When using xmlsec 1.2.2x, SAML response signature verification works correctly. However, after upgrading to xmlsec 1.2.3x, verification fails with the following error:func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=436:obj=unknown:subj=dsigCtx->signValueNode == NULL:error=100:assertion
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed
In reduce_xml_to_signed (crypto.rs), collect_id_attributes correctly calls libxml2's xmlAddID to register ID attributes, but xmlsec 1.2.3x now strictly requires that ID attributes also be registered via xmlSecAddIDs.
The current code only calls xmlSecAddIDs on the root node inside verify_document, but reduce_xml_to_signed uses verify_node directly, bypassing this registration entirely.
For a typical SAML response containing both a signed samlp:Response and a signed saml2:Assertion, the Assertion node's ID attribute is never registered, causing xmlsec 1.2.3x to fail when resolving the URI="#_xxxxx" reference — resulting in signValueNode == NULL.
When using xmlsec 1.2.2x, SAML response signature verification works correctly. However, after upgrading to xmlsec 1.2.3x, verification fails with the following error:func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=436:obj=unknown:subj=dsigCtx->signValueNode == NULL:error=100:assertion
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed
In reduce_xml_to_signed (crypto.rs), collect_id_attributes correctly calls libxml2's xmlAddID to register ID attributes, but xmlsec 1.2.3x now strictly requires that ID attributes also be registered via xmlSecAddIDs.
The current code only calls xmlSecAddIDs on the root node inside verify_document, but reduce_xml_to_signed uses verify_node directly, bypassing this registration entirely.
For a typical SAML response containing both a signed samlp:Response and a signed saml2:Assertion, the Assertion node's ID attribute is never registered, causing xmlsec 1.2.3x to fail when resolving the URI="#_xxxxx" reference — resulting in signValueNode == NULL.