes to indicate whether the firm is required prefix or not.


Attachment changes made.


require(dirname(__FILE__) . '/../xmlseclibs.php');

if (file_exists(dirname(__FILE__) . '/sign-basic-test.xml')) {
    unlink(dirname(__FILE__) . '/sign-basic-test.xml');
}

$doc = new DOMDocument(); 
$doc->formatOutput = FALSE; 
$doc->preserveWhiteSpace = TRUE;

$semilla = getSeed();
$xml = 
"<getToken>\n\t<item>\n\t\t<Semilla>$semilla</Semilla>\n\t</item>\n</getToken>";

$doc->loadXML($xml);
$objDSig = new XMLSecurityDSig(FALSE);
//die;
$objDSig->setCanonicalMethod(XMLSecurityDSig::C14N);
$options['prefix'] = '';
$options['prefix_ns'] = '';
$options['force_uri'] = TRUE;
$options['id_name'] = 'ID';
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, 
array(XMLSecurityDSig::TR_ENV_SIG), $options);

$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, 
array('type'=>'private'));
$pfx = file_get_contents(dirname(__FILE__) . "/file.pfx");
openssl_pkcs12_read($pfx, $key, "pass");
$objKey->loadKey($key["pkey"]);
$objDSig->add509Cert($key["cert"]);
$objDSig->sign($objKey, $doc->documentElement);

$doc->save(dirname(__FILE__) . '/sign-basic-test.xml');

Hello.
Here is fork with namespaces (and 2 bugs fixed):
https://github.com/jamm/XMLSecurity

If owner of original code will request to delete this - I'll delete it.
Hope this code will be useful somehow for somebody.

See http://stackoverflow.com/questions/2200988/ for more detail. Basically
the exclusive canonicalization being used is incorrect.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7b8df9609dfcb6b735ce90ea50a975b1979f5f14cd" Version="2.0" IssueInstant="2014-12-01T23:05:49Z" Destination="https://pitbulk.no-ip.org/newonelogin/demo1/index.php?acs" InResponseTo="ONELOGIN_cca5c4b75c18612ca8cd5fbbcde3d32f9d092370">
  <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_2ff35216bf2e1021778885fadd78ac5d6f82f83f16" Version="2.0" IssueInstant="2014-12-01T23:05:49Z">
    <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#_2ff35216bf2e1021778885fadd78ac5d6f82f83f16">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>KRTtSoaoB8ypMqC2yZlb2AzRGRo=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>0nG/mSAzS01TfID3oE/v+uyLDloI6p8invoWJO/X2aotI8qNGFK2wvtsEhXZt7WHf2On5D/Ui/KDnBsL+iwSytajZ/M/3equVCG8LpHo4Zd1dAQJqnhIrB3oT4NEdwN3ePR1wBNX+EmdbQ/CBgG1T0jzLocdPtIP1LollBuDSaA=</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>MIICbDCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wHhcNMTQwOTIzMTIyNDA4WhcNNDIwMjA4MTIyNDA4WjBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOWA+YHU7cvPOrBOfxCscsYTJB+kH3MaA9BFrSHFS+KcR6cw7oPSktIJxUgvDpQbtfNcOkE/tuOPBDoech7AXfvH6d7Bw7xtW8PPJ2mB5Hn/HGW2roYhxmfh3tR5SdwN6i4ERVF8eLkvwCHsNQyK2Ref0DAJvpBNZMHCpS24916/AgMBAAGjUDBOMB0GA1UdDgQWBBQ77/qVeiigfhYDITplCNtJKZTM8DAfBgNVHSMEGDAWgBQ77/qVeiigfhYDITplCNtJKZTM8DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAJO2j/1uO80E5C2PM6Fk9mzerrbkxl7AZ/mvlbOn+sNZE+VZ1AntYuG8ekbJpJtG1YfRfc7EA9mEtqvv4dhv7zBy4nK49OR+KpIBjItWB5kYvrqMLKBa32sMbgqqUqeF1ENXKjpvLSuPdfGJZA3dNa/+Dyb8GGqWe707zLyc5F8m</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID SPNameQualifier="https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_486af16ab7b1bb20c888be338e5dd19abed682d471</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-06-04T04:25:49Z" Recipient="https://pitbulk.no-ip.org/newonelogin/demo1/index.php?acs" InResponseTo="ONELOGIN_cca5c4b75c18612ca8cd5fbbcde3d32f9d092370"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-12-01T23:05:19Z" NotOnOrAfter="2024-06-04T04:25:49Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-12-01T23:05:49Z" SessionNotOnOrAfter="2014-12-02T07:05:49Z" SessionIndex="_1f1f4501c8077985135667801b97bd210dc4ca867e">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test_cn</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">waa2</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">user</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">manager</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="company" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">onelogin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="street" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">street example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="city" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">city example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="country" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">country example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="state" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">state example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="zip" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">32323</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="telephone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">878732323</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="fax" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">828732323</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Hello all , I am new to PHP.

How do i add Key Info and 
<ds:KeyInfo>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>?
 with encrypted XML data

As there is no addX509Cert(..) implementation in class XMLSecurityKey

I am using XMLSecLibs @version    1.3.1-dev in windows 

But with XML signature i am getting the above KeyInfo but i am not sure how to 
exclude <ds:X509Certificate> value

Kindly provide the sample code right way to call these 2 classes for adding the 
KeyInfo 

How to provide the input for $options
  add509Cert($cert, $isPEMFormat=TRUE, $isURL=False, $options=NULL)

I am just learning PHP , sorry for my very basic question.

Thanks in advance

Bosco

The patch in attachment adds HMAC-SHA1 support to the xmlseclibs library.
Interop with Java has been tested.

Hi, in first place, appreciate your effort of developing this useful library.

I'm try using it for signing XML responses in Google Apps Single Sign On 
process.

However I realized that the are some differeces between the xmlsec1 command and 
your library.

I've followed the test examples, but the result of the signing process isnt the 
same in both executions.

In the xmlsec1 command, the RSA key is appended to the signed response, however 
in the library test no key is added. 

I've inspected the source code, and I've found a XMLSecurityDSig class method 
called appendKey which call to XMLSecurityKey class method called serializeKey, 
but no one is implemented.

I attach the original response, the xmlsec1 command signed response, and the 
library signed response for comparying

I write here, the test code:

$doc = new DOMDocument();
$doc->loadXML($responseXmlString);

I have to delete Signature node, due to the library doesnt realize of the 
presence of it (xmlsec1 command detect the node and append the values in it)

$nodelist=$doc->getElementsByTagName("Signature");
$parentnode=$doc->getElementsByTagName("Response");
$parentnode=$parentnode->item(0);
$domElement=$nodelist->item(0);
$parentnode->removeChild($domElement);

///////////////////////////////////////////

$objDSig = new XMLSecurityDSig();

$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);

$objDSig->addReference($doc, XMLSecurityDSig::SHA1, 
array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'));

$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, 
array('type'=>'private'));

$objKey->loadKey($privKey,true);

$objDSig->appendKey($objKey); // DO NOTHING

$objDSig->sign($objKey);

$objDSig->appendSignature($doc->documentElement);


Sorry, but my skills of php DOM-XML and XML standars are poor.

I wish you give me a reponse about the difficulty of complete the library, 
which methods would be affected and in which way I could help us.

Thank so much.

What steps will reproduce the problem?
1. Edit php.ini, find mbstring.func_overload, and change the value to 7. 
Save & quit.
2. Run tests


What is the expected output?
> php ./xml-sign.phpt 
--TEST--
Basic Signature
--FILE--
DONE--EXPECTF--
DONE

> php ./xmlsec-decrypt.phpt 
--TEST--
Basic Decryption
--FILE--
AOESP_SHA1: Passed
--EXPECTF--
AOESP_SHA1: Passed

> php ./xmlsec-encrypt.phpt 
--TEST--
Basic Encryption
--FILE--
EncryptedData--EXPECTF--
EncryptedData

> php ./xmlsec-verify.phpt 
--TEST--
Basic Verify
--FILE--
SIGN_TEST: Signature validated!
--EXPECTF--
SIGN_TEST: Signature validated!




What do you see instead?
> php ./xml-sign.phpt
--TEST--
Basic Signature
--FILE--
DONE--EXPECTF--
DONE

> php ./xmlsec-decrypt.phpt
--TEST--
Basic Decryption
--FILE--
AOESP_SHA1: PHP Warning:  mcrypt_generic_init(): Iv size incorrect;
supplied length: 22, needed: 16 in
/usr/home/craig/xmlseclibs/xmlseclibs.php on line 356

Warning: mcrypt_generic_init(): Iv size incorrect; supplied length: 22,
needed: 16 in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 356
PHP Warning:  DOMDocument::loadXML(): Empty string supplied as input in
/usr/home/craig/xmlseclibs/xmlseclibs.php on line 1288

Warning: DOMDocument::loadXML(): Empty string supplied as input in
/usr/home/craig/xmlseclibs/xmlseclibs.php on line 1288
PHP Catchable fatal error:  Argument 1 passed to DOMDocument::importNode()
must be an instance of DOMNode, null given, called in
/usr/home/craig/xmlseclibs/tests/xmlsec-decrypt.phpt on line 58 and defined
in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 1292

Catchable fatal error: Argument 1 passed to DOMDocument::importNode() must
be an instance of DOMNode, null given, called in
/usr/home/craig/xmlseclibs/tests/xmlsec-decrypt.phpt on line 58 and defined
in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 1292

> php ./xmlsec-encrypt.phpt
--TEST--
Basic Encryption
--FILE--
PHP Warning:  mcrypt_generic_init(): Key size too large; supplied length:
46, max: 32 in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 336

Warning: mcrypt_generic_init(): Key size too large; supplied length: 46,
max: 32 in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 336
EncryptedData--EXPECTF--
EncryptedData

> php ./xmlsec-verify.phpt
--TEST--
Basic Verify
--FILE--
SIGN_TEST: Signature validated!
--EXPECTF--
SIGN_TEST: Signature validated!


What version of the product are you using? On what operating system?
xmlseclibs-1.2.1.tar.gz on FreeBSD, running PHP 5.2.9


Please provide any additional information below.
The problem is the the mb_strlen() and mb_substr() function intrepret the
random binary characters as multibyte characters.  This causes mb_strlen()
to return a number that is not the same as the number of bytes.  This
causes all sorts of problems with mb_substr() as well.

I have a patch, but only for decryptMcrypt().  This is the only function
that I had to fix to get my SimpleSAML message to work.

Would it be possible to add a license file to the source code?

The license seems to be http://opensource.org/licenses/BSD-3-Clause.

What steps will reproduce the problem?
1. Create text node in xml with line break eq. <address>large text {line break} 
large text</address>
2. Sign xml
3. Try to verify signature in other software

I used some java application to send/recive xml message with signatures between 
php and java.

The problem is with line break in text element and C14N function. C14N function 
won't remove line break while other software when canonicalize xml did it. So 
the hash of xml was diffrent.

That was my problem.


To fix it replace return in function canonicalizeData to:

return str_replace(array("\r\n", "\n\r", "\r", "\n"), '', 
$node->C14N($exclusive, $withComments, $arXPath, $prefixList));

What steps will reproduce the problem?
1. Tried to canonize an XML

What is the expected output? What do you see instead?
Expected output - canonized XML, instead - Call to undefined method 
SimpleXMLElement::importNode() in xmlseclibs.php on line 77

What version of the product are you using? On what operating system?
xmlseclibs 1.3.1, PHP 5.3.3

Please provide any additional information below.
Method appendChild was replaced by addChild

i recieve this 

<DAERespuesta>
<Objeto>
<ErrorCodigo>1</ErrorCodigo>
<ErrorDescripcion>Sobre en archivo</ErrorDescripcion>
<FechaHoraArchivado>2012-02-23 19:32:02</FechaHoraArchivado>
</Objeto>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>EPotVVQvsv9YuFKiBqXPGQLlJZg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
JMIKvfJKbqbCusCHKh9BbHoSeMjGYpwXxJXCLROVGoWN+Q+PdGv3kNiwuHMxnK0j1BphdjKesee7T0g0
mFQpkJRrfwRKXqzwk/DEDoZ4sV56t6botF/Mk1XQ8FZbEBTByq+2sxHhIRxcMunxT+3/U0TkYFtOWLlS
5Izjs0IUVSw=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIFfjCCA2agAwIBAgIQXSJREhWadv9PUQE2Ra5EtzANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
WTErMCkGA1UECgwiQURNSU5JU1RSQUNJT04gTkFDSU9OQUwgREUgQ09SUkVPUzEfMB0GA1UECwwWU0VS
VklD
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</DAERespuesta>

and c# dont validate because ds: prefix in signature labels please let me know 
if there is a way to safely remove this prefix, i remove manualy from 
xmlseclibs.php line 655 (    private $prefix = 'ds';) to     private $prefix = 
''; but this change throw exceptions i realice the prefix is needed in other 
way not only prefix of signature tags... so i dont know how to remove only in 
tags this ds: prefix???

When decryptNode() replaces encrypted data with the unencrypted node it uses 
DOMElement::replaceChild().
For some reason PHP thought it would be a fun idea to suddenly inject a new 
namespace prefix into the document called "default".

This screws over signature validation of the data, because suddenly "Signature" 
becomes "default:Signature" ("SignedInfo" becomes "default:SignedInfo" and so 
on for all descendants).

Mind you, the default namespace of "SignedInfo" is actually set 
("xmlns="http://www.w3.org/2000/09/xmldsig#"), so if the DOM lib just left the 
element untouched everything would've been fine.

The problem occurs on line 1606: 
https://code.google.com/p/xmlseclibs/source/browse/trunk/xmlseclibs.php?r=52#160
6

The following added line fixed it for me:
    $importEnc->removeAttributeNS('http://www.w3.org/2000/09/xmldsig#', 'default');

That is obviously not a very nice or general solution to the problem, but I 
thought it'd be better to share than not :-)