[xmlsec] XMLsec-openssl signature verification failure

Frederic HEULIN fheulin at influe.com
Tue Aug 28 06:35:16 PDT 2007


On Mon, Aug 27, 2007 at 09:22:25AM -0700, Aleksey Sanin wrote:
>
>> In the most simple case, I have generated a signature with no indentation 
>> except on
>> first line :
>
> OK, then I don't know. The error means that signatures don't match.
> You can try to dump the pre-signature buffer (after c14n) to make
> sure they match (see --print-signature xmlsec command line option).

So I've found the XMLSEC_DSIG_FLAGS_STORE_SIGNATURE flag; here are the results:
Signing:

...
== PreSigned data - start buffer:
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:eb="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xlink="http://www.w3.org/1999/xlink">
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<XPath>not(ancestor-or-self::node()[@soap:actor="urn:oasis:names:tc:ebxml-msg:service:nextMSH"]
|
ancestor-or-self::node()[@soap:actor="http://schemas.xmlsoap.org/soap/actor/next"])</XPath>
</Transform>
<Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>nLo8xi/sqV0d4Cnl4L8vN0SzXMU=</DigestValue>
</Reference>
<Reference URI="cid:payload-1-contid0000330b46d41445000a8049">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>/mBI15W23WOx3Lw0hcLzIMzPvsk=</DigestValue>
</Reference>
</SignedInfo>
== PreSigned data - end buffer

Checking signature:

... (SignedInfo on a single line)
== PreSigned data - start buffer:
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:eb="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xlink="http://www.w3.org/1999/xlink"><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"><XPath>not(ancestor-or-self::node()[@soap:actor="urn:oasis:names:tc:ebxml-msg:service:nextMSH"] | ancestor-or-self::node()[@soap:actor="http://schemas.xmlsoap.org/soap/actor/next"])</XPath></Transform><Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>nLo8xi/sqV0d4Cnl4L8vN0SzXMU=</DigestValue></Reference><Reference URI="cid:payload-1-contid0000330b46d41445000a8049"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>/mBI15W23WOx3Lw0hcLzIMzPvsk=</DigestValue></Reference></SignedInfo>
== PreSigned data - end buffer

whereas the received message is formatted as emitted ...
Is it the signature node extraction that modifies the message?
Is there a way to check the signature without using XPath extraction?

Fredd.
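The two pre-signed buffers above differ only in whitespace between the SignedInfo child elements, and that is enough for the signatures not to match: XML canonicalization keeps whitespace-only text nodes, so a signer that emits newlines and a verifier that sees the element on one line canonicalize to different byte strings. The example below, added here and not part of the original thread or of xmlsec, reproduces that with a constructed minimal SignedInfo (the DigestValue is the one quoted in the message; the RSA key and signature are left out because the comparison already fails at the canonical-form stage). It uses Python's standard-library `xml.etree.ElementTree.canonicalize`, which implements C14N 2.0 rather than the xml-c14n-20010315 algorithm named in the SignedInfo; both preserve inter-element whitespace, which is the only behaviour the example depends on. `first_divergence` is a small diagnostic helper of mine for locating where two dumped buffers part ways.

```python
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample: a cut-down SignedInfo in the form the signer emitted it
# (newline after every element) and in the form the verifier re-serialised it
# (everything on one line). The DigestValue is the one quoted in the message.
SIGNED_INFO_PRETTY = """<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>nLo8xi/sqV0d4Cnl4L8vN0SzXMU=</DigestValue>
</Reference>
</SignedInfo>"""

SIGNED_INFO_ONE_LINE = SIGNED_INFO_PRETTY.replace("\n", "")


def canonical_bytes(xml_text: str, strip_whitespace: bool = False) -> bytes:
    """Canonicalize a SignedInfo fragment and return the bytes that would be signed.

    strip_whitespace=True is a diagnostic only (it is NOT what xmlsec or the
    C14N 1.0 algorithm does); it lets us confirm that whitespace is the sole
    difference between two buffers.
    """
    return ET.canonicalize(xml_text, strip_text=strip_whitespace).encode("utf-8")


def presigned_digest(xml_text: str) -> str:
    """SHA-1 over the canonical form, i.e. what rsa-sha1 would sign (hex for display)."""
    return hashlib.sha1(canonical_bytes(xml_text)).hexdigest()


def first_divergence(a: bytes, b: bytes) -> int:
    """Byte offset where two canonical buffers first differ, or -1 if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def signature_would_verify(signer_xml: str, verifier_xml: str) -> bool:
    """True only if both sides would hash exactly the same canonical bytes.

    A real verifier compares the RSA signature over these bytes; since the
    signature is a deterministic function of them, equal bytes are required.
    """
    return canonical_bytes(signer_xml) == canonical_bytes(verifier_xml)


def whitespace_only_difference(signer_xml: str, verifier_xml: str) -> bool:
    """Diagnostic: do the two buffers agree once whitespace text nodes are dropped?"""
    return canonical_bytes(signer_xml, True) == canonical_bytes(verifier_xml, True)


if __name__ == "__main__":
    a = canonical_bytes(SIGNED_INFO_PRETTY)
    b = canonical_bytes(SIGNED_INFO_ONE_LINE)
    off = first_divergence(a, b)
    print("signer digest  :", presigned_digest(SIGNED_INFO_PRETTY))
    print("verifier digest:", presigned_digest(SIGNED_INFO_ONE_LINE))
    print("would verify   :", signature_would_verify(SIGNED_INFO_PRETTY, SIGNED_INFO_ONE_LINE))
    print("first difference at byte", off, "->", a[off:off + 20], "vs", b[off:off + 20])
    print("whitespace is the only difference:",
          whitespace_only_difference(SIGNED_INFO_PRETTY, SIGNED_INFO_ONE_LINE))
```

The practical consequence for the thread's question: whatever re-serialises the Signature element between signing and verification (pretty-printing, an intermediary that normalises whitespace, or extracting the node into a new document without preserving its text nodes) must be treated as tampering by the verifier, because C14N gives it no way to tell benign reformatting from a modified SignedInfo. Comparing the two dumped buffers at the offset `first_divergence` reports is the quickest way to see which hop introduced the change.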
