[xmlsec] RetrievalMethod with local URI?
Aleksey Sanin
aleksey@aleksey.com
Wed, 17 Jul 2002 10:13:56 -0700
Brr..... I need to say "sorry" one more time :( The original code
is correct and xmlsec has no bug. I was confused by an outdated
example in the xmldsig archive. Please take a look at the XML DSig
interop examples included in the xmlsec package.
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue Id="foo">
<DSAKeyValue>
...
</DSAKeyValue>
</KeyValue>
</KeyInfo>
Aleksey
Aleksey Sanin wrote:
> Oops, sorry I am wrong. The correct pointer is
>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <KeyValue>
> <DSAKeyValue Id="foo">
> ...
> </DSAKeyValue>
> </KeyValue>
> </KeyInfo>
>
> And there is a bug in xmlsec :( Thanks for finding it!
>
> Aleksey
>
>
> Aleksey Sanin wrote:
>
>> Thanks, the file made it clear: you have a mistake in your file.
>> The reference URI in RetrievalMethod should point to the
>> KeyValue, not the KeyInfo. It is not clear from the spec but take
>> a look at the XML DSig archive:
>>
>> http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001JanMar/0068.html
>>
>> The correct file in your case should look like this one:
>>
>> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>> <KeyValue Id="foo">
>>
>> <DSAKeyValue>
>>
>> ...
>> </DSAKeyValue>
>> </KeyValue>
>> </KeyInfo>
>>
>>
>> Aleksey
>>
>> John Belmonte wrote:
>>
>>> Aleksey Sanin wrote:
>>>
>>>> How do you verify signature? Do you use xmlsec application or your
>>>> code?
>>>
>>>
>>> Sorry about that, I'm using the xmlsec application. That's what I
>>> meant by "xmlsec tool".
>>>
>>> I'll attach the actual xml. To verify, I run:
>>>
>>> xmlsec verify <file>
>>>
>>>
>>> -John
>>>
>>>
>>>------------------------------------------------------------------------
>>>
>>><?xml version="1.0" encoding="UTF-8"?>
>>><Envelope xmlns="urn:envelope">
>>> <Data>
>>> Hello, World!
>>> </Data>
>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>> <SignedInfo>
>>> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
>>> <Reference URI="">
>>> <Transforms>
>>> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>> </Transforms>
>>> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> <DigestValue>VweSIbNEl2P2r6lm+OL7hVJTwt8=</DigestValue>
>>> </Reference>
>>> </SignedInfo>
>>> <SignatureValue>HfKV8YVy6s+YIEejVAXMW1wUlq8KXQH+XNMQmwDOkdzMMnIvgTOtUw==</SignatureValue>
>>> <KeyInfo>
>>> <RetrievalMethod URI="#foo"/>
>>> </KeyInfo>
>>> </Signature>
>>> <KeyInfo Id="foo" xmlns="http://www.w3.org/2000/09/xmldsig#">
>>> <KeyValue>
>>> <DSAKeyValue>
>>> <P>
>>> iqx200qTk5ojXcvGRmTXtwLmBwDrmWoBfl0L1VzxQm0BDjmnVgoCIiyeeYQH7YDB
>>> iuP7f2AcJrocqaBa4pi+hG1pu/WfAyc2sc9dPavAqDo99ywL58dhE3blIL/bXhy7
>>> MH4NzXY7196xTCuZyMBnZQ3qxUReghREd22m2YmFe60=
>>> </P>
>>> <Q>
>>> nAIxeeJw9cjPjjD5NPT4X4I1eqU=
>>> </Q>
>>> <G>
>>> Wai06HIyzWrDJzaMtPeYbi3DXlIf0N9eBgEcDDvK77ikG8+9A9iw6ymStZJdummy
>>> MpBEKh7rSQ9GfaGvrBUyUlS34qaH7dvMfTHPWV9y1xaSysjuUT7U0dOxeBQw4uDF
>>> sQXwcJS+UT/twnWlYBf1L5OdNy4mq0wib6pfevWsLEo=
>>> </G>
>>> <Y>
>>> Oux1jjrB5ZYxIk1HHCBw5razG03KNhsHPDSU7ibHjWz+PonMTH6Tbcs32mCMaaOG
>>> k1YKuPpTwemHhr0JbR2DbyLJzCBdLUe9Czr2UF70euSr+SHPvSluqMByRmS3mNKL
>>> tUaYERHYl8dqzOEHTfD1D0QY2aCzAXrpYt56UEwMCoM=
>>> </Y>
>>> </DSAKeyValue>
>>> </KeyValue>
>>> </KeyInfo>
>>></Envelope>
>>>
>>>
>>
>
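
Added example (not part of the original thread and not xmlsec code): Python code that resolves the same-document RetrievalMethod URI discussed above and reports which element carries the matching Id, so the three placements that appear in the thread (KeyInfo, KeyValue, DSAKeyValue) can be compared. The sample document is constructed, with key material elided; treating any attribute named Id as the ID and rejecting duplicate Ids are assumptions of this example.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample modelled on the envelope in the thread; key material elided.
SAMPLE = """<Envelope xmlns="urn:envelope">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyInfo><RetrievalMethod URI="#foo"/></KeyInfo>
  </Signature>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" {ki}>
    <KeyValue {kv}>
      <DSAKeyValue {dsa}><P>AA==</P></DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Envelope>"""


def build(target):
    """Return the sample with Id="foo" placed on one element: ki, kv or dsa."""
    slots = {"ki": "", "kv": "", "dsa": ""}
    slots[target] = 'Id="foo"'
    return SAMPLE.format(**slots)


def resolve_retrieval_method(xml_text):
    """Resolve Signature/KeyInfo/RetrievalMethod; return the target's local name."""
    root = ET.fromstring(xml_text)
    rm = root.find(
        f".//{{{DSIG}}}Signature/{{{DSIG}}}KeyInfo/{{{DSIG}}}RetrievalMethod")
    if rm is None:
        raise ValueError("no RetrievalMethod in Signature/KeyInfo")
    uri = rm.get("URI", "")
    if not uri.startswith("#") or len(uri) == 1:
        raise ValueError("not a same-document fragment URI: %r" % uri)
    wanted = uri[1:]
    # Assumption: an attribute literally named Id is the ID (no DTD/schema here).
    hits = [el for el in root.iter() if el.get("Id") == wanted]
    if len(hits) != 1:
        # A missing or ambiguous Id must fail instead of picking "the first one".
        raise ValueError("Id %r matched %d elements" % (wanted, len(hits)))
    ns, _, local = hits[0].tag[1:].partition("}")
    if ns != DSIG:
        raise ValueError("target is not in the XML DSig namespace")
    return local


if __name__ == "__main__":
    for where in ("ki", "kv", "dsa"):
        print(where, "->", resolve_retrieval_method(build(where)))
```
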