[xmlsec] Question about signature verification
Aleksey Sanin
aleksey at aleksey.com
Wed Mar 19 08:38:51 PST 2008
What is the error you get from xmlsec command line tool?
Aleksey
Ivan R. Toledo Ivanovic wrote:
> Hi. I've been trying to verify a signature with an X509 certificate included
> in the KeyInfo node of the signature.
> The XML file being verified contains many documents, each one with its
> signature, and all of them wrapped & signed with the same cert. Tried with
> just one document, does not work.
>
> It seems that xmlsec loads the keys from KeyInfo. Tried with loading them
> manually using xmlSecKeyDataXmlRead, same result.
>
> The signature is marked as invalid (data and digest do not match). The debug
> dump is as follows...
>
> *** snip ***
>
> = VERIFICATION CONTEXT
> == Status: invalid
> == flags: 0x00000000
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000000
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: "c14n","exc-c14n","sha1","rsa-sha1"
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: invalid
> == URI: "#R96972300-KT34F476928"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: "c14n","exc-c14n","sha1","enveloped-signature"
> === uri:
> === uri xpointer expr: #R96972300-KT34F476928
> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Manifest References List:
> === list size: 0
>
> *** snip ***
>
> For the URI (#R96972300-KT34F476928), i've used xmlAddID as suggested in the
> FAQ. But the "reference verification context" is marked as invalid.
>
> The signature:
>
> *** snip ***
>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Canonicalizati
> onMethod>
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
> <Reference URI="#R96972300-KT34F476928">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> <DigestValue>+v9SPAlAeABcdiBAtniCVJ1tj50=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>N1MEp1ckRxMgEQYfrqY4pdq/A4mazx/RhuZNS+IEzJkJueNiHIexU+Vh7Js8
> M09bOGKypbDdTZbVlgarKs61YDdncwIh9NIKX6+H0Lv8FPhHqGbOCe2yf2P6gzK1eGMTT9oC6DyD
> IDeB9h3UE2z+4Aqt1WSupq7ZS14JzrTRFfA=</SignatureValue>
> <KeyInfo>
> <KeyValue>
> <RSAKeyValue>
> <Modulus>w9Jdm/e0BRYGm64tw/mx4O39DHPJbFWzE7WRwWMc2y8F/fg6pw71Hz12f3I6aEpjH9e
> 5Ic38hWql40iJ1DsAd/curVuW/PQNbb5wu31tCtAAaycodkFEDa2GoA8TLqE2InycIkg6aQGIiZd
> DIkMJwCa1Nsb/uJPXBGkpTzPQu1k=</Modulus>
> <Exponent>AQAB</Exponent>
> </RSAKeyValue>
> </KeyValue>
> <X509Data>
> <X509Certificate>MIIEkTCCA/qgAwIBAgIEAQAqmDANBgkqhkiG9w0BAQUFADCBtTELMAkGA1U
> EBhMCQ0wxHTAbBgNVBAgUFFJlZ2lvbiBNZXRyb3BvbGl0YW5hMREwDwYDVQQHFAhTYW50aWFnbzE
> UMBIGA1UEChQLRS1DRVJUQ0hJTEUxIDAeBgNVBAsUF0F1dG9yaWRhZCBDZXJ0aWZpY2Fkb3JhMRc
> wFQYDVQQDFA5FLUNFUlRDSElMRSBDQTEjMCEGCSqGSIb3DQEJARYUZW1haWxAZS1jZXJ0Y2hpbGU
> uY2wwHhcNMDcwOTAzMTQ1NzQxWhcNMDgwOTAyMDAwMDAwWjCBxzELMAkGA1UEBhMCQ0wxFjAUBgN
> VBAgUDU1ldHJvcG9saXRhbmExETAPBgNVBAcUCFNhbnRpYWdvMTAwLgYDVQQKFCdTb2MgQ29uY2V
> jaW9uYXJpYSBBbWVyaWNvIFZlc3B1Y2lvbiBTdXIxEDAOBgNVBAsUB1Npc3RlbWExIzAhBgNVBAM
> UGk1hcmlvIFVsaXNlcyBUb2JhciBBcmF2ZW5hMSQwIgYJKoZIhvcNAQkBFhVtdG9iYXJAdmVzcHV
> jaW9zdXIuY2wwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPSXZv3tAUWBpuuLcP5seDt/Qx
> zyWxVsxO1kcFjHNsvBf34OqcO9R89dn9yOmhKYx/XuSHN/IVqpeNIidQ7AHf3Lq1blvz0DW2+cLt
> 9bQrQAGsnKHZBRA2thqAPEy6hNiJ8nCJIOmkBiImXQyJDCcAmtTbG/7iT1wRpKU8z0LtZAgMBAAG
> jggGYMIIBlDAjBgNVHREEHDAaoBgGCCsGAQQBwQEBoAwWCjA3NTEwNDgyLTAwCQYDVR0TBAIwADA
> 8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmUtY2VydGNoaWxlLmNsL2UtY2VydGNoaWxlY2E
> uY3JsMCMGA1UdEgQcMBqgGAYIKwYBBAHBAQKgDBYKOTY5MjgxODAtNTAfBgNVHSMEGDAWgBTgKP3
> S4GBPs0brGsz1CJEHcjodCDCB0AYDVR0gBIHIMIHFMIHCBggrBgEEAcNSBTCBtTAvBggrBgEFBQc
> CARYjaHR0cDovL3d3dy5lLWNlcnRjaGlsZS5jbC8yMDAwL0NQUy8wgYEGCCsGAQUFBwICMHUac0V
> sIHRpdHVsYXIgaGEgc2lkbyB2YWxpZG8gZW4gZm9ybWEgcHJlc2VuY2lhbCwgcXVlZGFuZG8gZWw
> gQ2VydGlmaWNhZG8gcGFyYSB1c28gdHJpYnV0YXJpbywgcGFnb3MsIGNvbWVyY2lvIHkgb3Ryb3M
> wCwYDVR0PBAQDAgTwMA0GCSqGSIb3DQEBBQUAA4GBAIFSEMePY0KMHqsDKilD8KUnoZqlIwLYKMv
> eG3Y+y92KtV2JIYZn0XLajhSlTgzzfS8R36BuFIeKfoA2tkrLmfGC581SRsM1HtPLdxKYSuVwap5
> Jmpo9bkHpps15qDQU+kpCnFDsGuB5rE0AqtKkvG4+nppWxCfRhixicV6oZ4qd</X509Certifica
> te>
> </X509Data>
> </KeyInfo>
> </Signature>
>
> *** snip ***
>
> Right now I don't know what else to do. The examples in the source tarball
> work fine with certificates loaded from files, but this is not the case.
>
> The structure of the XML file is as follows:
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <DTE xmlns="http://www.sii.cl/SiiDte"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> version="1.0"><Documento
> ID="R96972300-KT34F476928">......CONTENTS......</Documento><Signature
> xmlns="http://www.w3.org/2000/09/xmldsig#">.....CONTENTS.....</Signature></D
> TE>
>
> The "DTE" element is on the same line.
>
>
> Any hints?
>
> Thanks,
> Ivan Toledo
> MovilData Chile
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list