[xmlsec] problem with <ds:Reference
URI="#xpointer(//*[@authenticate='true'])"> ?
Sébastien BROSSARD
sebastien.brossard at turbosa.banquepopulaire.fr
Tue Apr 22 09:26:54 PDT 2008
Ohh, I'm so sorry and ashamed I sent you those wrong command lines that I
used in previous tries!!
In fact, I use DTD in my code :
"xmlsec verify --dtd-file $DTD_Verif --keys-file $keyfile $inputName"
And
"xmlsec sign --output $outputName --dtd-file $DTD_Sign --keys-file $keyfile
$tmplName"
So now, this is it, the problem is the one below, with those command lines
above.
-----Message d'origine-----
De : Aleksey Sanin [mailto:aleksey at aleksey.com]
Envoyé : mardi 22 avril 2008 16:33
À : Sebastien BROSSARD
Cc : xmlsec at aleksey.com
Objet : Re: [xmlsec] problem with <ds:Reference
URI="#xpointer(//*[@authenticate='true'])"> ?
xmlsec --node-xpath selects the start *Signature* node. It has
nothing to do with xpointer in the Reference URI.
Aleksey
Sebastien BROSSARD wrote:
> Hi everybody
>
>
>
> I am actually developing a software based on the German EBICS norm,
> which specifies that ones got to use
>
> <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
>
> as signatures URI.
>
>
>
> So long so well, when I sign a xml file with xmlsec
>
> (using command line : xmlsec sign --node-xpath
> //*[@authenticate='true'] --output $outputName --keys-file $keyfile)
>
> and then I verify it with xmlsec,
>
> (using command line : "xmlsec verify --node-xpath
> //*[@authenticate='true'] --keys-file $keyfile $inputName)
>
> everything works perfect.
>
>
>
> But here comes the trouble : Im actually working on the server side of
> the EBICS norm, and Im testing my developments on the client side
> thanks to a software called Travic (which is commercialized in Germany
> and then, I can assume, works well).
>
> And when Travic sends me its signature
Verification fails
I keep
> getting this message :
>
> error=18:data do not match:signature do not match FAIL SignedInfo
> References (ok/all): 1/1 Manifests References (ok/all): 0/0 Error:
> failed to verify file.
>
>
>
> It seems like the hash is ok (?), but not the signature.
>
> (Moreover, theres no problem with the client public key, has I can
> decipher text asymmetrical encrypted by this same key.)
>
>
>
> I read here http://www.w3.org/2007/xmlsec/ws/papers/10-ertel/ that the
> handling of this type of ("#xpointer) URI can be subject to two
> different handling, due to two interpretations (both right !) of the
> same norm, i.e :
>
>
>
> One interpretation says that the signed URI must remain unchanged:
>
> "#xpointer(//*[@authenticate='true'])",
>
> while the other one demands escaping which makes the URI look like this:
>
> "#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"
>
>
>
> So the main question is : could it be this type of problem in my case,
> or is the problem that Im facing due to another totally different cause?
>
>
>
>
>
> Thanks for your kind help!
>
>
>
>
>
> Sébastien Brossard
>
> sebastien.brossard at turbosa.banquepopulaire.fr
>
>
>
>
>
> PS :
>
> By the way, heres the xml string that I try to verify :
>
>
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <ebicsNoPubKeyDigestsRequest Revision="1" Version="H001"
> xsi:schemaLocation="http://www.ebics.org/H001
> http://www.ebics.org/H001/ebics_keymgmt_request.xsd"
> xmlns="http://www.ebics.org/H001"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>
> <header authenticate="true">
>
> <static>
>
> <HostID>EBICSFR</HostID>
>
> <Nonce>DB545BDC437B95999202C6EA69393A6E</Nonce>
>
> <Timestamp>2008-04-22T09:29:24.838Z</Timestamp>
>
> <PartnerID>SEB</PartnerID>
>
> <UserID>USERID</UserID>
>
> <OrderDetails>
>
> <OrderType>HPB</OrderType>
>
> <OrderAttribute>DZHNN</OrderAttribute>
>
> </OrderDetails>
>
> <SecurityMedium>0400</SecurityMedium>
>
> </static>
>
> <mutable/>
>
> </header>
>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>
> <ds:SignedInfo>
>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>
> <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
>
> <ds:Transforms>
>
> <ds:Transform
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>
> </ds:Transforms>
>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>jyF+PD4mQ6P5q4krG/spn0tNc7w=</ds:DigestValue>
>
> </ds:Reference>
>
> </ds:SignedInfo>
>
<ds:SignatureValue>EhinV8z06LDoNdeeYebT/Z9UGF0EZViPHexD6H2e5EgPWD8OBV1hYnro2
KJ48N9WMyIf4UkZzKLWSIV4IfIcjtDYzUsLZFke6kL3BKGeFe2jAuAlGyHVD/MUxEU3Fsg6Qkqkn
kQrybjiX1FA9SFdBzyjN8d/9qksRQZXmjkuBNM=</ds:SignatureValue>
>
> </Signature>
>
> <body/>
>
> </ebicsNoPubKeyDigestsRequest>
>
>
>
> And heres the public key of the client software :
>
>
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <Keys xmlns="http://www.aleksey.com/xmlsec/2002">
>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>
> <KeyValue>
>
> <RSAKeyValue>
>
>
<Modulus>AMWVUq4RSou1Dy4VaNIEkIBLddfysftYsXI5Hg+bncOYuDQFlU31B2kqSyzYhXXelhv
hkSXTgNuBGwnf1VFw+VbVR/kVjDhvt2vgPjfKpbXJEEmy8QxJpSpsUFW9DbVbWocnzkxEZJzM7VK
KyBdKXiMWT3wdhRIrqxaLc/NX+S+H</Modulus>
>
> <Exponent>AQAB</Exponent>
>
> </RSAKeyValue>
>
> </KeyValue>
>
> </KeyInfo>
>
> </Keys>
>
>
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list