[xmlsec] online xml signature verifier

Aleksey Sanin aleksey at aleksey.com
Fri Feb 18 07:57:43 PST 2011


1) "RESULT: Signature is INVALID"
The signature is invalid. Make sure you don't modify signed XML
(note: spaces *are* significant!)

2) "failed:expr=xpointer(id(...))"
Read FAQ at http://www.aleksey.com/xmlsec/faq.html

Aleksey



On 2/17/11 8:33 AM, Joseph McDonald wrote:
> Hi Aleksey,
> Thanks for making your signature verification tool!
>
> I tried entering your xml at
> http://www.aleksey.com/xmlsec/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml
> into your tool at: http://www.aleksey.com/xmlsec/xmldsig-verifier.html
>
> and it said:
> func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=dsa-sha1:subj=EVP_VerifyFinal:error=18:data
> do not match:signature do not match
> RESULT: Signature is INVALID
>
> Do I need to do something else to make it work?
>
> Anyways, I'm trying to validate my signature using your "fake" root
> certificate and entering the xml below, and I get:
>
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
> library function
> failed:expr=xpointer(id('Id-bc50e5ed-5dbd-428c-a8e6-0d9a9e918d46'))
>
> Do you know why it can't find that id?  I'm new to xml and having
> probs getting this signature thing working, any help you can give
> would be appreciated.
> thanks,
> -joe
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
>                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>                 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>                 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>    <soap:Header>
>      <wsMessageHeader
> xmlns="http://integration.sprint.com/common/header/WSMessageHeader/v2">
>        <trackingMessageHeader>
>          <applicationId>joe 1234</applicationId>
>          <applicationUserId>test</applicationUserId>
>          <consumerId>7UL</consumerId>
>          <messageId>123</messageId>
>          <conversationId>123</conversationId>
>          <timeToLive>0</timeToLive>
>          <messageDateTimeStamp>2011-02-17T16:02:22Z</messageDateTimeStamp>
>        </trackingMessageHeader>
>      </wsMessageHeader>
>      <wsse:Security soap:mustUnderstand="1">
>        <wsu:Timestamp wsu:Id="Id-11c2d4cf-9d89-4ea3-82b6-9a2b62d35ebd">
>          <wsu:Created>2011-02-17T16:02:22Z</wsu:Created>
>          <wsu:Expires>2011-02-17T16:03:22Z</wsu:Expires>
>        </wsu:Timestamp>
>        <wsse:BinarySecurityToken
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>
> wsu:Id="SecurityToken-1935a68f-f5c0-435a-9b94-a87f11a56dc7">[base64-encoded X.509 certificate omitted]</wsse:BinarySecurityToken>
>        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>                      Id="Signature-41">
>          <ds:SignedInfo>
>            <ds:CanonicalizationMethod
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>            <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>            <ds:Reference URI="#Id-bc50e5ed-5dbd-428c-a8e6-0d9a9e918d46">
>              <ds:Transforms>
>                <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>              </ds:Transforms>
>              <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>              <ds:DigestValue>sGCuH2K/SkH7pfIiG5xe48a5ZiU=</ds:DigestValue>
>            </ds:Reference>
>            <ds:Reference URI="#Id-11c2d4cf-9d89-4ea3-82b6-9a2b62d35ebd">
>              <ds:Transforms>
>                <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>              </ds:Transforms>
>              <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>              <ds:DigestValue>FOlH08ZTTFiFhZVwwH3K5+yy7Qw=</ds:DigestValue>
>            </ds:Reference>
>          </ds:SignedInfo>
>          <ds:SignatureValue>
> uMcwb17LCttQKvp68kQ9IRCy5tqEtC8h/SuwT7OoSkTUzDxJ65J0/WRLPCzZ
> xZqxhWRolkClMeewrF9Cs5uN+z1ED89TjAdhZ6CDTxVch2q+WUJTUzJABrsm
> jdmgGK//hEmq8dRhtXdTilrgg3R4rllGaIcv9R1TSdqM8in36kY=
>              </ds:SignatureValue>
>          <ds:KeyInfo>
>            <wsse:SecurityTokenReference>
>              <wsse:Reference
> URI="#SecurityToken-1935a68f-f5c0-435a-9b94-a87f11a56dc7"
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> />
>            </wsse:SecurityTokenReference>
>          </ds:KeyInfo>
>        </ds:Signature>
>      </wsse:Security>
>    </soap:Header>
>    <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>               wsu:Id="Id-bc50e5ed-5dbd-428c-a8e6-0d9a9e918d46">
>      <queryCsa xmlns="http://integration.sprint.com/interfaces/QueryCsa/v1/QueryCsaEnvelope.xsd">
>        <geoCode>ExactAddress</geoCode>
>        <street>6500 Sprint Parkway</street>
>        <city>Overland Park</city>
>        <state>KS</state>
>        <zip>
>          <uspsPostalCd>66251</uspsPostalCd>
>        </zip>
>      </queryCsa>
>    </soap:Body>
> </soap:Envelope>
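
An added illustration of the two points in the reply above (not part of the original thread, and not xmlsec code), using only the Python standard library as a stand-in: whitespace inside element content changes the digest, and an `id` lookup finds nothing until the attribute is declared to be an ID. Assumptions: `canonicalize` implements C14N 2.0 rather than the exclusive C14N named in the message, minidom stands in for libxml2's ID handling, and the sample document and the `body-1` value are constructed.

```python
import base64
import hashlib
from xml.dom import minidom
from xml.etree.ElementTree import canonicalize

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample: a cut-down envelope whose Body carries a wsu:Id.
DOC = (
    '<Envelope xmlns:wsu="%s">'
    '<Body wsu:Id="body-1"><zip>\n  <code>66251</code>\n</zip></Body>'
    '</Envelope>' % WSU
)


def digest(xml_text):
    """SHA-1 over the canonical form, base64-encoded like ds:DigestValue."""
    canonical = canonicalize(xml_text)  # C14N 2.0 (assumption: not exc-c14n)
    raw = hashlib.sha1(canonical.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def resolve_id(xml_text, id_value, declare=False):
    """Resolve an ID reference; optionally declare wsu:Id as an ID first."""
    dom = minidom.parseString(xml_text)
    if declare:
        for el in dom.getElementsByTagName("*"):
            if el.hasAttributeNS(WSU, "Id"):
                el.setIdAttributeNS(WSU, "Id")
    # Without a DTD or an explicit declaration, no attribute is an ID,
    # so the lookup returns None even though the value is in the document.
    return dom.getElementById(id_value)


if __name__ == "__main__":
    reindented = DOC.replace("\n  ", "").replace("\n", "")
    respaced_tag = DOC.replace('<Body wsu:Id="body-1">',
                               '<Body   wsu:Id="body-1" >')
    print("original           ", digest(DOC))
    print("text whitespace cut", digest(reindented))    # differs
    print("tag spacing changed", digest(respaced_tag))  # same as original
    print("undeclared lookup  ", resolve_id(DOC, "body-1"))
    print("declared lookup    ", resolve_id(DOC, "body-1", declare=True))
```

Spacing between attributes inside a start tag is normalized away by canonicalization, but whitespace between elements is part of the signed content, which is why re-indenting or pretty-printing a signed document invalidates it.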

