<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hello, <br>I have a question regarding signature verification for enveloped signatures.<br>The question seems related to previous discussions in the forum:<br><br>http://www.aleksey.com/pipermail/xmlsec/2010/008910.html<br>http://www.aleksey.com/pipermail/xmlsec/2010/008911.html<br>http://www.aleksey.com/pipermail/xmlsec/2012/009340.html<br>http://www.aleksey.com/pipermail/xmlsec/2012/009341.html<br><br>But even with help of the previous posts I have not been able to verify my xml file.<br>I have tried the command line application "xmlsec1", as well as writing code, <br>but it seems the same problem happens in both cases, so I will show the code below,<br>which is similar to the "verify3.c" example application shipped with the xmlsec library.<br><br><br>The relevant code part looks like this (written in C++):<br>==================================================<br> std::cout << "Will find start node" << std::endl;<br><br> // find start node<br> xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);<br> if(node == NULL)<br> {<br> throw std::string("Start node not found in XML file");<br> }<br><br> std::cout << "-Found this node: \"" << node->name << "\"" << std::endl;<br><br> // create signature context<br> xmlSecDSigCtxPtr dsigCtx = xmlSecDSigCtxCreate(mngr);<br> if(dsigCtx == NULL)<br> {<br> throw std::string("failed to create signature context");<br> }<br>==================================================<br><br><br>When I run the application i get the following output:<br><br>-----------------------------------<br>Will verify file<br>Will load file: signedmod.xml<br>Will find start node<br>-Found this node: "Signature"<br>Will verify signature<br>func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('SignedRouting'))<br>func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: <br>func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: <br>func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed: <br>func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer<br>func=xmlSecTransformCtxExecute:file=transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: <br>func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed: <br>func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference<br>func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: <br>func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: <br>Error: signature verify<br>-----------------------------------<br><br><br>The XML input XML file is shown at the end of this email. <br>(also see the attached file signedxml.xml)<br><br><br>As can be seen from the output, the call to xmlSecFindNode() succeeds, and the node found is "Signature":<br> -Found this node: "Signature"<br><br>However, after this the call to xmlSecDSigCtxCreate() fails. <br><br>My guess it that first the "Signature" node is (correctly) found, <br>but since this is an enveloped signature rather than an enveloping signature, the call fails. <br><br>I have looked through the example XML files at the xmlsec online verifier web page:<br>http://www.aleksey.com/xmlsec/xmldsig-verifier.html<br><br>In those examples, the "Signature" tag is the outermost tag, with everything else contained in it.<br>However, in my case, the "Signature" tag is embedded in other tags that should be included in the signature. <br><br>I guess the problem is that the "Signature" tag is found, but not everything needed to verify the<br>signature is contained in that tag. Instead, some information is outside of the tag.<br><br>So the question is, how should I solve this? <br>Can you give some hints how I should implement the signature verification for my XML document?<br><br>The XML document will always have the same structure/XML schema, so it would be possible to<br>hard code search paths etc rather than making the solution generic enough for all kinds of documents. <br><br><br>Regards<br>/Magnus<br><br><br><br><br>+++++++++++++++++++++++++++++++++<br><soap:Envelope xmlns:myapp="http://www.mycompany.com/myapp" xmlns:soap="http://www.w3.org/2001/12/soap-envelope"><br> <soap:Header><br> <myapp:Routing Filename="testfile.docx" ID="SignedRouting"><br> <myapp:Transforms><br> <myapp:Transform Order="1" Type="Base64"></myapp:Transform><br> </myapp:Transforms><br> </myapp:Routing><br> <myapp:MyWorker ID="SignedMyWorker"></myapp:MyWorker><br> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><br> <SignedInfo><br> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><br> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><br> <Reference URI="#SignedRouting"><br> <Transforms><br> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><br> </Transforms><br> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><br> <DigestValue>RHhNanfgz950DdpZUZeX3zNdvmY=</DigestValue><br> </Reference><br><br> <Reference URI="#SignedBody"><br> <Transforms><br> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><br> </Transforms><br> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><br> <DigestValue>jdfsfsdlfkjsdflkjsdflkjdsf</DigestValue><br> </Reference><br> </SignedInfo><br> <SignatureValue>poisdufsoifusdofiusdoifusdfpuidsf</SignatureValue><br> <KeyInfo><br> <KeyValue><br> <RSAKeyValue><br> <Modulus>ksfhsdkhfsdkjfhskdhf</Modulus><br> <Exponent>AQAB</Exponent><br> </RSAKeyValue><br> </KeyValue></KeyInfo><br> </Signature><br> </soap:Header><br> <soap:Body ID="SignedBody"><br> <myapp:FileData><br> <![CDATA[UEIUYIUYUIYUIYUIYUIY<br>]]><br> </myapp:FileData><br> </soap:Body><br></soap:Envelope><br>+++++++++++++++++++++++++++++++++<br><br> </div></body>
</html>