<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body>
First of all, I would appreciate it if you would use the xmlsec mailing list<br>
for any questions about the xmlsec library (this reply is copied to the
list, btw).<br>
<br>
It seems that your &lt;Reference/&gt; element contains a URI with an Id
attribute.<br>
And I am not sure I understand how you got the error you describe
without a DTD.<br>
Most likely you should have something like this instead:<br>
<br>
func=xmlSecXPathDataExecute:file=xpath.c:line=250:obj=unknown:subj=xmlXPtrEval:<br>
error=5:libxml2 library function failed:<br>
expr=xpointer(id('wssecurity_body_id_3550107555769326699_1054623170226'))<br>
<br>
Please read section 3.2 from the FAQ
(<a class="moz-txt-link-freetext" href="http://www.aleksey.com/xmlsec/faq.html">http://www.aleksey.com/xmlsec/faq.html</a>)<br>
for explanation "why".<br>
<br>
Assuming you add a correct DTD, the signature seems to be trivial
(Reference with an ID type URI plus one exc C14N transform) and I would
be really surprised if xmlsec does the wrong thing here. Unfortunately,
there is no easy way to determine why the digests do not match. In xmlsec
you can use the '--print-all' option to get the binary stream just before
digesting. The best you can do is to compare this data with the similar
data from WebSphere (if you are able to get the same data from
WebSphere). Read the documentation or search the mailing list. There
were several similar problems before.<br>
<br>
And if you want me to guess, I would bet that you have different
digests because something introduced spaces and/or end of lines when
you dumped the XML document to a file.<br>
<br>
<br>
Aleksey<br>
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:arvasoft@attbi.com">arvasoft@attbi.com</a> wrote:<br>
<blockquote type="cite"
 cite="mid000401c329d3$bff971e0$030aa8c0@corp.arvasoft.com">
  <pre wrap="">Hi Aleksey,

I am implementing WS-Security using XMLSec. Currently, I am trying to
validate signatures generated by Websphere, but am running into a problem
where the Digests generated by Websphere and those generated by XMLSec are different.
This causes the following error:

func=:file=..\src\openssl\digests.c:line=164:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
Signature is INVALID

I would really appreciate your help on resolving this issue.

Thanks,

Regards,

-Venky


PS: I am attaching the following files:

  1. original Websphere signed document
  2. a modified version of the xml document that I am using for the test, I have
     copied the X509 from &lt;wsse:BinarySecurityToken&gt; to &lt;X509Certificate&gt; in
     &lt;KeyInfo&gt;.
  3. cacert.pem the trusted root that I use
  </pre>
  <pre wrap="">
<hr width="90%" size="4">
&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;soapenv:Envelope xmlns:soapenv=<a class="moz-txt-link-rfc2396E" href="http://schemas.xmlsoap.org/soap/envelope/">"http://schemas.xmlsoap.org/soap/envelope/"</a> xmlns:xsd=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/XMLSchema">"http://www.w3.org/2001/XMLSchema"</a> xmlns:xsi=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/XMLSchema-instance">"http://www.w3.org/2001/XMLSchema-instance"</a>&gt;
  &lt;soapenv:Header&gt;
    &lt;wsse:Security soapenv:mustUnderstand="1" xmlns:wsse=<a class="moz-txt-link-rfc2396E" href="http://schemas.xmlsoap.org/ws/2002/07/secext">"http://schemas.xmlsoap.org/ws/2002/07/secext"</a>&gt;
      &lt;wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3" wsu:Id="wssecurity_binary_security_token_id_3491871345588805218_1054623170226" xmlns:wsu=<a class="moz-txt-link-rfc2396E" href="http://schemas.xmlsoap.org/ws/2002/07/utility">"http://schemas.xmlsoap.org/ws/2002/07/utility"</a>&gt;
        MIIDwjCCAyugAwIBAgICUAcwDQYJKoZIhvcNAQEEBQAwaDELMAkGA1UEBhMCVVMxFjAU
        BgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFzb2Z0IFByaW1hcnkgQ0Ex
        IzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMB4XDTAzMDUyMjE2NTQ1
        MVoXDTA0MDUyMTE2NTQ1MVowgaMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAG
        A1UEBxMJU2FuIFJhbW9uMRYwFAYDVQQKEw1BcnZhc29mdCwgSW5jMRwwGgYDVQQLExNB
        cnZhc29mdCBQcmltYXJ5IENBMRgwFgYDVQQDEw9XZWJzcGhlcmUgVGVzdDExIzAhBgkq
        hkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
        ADCBiQKBgQC+U+xYlYjrxUXUnEWh/k3TdDT3B2+bTQ/Uqcaayj/1oyKCVuiRzd5gYolx
        aCkUEPRGwbe4ZkzDfBuAy38uV9KyfOoc5SxzHpUcnQSTCH2fxGhYbzOBAfC3DXOQRagj
        eMnFBaBADMrfYMlyEQOqI+faW+0920bZ6/FuHrurbFGjCQIDAQABo4IBPTCCATkwCQYD
        VR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMgYJYIZIAYb4QgENBCUWI0NlcnRpZmlj
        YXRlIGlzc3VlZCBieSBBcnZhc29mdCwgSW5jMB0GA1UdDgQWBBRmZnJHx2GUWyIckvup
        FvjVP3CkjTCBkgYDVR0jBIGKMIGHgBRBK48bKkx6NoJ2JVo47clzdvNhkaFspGowaDEL
        MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFz
        b2Z0IFByaW1hcnkgQ0ExIzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29t
        ggEAMDEGCWCGSAGG+EIBBAQkFiJodHRwOi8vd3d3LmFydmFzb2Z0LmNvbS9jYS1jcmwu
        cGVtMA0GCSqGSIb3DQEBBAUAA4GBAArehDZer5IGiB+NboI2TN6NkKT/qKJVd3xGCiPi
        QwfbFzAjgESCON7Dr6Eszn2+mLItIBE/yfX0ukZDFD4h82KWUJygRAL0LMvYSa8f1O1T
        FVScAEFGaaI69+2ynFq3o0bByg9/L/i4xfFvdtUwlEvrbJomsa4nx5NbwWmTw583
      &lt;/wsse:BinarySecurityToken&gt;
      &lt;Signature xmlns=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a>&gt;
        &lt;SignedInfo&gt;
          &lt;CanonicalizationMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/10/xml-exc-c14n#">"http://www.w3.org/2001/10/xml-exc-c14n#"</a>/&gt;
          &lt;SignatureMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</a>/&gt;
          &lt;Reference URI="#wssecurity_body_id_3550107555769326699_1054623170226"&gt;
            &lt;Transforms&gt;
              &lt;Transform Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/10/xml-exc-c14n#">"http://www.w3.org/2001/10/xml-exc-c14n#"</a>/&gt;
            &lt;/Transforms&gt;
            &lt;DigestMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/&gt;
            &lt;DigestValue&gt;5zj77bM9zGNVvLBIdy6yho/IZ+g=&lt;/DigestValue&gt;
          &lt;/Reference&gt;
        &lt;/SignedInfo&gt;
        &lt;SignatureValue&gt;
          vU35ynJzQdJ7zu09Gitf4hcsoG6OT/qYW1MTcvAigjNxKfgdZYN90BASwwpPN5LxaL
          sEi+f8OXpAYM5aPMlLH1rht+es1xPkq6lrG5JbGcUJtNbSG0LfLhcoWfV4aak1pXdC
          vczRurJyoDEpImeYNsFr6ItLaRciTTTA7qaSCKw=
        &lt;/SignatureValue&gt;
        &lt;KeyInfo&gt;
          &lt;wsse:SecurityTokenReference&gt;
            &lt;wsse:Reference URI="#wssecurity_binary_security_token_id_3491871345588805218_1054623170226"/&gt;
          &lt;/wsse:SecurityTokenReference&gt;
        &lt;/KeyInfo&gt;
      &lt;/Signature&gt;
    &lt;/wsse:Security&gt;
  &lt;/soapenv:Header&gt;
 &lt;soapenv:Body wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226" xmlns:wsu=<a class="moz-txt-link-rfc2396E" href="http://schemas.xmlsoap.org/ws/2002/07/utility">"http://schemas.xmlsoap.org/ws/2002/07/utility"</a>&gt;
  &lt;getGreetingResponse xmlns=<a class="moz-txt-link-rfc2396E" href="http://Sample8.wsdk.ibm.com">"http://Sample8.wsdk.ibm.com"</a>&gt;
   &lt;getGreetingReturn xmlns=""&gt;Hello venky. How are you?&lt;/getGreetingReturn&gt;
  &lt;/getGreetingResponse&gt;
 &lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;</pre>
  <pre wrap="">
<hr width="90%" size="4">
&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;soapenv:Envelope xmlns:soapenv=<a class="moz-txt-link-rfc2396E" href="http://schemas.xmlsoap.org/soap/envelope/">"http://schemas.xmlsoap.org/soap/envelope/"</a> xmlns:xsd=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/XMLSchema">"http://www.w3.org/2001/XMLSchema"</a> xmlns:xsi=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/XMLSchema-instance">"http://www.w3.org/2001/XMLSchema-instance"</a>&gt;
  &lt;soapenv:Header&gt;
    &lt;wsse:Security soapenv:mustUnderstand="1" xmlns:wsse=<a class="moz-txt-link-rfc2396E" href="http://schemas.xmlsoap.org/ws/2002/07/secext">"http://schemas.xmlsoap.org/ws/2002/07/secext"</a>&gt;
      &lt;wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3" wsu:Id="wssecurity_binary_security_token_id_3491871345588805218_1054623170226" xmlns:wsu=<a class="moz-txt-link-rfc2396E" href="http://schemas.xmlsoap.org/ws/2002/07/utility">"http://schemas.xmlsoap.org/ws/2002/07/utility"</a>&gt;
        MIIDwjCCAyugAwIBAgICUAcwDQYJKoZIhvcNAQEEBQAwaDELMAkGA1UEBhMCVVMxFjAU
        BgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFzb2Z0IFByaW1hcnkgQ0Ex
        IzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMB4XDTAzMDUyMjE2NTQ1
        MVoXDTA0MDUyMTE2NTQ1MVowgaMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAG
        A1UEBxMJU2FuIFJhbW9uMRYwFAYDVQQKEw1BcnZhc29mdCwgSW5jMRwwGgYDVQQLExNB
        cnZhc29mdCBQcmltYXJ5IENBMRgwFgYDVQQDEw9XZWJzcGhlcmUgVGVzdDExIzAhBgkq
        hkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
        ADCBiQKBgQC+U+xYlYjrxUXUnEWh/k3TdDT3B2+bTQ/Uqcaayj/1oyKCVuiRzd5gYolx
        aCkUEPRGwbe4ZkzDfBuAy38uV9KyfOoc5SxzHpUcnQSTCH2fxGhYbzOBAfC3DXOQRagj
        eMnFBaBADMrfYMlyEQOqI+faW+0920bZ6/FuHrurbFGjCQIDAQABo4IBPTCCATkwCQYD
        VR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMgYJYIZIAYb4QgENBCUWI0NlcnRpZmlj
        YXRlIGlzc3VlZCBieSBBcnZhc29mdCwgSW5jMB0GA1UdDgQWBBRmZnJHx2GUWyIckvup
        FvjVP3CkjTCBkgYDVR0jBIGKMIGHgBRBK48bKkx6NoJ2JVo47clzdvNhkaFspGowaDEL
        MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFz
        b2Z0IFByaW1hcnkgQ0ExIzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29t
        ggEAMDEGCWCGSAGG+EIBBAQkFiJodHRwOi8vd3d3LmFydmFzb2Z0LmNvbS9jYS1jcmwu
        cGVtMA0GCSqGSIb3DQEBBAUAA4GBAArehDZer5IGiB+NboI2TN6NkKT/qKJVd3xGCiPi
        QwfbFzAjgESCON7Dr6Eszn2+mLItIBE/yfX0ukZDFD4h82KWUJygRAL0LMvYSa8f1O1T
        FVScAEFGaaI69+2ynFq3o0bByg9/L/i4xfFvdtUwlEvrbJomsa4nx5NbwWmTw583
      &lt;/wsse:BinarySecurityToken&gt;
      &lt;Signature xmlns=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a>&gt;
        &lt;SignedInfo&gt;
          &lt;CanonicalizationMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/10/xml-exc-c14n#">"http://www.w3.org/2001/10/xml-exc-c14n#"</a>/&gt;
          &lt;SignatureMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</a>/&gt;
          &lt;Reference URI="#wssecurity_body_id_3550107555769326699_1054623170226"&gt;
            &lt;Transforms&gt;
              &lt;Transform Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/10/xml-exc-c14n#">"http://www.w3.org/2001/10/xml-exc-c14n#"</a>/&gt;
            &lt;/Transforms&gt;
            &lt;DigestMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/&gt;
            &lt;DigestValue&gt;5zj77bM9zGNVvLBIdy6yho/IZ+g=&lt;/DigestValue&gt;
          &lt;/Reference&gt;
        &lt;/SignedInfo&gt;
        &lt;SignatureValue&gt;
          vU35ynJzQdJ7zu09Gitf4hcsoG6OT/qYW1MTcvAigjNxKfgdZYN90BASwwpPN5LxaL
          sEi+f8OXpAYM5aPMlLH1rht+es1xPkq6lrG5JbGcUJtNbSG0LfLhcoWfV4aak1pXdC
          vczRurJyoDEpImeYNsFr6ItLaRciTTTA7qaSCKw=
        &lt;/SignatureValue&gt;
        &lt;KeyInfo&gt;
          &lt;X509Data&gt;
            &lt;X509Certificate&gt;MIIDwjCCAyugAwIBAgICUAcwDQYJKoZIhvcNAQEEBQAwaDELMAkGA1UEBhMCVVMxFjAU
        BgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFzb2Z0IFByaW1hcnkgQ0Ex
        IzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMB4XDTAzMDUyMjE2NTQ1
        MVoXDTA0MDUyMTE2NTQ1MVowgaMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAG
        A1UEBxMJU2FuIFJhbW9uMRYwFAYDVQQKEw1BcnZhc29mdCwgSW5jMRwwGgYDVQQLExNB
        cnZhc29mdCBQcmltYXJ5IENBMRgwFgYDVQQDEw9XZWJzcGhlcmUgVGVzdDExIzAhBgkq
        hkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
        ADCBiQKBgQC+U+xYlYjrxUXUnEWh/k3TdDT3B2+bTQ/Uqcaayj/1oyKCVuiRzd5gYolx
        aCkUEPRGwbe4ZkzDfBuAy38uV9KyfOoc5SxzHpUcnQSTCH2fxGhYbzOBAfC3DXOQRagj
        eMnFBaBADMrfYMlyEQOqI+faW+0920bZ6/FuHrurbFGjCQIDAQABo4IBPTCCATkwCQYD
        VR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMgYJYIZIAYb4QgENBCUWI0NlcnRpZmlj
        YXRlIGlzc3VlZCBieSBBcnZhc29mdCwgSW5jMB0GA1UdDgQWBBRmZnJHx2GUWyIckvup
        FvjVP3CkjTCBkgYDVR0jBIGKMIGHgBRBK48bKkx6NoJ2JVo47clzdvNhkaFspGowaDEL
        MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFz
        b2Z0IFByaW1hcnkgQ0ExIzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29t
        ggEAMDEGCWCGSAGG+EIBBAQkFiJodHRwOi8vd3d3LmFydmFzb2Z0LmNvbS9jYS1jcmwu
        cGVtMA0GCSqGSIb3DQEBBAUAA4GBAArehDZer5IGiB+NboI2TN6NkKT/qKJVd3xGCiPi
        QwfbFzAjgESCON7Dr6Eszn2+mLItIBE/yfX0ukZDFD4h82KWUJygRAL0LMvYSa8f1O1T
        FVScAEFGaaI69+2ynFq3o0bByg9/L/i4xfFvdtUwlEvrbJomsa4nx5NbwWmTw583&lt;/X509Certificate&gt;
          &lt;/X509Data&gt;
        &lt;/KeyInfo&gt;
      &lt;/Signature&gt;
    &lt;/wsse:Security&gt;
  &lt;/soapenv:Header&gt;
 &lt;soapenv:Body wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226" xmlns:wsu=<a class="moz-txt-link-rfc2396E" href="http://schemas.xmlsoap.org/ws/2002/07/utility">"http://schemas.xmlsoap.org/ws/2002/07/utility"</a>&gt;
  &lt;getGreetingResponse xmlns=<a class="moz-txt-link-rfc2396E" href="http://Sample8.wsdk.ibm.com">"http://Sample8.wsdk.ibm.com"</a>&gt;
   &lt;getGreetingReturn xmlns=""&gt;Hello venky. How are you?&lt;/getGreetingReturn&gt;
  &lt;/getGreetingResponse&gt;
 &lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;</pre>
</blockquote>
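<br>
The whitespace explanation guessed at in the reply above, as an added example that is not part of the original e-mails or of xmlsec: it digests the referenced element before and after a pretty-printing dump and locates the first differing byte of the two pre-digest streams. Assumptions: the two documents and the Id <code>body_1</code> are constructed, the function names are hypothetical, and Python's standard-library C14N 2.0 stands in for exclusive C14N, so the bytes are not the ones xmlsec would digest, although whitespace text nodes are preserved in the same way.<br>

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

WSU_ID = "{http://schemas.xmlsoap.org/ws/2002/07/utility}Id"

# Constructed sample: a cut-down Body shaped like the one in the thread.
SENT = (
    '<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">'
    '<e:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" wsu:Id="body_1">'
    '<getGreetingReturn>Hello venky.</getGreetingReturn>'
    '</e:Body></e:Envelope>'
)
# The same message after a pretty-printing dump to file (constructed).
DUMPED = (SENT.replace("<getGreetingReturn>", "\n  <getGreetingReturn>")
          .replace("</e:Body>", "\n</e:Body>"))


def pre_digest_bytes(xml_text, ref_id):
    """Canonical bytes of the single element whose wsu:Id equals ref_id."""
    root = ET.fromstring(xml_text)
    # No DTD is loaded here, so wsu:Id is matched as a plain attribute.
    matches = [el for el in root.iter() if el.get(WSU_ID) == ref_id]
    if len(matches) != 1:
        raise ValueError("Id %r matched %d elements" % (ref_id, len(matches)))
    node = copy.copy(matches[0])
    node.tail = None  # text after the end tag is not part of the node
    # Stand-in canonicalization (C14N 2.0); prefixes are rewritten by tostring.
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode("utf-8")


def digest_b64(data):
    """Base64 SHA-1, the form stored in <DigestValue>."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def first_difference(a, b):
    """Offset of the first differing byte, or -1 when the streams are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    sent, dumped = (pre_digest_bytes(d, "body_1") for d in (SENT, DUMPED))
    print(digest_b64(sent), digest_b64(dumped))
    at = first_difference(sent, dumped)
    print("first difference at byte", at, repr(dumped[max(0, at - 20):at + 10]))
```

The same <code>first_difference</code> check can be run on the two pre-digest dumps that the reply suggests comparing.<br>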
</body>
</html>