[xmlsec] invalid data:data and digest do not match

weizhong qiang weizhongqiang at gmail.com
Thu Oct 9 08:57:30 PDT 2008


Hello,
When I verify the signature, I get the following error:
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
data:data and digest do not match

The point is I can use the same code to verify some other XML signatures,
except this one, which I got as a response from someone else's Web Service.
Could you check the following XML piece to see whether there is something
that causes this error? Could it possibly be caused by "<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml
xs"/>", which does not seem to exist in my own generated response?

Thanks
Weizhong Qiang


**********************

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_4f357ca2-ad38-4611-8dfd-f5e4d193d95c"
IssueInstant="2008-10-09T15:48:59.621Z"
Version="2.0"><saml:Issuer>CN=Weizhong
Qiang,OU=fys.uio.no,O=NorduGrid,O=Grid</saml:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_4f357ca2-ad38-4611-8dfd-f5e4d193d95c">
<ds:Transforms>
<ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml
xs"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>6GUoFLrpxDGrP3b8nYToGuTGDkQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Tv8kUkw0Lvplsa5WY/GfT5TW2ggxsKCFp9p+VEBLIcHQATy/kCUDQiPLeBT8ZcgOB6YFR/xo3848
GWBX4GwtREGAhIznm6GSic67lnfvpwzb/GQhxVZf+YnIvPfpytAutmM2dSm03ZTO8tPXBfG4Tcyu
kqHPcwnZs34BaWKss2I=
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDMjCCApugAwIBAgICC3kwDQYJKoZIhvcNAQEFBQAwTzENMAsGA1UEChMER3JpZDESMBAGA1UE
ChMJTm9yZHVHcmlkMSowKAYDVQQDEyFOb3JkdUdyaWQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDgwNDE2MDk1NzUxWhcNMDkwNDE2MDk1NzUxWjBRMQ0wCwYDVQQKEwRHcmlkMRIwEAYDVQQK
EwlOb3JkdUdyaWQxEzARBgNVBAsTCmZ5cy51aW8ubm8xFzAVBgNVBAMTDldlaXpob25nIFFpYW5n
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwVJsM8PUkeBVSRXWbmlwSvIxwOMvDnw0CbM4k
d9EBZBjjaW/TTwBfKiTuLyONSQ3BV9APndWXPoqNy3F7cZbsA9IeIalOi0KtVtNVktybspEGJZRy
FN+kprbLJKoEViOB8q1DG0rv09zWA7n6qRFJcKqzePzsKy8Zo/bL3bI85QIDAQABo4IBGTCCARUw
CQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMCwGCWCGSAGG+EIBDQQf
Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUfkmW6yooaz8IDx6cd2BK
7RUrDjcwdwYDVR0jBHAwboAUGAXA/AvRtzr0ZZIJ+1mhX8eIxPChU6RRME8xDTALBgNVBAoTBEdy
aWQxEjAQBgNVBAoTCU5vcmR1R3JpZDEqMCgGA1UEAxMhTm9yZHVHcmlkIENlcnRpZmljYXRpb24g
QXV0aG9yaXR5ggEAMCIGA1UdEQQbMBmBF3dlaXpob25ncWlhbmdAZ21haWwuY29tMA0GCSqGSIb3
DQEBBQUAA4GBABgih1dwIS2FDdMlzO/pucYju87s8V1xcVxxjh7jYeSbOgmc3rWfohKkkvomtmnJ
22Ae0mfN/sNaZVwxO82XNej5lob8xp+iroYM+Rrt6ZnhWDNaMuIKTbFA/HgfnTcZjrPm5ttNYorb
qDCr7j/ab0xkaTwQYVjnJc0lyjaWGsdL</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=test,O=UiO,ST=Oslo,C=NO</saml:NameID><saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml:SubjectConfirmationData><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#
"><ds:X509Data><ds:X509Certificate>MIICozCCAgygAwIBAgIBATANBgkqhkiG9w0BAQQFADA3MQswCQYDVQQGEwJOTzENMAsGA1UECBME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==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions
NotBefore="2008-10-09T15:48:59.621Z"
NotOnOrAfter="2008-10-10T02:48:59.621Z"/><saml:AttributeStatement><saml:Attribute
Name="Degree"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue
xsi:type="xs:string">PhD</saml:AttributeValue></saml:Attribute><saml:Attribute
Name="http://voms.forge.cnaf.infn.it/group"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue
xsi:type="xs:string">/knowarc</saml:AttributeValue><saml:AttributeValue
xsi:type="xs:string">/knowarc/UiO</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
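
Added example, not part of the original post and not xmlsec code: a narrowed Exclusive C14N serializer (prefixed elements, simple attributes and text only) that shows how the `PrefixList="ds saml xs"` in the message changes the canonical bytes of the referenced element, and therefore its SHA-1 digest, depending on which namespace declarations are in scope. The `env` wrapper, the `_a1` ID and the function names are assumptions; the sample document is constructed.

```python
import base64
import hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape

# Constructed sample: xs/xsi are declared on a hypothetical enclosing element.
SAMPLE = (
    '<env xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">'
    '<saml:AttributeValue xsi:type="xs:string">PhD</saml:AttributeValue>'
    '</saml:Assertion></env>'
)

def scope(node):
    """Map prefix -> namespace URI in scope at node (nearest declaration wins)."""
    ns = {}
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for a in node.attributes.values():
            if a.prefix == "xmlns":
                ns.setdefault(a.localName, a.value)
        node = node.parentNode
    return ns

def exc_c14n(el, prefix_list=(), rendered=None):
    """Narrowed Exclusive C14N: prefixed names, simple attributes, text only."""
    rendered = dict(rendered or {})
    attrs = [a for a in el.attributes.values() if a.prefix != "xmlns"]
    # Visibly utilized prefixes plus PrefixList entries; only in-scope ones count.
    wanted = {el.prefix} | {a.prefix for a in attrs} | set(prefix_list)
    ns = scope(el)
    out = "<" + el.tagName
    for p in sorted(p for p in wanted if p in ns and rendered.get(p) != ns[p]):
        rendered[p] = ns[p]
        out += ' xmlns:%s="%s"' % (p, ns[p])
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out += ' %s="%s"' % (a.name, a.value.replace("&", "&amp;").replace('"', "&quot;"))
    out += ">"
    for c in el.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            out += exc_c14n(c, prefix_list, rendered)
        elif c.nodeType == c.TEXT_NODE:
            out += escape(c.data)
    return out + "</" + el.tagName + ">"

def reference_digest(xml, prefix_list=()):
    """Return (canonical form, base64 SHA-1) of the first saml:Assertion."""
    el = minidom.parseString(xml).getElementsByTagName("saml:Assertion")[0]
    canon = exc_c14n(el, prefix_list)
    return canon, base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()
```

Without a PrefixList the `xs` declaration never reaches the output because `xs` appears only inside an attribute value; with it, `xmlns:xs` is emitted wherever it is first in scope, so the digest depends on where the surrounding document declares it.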