[xmlsec] XML Enveloped signature: problem declaring Reference URI to root node

Aleksey Sanin aleksey at aleksey.com
Wed May 5 00:41:25 PDT 2010


http://www.aleksey.com/xmlsec/faq.html

Aleksey

On 5/5/2010 12:39 AM, Carlos Gutiérrez wrote:
> Hello,
> I'm trying to validate the below XML enveloping/enveloped signature at
> http://www.aleksey.com/xmlsec/xmldsig-verifier.html but I'm getting an
> xpointer-related error.
> The error received is:
>
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('RemesaMensajeLigeroFirmaGlobal'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature verification failed
>
> the XML:
> <?xml version="1.0" encoding="UTF-8" ?>
> <ape:RemesaMensajeLigeroFirmaGlobal xmlns:ape="urn:correos:ape:1.0"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> Id="RemesaMensajeLigeroFirmaGlobal" ape:idRef="20100429132756490000">
> <ape:Mensaje ape:idUnico="0959000001180" tipo="NOTIFICACION">
> <ape:Emisor>Q2826000H</ape:Emisor>
> <ape:Buzon>05113189J</ape:Buzon>
> <ape:Notificado obligado="true">05113189J</ape:Notificado>
> <ape:Autorizado nif="A78999273" />
> <ape:ActoNotificado>AEATPI20040504GECOEX</ape:ActoNotificado>
> <ape:Asunto>MODIF.IMPORTE CREDITOS Nº020923300221Y</ape:Asunto>
> <ape:Contenido>
> <ape:HuellaDigital
> algoritmo="SHA-1">9335d792cef1a2de3a61e6728188c3bc43a431fa</ape:HuellaDigital>
>
> </ape:Contenido>
> </ape:Mensaje>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Firma">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> <Reference URI="#RemesaMensajeLigeroFirmaGlobal">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <DigestValue>kOK2dhpXe/Qywad8hvAiFQiondo=</DigestValue>
> </Reference>
> <Reference URI="#CertificadoFirmante">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <DigestValue>/Q5DR3ceJgc+1NK2LI3MP3YTrtM=</DigestValue>
> </Reference>
> <Reference URI="#SignedProperties">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <DigestValue>EgQYPNGKuwTnzsjVS/AVgUYSEd4=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>AGsgkJ+UC73pekxf/13B6UI4otHKQV5PNXMEkxVb0grhdm9ozffnFok0988AB/I/6AbE0MNhrTbU
> H5FIt12mGo8uwt2KGo0YJnJfDlNH9+I3MB1flskQMcYOnJg2T/haWTB5u3FjdM22Q7UZsrJ2ri5C
> y2NNao6c5RJlJU3WVUk=</SignatureValue>
> <KeyInfo Id="CertificadoFirmante">
> <X509Data>
> <X509Certificate>MIIFHjCCBIegAwIBAgIEPLueRTANBgkqhkiG9w0BAQUFADA2MQswCQYDVQQGEwJFUzENMAsGA1UE
> ChMERk5NVDEYMBYGA1UECxMPRk5NVCBDbGFzZSAyIENBMB4XDTEwMDQxMjE4MDcyOFoXDTEzMDQx
> MjE4MDcyOFowgYAxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENs
> YXNlIDIgQ0ExEjAQBgNVBAsTCTUwMDA1MzA3NTE0MDIGA1UEAxQrTk9NQlJFIEVTUEHxT0wgRVNQ
> QfFPTCBKVUFOIC0gTklGIDk5OTk5OTk5UjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtodl
> IWnO/HEJig91PQBPy7F9WI/X6q4EeCipS+ZnMzlhiOzY8V5bUOCxr+JlULtOVlwhAMw/CLImyMfx
> vCV1ECkXOCFkgUFssTBl9MqU9zSvZnIrZ1pkApsVpTWcQAhBt8m6mEiLKkwojPKosv64f7PWVtFz
> 8EdRQLhLwUvXoisCAwEAAaOCAuwwggLoMGwGA1UdEQRlMGOkYTBfMRgwFgYJKwYBBAGsZgEEEwk5
> OTk5OTk5OVIxFjAUBgkrBgEEAaxmAQMUB0VTUEHRT0wxFjAUBgkrBgEEAaxmAQIUB0VTUEHRT0wx
> EzARBgkrBgEEAaxmAQETBEpVQU4wCQYDVR0TBAIwADArBgNVHRAEJDAigA8yMDEwMDQxMjE4MDcy
> OFqBDzIwMTMwNDEyMTgwNzI4WjALBgNVHQ8EBAMCBaAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1Ud
> DgQWBBSZi9FNqfHZcEL9Nx8gfEis9Lp1IDAfBgNVHSMEGDAWgBRAmnZEl3QHxKwUyx6NTzpFfDDX
> YTCCATEGA1UdIASCASgwggEkMIIBIAYJKwYBBAGsZgMFMIIBETA0BggrBgEFBQcCARYoaHR0cDov
> L3d3dy5jZXJ0LmZubXQuZXMvY29udmVuaW8vZHBjLnBkZjCB2AYIKwYBBQUHAgIwgcsagchDZXJ0
> aWZpY2FkbyBSZWNvbm9jaWRvIGV4cGVkaWRvIHNlZ/puIGxlZ2lzbGFjafNuIHZpZ2VudGUuVXNv
> IGxpbWl0YWRvIGEgbGEgQ29tdW5pZGFkIEVsZWN0cvNuaWNhIHBvciB2YWxvciBt4XhpbW8gZGUg
> MTAwIGUgc2Fsdm8gZXhjZXBjaW9uZXMgZW4gRFBDLkNvbnRhY3RvIEZOTVQ6Qy9Kb3JnZSBKdWFu
> IDEwNi0yODAwOS1NYWRyaWQtRXNwYfFhLjAdBgkrBgEEAaxmASEEEBYOUEVSU09OQSBGSVNJQ0Ew
> LwYIKwYBBQUHAQMEIzAhMAgGBgQAjkYBATAVBgYEAI5GAQIwCxMDRVVSAgFkAgEAMFsGA1UdHwRU
> MFIwUKBOoEykSjBIMQswCQYDVQQGEwJFUzENMAsGA1UEChMERk5NVDEYMBYGA1UECxMPRk5NVCBD
> bGFzZSAyIENBMRAwDgYDVQQDEwdDUkw3MDE0MA0GCSqGSIb3DQEBBQUAA4GBABq/mfoMQaczp2jX
> IeBygiLSpcRzwRa5K0PGMt0MtEyKacwdqy6bKMP28hz2qCwRTGeBhG9+rnwjkiZlXSMBnIb3x8Gb
> VKX9Mehr4xPpHI4wIp0cNiG01ZILqAGk1GKCTbE/4FnZZzTMKSnFtBp3ZzpXkzTiwrrf615G7JwG
> O6vu</X509Certificate>
> </X509Data>
> </KeyInfo>
> <Object>
> <etsi:QualifyingProperties
> xmlns:etsi="http://uri.etsi.org/01903/v1.2.2#" Target="#Firma"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <etsi:SignedProperties Id="SignedProperties">
> <etsi:SignedSignatureProperties>
> <etsi:SigningTime>2010-04-29T13:27:58+01:00</etsi:SigningTime>
> <etsi:SignaturePolicyIdentifier>
> <etsi:SignaturePolicyId>
> <etsi:SigPolicyId>
> <etsi:Identifier>http://www.aeat.es/firma/SignaturePolicyV1.pdf</etsi:Identifier>
>
> </etsi:SigPolicyId>
> <etsi:SigPolicyHash>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <ds:DigestValue>Dmi29y1d6Np/ARK0xKGu/CyA4ZU=</ds:DigestValue>
> </etsi:SigPolicyHash>
> </etsi:SignaturePolicyId>
> </etsi:SignaturePolicyIdentifier>
> </etsi:SignedSignatureProperties>
> <etsi:SignedDataObjectProperties>
> <etsi:DataObjectFormat ObjectReference="#RemesaMensajeLigeroFirmaGlobal">
> <etsi:Description>descripcion</etsi:Description>
> <etsi:MimeType>mime</etsi:MimeType>
> <etsi:Encoding>ulyimo</etsi:Encoding>
> </etsi:DataObjectFormat>
> </etsi:SignedDataObjectProperties>
> </etsi:SignedProperties>
> </etsi:QualifyingProperties>
> </Object>
> </Signature>
> </ape:RemesaMensajeLigeroFirmaGlobal>
>
> What we understand from the error message is that there's a problem when
> resolving the first URI Reference. Is it mandatory that the Reference
> element that contains the enveloped transformation declare its URI
> attribute as "" ?
> As far as I know there shouldn't be any problem in including a URI value
> within the Reference element that contains the enveloped transform,
> isn't it?
>
>
>
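Why the `xpointer(id('RemesaMensajeLigeroFirmaGlobal'))` lookup in the log above can fail, as an added example (not part of the original thread and not xmlsec code): libxml2 treats an attribute as an ID only when it is declared as one (DTD, `xml:id`) or registered by the application, and the posted document carries no DTD. The Python model below resolves the three `Reference` URIs against an explicit ID table on a constructed, cut-down copy of the posted XML; `build_id_table` and `resolve_references` are hypothetical names.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: cut-down copy of the posted document, values elided.
SAMPLE = """<ape:RemesaMensajeLigeroFirmaGlobal xmlns:ape="urn:correos:ape:1.0"
    Id="RemesaMensajeLigeroFirmaGlobal">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Firma">
    <SignedInfo>
      <Reference URI="#RemesaMensajeLigeroFirmaGlobal"/>
      <Reference URI="#CertificadoFirmante"/>
      <Reference URI="#SignedProperties"/>
    </SignedInfo>
    <KeyInfo Id="CertificadoFirmante"/>
    <Object><SignedProperties Id="SignedProperties"/></Object>
  </Signature>
</ape:RemesaMensajeLigeroFirmaGlobal>"""

def build_id_table(root, id_attrs):
    """Map ID value -> elements carrying it, for attribute names treated as IDs."""
    table = {}
    for elem in root.iter():
        for name in id_attrs:
            if elem.get(name) is not None:
                table.setdefault(elem.get(name), []).append(elem)
    return table

def resolve_references(xml_text, id_attrs=()):
    """Return {URI: target local name} for each ds:Reference; raise if one fails."""
    # Hypothetical helper; for untrusted input use a hardened parser.
    root = ET.fromstring(xml_text)
    table = build_id_table(root, id_attrs)
    resolved = {}
    for ref in root.iter("{%s}Reference" % DSIG):
        uri = ref.get("URI", "")
        if uri == "":
            resolved[uri] = "(whole document)"
            continue
        if not uri.startswith("#"):
            raise ValueError("external reference refused: %r" % uri)
        targets = table.get(uri[1:], [])
        if len(targets) != 1:  # 0 = ID never registered, >1 = ambiguous target
            raise LookupError("%s matches %d elements" % (uri, len(targets)))
        resolved[uri] = targets[0].tag.rsplit("}", 1)[-1]
    return resolved

if __name__ == "__main__":
    print(resolve_references(SAMPLE, id_attrs=("Id",)))
```

With no ID attribute registered the first reference fails, as in the posted log; once `Id` is registered, `#RemesaMensajeLigeroFirmaGlobal` resolves to the root element. In the xmlsec1 command-line tool the corresponding registration is done with the `--id-attr` option.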

