Let xmllint be your friend and savior, part 2 (xmllint and catalogs)

Last time we talked about the basic use of xmllint. This time we go a bit deeper and look at how to use catalogs for validating XML, specifically SAML XML documents.

So you work with XML. There is a great tool that you might not know of that can do a lot of things for you.

It’s called xmllint. The command is available in most standard Unix/Linux distributions of today, and it is normally part of libxml2 (on Debian-based systems it lives in the libxml2-utils package). It can help you in many ways.

In the previous blog post about xmllint I described how to use xmllint to validate against a schema, and how to create a root.xsd file that pulls in all the XSD files for EPP.

Now we are going to use xmllint to validate SAML XML, and that is a bit more difficult.

SAML root.xsd file

Well, the first step is to build a root.xsd file for SAML.

Not a big issue. It would look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<schema targetNamespace="urn:ietf:params:xml:ns:dummy-1.0"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns="http://www.w3.org/2001/XMLSchema"
        elementFormDefault="unqualified"
        attributeFormDefault="unqualified"
        blockDefault="substitution">

  <!-- Import standard element types. -->
  <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"/>
  <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
  <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"/>
  <import namespace="http://www.w3.org/2001/04/xmlenc#" schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
  <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>

  <annotation>
    <documentation>
      SAML.
    </documentation>
  </annotation>
</schema>

So now you can check a SAML XML file.

Or well, not really: this won’t work as it stands. Try this command and see what happens:

xmllint -schema root.xsd -noout skolfederation-2_0.xml

You will most likely get some errors, and it can take several minutes to complete.

This is because xmllint follows every schemaLocation over HTTP at validation time, and several of the XSD files that SAML depends on are slow or not directly downloadable from those URLs. It also means validation fails outright when you are not connected to the internet, and that what you validate against depends on whatever those remote hosts happen to serve that day. So how do we solve this?

XML catalogs are the answer.

So what is a catalog? It is a way for you to tell xmllint (or rather libxml2) how to find external resources when it parses an XML document, instead of going to the network. It can be used to:

  • map logical names (public identifiers) to real URIs
  • rewrite one URI to another one, so that it can be fetched from somewhere else
  • point real URIs to local resources (files)

You can read more about all the possibilities at the xmllint catalog page at http://www.xmlsoft.org/catalog.html.

There is a standard catalog (in /etc/xml/catalog) that xmllint uses by default, and you can have a look at it if you like.

So how do we create a catalog?

You can create and edit a catalog with a normal editor, but there is also the xmlcatalog command that you can use.

By default the xmlcatalog command prints the resulting catalog on standard output; if you want the changes written back to the catalog file instead, use the --noout flag.

With the xmlcatalog command you create a catalog with the --create option. You add entries with --add and delete them with --del. There is also a "shell" mode (--shell) where you can inspect and test a catalog interactively.

Creating a catalog for SAML

So to be able to validate SAML XML we need to download a few files, create our catalog and fix our root.xsd file.

Download

I put all the files I needed for this in /var/xml/saml:

cd /var/xml/saml
wget http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
wget http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
wget http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
wget http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd
wget http://www.w3.org/2001/xml.xsd

This downloads the SAML metadata schema, the assertion schema and the XML Signature schema, as well as the xml namespace schema (xml.xsd) and the XML Encryption schema, and stores them in /var/xml/saml. Once they are on disk you know exactly which schema text you validate against, regardless of what the remote sites serve later.

Create catalog

Now that we have all those files, we can create our catalog with the xmlcatalog command. Each entry maps the URI that root.xsd (and the SAML schemas themselves) use in schemaLocation to the local copy under /var/xml/saml:

cd /var/xml
xmlcatalog --noout --create catalog
xmlcatalog --noout --add uri http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd file:///var/xml/saml/saml-schema-metadata-2.0.xsd catalog
xmlcatalog --noout --add uri http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd file:///var/xml/saml/saml-schema-assertion-2.0.xsd catalog
xmlcatalog --noout --add uri http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd file:///var/xml/saml/xmldsig-core-schema.xsd catalog
xmlcatalog --noout --add uri http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd file:///var/xml/saml/xenc-schema.xsd catalog
xmlcatalog --noout --add uri http://www.w3.org/2001/xml.xsd file:///var/xml/saml/xml.xsd catalog

Setup environment

We are now ready to start using the new catalog. However, we have two small things to fix before we can use it. We need to set one environment variable to tell xmllint to use our new catalog, and we need to fix our root.xsd file.

First, to tell xmllint where to look for catalogs, set the XML_CATALOG_FILES environment variable. It takes a space-separated list of catalog files, and setting it replaces the default /etc/xml/catalog, so list that one too if you still need the system entries:

export XML_CATALOG_FILES=/var/xml/catalog

Then we need to fix the root.xsd file. The imports of the assertion, XML Encryption and xml namespace schemas go away, since the SAML schemas pull those in through their own imports; root.xsd only needs the namespaces the document itself uses at the top level. Here is what it should look like:

<?xml version="1.0" encoding="UTF-8"?>
<schema targetNamespace="urn:ietf:params:xml:ns:dummy-1.0"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns="http://www.w3.org/2001/XMLSchema"
        elementFormDefault="unqualified"
        attributeFormDefault="unqualified"
        blockDefault="substitution">

  <!-- Import standard element types. -->
  <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"/>
  <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>

  <annotation>
    <documentation>
      SAML.
    </documentation>
  </annotation>
</schema>

And now for the test

If we now run the xmllint command again, the XML file validates (assuming it is correct), and it does so quickly and without touching the network. So now you have a way to test SAML XML messages! Add --nonet if you want xmllint to fail loudly instead of silently fetching a schema over HTTP whenever a catalog entry is missing.

xmllint -schema root.xsd -noout skolfederation-2_0.xml

skolfederation-2_0.xml validates
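The whole procedure above (create a catalog, map a remote schema URI to a local file, point XML_CATALOG_FILES at it, validate) as one added, self-contained example. This is not code from the original post: it uses a small constructed schema and two constructed instance documents instead of the SAML schemas so that it runs without any downloads, and it adds --nonet and a negative control to prove that the catalog, not the network, is what resolves the import. The "remote" URL http://schemas.example.invalid/person.xsd is fictitious and is never contacted; the only assumption is that xmllint and xmlcatalog from libxml2 are installed.

```shell
#!/bin/sh
# Added example (not from the original post): the catalog workflow above,
# reduced to a constructed schema and document so it runs offline.
# Assumptions: xmllint and xmlcatalog from libxml2 are on PATH; the "remote"
# schema URL below is fictitious and is never contacted.
set -eu

WORK="${WORK:-$(mktemp -d)}"
REMOTE_URI="http://schemas.example.invalid/person.xsd"   # fictitious

# Write the constructed fixtures: the schema that lives behind the remote URI
# (the stand-in for saml-schema-metadata-2.0.xsd), a root.xsd that imports it
# by that URI, and one valid and one invalid instance document.
setup_fixtures() {
    mkdir -p "$WORK/schemas"

    cat > "$WORK/schemas/person.xsd" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
        targetNamespace="urn:example:person"
        elementFormDefault="qualified">
  <element name="Person">
    <complexType>
      <sequence>
        <element name="Name" type="string"/>
        <element name="Age" type="nonNegativeInteger"/>
      </sequence>
    </complexType>
  </element>
</schema>
EOF

    cat > "$WORK/root.xsd" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
        targetNamespace="urn:example:dummy">
  <import namespace="urn:example:person" schemaLocation="$REMOTE_URI"/>
</schema>
EOF

    printf '%s\n' '<Person xmlns="urn:example:person"><Name>Alice</Name><Age>30</Age></Person>' \
        > "$WORK/good.xml"
    printf '%s\n' '<Person xmlns="urn:example:person"><Name>Mallory</Name><Age>-1</Age></Person>' \
        > "$WORK/bad.xml"
}

# Create the catalog and map the remote URI to the local file, exactly as the
# SAML catalog above does with xmlcatalog --create and --add uri.
build_catalog() {
    xmlcatalog --noout --create "$WORK/catalog"
    xmlcatalog --noout --add uri "$REMOTE_URI" "file://$WORK/schemas/person.xsd" "$WORK/catalog"
}

# Validate $1 with our catalog active. --nonet forbids any network access, so a
# missing or wrong catalog entry becomes a hard error rather than a silent
# fetch from whoever controls the remote host. Returns xmllint's exit status.
validate() {
    XML_CATALOG_FILES="$WORK/catalog" xmllint --nonet --noout --schema "$WORK/root.xsd" "$1"
}

# Negative control: the same command with catalogs disabled. Offline, the
# import cannot be resolved, so validation must fail even for a correct file.
validate_without_catalog() {
    xmllint --nocatalogs --nonet --noout --schema "$WORK/root.xsd" "$1"
}

# Run the whole sequence; prints "ok" when every check behaves as expected.
demo() {
    setup_fixtures
    build_catalog
    validate "$WORK/good.xml"
    if validate "$WORK/bad.xml" 2>/dev/null; then
        echo "bad.xml should not validate" >&2; return 1
    fi
    if validate_without_catalog "$WORK/good.xml" 2>/dev/null; then
        echo "validation without the catalog should fail offline" >&2; return 1
    fi
    echo ok
}

# Invoke as:  sh <this script> run
case "${1:-}" in run) demo ;; esac
```

Saved as a script and started with the argument run, it prints good.xml validates on stderr and ok on stdout. The --nocatalogs control is the part worth keeping in a real test suite for the SAML setup: it shows that if someone deletes a catalog entry, validation breaks immediately instead of quietly depending on docs.oasis-open.org and w3.org again.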

I hope this shows you how to use catalogs together with xmllint, and that it gives you a way to use it for, among other things, validating SAML XML.

Please comment with your own thoughts.

Related links:

http://www.xmlsoft.org/catalog.html

Photo: MacBook Colors by Quentin Meulepas (CC BY 2.0)

About the blogger

Jan Säll Jan Säll EPP-Expert and systems manager at IIS Jan Säll is working with the EPP parts of PDT, the business where IIS test the new TLDs for ICANN. He is also a systems manager at IIS. He has a background in Unix / Linux and has been registering domain names since 1991 when Bjorn Eriksen took care of domain registrations in Sweden.
