<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Thanks for your answer.<br>
I will conduct some interoperability tests but right now the
digest is good.<br>
<br>
Regards.<br>
<br>
François<br>
<div class="moz-signature">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
<br>
<div class="moz-signature">
<div class="moz-signature">
<div class="moz-signature">
<div class="moz-signature"><br>
</div>
</div>
</div>
</div>
</div>
Le 11/04/2014 17:44, Aleksey Sanin a écrit :<br>
</div>
<blockquote cite="mid:53480DE1.7040100@aleksey.com" type="cite">
<pre wrap="">Remove transforms section from the Manifest type reference:
<Reference Type=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#Manifest">"http://www.w3.org/2000/09/xmldsig#Manifest"</a>
URI="#manifest">
<DigestMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/>
<DigestValue></DigestValue>
</Reference>
Otherwise you apply enveloped signature transform to the results of the
manifest and as the result you get empty node set/empty string.
Aleksey
On 4/11/14, 12:40 AM, François Plou wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Thanks for your answer.
I tried it but I always get this incorrect digest.
I modified the xml template according what I found in samples and
according your previous mail (see acmt.007.001.02_1.skel.1sign.object2.xml).
The xmlsec1 output still shows the bad digest for #manifest :
= SIGNATURE CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000002
==== keyUsage: 0x00000001
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
=== Transform: rsa-sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>)
=== Transform: base64 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Private
=== key usage: -1
=== rsa key: size = 2048
== SignedInfo References List:
=== list size: 1
*= REFERENCE CALCULATION CONTEXT**
**== Status: succeeded**
**== URI: "#manifest"**
**== Type: <a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#Manifest">"http://www.w3.org/2000/09/xmldsig#Manifest"</a>**
**== Reference Transform Ctx:**
**== TRANSFORMS CTX (status=2)**
**== flags: 0x00000000**
**== flags2: 0x00000000**
**== enabled transforms: all**
**=== uri: **
**=== uri xpointer expr: #manifest**
**=== Transform: xpointer
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmldsig-more/xptr">http://www.w3.org/2001/04/xmldsig-more/xptr</a>)**
**=== Transform: enveloped-signature
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)**
**=== Transform: c14n
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)**
**=== Transform: membuf-transform (href=NULL)**
**=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)**
**=== Transform: base64 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)**
**=== Transform: membuf-transform (href=NULL)**
**== Digest Method:**
**=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)**
**== Result - start buffer:**
**2jmj7l5rSw0yVb/vlWAYkK/YBwk=**
**== Result - end buffer*
== Manifest References List:
=== list size: 2
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
=== Transform: c14n (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== PreDigest data - start buffer:
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq>
<Refs>
<MsgId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</MsgId>
<PrcId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</PrcId>
</Refs>
<Acct>
<Id>
<Othr>
<Id>NOREF2</Id>
</Othr>
</Id>
<Tp>
<Cd>CASH</Cd>
</Tp>
<Ccy>USD</Ccy>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<MnthlyTxNb>100</MnthlyTxNb>
<AvrgBal>10000</AvrgBal>
</Acct>
<CtrctDts>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
</CtrctDts>
<UndrlygMstrAgrmt>
<Ref>ABC/Acct/BBBBUS33</Ref>
<Vrsn>1.0</Vrsn>
</UndrlygMstrAgrmt>
<AcctSvcrId>
<FinInstnId>
<BICFI>BBBBUS33</BICFI>
</FinInstnId>
</AcctSvcrId>
<Org>
<FullLglNm>ABC Corporation</FullLglNm>
<CtryOfOpr>US</CtryOfOpr>
<RegnDt>1999-09-01</RegnDt>
<LglAdr>
<StrtNm>Times Square</StrtNm>
<BldgNb>7</BldgNb>
<PstCd>NY 10036</PstCd>
<TwnNm>New York</TwnNm>
<Ctry>US</Ctry>
</LglAdr>
<OrgId>
<Othr>
<Id>01256485-85</Id>
<SchmeNm>
<Prtry>TAX</Prtry>
</SchmeNm>
</Othr>
</OrgId>
<MainMndtHldr>
<Nm>Richard Jones</Nm>
<PstlAdr>
<AdrTp>HOME</AdrTp>
<StrtNm>La Guardia Drive</StrtNm>
<BldgNb>12</BldgNb>
<PstCd>NJ 07054</PstCd>
<TwnNm>Parsippany</TwnNm>
<Ctry>US</Ctry>
</PstlAdr>
<Id>
<DtAndPlcOfBirth>
<BirthDt>1960-05-01</BirthDt>
<CityOfBirth>New york</CityOfBirth>
<CtryOfBirth>US</CtryOfBirth>
</DtAndPlcOfBirth>
</Id>
</MainMndtHldr>
</Org>
<DgtlSgntr>
<Pty>
<Nm>fplou</Nm>
</Pty>
<Sgntr>
</Sgntr>
</DgtlSgntr>
</AcctOpngReq>
</Document>
== PreDigest data - end buffer
== Result - start buffer:
vSK1aioRUa7Gz2jLpN9LFqFeXSI=
== Result - end buffer
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: "sign.sh"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: sign.sh
=== uri xpointer expr: NULL
=== Transform: input-uri (href=NULL)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== PreDigest data - start buffer:
xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
acmt.007.001.02_1.skel.1sign.object2.xml
== PreDigest data - end buffer
== Result - start buffer:
4JgfakTfEbqzVpb+lP8vAWsD0u8=
== Result - end buffer
== Result - start buffer:
x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
KEvAz2lVM8oCsYgURmlGbA==
== Result - end buffer
The generated xml file :
<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq>
<Refs>
<MsgId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</MsgId>
<PrcId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</PrcId>
</Refs>
<Acct>
<Id>
<Othr>
<Id>NOREF2</Id>
</Othr>
</Id>
<Tp>
<Cd>CASH</Cd>
</Tp>
<Ccy>USD</Ccy>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<MnthlyTxNb>100</MnthlyTxNb>
<AvrgBal>10000</AvrgBal>
</Acct>
<CtrctDts>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
</CtrctDts>
<UndrlygMstrAgrmt>
<Ref>ABC/Acct/BBBBUS33</Ref>
<Vrsn>1.0</Vrsn>
</UndrlygMstrAgrmt>
<AcctSvcrId>
<FinInstnId>
<BICFI>BBBBUS33</BICFI>
</FinInstnId>
</AcctSvcrId>
<Org>
<FullLglNm>ABC Corporation</FullLglNm>
<CtryOfOpr>US</CtryOfOpr>
<RegnDt>1999-09-01</RegnDt>
<LglAdr>
<StrtNm>Times Square</StrtNm>
<BldgNb>7</BldgNb>
<PstCd>NY 10036</PstCd>
<TwnNm>New York</TwnNm>
<Ctry>US</Ctry>
</LglAdr>
<OrgId>
<Othr>
<Id>01256485-85</Id>
<SchmeNm>
<Prtry>TAX</Prtry>
</SchmeNm>
</Othr>
</OrgId>
<MainMndtHldr>
<Nm>Richard Jones</Nm>
<PstlAdr>
<AdrTp>HOME</AdrTp>
<StrtNm>La Guardia Drive</StrtNm>
<BldgNb>12</BldgNb>
<PstCd>NJ 07054</PstCd>
<TwnNm>Parsippany</TwnNm>
<Ctry>US</Ctry>
</PstlAdr>
<Id>
<DtAndPlcOfBirth>
<BirthDt>1960-05-01</BirthDt>
<CityOfBirth>New york</CityOfBirth>
<CtryOfBirth>US</CtryOfBirth>
</DtAndPlcOfBirth>
</Id>
</MainMndtHldr>
</Org>
<DgtlSgntr>
<Pty>
<Nm>fplou</Nm>
</Pty>
<Sgntr>
<Signature xmlns=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a>>
<SignedInfo>
<CanonicalizationMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</a>/>
<SignatureMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</a>/>
<Reference
Type=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#Manifest">"http://www.w3.org/2000/09/xmldsig#Manifest"</a> URI="#manifest">
<Transforms>
<Transform
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/>
</Transforms>
<DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/>
<DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
KEvAz2lVM8oCsYgURmlGbA==</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>
6YkxawwM+ydRECsRK+t1ONIAI6ZHz1zZyohEdtqYso/2a5/nDTst4MKT4mFYr3Gp
BlOgfSYxC0pUXWC3iSAIAbvcjNSQMSgeiAiJL4pbzX/5uYyBIXFHNdSuOQVyoSJB
jDaPx19UyMqmZaLn5Flj7YVmpUyPAR1V4DHSmHGC4gDSqUHEphVHU/lnjnB+KEGm
W03J6OzVjJi7bK/EmZjliOHZhgsNY1FmYesZsbI1GI/RsuBBA3NxvcAC0kXBUJ4n
qHW7y7Ww8Yv77sFP/2g5s/fqW7HrnUnVh/xf3bs2a6EuriY4BI9M8YEmF0EGpbth
ycR4QLM0jQPdGBEamqitFQ==
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
<Object>
<Manifest Id="manifest">
<Reference URI="">
<Transforms>
<Transform
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/>
</Transforms>
<DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/>
<DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
</Reference>
<Reference URI="sign.sh">
<DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/>
<DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
</Reference>
</Manifest>
</Object>
</Signature>
</Sgntr>
</DgtlSgntr>
</AcctOpngReq>
</Document>
Regards
François
Le 10/04/2014 18:29, Aleksey Sanin a écrit :
</pre>
<blockquote type="cite">
<pre wrap="">To process manifests according to the xmldsig spec the ref type
should be specified:
<Reference Type=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#Manifest">"http://www.w3.org/2000/09/xmldsig#Manifest"</a>
URI="#Manifest">
...
</>
XMLSec package contains a few test vectors that show manifests usage.
Best,
Aleksey
On 4/10/14, 5:40 AM, François Plou wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I found the problem, but don't know yet what really happens in the
source code.
I put some traces and I discovered that digest
2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer.
If you execute the following command openssl dgst -sha1 -binary
/dev/null | openssl enc -base64, you also get this digest.
So it seems xmlsec1 can't process correctly the #Manifest part :
<Object>
<Manifest Id="Manifest">
<Reference URI="">
<Transforms>
<Transform
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/>
</Transforms>
<DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/>
<DigestValue></DigestValue>
</Reference>
<Reference URI="sign.sh">
<DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/>
<DigestValue></DigestValue>
</Reference>
</Manifest>
</Object>
Regards.
François
Le 10/04/2014 11:31, François Plou a écrit :
</pre>
<blockquote type="cite">
<pre wrap="">Not really :-(
The store-references option does not display the xml part who matches
the digest displayed :
== Status: succeeded
== URI: "#Manifest"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #Manifest
=== Transform: xpointer
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmldsig-more/xptr">http://www.w3.org/2001/04/xmldsig-more/xptr</a>)
=== Transform: enveloped-signature
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
=== Transform: c14n
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== Result - start buffer:
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
== Result - end buffer
The #Manifest is processed and --store-references provides the digest
2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part who was used to
provide this digest.
This digest does not match the one produced by Apache XML Security.
Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= who match the
following XML part :
<Manifest xmlns=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a> Id="Manifest">
<Reference URI="">
<Transforms>
<Transform
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>></Transform>
</Transforms>
<DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>></DigestMethod>
<DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
</Reference>
<Reference URI="sign.sh">
<DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>></DigestMethod>
<DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
</Reference>
</Manifest>
So I am trying to figure what XML part is used by xmlsec1.
Regards
François
Le 09/04/2014 20:12, Aleksey Sanin a écrit :
</pre>
<blockquote type="cite">
<pre wrap="">This is exactly what --store-references option does :)
Aleksey
On 4/9/14, 10:15 AM, François Plou wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
I am trying to discover what xml part is digested to understand why I
got another digest value than the one calculated by java XmlDsig API.
To do that I try to add some trace in the code just before the digest
algorithm but I was unable yet to find the right position.
Could you provide me a clue where to add trace in the source code ?
Thanks for your help.
Francois
Le 07/04/2014 14:49, François Plou a écrit :
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
Below is the result of --store-references option :
xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
--store-references acmt.007.001.02_1.skel.1sign.object2.xml
Enter password for "/home/fplou/CA/fplousign.key<a class="moz-txt-link-rfc2396E" href="file:=SIGNATURECONTEXT==Status:succeeded==flags:0x00000006==flags2:0x00000000==KeyInfoReadCtx:=KEYINFOREADCONTEXT==flags:0x00000000==flags2:0x00000000==enabledkeydata:all==RetrievalMethodlevel(cur/max):0/1==TRANSFORMSCTX(status=0)==flags:0x00000000==flags2:0x00000000==enabledtransforms:all===uri:NULL===urixpointerexpr:NULL==EncryptedKeylevel(cur/max):0/1===KeyReq:====keyId:rsa====keyType:0x00000002====keyUsage:0x00000001====keyBitsSize:0===listsize:0==KeyInfoWriteCtx:=KEYINFOWRITECONTEXT==flags:0x00000000==flags2:0x00000000==enabledkeydata:all==RetrievalMethodlevel(cur/max):0/1==TRANSFORMSCTX(status=0)==flags:0x00000000==flags2:0x00000000==enabledtransforms:all===uri:NULL===urixpointerexpr:NULL==EncryptedKeylevel(cur/max):0/1===KeyReq:====keyId:NULL====keyType:0x00000001====keyUsage:0xffffffff====keyBitsSize:0===listsize:0==SignatureTransformCtx:==TRANSFORMSCTX(status=2)==flags:0x00000000==
flags2:
0x00000000==enabledtransforms:all===uri:NULL===urixpointerexpr:NULL===Transform:c14n(href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)===Transform:rsa-sha1(href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)===Transform:base64(href=http://www.w3.org/2000/09/xmldsig#base64)===Transform:membuf-transform(href=NULL)==SignatureMethod:===Transform:rsa-sha1(href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)==SignatureKey:==KEY===method:RSAKeyValue===keytype:Private===keyusage:-1===rsakey:size=2048==SignedInfoReferencesList:===listsize:1=REFERENCECALCULATIONCONTEXT==Status:succeeded==URI:">" file:
= SIGNATURE CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000002
==== keyUsage: 0x00000001
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n
(href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Private
=== key usage: -1
=== rsa key: size = 2048
== SignedInfo References List:
=== list size: 1
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: "</a>#Manifest"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #Manifest
=== Transform: xpointer
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmldsig-more/xptr">http://www.w3.org/2001/04/xmldsig-more/xptr</a>)
=== Transform: enveloped-signature
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
=== Transform: c14n
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== Result - start buffer:
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
== Result - end buffer
== Manifest References List:
=== list size: 2
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
=== Transform: c14n
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== PreDigest data - start buffer:
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq>
<Refs>
<MsgId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</MsgId>
<PrcId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</PrcId>
</Refs>
<Acct>
<Id>
<Othr>
<Id>NOREF2</Id>
</Othr>
</Id>
<Tp>
<Cd>CASH</Cd>
</Tp>
<Ccy>USD</Ccy>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<MnthlyTxNb>100</MnthlyTxNb>
<AvrgBal>10000</AvrgBal>
</Acct>
<CtrctDts>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
</CtrctDts>
<UndrlygMstrAgrmt>
<Ref>ABC/Acct/BBBBUS33</Ref>
<Vrsn>1.0</Vrsn>
</UndrlygMstrAgrmt>
<AcctSvcrId>
<FinInstnId>
<BICFI>BBBBUS33</BICFI>
</FinInstnId>
</AcctSvcrId>
<Org>
<FullLglNm>ABC Corporation</FullLglNm>
<CtryOfOpr>US</CtryOfOpr>
<RegnDt>1999-09-01</RegnDt>
<LglAdr>
<StrtNm>Times Square</StrtNm>
<BldgNb>7</BldgNb>
<PstCd>NY 10036</PstCd>
<TwnNm>New York</TwnNm>
<Ctry>US</Ctry>
</LglAdr>
<OrgId>
<Othr>
<Id>01256485-85</Id>
<SchmeNm>
<Prtry>TAX</Prtry>
</SchmeNm>
</Othr>
</OrgId>
<MainMndtHldr>
<Nm>Richard Jones</Nm>
<PstlAdr>
<AdrTp>HOME</AdrTp>
<StrtNm>La Guardia Drive</StrtNm>
<BldgNb>12</BldgNb>
<PstCd>NJ 07054</PstCd>
<TwnNm>Parsippany</TwnNm>
<Ctry>US</Ctry>
</PstlAdr>
<Id>
<DtAndPlcOfBirth>
<BirthDt>1960-05-01</BirthDt>
<CityOfBirth>New york</CityOfBirth>
<CtryOfBirth>US</CtryOfBirth>
</DtAndPlcOfBirth>
</Id>
</MainMndtHldr>
</Org>
<DgtlSgntr>
<Pty>
<Nm>fplou</Nm>
</Pty>
<Sgntr>
</Sgntr>
</DgtlSgntr>
</AcctOpngReq>
</Document>
== PreDigest data - end buffer
== Result - start buffer:
vSK1aioRUa7Gz2jLpN9LFqFeXSI=
== Result - end buffer
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: "sign.sh"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: sign.sh
=== uri xpointer expr: NULL
=== Transform: input-uri (href=NULL)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: base64 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== PreDigest data - start buffer:
xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
acmt.007.001.02_1.skel.1sign.object2.xml
== PreDigest data - end buffer
== Result - start buffer:
4JgfakTfEbqzVpb+lP8vAWsD0u8=
== Result - end buffer
== Result - start buffer:
oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
uD2ZSS1bWu236lKh1elKWw==
== Result - end buffer
François
On 03/04/2014 18:37, Aleksey Sanin wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Try "--store-references" option to see what exactly was signed. Just
looking at the file, the DigestValue inside the #Manifest subtree looks
suspicious.
Aleksey
On 4/3/14, 5:46 AM, François Plou wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
I am facing an issue trying to sign an xml document which makes
reference to an external file.
xmlsec1 gives me a digest for the URI=#Manifest which is not
verified by
tool like Apache XML Security.
I am pretty sure there is something missing in the XML document I give
to xmlsec but can't figure what.
I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
acmt.007.001.02_1.skel.1sign.object2.xml
The output document is fpl.xml
The digest which is not the same as the one computed by Apache XML
Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
I found that the expecting digest match the manifest3.xml file enclosed
(I built it manually).
So it seems xmlsec is not creating the same manifest part.
Do you have any idea what can be wrong in my
acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
transform ?
Thanks for your help.
Francois
_______________________________________________
xmlsec mailing list
<a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<a class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">_______________________________________________
xmlsec mailing list
<a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<a class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
</blockquote>
<br>
</body>
</html>