<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">I found the problem, but I don't yet know
what really happens in the source code.<br>
I added some traces and discovered that the digest
2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer.<br>
If you execute the following command, openssl dgst -sha1 -binary
/dev/null | openssl enc -base64, you also get this digest.<br>
<br>
So it seems xmlsec1 can't correctly process the #Manifest part:<br>
<br>
<Object><br>
<Manifest Id="Manifest"><br>
<Reference URI=""><br>
<Transforms><br>
<Transform
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/><br>
</Transforms><br>
<DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/><br>
<DigestValue></DigestValue><br>
</Reference><br>
<Reference URI="sign.sh"><br>
<DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/><br>
<DigestValue></DigestValue><br>
</Reference><br>
</Manifest><br>
</Object><br>
<br>
<br>
<div class="moz-signature">
Regards.<br>
<br>
François<br>
</div>
On 10/04/2014 11:31, François Plou wrote:<br>
</div>
<blockquote cite="mid:534664E1.4030701@webank.fr" type="cite">
<div class="moz-cite-prefix">Not really :-(<br>
<br>
The store-references option does not display the XML part that
matches the displayed digest:<br>
<br>
<pre wrap="">== Status: succeeded
== URI: "#Manifest"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #Manifest
=== Transform: xpointer
(href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmldsig-more/xptr">http://www.w3.org/2001/04/xmldsig-more/xptr</a>)
=== Transform: enveloped-signature
(href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
=== Transform: c14n
(href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== Result - start buffer:
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
== Result - end buffer</pre>
The #Manifest is processed and --store-references provides the
digest 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part that was
used to produce this digest.<br>
<br>
This digest does not match the one produced by Apache XML
Security. Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=, which
matches the following XML part:<br>
<br>
<Manifest xmlns=<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a>
Id="Manifest"><br>
<Reference URI=""><br>
<Transforms><br>
<Transform
Algorithm=<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>></Transform><br>
</Transforms><br>
<DigestMethod
Algorithm=<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>></DigestMethod><br>
<DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue><br>
</Reference><br>
<Reference URI="sign.sh"><br>
<DigestMethod
Algorithm=<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>></DigestMethod><br>
<DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue><br>
</Reference><br>
</Manifest><br>
<br>
So I am trying to figure out what XML part is used by xmlsec1.<br>
<br>
<div class="moz-signature">
Regards<br>
<br>
François<br>
</div>
On 09/04/2014 20:12, Aleksey Sanin wrote:<br>
</div>
<blockquote cite="mid:53458D71.8050809@aleksey.com" type="cite">
<pre wrap="">This is exactly what --store-references option does :)
Aleksey
On 4/9/14, 10:15 AM, François Plou wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
I am trying to discover what xml part is digested to understand why I
got another digest value than the one calculated by java XmlDsig API.
To do that I try to add some trace in the code just before the digest
algorithm but I was unable yet to find the right position.
Could you provide me a clue where to add trace in the source code ?
Thanks for your help.
Francois
Le 07/04/2014 14:49, François Plou a écrit :
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
Below is the result of --store-references option :
xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
--store-references acmt.007.001.02_1.skel.1sign.object2.xml
Enter password for "/home/fplou/CA/fplousign.key" file:
= SIGNATURE CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000002
==== keyUsage: 0x00000001
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n
(href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Private
=== key usage: -1
=== rsa key: size = 2048
== SignedInfo References List:
=== list size: 1
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: "#Manifest"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #Manifest
=== Transform: xpointer
(href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmldsig-more/xptr">http://www.w3.org/2001/04/xmldsig-more/xptr</a>)
=== Transform: enveloped-signature
(href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
=== Transform: c14n
(href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== Result - start buffer:
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
== Result - end buffer
== Manifest References List:
=== list size: 2
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
=== Transform: c14n
(href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== PreDigest data - start buffer:
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq>
<Refs>
<MsgId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</MsgId>
<PrcId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</PrcId>
</Refs>
<Acct>
<Id>
<Othr>
<Id>NOREF2</Id>
</Othr>
</Id>
<Tp>
<Cd>CASH</Cd>
</Tp>
<Ccy>USD</Ccy>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<MnthlyTxNb>100</MnthlyTxNb>
<AvrgBal>10000</AvrgBal>
</Acct>
<CtrctDts>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
</CtrctDts>
<UndrlygMstrAgrmt>
<Ref>ABC/Acct/BBBBUS33</Ref>
<Vrsn>1.0</Vrsn>
</UndrlygMstrAgrmt>
<AcctSvcrId>
<FinInstnId>
<BICFI>BBBBUS33</BICFI>
</FinInstnId>
</AcctSvcrId>
<Org>
<FullLglNm>ABC Corporation</FullLglNm>
<CtryOfOpr>US</CtryOfOpr>
<RegnDt>1999-09-01</RegnDt>
<LglAdr>
<StrtNm>Times Square</StrtNm>
<BldgNb>7</BldgNb>
<PstCd>NY 10036</PstCd>
<TwnNm>New York</TwnNm>
<Ctry>US</Ctry>
</LglAdr>
<OrgId>
<Othr>
<Id>01256485-85</Id>
<SchmeNm>
<Prtry>TAX</Prtry>
</SchmeNm>
</Othr>
</OrgId>
<MainMndtHldr>
<Nm>Richard Jones</Nm>
<PstlAdr>
<AdrTp>HOME</AdrTp>
<StrtNm>La Guardia Drive</StrtNm>
<BldgNb>12</BldgNb>
<PstCd>NJ 07054</PstCd>
<TwnNm>Parsippany</TwnNm>
<Ctry>US</Ctry>
</PstlAdr>
<Id>
<DtAndPlcOfBirth>
<BirthDt>1960-05-01</BirthDt>
<CityOfBirth>New york</CityOfBirth>
<CtryOfBirth>US</CtryOfBirth>
</DtAndPlcOfBirth>
</Id>
</MainMndtHldr>
</Org>
<DgtlSgntr>
<Pty>
<Nm>fplou</Nm>
</Pty>
<Sgntr>
</Sgntr>
</DgtlSgntr>
</AcctOpngReq>
</Document>
== PreDigest data - end buffer
== Result - start buffer:
vSK1aioRUa7Gz2jLpN9LFqFeXSI=
== Result - end buffer
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: "sign.sh"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: sign.sh
=== uri xpointer expr: NULL
=== Transform: input-uri (href=NULL)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== PreDigest data - start buffer:
xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
acmt.007.001.02_1.skel.1sign.object2.xml
== PreDigest data - end buffer
== Result - start buffer:
4JgfakTfEbqzVpb+lP8vAWsD0u8=
== Result - end buffer
== Result - start buffer:
oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
uD2ZSS1bWu236lKh1elKWw==
== Result - end buffer
François
On 03/04/2014 18:37, Aleksey Sanin wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Try "--store-references" option to see what exactly was signed. Just
looking at the file, the DigestValue inside the #Manifest subtree looks
suspicious.
Aleksey
On 4/3/14, 5:46 AM, François Plou wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
I am facing an issue trying to sign an xml document which makes
reference to an external file.
xmlsec1 gives me a digest for the URI=#Manifest which is not
verified by
tool like Apache XML Security.
I am pretty sure there is something missing in the XML document I give
to xmlsec but can't figure what.
I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
acmt.007.001.02_1.skel.1sign.object2.xml
The output document is fpl.xml
The digest which is not the same as the one computed by Apache XML
Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
I found that the expecting digest match the manifest3.xml file enclosed
(I built it manually).
So it seems xmlsec is not creating the same manifest part.
Do you have any idea what can be wrong in my
acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
transform ?
Thanks for your help.
Francois
_______________________________________________
xmlsec mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
xmlsec mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
</blockquote>
</blockquote>
<br>
</blockquote>
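<p>The failure mode in this thread is a Reference that xmlsec1 reports as "succeeded" while its digest was computed over an empty buffer (SHA-1 of nothing is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=). The following standard-library check, added here as an example and not code from the xmlsec project or from the posters, audits every ds:Reference in a signed document for exactly that symptom and for a bare "#id" URI that no element in the document carries. The sample document, the names <code>audit_references</code>, <code>empty_input_digest</code> and <code>DIGEST_ALGS</code> are constructed for this example; the digest values in the sample are the ones quoted in the trace above.</p>

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# DigestMethod algorithm URIs mapped to hashlib names (the thread uses SHA-1).
DIGEST_ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
               "http://www.w3.org/2001/04/xmlenc#sha256": "sha256"}

def empty_input_digest(alg):
    """Base64 digest of zero bytes; for sha1 this is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=,
    the value xmlsec1 reported for URI="#Manifest" in the thread."""
    return base64.b64encode(hashlib.new(alg, b"").digest()).decode()

def audit_references(xml_text):
    """One dict per ds:Reference, in document order, flagging what a verifier
    should check before trusting 'succeeded': does a bare '#id' URI resolve to
    an element with that Id, and is the stored DigestValue the digest of nothing?"""
    root = ET.fromstring(xml_text)
    # Every Id attribute in the document, so "#frag" can be resolved without a
    # DTD (xmlsec1 itself normally needs --id-attr for non-dsig elements).
    ids = {el.get("Id") for el in root.iter() if el.get("Id") is not None}
    findings = []
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        method = ref.find(DS + "DigestMethod")
        alg = DIGEST_ALGS.get(method.get("Algorithm", "")) if method is not None else None
        value = (ref.findtext(DS + "DigestValue") or "").strip()
        bare_id = uri.startswith("#") and not uri.startswith("#xpointer(")
        findings.append({
            "uri": uri,
            "empty_input": alg is not None and value == empty_input_digest(alg),
            "unresolved_id": bare_id and uri[1:] not in ids,
        })
    return findings

# Constructed sample laid out like the thread's document: SignedInfo points at the
# Manifest by Id, and the stored digest is the one xmlsec1 produced over an empty
# buffer. The two Manifest digests are the values from the trace above.
SAMPLE = """<Document xmlns="urn:example:doc">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:Reference URI="#Manifest">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:Object><ds:Manifest Id="Manifest">
<ds:Reference URI="">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="sign.sh">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</ds:DigestValue>
</ds:Reference></ds:Manifest></ds:Object>
</ds:Signature></Document>"""
```

<p>Running <code>audit_references(SAMPLE)</code> flags the "#Manifest" reference as digested over empty input while the two Manifest references pass; removing the <code>Id="Manifest"</code> attribute makes the same reference show up as unresolved instead.</p>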
<br>
</body>
</html>