[xmlsec] Verifying fails to find KeyInfo
Aleksey Sanin
aleksey at aleksey.com
Fri Aug 10 13:01:45 PDT 2007
Since passing key directly in the signature is not the
safest way to do it, "by default" it might have been
disabled (sorry, I can not check the source code right
now because I am traveling and I have very limited
internet access). Search for enabledKeyData (e.g. here
http://www.aleksey.com/xmlsec/api/xmlsec-notes-contexts.html)
for examples of how to remove this limitation.
Aleksey
Alexander Alderweireldt wrote:
> Hi all,
>
> I have problems with verifying a signature, using its keyvalue in keyinfo.
> When I verify the signature with the same pem file I used to sign it, it
> works like a charm.
>
> I recently added :
>
> [code]
> // add <dsig:KeyInfo/> node to signature
> keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
> // adds <dsig:KeyValue/> node to the <dsig:KeyInfo/> node
> xmlSecTmplKeyInfoAddKeyValue(keyInfoNode);
> [/code]
>
> to the signature generation so I didn't need the pem file to verify the
> signature. But I now get the error that xmlSecDSigCtxProcessKeyInfoNode
> can't find the key ?
> Can anyone give me a hint or a pointer what I do wrong ?
>
> Many thnx !!!
> Alex
>
>
> [Errors]
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
> is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature verify
> [/Errors]
>
> [verify_C_code]
> int verify_file(char* xmlMessage)
> {
>     xmlDocPtr doc = NULL;
>     xmlNodePtr node = NULL;
>     xmlSecDSigCtxPtr dsigCtx = NULL;
>     char* key_file = "key.pem";
>     const xmlChar* ids[] = {BAD_CAST "Id", NULL };
>     int res = -1;
>
>     doc = xmlParseDoc((xmlChar *) xmlMessage) ;
>
>     if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
>         fprintf(stderr, "Error: unable to parse file \"%s\"\n", xmlMessage);
>         goto done;
>     }
>
>     /* find start node */
>     node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
>     if(node == NULL) {
>         fprintf(stdout, "Error: start node not found in \"%s\"\n", xmlMessage);
>         goto done;
>     }
>
>     /* create signature context */
>     dsigCtx = xmlSecDSigCtxCreate(NULL);
>     if(dsigCtx == NULL) {
>         fprintf(stdout,"Error: failed to create signature context\n");
>         goto done;
>     }
>
>     /* load public key | currently trying to verify through keyinfo*/
>     // dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
>     // if(dsigCtx->signKey == NULL) {
>     //     fprintf(stdout,"Error: failed to load public pem key from \"%s\"\n", key_file);
>     //     goto done;
>     // }
>
>     /* Verify signature */
>     if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>         fprintf(stdout,"Error: signature verify\n");
>         goto done;
>     }
>
>     /* print verification result to stdout */
>     if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>         fprintf(stdout, "Test : Signature is OK!!\n\n");
>     } else {
>         fprintf(stdout, "Test : Signature is INVALID\n\n");
>     }
>
>     /* success */
>     res = 1;
>
> done:
>     /* cleanup */
>     if(dsigCtx != NULL) {
>         xmlSecDSigCtxDestroy(dsigCtx);
>     }
>
>     if(doc != NULL) {
>         xmlFreeDoc(doc);
>     }
>
>     return(res);
> }
> [/verify_C_code]
>
> [signed_XML]
> <?xml version="1.0" encoding="UTF-8"?>
> <tsp:TimeStampResponse xmlns:xades="http://uri.etsi.org/01903/v1.1.1#"
> xmlns:tsp="http://www.esat.kuleuven.ac.be/~kwouters/2002/08/xmltsp#"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> Type="http://localhost/studjob1/timestampserver/timestampserver.wsdl"
> CertReq="true"
> xsi:schemaLocation="http://www.esat.kuleuven.ac.be/~kwouters/2002/08/xmltsp#TimeStampSchema.xsd">
>
> <tsp:Status>
> <tsp:MajorStatus Code="0">Time-stamp
> Granted..</tsp:MajorStatus>
> </tsp:Status>
>
> <tsp:TimeStampToken>
> <tsp:MessageImprints xml:id="ImprintID">
> <tsp:DigestAlgValue Id="DigestID1">
> <xades:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
> <xades:DigestValue>YTJhMzE5OWJiOTA1MDI3MWJkNTQwODljOTM2NGM3MzM1OTBlOWYxOQ==</xades:DigestValue>
> </tsp:DigestAlgValue>
> <tsp:DigestAlgValue Id="DigestID2">
> <xades:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
> <xades:DigestValue>NzJiNzQ2ODhmODZiZGE2Yjk2ZWQzMjg1YzlkMjUxZDU4Y2MyOGMyMQ==</xades:DigestValue>
> </tsp:DigestAlgValue>
> </tsp:MessageImprints>
> <tsp:TSTInfo xml:id="TSTInfoID">
> <xades:SignaturePolicyIdentifier>
> <xades:SignaturePolicyImplied/>
> </xades:SignaturePolicyIdentifier>
> <tsp:SerialNumber>666</tsp:SerialNumber>
> <tsp:GenTime>2007-08-02T8:33:30</tsp:GenTime>
> </tsp:TSTInfo>
> <tsp:bindingInfo Algorithm="LinearLinking-URI-HS91"
> xml:id="BindingID">
> <tsp:DigestAlgValue>
> <xades:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
> <xades:DigestValue>OUIzQjBDOUM1QjI5MjI5OEFFMEY3OTA2MEZERkYyRTg3OUY2NkY5RHJpLmUx</xades:DigestValue>
> </tsp:DigestAlgValue>
> </tsp:bindingInfo>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#ImprintID">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
> <DigestValue>JNUyEMSnMC9v1ysZkgLIVyGOcZE=</DigestValue>
> </Reference>
> <Reference URI="#TSTInfoID">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
> <DigestValue>bVK6SI09ea9MJO31WamnkH4Fw64=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>kicg8f+ttAsNsn19wAmZtiXOxzxnLam9fmHgFBZohXp97tPDlmM3zRhiAPfFycL9
> H02zvxu22sm9NJICtNKim71Zpz0waCVsjfsGf/TchEIxbBtIjKYEWVTHaFMrKsdb
> 3ijG4PMWXS/3cCJN2fuyFbWp+afIjmSkBNyzArWFD54=</SignatureValue>
> <KeyInfo>
> <KeyValue>
> <RSAKeyValue>
> <Modulus>
> 4HTQeETBkM7f1/1PHI3eshgOrZ1axHFmrjsN4Vf1hmDUNgoJ/sMMrPnj2HVA3fIT
> vRMb3Cd6Eb4gvapPHnMuB/xlyEbwIMj+L5gNfWfhxbaIKbN3jcp2n7oD2dlInnKr
> 3lJYEqC9u0jUUZJJr0VtDl0bOPNIalw1YVoodGI1vTs=
> </Modulus>
> <Exponent>
> AQAB
> </Exponent>
> </RSAKeyValue>
> </KeyValue>
> <KeyName/>
> </KeyInfo>
> </Signature></tsp:TimeStampToken>
> </tsp:TimeStampResponse>
> [/signed_XML]
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec