[xmlsec] Question about signature verification

Ivan R. Toledo Ivanovic itoledo at mdchile.com
Wed Mar 19 11:34:22 PST 2008


Version:
xmlsec 1.2.11 (openssl)

Command line:
xmlsec --verify --dtd-file \dtd.xml \sobrefirmados_p1_28.xml

DTD file: (to fix ID issues)
<?xml version="1.0" encoding="ISO-8859-1"?>
<!ATTLIST Documento ID ID #IMPLIED>

Console output:

Loads of text like this:

/sobrefirmados_p1_28.xml:125: element Exponent: validity error : No declaration for element Exponent
/sobrefirmados_p1_28.xml:130: element X509Data: validity error : No declaration for element X509Data
/sobrefirmados_p1_28.xml:131: element X509Certificate: validity error : No declaration for element X509Certificate

And at the end:

func=xmlSecOpenSSLEvpDigestVerify:file=..\src\openssl\digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "\sobrefirmados_p1_28.xml"


All of my files fail like this. The interesting bit is that the receiving
end (a web service made by something like the IRS of Chile) validates all of
these files, but I'm doing something wrong at my end.


Thanks,
Ivan Toledo
MDC 

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: Wednesday, March 19, 2008 13:39
To: Ivan R. Toledo Ivanovic
CC: xmlsec at aleksey.com
Subject: Re: [xmlsec] Question about signature verification

What is the error you get from xmlsec command line tool?

Aleksey

Ivan R. Toledo Ivanovic wrote:
> Hi. I've been trying to verify a signature with an X509 certificate 
> included in the KeyInfo node of the signature.
> The XML file being verified contains many documents, each one with its 
> signature, and all of them wrapped & signed with the same cert. Tried 
> with just one document, does not work.
> 
> It seems that xmlsec loads the keys from KeyInfo. Tried with loading 
> them manually using xmlSecKeyDataXmlRead, same result.
> 
> The signature is marked as invalid (data and digest do not match). The 
> debug dump is as follows...
> 
> *** snip ***
> 
> = VERIFICATION CONTEXT
> == Status: invalid
> == flags: 0x00000000
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000000
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: "c14n","exc-c14n","sha1","rsa-sha1"
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: invalid
> == URI: "#R96972300-KT34F476928"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: "c14n","exc-c14n","sha1","enveloped-signature"
> === uri: 
> === uri xpointer expr: #R96972300-KT34F476928
> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Manifest References List:
> === list size: 0
> 
> *** snip ***
> 
> For the URI (#R96972300-KT34F476928), I've used xmlAddID as suggested 
> in the FAQ. But the "reference verification context" is marked as invalid.
> 
> The signature:
> 
> *** snip ***
> 
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
> <Reference URI="#R96972300-KT34F476928">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> <DigestValue>+v9SPAlAeABcdiBAtniCVJ1tj50=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>N1MEp1ckRxMgEQYfrqY4pdq/A4mazx/RhuZNS+IEzJkJueNiHIexU+
> Vh7Js8
> M09bOGKypbDdTZbVlgarKs61YDdncwIh9NIKX6+H0Lv8FPhHqGbOCe2yf2P6gzK1eGMTT9
> M09bOGKypbDdTZbVlgarKs61YDdncwIh9NIKX6+oC6DyD
> IDeB9h3UE2z+4Aqt1WSupq7ZS14JzrTRFfA=</SignatureValue>
> <KeyInfo>
> <KeyValue>
> <RSAKeyValue>
> <Modulus>w9Jdm/e0BRYGm64tw/mx4O39DHPJbFWzE7WRwWMc2y8F/fg6pw71Hz12f3I6a
> EpjH9e 
> 5Ic38hWql40iJ1DsAd/curVuW/PQNbb5wu31tCtAAaycodkFEDa2GoA8TLqE2InycIkg6a
> QGIiZd DIkMJwCa1Nsb/uJPXBGkpTzPQu1k=</Modulus>
> <Exponent>AQAB</Exponent>
> </RSAKeyValue>
> </KeyValue>
> <X509Data>
> <X509Certificate>[base64 certificate data omitted]</X509Certificate>
> </X509Data>
> </KeyInfo>
> </Signature>
> 
> *** snip ***
> 
> Right now I don't know what else to do. The examples in the source 
> tarball work fine with certificates loaded from files, but this is not the
> case.
> 
> The structure of the XML file is as follows:
> 
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <DTE xmlns="http://www.sii.cl/SiiDte" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0"><Documento ID="R96972300-KT34F476928">......CONTENTS......</Documento><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">.....CONTENTS.....</Signature></DTE>
> 
> The "DTE" element is on the same line.
> 
> 
> Any hints?
> 
> Thanks,
> Ivan Toledo
> MovilData Chile
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
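
An added example, not part of the original messages and not xmlsec code: a small Python triage of console output like the one quoted in this thread, separating the DTD validity messages from the xmlsec error record and the reference counters. The function name `triage`, the report keys and the file name `doc.xml` are assumptions; the sample lines are constructed from the output shown above.

```python
import re

# Constructed sample modelled on the console output quoted in this thread
# (wrapped lines rejoined, file name replaced by a placeholder).
SAMPLE = r"""
/doc.xml:125: element Exponent: validity error : No declaration for element Exponent
/doc.xml:130: element X509Data: validity error : No declaration for element X509Data
func=xmlSecOpenSSLEvpDigestVerify:file=..\src\openssl\digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "\doc.xml"
"""

VALIDITY = re.compile(r"^(?P<file>.+?):(?P<line>\d+): element (?P<elem>[\w:.-]+): validity error : ")
XMLSEC_ERR = re.compile(
    r"^func=(?P<func>[^:]+):file=(?P<file>.+?):line=(?P<line>\d+):obj=(?P<obj>[^:]*)"
    r":subj=(?P<subj>[^:]*):error=(?P<code>\d+):(?P<reason>[^:]*):(?P<msg>.*)$")
REFS = re.compile(r"^SignedInfo References \(ok/all\): (\d+)/(\d+)$")


def triage(output):
    """Summarise xmlsec --verify console output (hypothetical helper)."""
    report = {"dtd_noise": 0, "errors": [], "refs_ok": None,
              "refs_all": None, "status": "unknown"}
    for raw in output.splitlines():
        line = raw.strip()
        if VALIDITY.match(line):
            report["dtd_noise"] += 1  # DTD validation message, not a crypto result
        elif (m := XMLSEC_ERR.match(line)):
            report["errors"].append(m.groupdict())
        elif (m := REFS.match(line)):
            report["refs_ok"], report["refs_all"] = int(m[1]), int(m[2])
        elif line in ("OK", "FAIL"):
            report["status"] = line
    if report["status"] == "FAIL" and report["refs_all"] is not None:
        # A failed Reference means the digest computed over the referenced,
        # transformed content differs from the DigestValue in SignedInfo.
        report["stage"] = ("reference-digest"
                           if report["refs_ok"] < report["refs_all"]
                           else "other")
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```
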



