[xmlsec] problem verifying a signature

Marko Macek marko.macek at hermes.si
Tue Mar 30 03:45:16 PST 2004


Hello!

I have a problem verifying a signature (attached xml) made with
Ubisignature.

I'm trying to verify it using xmlsec  and MS .NET SignedXml that we use
on the server.

The of xmlsec output is:

C:\work\xmlsec>xmlsec --verify --node-xpath
//*[@Id='DepositorSignature'] --trusted-der sigov-ca.crt --print-debug
podpis_mm3.xml
= VERIFICATION CONTEXT
== Status: invalid
== flags: 0x00000000
== flags2: 0x00000000
== Id: "DepositorSignature"
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: 65535
=== rsa key: size = 1023
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
func=:file=..\src\openssl\signatures.c:line=248:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data 

do not match:signature do not match
FAIL
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "podpis_mm3.xml"
============================================================

One thing that I find odd is:

=== rsa key: size = 1023

I have also tried verifying the signature with Microsoft SignedXml class
(framework 1.1) and it dies like this:

System.Security.Cryptography.CryptographicException:
Cryptographic service provider (CSP) for this implementation generated an
internal error while attempting to verify the signature. at
System.Security.Cryptography.RSACryptoServiceProvider.VerifyHash(Byte[]
rgbHash, String str, Byte[] rgbSignature) at
System.Security.Cryptography.RSAPKCS1SignatureDeformatter.VerifySignature(By
te[] rgbHash, Byte[] rgbSignature) at
System.Security.Cryptography.AsymmetricSignatureDeformatter.VerifySignature(
HashAlgorithm hash, Byte[] rgbSignature) at
System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorith
m key) at
System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(Asymme
tricAlgorithm& signingKey) at


But Ubisignature and Java (apache) implementations verify the signature
as valid.

Can anyone help? Is the signature valid or not? Where is the problem?

The CA certificate is at http://www.sigov-ca.gov.si/sigov-ca.crt

Thanks,
Mark



-------------- next part --------------
A non-text attachment was scrubbed...
Name: podpis_mm3.xml
Type: text/xml
Size: 4239 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20040330/7dfddf09/podpis_mm3.xml


More information about the xmlsec mailing list