[xmlsec] problem with <ds:Reference URI="#xpointer(//*[@authenticate='true'])"> ?

Aleksey Sanin aleksey at aleksey.com
Tue Apr 22 11:02:44 PDT 2008


Use --store-references and --store-signatures xmlsec options
to see what *exactly* was hashed and signed. If the other toolkit
has similar options then you can compare the data and figure out
what is wrong.


Aleksey

Sébastien BROSSARD wrote:
> Ohh, I'm so sorry and ashamed I sent you those wrong command lines that I
> used in previous tries!!
> In fact, I use DTD in my code :
> "xmlsec verify --dtd-file $DTD_Verif --keys-file $keyfile $inputName"
> 
> And 
> 
> "xmlsec sign --output $outputName --dtd-file $DTD_Sign --keys-file  $keyfile
> $tmplName"
> 
> So now, this is it, the problem is the one below, with those command lines
> above.
> 
> 
> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Tuesday, April 22, 2008 16:33
> To: Sebastien BROSSARD
> Cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] problem with <ds:Reference
> URI="#xpointer(//*[@authenticate='true'])"> ?
> 
> xmlsec --node-xpath selects the start *Signature* node. It has
> nothing to do with xpointer in the Reference URI.
> 
> Aleksey
> 
> Sebastien BROSSARD wrote:
>> Hi everybody
>>
>> I am actually developing software based on the German EBICS norm,
>> which specifies that one's got to use
>>
>> <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
>>
>> as the signature's URI.
>>
>> So long so well, when I sign an xml file with xmlsec
>> (using command line: "xmlsec sign --node-xpath
>> //*[@authenticate='true'] --output $outputName --keys-file $keyfile")
>> and then I verify it with xmlsec,
>> (using command line: "xmlsec verify --node-xpath
>> //*[@authenticate='true'] --keys-file $keyfile $inputName")
>> everything works perfectly.
>>
>> But here comes the trouble: I'm actually working on the server side of
>> the EBICS norm, and I'm testing my developments on the client side
>> thanks to software called Travic (which is commercialized in Germany
>> and then, I can assume, works well).
>>
>> And when Travic sends me its signature... Verification fails... I keep
>> getting this message:
>>
>> "error=18:data do not match:signature do not match FAIL SignedInfo
>> References (ok/all): 1/1 Manifests References (ok/all): 0/0 Error:
>> failed to verify file".
>>
>> It seems like the hash is ok (?), but not the signature.
>>
>> (Moreover, there's no problem with the client public key, as I can
>> decipher text asymmetrically encrypted by this same key.)
>>
>> I read here http://www.w3.org/2007/xmlsec/ws/papers/10-ertel/ that the
>> handling of this type of ("#xpointer) URI can be subject to two
>> different handlings, due to two interpretations (both right!) of the
>> same norm, i.e.:
>>
>> One interpretation says that the signed URI must remain unchanged:
>>
>> "#xpointer(//*[@authenticate='true'])",
>>
>> while the other one demands escaping which makes the URI look like this:
>>
>> "#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"
>>
>> So the main question is: could it be this type of problem in my case,
>> or is the problem that I'm facing due to another totally different cause?
>>
>> Thanks for your kind help!
>>
>> Sébastien Brossard
>> sebastien.brossard at turbosa.banquepopulaire.fr
>>
>> PS:
>>
>> By the way, here's the xml string that I try to verify:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <ebicsNoPubKeyDigestsRequest Revision="1" Version="H001"
>> xsi:schemaLocation="http://www.ebics.org/H001
>> http://www.ebics.org/H001/ebics_keymgmt_request.xsd"
>> xmlns="http://www.ebics.org/H001"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>   <header authenticate="true">
>>     <static>
>>       <HostID>EBICSFR</HostID>
>>       <Nonce>DB545BDC437B95999202C6EA69393A6E</Nonce>
>>       <Timestamp>2008-04-22T09:29:24.838Z</Timestamp>
>>       <PartnerID>SEB</PartnerID>
>>       <UserID>USERID</UserID>
>>       <OrderDetails>
>>         <OrderType>HPB</OrderType>
>>         <OrderAttribute>DZHNN</OrderAttribute>
>>       </OrderDetails>
>>       <SecurityMedium>0400</SecurityMedium>
>>     </static>
>>     <mutable/>
>>   </header>
>>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>     <ds:SignedInfo>
>>       <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>       <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>       <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
>>         <ds:Transforms>
>>           <ds:Transform
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>         </ds:Transforms>
>>         <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>         <ds:DigestValue>jyF+PD4mQ6P5q4krG/spn0tNc7w=</ds:DigestValue>
>>       </ds:Reference>
>>     </ds:SignedInfo>
>> <ds:SignatureValue>EhinV8z06LDoNdeeYebT/Z9UGF0EZViPHexD6H2e5EgPWD8OBV1hYnro2
>> KJ48N9WMyIf4UkZzKLWSIV4IfIcjtDYzUsLZFke6kL3BKGeFe2jAuAlGyHVD/MUxEU3Fsg6Qkqkn
>> kQrybjiX1FA9SFdBzyjN8d/9qksRQZXmjkuBNM=</ds:SignatureValue>
>>   </Signature>
>>   <body/>
>> </ebicsNoPubKeyDigestsRequest>
>>
>> And here's the public key of the client software:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <Keys xmlns="http://www.aleksey.com/xmlsec/2002">
>> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>> <KeyValue>
>> <RSAKeyValue>
>> <Modulus>AMWVUq4RSou1Dy4VaNIEkIBLddfysftYsXI5Hg+bncOYuDQFlU31B2kqSyzYhXXelhv
>> hkSXTgNuBGwnf1VFw+VbVR/kVjDhvt2vgPjfKpbXJEEmy8QxJpSpsUFW9DbVbWocnzkxEZJzM7VK
>> KyBdKXiMWT3wdhRIrqxaLc/NX+S+H</Modulus>
>> <Exponent>AQAB</Exponent>
>> </RSAKeyValue>
>> </KeyValue>
>> </KeyInfo>
>> </Keys>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
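The symptom in this thread (References 1/1 ok, then "signature do not match") is exactly what you get when signer and verifier agree on the bytes of the referenced node but disagree on the canonical bytes of SignedInfo, which carry the Reference URI text verbatim; the two URI interpretations from the Ertel paper are one way for that to happen, a wrong verification key is another. The script below is an added illustration, not code from xmlsec or from anyone in the thread: it runs the thread's algorithms (inclusive C14N 1.0, SHA-1) over a constructed, namespace-free sample document (not the EBICS message above, so its digest is not that message's DigestValue), shows that the reference digest is the same under both URI spellings while the hash that rsa-sha1 would sign differs, and leaves the RSA step out since it cannot make unequal hashes equal. All function names and the sample document are mine; it needs Python 3.8+ for `xml.etree.ElementTree.canonicalize`.

```python
# Added example (not xmlsec project code): why a reference digest can match
# while the SignedInfo signature fails when the Reference URI is spelled
# differently by signer and verifier. Python 3.8+ (ET.canonicalize).
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XPOINTER_URI = "#xpointer(//*[@authenticate='true'])"

# Constructed sample document, deliberately namespace-free. It is NOT the
# EBICS message from the thread, so its digest is not that message's digest.
SAMPLE_DOC = """<request>
  <header authenticate="true"><HostID>HOSTID</HostID><Nonce>0001</Nonce></header>
  <body/>
</request>"""


def c14n(xml_text: str) -> bytes:
    """Inclusive Canonical XML 1.0, the algorithm named by both the
    CanonicalizationMethod and the Transform in the thread's message."""
    return ET.canonicalize(xml_data=xml_text).encode("utf-8")


def reference_digest(doc: str) -> str:
    """Base64 SHA-1 of the canonicalized element that //*[@authenticate='true']
    selects (assumes exactly one such element, as in the EBICS header)."""
    root = ET.fromstring(doc)
    selected = root.find(".//*[@authenticate='true']")
    if selected is None:
        raise ValueError("no element with authenticate='true'")
    selected.tail = None  # tostring() would otherwise append trailing whitespace
    data = c14n(ET.tostring(selected, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def signed_info(uri: str, digest_value: str) -> str:
    """Minimal SignedInfo in the shape of the thread's message (hypothetical
    helper; Transforms omitted because they do not change the point)."""
    return (
        f'<ds:SignedInfo xmlns:ds="{DS_NS}">'
        f'<ds:CanonicalizationMethod Algorithm="{C14N}"/>'
        f'<ds:SignatureMethod Algorithm="{DS_NS}rsa-sha1"/>'
        f'<ds:Reference URI="{uri}">'
        f'<ds:DigestMethod Algorithm="{DS_NS}sha1"/>'
        f'<ds:DigestValue>{digest_value}</ds:DigestValue>'
        "</ds:Reference></ds:SignedInfo>"
    )


def signature_input(uri: str, digest_value: str) -> str:
    """Hex SHA-1 over canonical SignedInfo: the value rsa-sha1 signs over.
    The RSA operation itself is left out; it cannot reconcile unequal hashes."""
    return hashlib.sha1(c14n(signed_info(uri, digest_value))).hexdigest()


def escaped_uri(uri: str) -> str:
    """The second interpretation quoted from the Ertel paper: percent-encode
    the xpointer argument, keeping '*' literal as in the thread's example."""
    head, _, rest = uri.partition("(")
    return head + "(" + urllib.parse.quote(rest[:-1], safe="*") + ")"


def compare_interpretations(doc: str) -> dict:
    """The digest does not depend on the URI spelling; the signed bytes do."""
    digest = reference_digest(doc)
    plain = signature_input(XPOINTER_URI, digest)
    escaped = signature_input(escaped_uri(XPOINTER_URI), digest)
    return {
        "digest": digest,
        "signed_input_plain": plain,
        "signed_input_escaped": escaped,
        "signature_inputs_differ": plain != escaped,
    }


if __name__ == "__main__":
    for key, value in compare_interpretations(SAMPLE_DOC).items():
        print(f"{key}: {value}")
```

In practice this is the comparison Aleksey's `--store-references` and `--store-signatures` options let you make against real data: if the stored reference bytes match the other toolkit's but the stored SignedInfo bytes do not, look at how each side writes the Reference URI before suspecting the key.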