[xmlsec] [Fwd: HMACOutputLength and xmlsec]
Jonathan Wenocur
jwenocur@datapower.com
Fri, 24 Jan 2003 13:21:42 -0500
Forgot to copy the list. Hope this helps, Aleksy. (Note I'm not on
the xmlsec mailing list.)
-- Jonathan
-------- Original Message --------
Subject: HMACOutputLength and xmlsec
Date: Fri, 24 Jan 2003 13:15:08 -0500
From: Jonathan Wenocur <jwenocur@datapower.com>
To: Rich Salz <rsalz@datapower.com>, Jonathan Wenocur <jwenocur@datapower.com>
The file simple-91.xml.signed is a version of simple-91.xml which we
signed with secret1. xmlsec doesn't verify the sig because
HMACOutputLength is 91, which is not evenly divisible by 8 (see
xmlsec/src/hmac.c:xmlSecMacHmacReadNode(), where res = atoi((char *)content) / 8).
I tried feeding the same input file into xmlsec to see how it signs it;
simple-91.xml.templ is the file I fed into xmlsec, and the signed output
is simple-91.xml.templ.signed.
You'll note that the difference between the two files is only in the
last couple of characters of the base64 encoded SignatureValue. The
base64 decoded value we output is:
0000000: d8 77 9e d9 ca 91 3a 6b 61 08 82 20 .w....:ka..
The base64 decoded value from xmlsec is:
0000000: d8 77 9e d9 ca 91 3a 6b 61 08 82
This is the same signature, but truncated down to 88 bits instead of 91 bits (assuming of course that the last few bits we add are correct).
-- Jonathan
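The truncation mismatch described above, as an added Python example that is not part of the original post or of xmlsec: truncate_bits keeps the leading 91 bits the way XMLDSIG's HMACOutputLength specifies (12 bytes, low five bits of the last byte cleared), truncate_bytes_floor reproduces the atoi(...) / 8 byte-floor that yields 88 bits, and verify shows a receiver that recomputes, truncates the same way and compares in constant time. The key is the "secret" string from the attached secret1 file; the SignedInfo bytes are a constructed stand-in, not the real C14N output.

```python
import base64
import hashlib
import hmac

# Constructed sample input: the key is the "secret" string from the attached
# secret1 file (trailing newline ignored); the data stands in for the real
# canonicalized <SignedInfo> bytes, which are not reproduced here.
KEY = b"secret"
SIGNED_INFO = b"<SignedInfo>constructed stand-in for C14N output</SignedInfo>"

def hmac_sha1(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def truncate_bits(mac, nbits):
    """Leading nbits of the MAC, as XMLDSIG defines HMACOutputLength: a length
    that is not a multiple of 8 keeps a final partial byte with its unused
    low-order bits cleared (91 bits -> 12 bytes, last byte masked with 0xE0)."""
    if not 0 < nbits <= len(mac) * 8:
        raise ValueError("HMACOutputLength out of range")
    nbytes = (nbits + 7) // 8          # round up, not down
    spare = nbytes * 8 - nbits         # 96 - 91 = 5 unused bits
    out = bytearray(mac[:nbytes])
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)

def truncate_bytes_floor(mac, nbits):
    """What atoi(content) / 8 in xmlsec's hmac.c does: integer division drops
    the partial byte, so a 91-bit length yields 88 bits (11 bytes)."""
    return mac[: nbits // 8]

def verify(sig, nbits, key, data):
    """Verifier side: reject lengths below half the hash output (the floor the
    later XML Signature 1.1 spec requires), recompute, truncate exactly as the
    signer did, and compare in constant time."""
    if nbits < hashlib.sha1().digest_size * 4:
        return False
    return hmac.compare_digest(truncate_bits(hmac_sha1(key, data), nbits), sig)

def demo(nbits=91):
    full = hmac_sha1(KEY, SIGNED_INFO)
    spec, floor = truncate_bits(full, nbits), truncate_bytes_floor(full, nbits)
    return {"spec_bytes": len(spec), "floor_bytes": len(floor),
            "shared_prefix": spec.startswith(floor),
            "spec_b64": base64.b64encode(spec).decode(),
            "floor_b64": base64.b64encode(floor).decode()}
```

The hex dump above is consistent with the bit-level rule: its twelfth byte 0x20 has the low five bits clear, exactly as a 91-bit truncation leaves them.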
Attachment: simple-91.xml
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP:Body>
<echo xmlns="http://www.example.org">
this
is
a
test
of
echoing
simple-91
</echo>
</SOAP:Body>
</SOAP:Envelope>
Attachment: simple-91.xml.signed
<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"><SOAP:Header><wsse:Security><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
<HMACOutputLength>91</HMACOutputLength>
</SignatureMethod>
<Reference URI="#Body">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>KlK8TF9wnLYvXz008MJV4umoHhE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>gmtoF50KWNUTGQCg</SignatureValue><KeyInfo><KeyName>name:KEY</KeyName></KeyInfo></Signature></wsse:Security></SOAP:Header><SOAP:Body id="Body">
<echo xmlns="http://www.example.org">
this
is
a
test
of
echoing
simple-91
</echo>
</SOAP:Body></SOAP:Envelope>
Attachment: secret1
secret
Attachment: simple-91.xml.templ
<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"><SOAP:Header><wsse:Security><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
<HMACOutputLength>91</HMACOutputLength>
</SignatureMethod>
<Reference URI="#Body">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue></SignatureValue><KeyInfo><KeyName>name:KEY</KeyName></KeyInfo></Signature></wsse:Security></SOAP:Header><SOAP:Body id="Body">
<echo xmlns="http://www.example.org">
this
is
a
test
of
echoing
simple-91
</echo>
</SOAP:Body></SOAP:Envelope>
Attachment: simple-91.xml.templ.signed
<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"><SOAP:Header><wsse:Security><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
<HMACOutputLength>91</HMACOutputLength>
</SignatureMethod>
<Reference URI="#Body">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>KlK8TF9wnLYvXz008MJV4umoHhE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>gmtoF50KWNUTGQA=</SignatureValue><KeyInfo><KeyName>name:KEY</KeyName></KeyInfo></Signature></wsse:Security></SOAP:Header><SOAP:Body id="Body">
<echo xmlns="http://www.example.org">
this
is
a
test
of
echoing
simple-91
</echo>
</SOAP:Body></SOAP:Envelope>