<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">I'm not sure ... Even if the signature
is not valid, xmlsec can displays the PreDidest data<br>
<br>
After a lot of debug, I found the reason (but not the solution)<br>
<br>
The file I want to check is strange ...<br>
<br>
It contains 2 references in <ds:SignedInfo><br>
<br>
The first reference is correct (#B01201438 references an id of a
parent element)<br>
<br>
<ds:Reference URI="#B01201438"><br>
<ds:Transforms><br>
<ds:Transform Algorithm=<a
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/><br>
<ds:Transform Algorithm=<a
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2001/10/xml-exc-c14n#">"http://www.w3.org/2001/10/xml-exc-c14n#"</a>/><br>
</ds:Transforms><br>
[...]<br>
<br>
The second reference also contains a <ds:Transform Algorithm=<a
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/><br>
(#IDC1141029105704p0100_SP references a Xades SignedProperties
element =>
Signature/Object/QualifyingProperties/SignedProperties, therefore
it's a child element of ds:Signature)<br>
<br>
<ds:Reference
URI="#IDC1141029105704p0100_SP"><br>
<ds:Transforms><br>
<ds:Transform Algorithm=<a
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/><br>
<ds:Transform Algorithm=<a
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2001/10/xml-exc-c14n#">"http://www.w3.org/2001/10/xml-exc-c14n#"</a>/><br>
</ds:Transforms><br>
[...]<br>
<br>
When xmlsec processes this reference, the output of C14N is empty<br>
If I remove the <ds:Transform Algorithm=<a
class="moz-txt-link-rfc2396E"
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/>,
the output of C14N is correct<br>
<div id="gt-src-tools">
<div id="gt-src-tools-l">
<div style="display: inline-block;" id="gt-input-tool">
<div id="itamenu"><span class="ita-kd-inputtools-div"></span></div>
</div>
</div>
</div>
<div id="gt-res-content" class="almost_half_cell">
<div dir="ltr" style="zoom:1">
<div id="tts_button"><object
type="application/x-shockwave-flash"
data="//ssl.gstatic.com/translate/sound_player2.swf"
id="tts" height="18" width="18"></object></div>
<span id="result_box" class="short_text" lang="en"><span
class="hps">my knowledge is that </span></span>"enveloped-signature"
removes the node "Signature" from the tree of signed data<br>
</div>
</div>
<br>
<span id="result_box" class="" lang="en"><span class="hps">I do
not understand the side effect of "</span></span>enveloped-signature".
In the best case, xmlsec should ignore the additional
<ds:Transform ... enveloped-signature"/> (ie returns the
whole sub tree)<br>
<br>
what is your opinion ?<br>
<br>
Le 07/11/2014 17:25, Aleksey Sanin a écrit :<br>
</div>
<blockquote cite="mid:545CF27E.4030303@aleksey.com" type="cite">
<pre wrap="">Well, according to the output.txt file, xmlsec simply stops on the
first failed Reference element since the signature will not be valid
anyway (see while() loop at the end of the
xmlSecDSigCtxProcessSignedInfoNode() function).
Aleksey
On 11/7/14 4:31 AM, pfx wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi!
I have a signed xml file with Xades information
I try to verify the signature with:
$ xmlsec1 --verify --id-attr:Id Bordereau --id-attr:Id Signature
--id-attr:Id SignedProperties --node-id IDC1141029105800p0100 test.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
data:data and digest do not match
FAIL
SignedInfo References (ok/all): 1/2
The first part of the signature is validate by xmlsec1
but it seems that xmlsec1 can't access to the second part (Xades
information)
If I use the "--store-references" flags, I can see the "PreDigest data"
of the first part, but xmlsec1 never displays the "PreDigest data" of
the second part
Here an extract of the file
<Bordereau Id="*B01201462*">
<BlocBordereau>
...
<ds:Signature Id="IDC1141029105800p0100">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/10/xml-exc-c14n#">"http://www.w3.org/2001/10/xml-exc-c14n#"</a>/>
<ds:SignatureMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</a>/>
<ds:Reference URI="#*B01201462*">
<ds:Transforms>
<ds:Transform
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/>
<ds:Transform
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/10/xml-exc-c14n#">"http://www.w3.org/2001/10/xml-exc-c14n#"</a>/>
</ds:Transforms>
<ds:DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/>
<ds:DigestValue>m24cE8pHsEwYBbVnCcUGUT49i3g=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#*IDC1141029105800p0100_SP*">
<ds:Transforms>
<ds:Transform
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</a>/>
<ds:Transform
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/10/xml-exc-c14n#">"http://www.w3.org/2001/10/xml-exc-c14n#"</a>/>
</ds:Transforms>
<ds:DigestMethod
Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/>
<ds:DigestValue>OgLDEJDln8+bp7jX1pxs5j/0poM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
...
<ds:Object Id="IDC1141029105800p0100_QI">
<xad:QualifyingProperties
Target="IDC1141029105800p0100">
<xad:SignedProperties
Id="*IDC1141029105800p0100_SP*">
<xad:SignedSignatureProperties>
<xad:SigningTime>2014-10-29T09:58:00.191Z</xad:SigningTime>
</ds:Signature>
</Bordereau>
And an extract of the output
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#B01201462"
[...]
=== uri:
=== uri xpointer expr: #B01201462
=== Transform: xpointer
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmldsig-more/xptr">http://www.w3.org/2001/04/xmldsig-more/xptr</a>)
=== Transform: enveloped-signature
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
=== Transform: exc-c14n (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2001/10/xml-exc-c14n#">http://www.w3.org/2001/10/xml-exc-c14n#</a>)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
== PreDigest data - start buffer:
<Bordereau Id="B01201462"><BlocBordereau><Exer
V="2014"></Exer>.........</Bordereau>
== PreDigest data - end buffer
= REFERENCE VERIFICATION CONTEXT
== Status: invalid
== URI: "#IDC1141029105800p0100_SP"
[...]
=== uri:
=== uri xpointer expr: #IDC1141029105800p0100_SP
=== Transform: xpointer
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmldsig-more/xptr">http://www.w3.org/2001/04/xmldsig-more/xptr</a>)
=== Transform: enveloped-signature
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
=== Transform: exc-c14n (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2001/10/xml-exc-c14n#">http://www.w3.org/2001/10/xml-exc-c14n#</a>)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
=> No PreDigest data here !
where is my mistake ?
I use xmlsec 1.2.18 (openssl)
(here the full xml file and xmlsec output => <a class="moz-txt-link-freetext" href="http://dl.free.fr/ekDbPkF63">http://dl.free.fr/ekDbPkF63</a>)
Regards,
_______________________________________________
xmlsec mailing list
<a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<a class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
</body>
</html>