[xmlsec] RE: Can you Verify this signature ?

Ed Shallow ed.shallow at rogers.com
Mon Aug 7 12:51:29 PDT 2006


Hi Andreas and Aleksey,

   Andreas, thanks for your prompt reply.

   I suspect it has something to do with the use of emailAddress in the
X509SubjectName. Konrad says this is incorrect and that I should be using
EMAIL instead of emailAddress. I think he is using IAIK also.

   I generated this certificate with OpenSSL.

   Aleksey, is emailAddress incorrect or non-standard ? If so, am I
introducing this improper use of emailAddress or is it XMLSec ?

Thanks,
Ed


-----Original Message-----
From: Andreas Kuehne [mailto:akuehne at yahoo.com] 
Sent: August 7, 2006 6:34 AM
To: ed.shallow at rogers.com
Subject: Re: Can you Verify this signature ?

Hi Ed !

Good to hear from you regarding 'real' business ! More than one year gone by
since our last effort to do some InterOp tests ...

And it took me some time to have my XMLDSig stuff up and running again. I'm
still working with plain old PKCS7 most of the time.

As you might remember I'm using the iaik stuff and upgraded to the current
version. I see an interesting message from the verifier :

Exception in thread "main" javax.xml.crypto.MarshalException: X509SubjectName 'emailAddress=CAAdmin at upu.int,CN=Universal Postal Union Pilot EPM Timestamp,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH' is not RFC 2253 compliant.
        at iaik.xml.crypto.dsig.keyinfo.X509DataImpl.unmarshalStructures(Unknown Source)
        at iaik.xml.crypto.dom.DOMStructure.unmarshal(Unknown Source)
        at iaik.xml.crypto.dsig.keyinfo.X509DataImpl.<init>(Unknown Source)
        ...

Do you have any clue why it complains ? Does the double use of organisation
violate the RFC ? I can't extract any restrictions from the spec.

Greetings

Andreas

>    Can I ask you for a small favor ?
> 
>    Could you please verify this signature using your XMLDSIG crypto 
> toolkit as a sanity check ?
> 
>    It would be enormously appreciated.
> 
>    I have also included the trusted public root from which the UPUtsa 
> signing certificate was issued.
> 
> 
> Thanks loads,
> 
> Ed Shallow
> Chief Architect
> Canada Post Corporation
> Electronic PostMarking Services
> 613-852-6410
> <?xml version="1.0" encoding="UTF-8"?>
> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="PostMarkedReceiptSignature">
>     <dsig:SignedInfo>
>         <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>         <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <dsig:Reference URI="#TstInfo">
>             <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <dsig:DigestValue>x0q4X69WBzlCQg3Qbu3BNzdHseY=</dsig:DigestValue>
>         </dsig:Reference>
>         <dsig:Reference URI="#Receipt">
>             <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <dsig:DigestValue>tH/s6vMnSs8pvi8LDKRghsEZnQE=</dsig:DigestValue>
>         </dsig:Reference>
>         <dsig:Reference URI="#PostMarkedData">
>             <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <dsig:DigestValue>iurDPcMJ2yYQQoOTVCpGUXeJ6rQ=</dsig:DigestValue>
>         </dsig:Reference>
>     </dsig:SignedInfo>
>     <dsig:SignatureValue>LQ8IbC0zduAdhop4/q1OwhOiPOdyUoSRtjO9IFUmIWtDUh8oqDfkitMFXW9IFn4+
> BIWO5y5QN4upnybOGqR7ng+2scqcqk/baoTczdBRCkSRRWa02ouR9guEv/3Btnvz
> 8q/Zgxt2nGKXUQBe+V03pjiRS5gOZ5xnkbvOT7+imPc=</dsig:SignatureValue>
>     <dsig:KeyInfo>
>         <dsig:KeyName>UPUtsa</dsig:KeyName>
>         <dsig:X509Data>
>         <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIIEXDCCA0SgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCB3jELMAkGA1UEBhMCQ0gx
> DjAMBgNVBAgTBUJlcm5lMQ4wDAYDVQQHEwVCZXJuZTEfMB0GA1UEChMWVW5pdmVy
> c2FsIFBvc3RhbCBVbmlvbjEaMBgGA1UEChMRRm9yIFRlc3QgVXNlIE9ubHkxHTAb
> BgNVBAsTFEVsZWN0cm9uaWMgUG9zdCBNYXJrMTMwMQYDVQQDEypVbml2ZXJzYWwg
> UG9zdGFsIFVuaW9uIFBpbG90IEVQTSBBdXRob3JpdHkxHjAcBgkqhkiG9w0BCQEW
> D0NBQWRtaW5AdXB1LmludDAeFw0wNTAxMjUxOTU3NDFaFw0xMDAxMjQxOTU3NDFa
> MIHeMQswCQYDVQQGEwJDSDEOMAwGA1UECBMFQmVybmUxDjAMBgNVBAcTBUJlcm5l
> MR8wHQYDVQQKExZVbml2ZXJzYWwgUG9zdGFsIFVuaW9uMRowGAYDVQQKExFGb3Ig
> VGVzdCBVc2UgT25seTEdMBsGA1UECxMURWxlY3Ryb25pYyBQb3N0IE1hcmsxMzAx
> BgNVBAMTKlVuaXZlcnNhbCBQb3N0YWwgVW5pb24gUGlsb3QgRVBNIFRpbWVzdGFt
> cDEeMBwGCSqGSIb3DQEJARYPQ0FBZG1pbkB1cHUuaW50MIGfMA0GCSqGSIb3DQEB
> AQUAA4GNADCBiQKBgQDZcXRnH8LSa57tHZH5i4JsKN5MiTADOud2ThVKctheNd5B
> wqP5JxkyK75jBVrFz5efJLOlpSbALtTwMzOuXn8C+UcdB1/Mu0gnTpgFaonMmKuk
> xq9pi4u/7zlzmA+6vI6pUHu8RrBbHUa0PgM6OkgniZqIfkLjtD0Y9IzJpflczwID
> AQABo4GmMIGjMAwGA1UdEwQFMAMCAQAwHQYDVR0OBBYEFBEFCs6yi4oBFWYGSCLY
> +4lb0PrEMB8GA1UdIwQYMBaAFO0VydJTZFy9p5n9OT6icSir2KhQMC4GA1UdHwQn
> MCUwI6AhoB+GHWh0dHA6Ly9jYTEudXB1LmludC9tYXN0ZXIuY3JsMAsGA1UdDwQE
> AwIGwDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG9w0BAQUFAAOCAQEA
> EiPjbN4zcLPOztr9WLSVB3C+e+qdl1xdzO9xu4tgtiXmeu6liSicWnRv8VNHJLyx
> acSjCHM5rvn+ItVRCKcQf5l6aXab4XaIJFHCqjW6m09v0T0CNRawQaMYTx83iAcA
> jot4dQ11kca4sL3nYIrxiBMPjwRjsLS/UvogLWjmwwx07lFrat5vLwGYPTjmxGyI
> vngOIpc7Deg1xKhBXK4pBof4l0gukhZ0p98Xq181QcW2C/453kGCA307GY2+bsEe
> 9BvnoWPKk+udtb2+NHKgiFmh0arupWd0YI/szP2Zdim5XyVnXV+UuKW8Wi/83TBB
> b2u1v4jWQWzHV/WfjdX2lg==</X509Certificate>
> <X509SubjectName xmlns="http://www.w3.org/2000/09/xmldsig#">emailAddress=CAAdmin at upu.int,CN=Universal Postal Union Pilot EPM Timestamp,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</X509SubjectName>
> <X509IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
> <X509IssuerName>emailAddress=CAAdmin at upu.int,CN=Universal Postal Union Pilot EPM Authority,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</X509IssuerName>
> <X509SerialNumber>4</X509SerialNumber>
> </X509IssuerSerial>
> </dsig:X509Data>
>     </dsig:KeyInfo>
>     <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         <dss:TstInfo xmlns:dss="http://www.docs.oasis-open.org/dss/oasis-dss-1.0-core-schema-cd-02.xsd" Id="TstInfo">
>             <SerialNumber>100000005284</SerialNumber>
>             <CreationTime>2006-8-3T15:22:11.431</CreationTime>
>             <Policy/>
>             <ErrorBound/>
>             <Ordered/>
>             <TSA>emailAddress=CAAdmin at upu.int, CN=Universal Postal Union Pilot EPM Timestamp, OU=Electronic Post Mark, O=For Test Use Only, O=Universal Postal Union, L=Berne, S=Berne, C=CH</TSA>
>         </dss:TstInfo>
>     </dsig:Object>
>     <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         <epm:PostMarkedReceipt xmlns:epm="http://www.upu.int/EPMService/schemas" Id="Receipt">
>             <Receipt>
>                 <TransactionKey>
>                     <Locator>
>                        <CountryCode>CA</CountryCode>
>                        <Version>115</Version>
>                        <ServiceProvider>epost</ServiceProvider>
>                        <Environment>test</Environment>
>                     </Locator>
>                     <Key>123456789</Key>
>                     <Sequence>1</Sequence>
>                 </TransactionKey>
>                 <Requester>Joe Public</Requester>
>                 <Operation>PostMark</Operation>
>                 <TSAX509SubjectName>emailAddress=CAAdmin at upu.int, CN=Universal Postal Union Pilot EPM Timestamp, OU=Electronic Post Mark, O=For Test Use Only, O=Universal Postal Union, L=Berne, S=Berne, C=CH</TSAX509SubjectName>
>                 <TimeStampValue>2006-8-3T12:49:23.188</TimeStampValue>
>                 <RevocationStatusQualifier>CRL Checked</RevocationStatusQualifier>
>                 <TimeStampToken MimeType="application/pkcs7-signature">base64encoded TS token would go here</TimeStampToken>
>                 <MessageImprint>optional for XMLDSIG</MessageImprint>
>                 <PostMarkImage>base64encoded graphic would go here</PostMarkImage>
>                 <ReceiptMetadata>
>                     <Name></Name>
>                     <Value></Value>
>                 </ReceiptMetadata>
>             </Receipt>
>         </epm:PostMarkedReceipt>
>     </dsig:Object>
>     <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         <epm:PostMarkedContent xmlns:epm="http://www.upu.int/EPMService/schemas" Id="PostMarkedData">Here is a small plain text file without mark-up.
> </epm:PostMarkedContent>
>     </dsig:Object>
> </dsig:Signature>
> 
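An added example, not code from this thread or from the xmlsec, IAIK or OpenSSL projects, illustrating the two questions raised above (is `emailAddress` non-standard, and does a repeated `O=` violate the RFC). The XMLDSig core specification says `X509SubjectName` and `X509IssuerName` carry distinguished names in RFC 2253 form, and RFC 2253 section 2.3 lists only CN, L, ST, O, OU, C, STREET, DC and UID as attribute-type keywords a parser must accept; any other attribute type is written as a dotted-decimal OID, with the value given as `#` plus the hex of its BER encoding. `emailAddress` is the OpenSSL short name for the PKCS#9 e-mail attribute (OID 1.2.840.113549.1.9.1), so a strict parser such as the one in the exception above can reject it, while two `O=` RDNs are simply two RDNs. The subject name below is the one from the thread with the list archive's " at " restored to "@" (an assumption about the original certificate); whether a given toolkit accepts the OID form is not something the thread settles.

```python
"""RFC 2253 keyword check for X509SubjectName / X509IssuerName strings.

Added example for the xmlsec thread; not the project's own code.
"""
import re

# Attribute-type keywords from RFC 2253 section 2.3.
RFC2253_KEYWORDS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}

# OpenSSL short names that are not RFC 2253 keywords, mapped to their OIDs.
# Only the one relevant to the thread is listed (PKCS#9 emailAddress, IA5String).
OPENSSL_SHORT_NAMES = {"EMAILADDRESS": "1.2.840.113549.1.9.1"}

OID_RE = re.compile(r"^\d+(\.\d+)+$")


def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped separators inside values."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair as written
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """Parse a DN string into a list of RDNs, each a list of (type, value).

    Whitespace around separators is tolerated (many printers emit ", ");
    escape sequences inside values are preserved rather than decoded.
    """
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("attribute without '=': %r" % ava)
            attr_type, value = ava.split("=", 1)
            avas.append((attr_type.strip(), value.strip()))
        rdns.append(avas)
    return rdns


def non_rfc2253_types(dn):
    """Attribute types that are neither RFC 2253 keywords nor dotted OIDs."""
    bad = []
    for rdn in parse_dn(dn):
        for attr_type, _ in rdn:
            if attr_type.upper() in RFC2253_KEYWORDS or OID_RE.match(attr_type):
                continue
            bad.append(attr_type)
    return bad


def count_type(dn, wanted):
    """Number of AVAs with the given type; repeats (two 'O=') are legal."""
    return sum(1 for rdn in parse_dn(dn) for t, _ in rdn if t.upper() == wanted.upper())


def ber_ia5string_hex(value):
    """'#' followed by the hex BER encoding of value as an IA5String."""
    raw = value.encode("ascii")
    if len(raw) > 127:
        raise ValueError("short-form BER length only in this example")
    return "#" + bytes([0x16, len(raw)]).hex() + raw.hex()


def to_rfc2253(dn):
    """Rewrite OpenSSL-only types as OID=#hex; all other AVAs are kept as-is."""
    out_rdns = []
    for rdn in parse_dn(dn):
        avas = []
        for attr_type, value in rdn:
            oid = OPENSSL_SHORT_NAMES.get(attr_type.upper())
            if oid:
                avas.append("%s=%s" % (oid, ber_ia5string_hex(value)))
            else:
                avas.append("%s=%s" % (attr_type, value))
        out_rdns.append("+".join(avas))
    return ",".join(out_rdns)


# Subject name from the thread; the archive's " at " is assumed to be "@".
SUBJECT = ("emailAddress=CAAdmin@upu.int,CN=Universal Postal Union Pilot EPM Timestamp,"
           "OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,"
           "L=Berne,ST=Berne,C=CH")

if __name__ == "__main__":
    print("non-RFC-2253 types:", non_rfc2253_types(SUBJECT))
    print("O= appears %d times (allowed)" % count_type(SUBJECT, "O"))
    print("rewritten:", to_rfc2253(SUBJECT))
```

Running the module reports `emailAddress` as the only offending type, counts the two `O=` entries as ordinary repeated RDNs, and prints the subject with the e-mail attribute in `1.2.840.113549.1.9.1=#...` form. Note that `EMAIL` (the alternative suggested in the thread) is not in the RFC 2253 table either, so the checker flags it in the same way.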