[xmlsec] Trouble signing message with xmlSecTmplReferenceAddTransform type xmlSecTransformExclC14NId

Aleksey Sanin aleksey at aleksey.com
Wed Nov 21 06:11:14 PST 2012


You probably want *both* enveloped and exclC14N transforms. Otherwise,
you will be modifying the signed data when you add the signature, and this
is why you get the digest mismatch error.

Best,

Aleksey

On 11/20/12 3:38 AM, Tim Tassonis wrote:
> Hello List
> 
> I have to create a signed soap message to an application that expects a
> reference with transform xmlSecTransformExclC14NId and not the enveloped
> transform.
> 
> I always get an error "invalid data:data and digest do not match".
> 
> What I did was:
> 
> /* <ds:Signature> template: SignedInfo with the C14N and signature methods */
> signNode = xmlSecTmplSignatureCreateNsPref(doc, xmlSecTransformExclC14NId,
>                                            xmlSecTransformRsaSha1Id, NULL, "ds");
> 
> /* the signature is placed inside the document it signs */
> xmlAddChild(xmlDocGetRootElement(doc), signNode);
> 
> /* reference without a URI attribute: the referenced data is the whole document */
> refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha512Id,
>                                           NULL, NULL, NULL);
> 
> xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformExclC14NId);
> 
> /*
> xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId);
> */
> 
> keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
> xmlSecTmplKeyInfoAddX509Data(keyInfoNode);
> 
> /* signing context: private key from PEM, certificate attached for <X509Data> */
> dsigCtx = xmlSecDSigCtxCreate(NULL);
> dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem,
>                                           key_pass, NULL, NULL);
> xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, crt_file, xmlSecKeyDataFormatPem);
> xmlSecKeySetName(dsigCtx->signKey, "private.key");
> 
> xmlSecDSigCtxSign(dsigCtx, signNode);
> 
> (I do originally have all the checks for success of the operations in
> place, I just removed them for brevity of this mail).
> 
> 
> If I change xmlSecTransformExclC14NId to xmlSecTransformEnvelopedId in
> xmlSecTmplReferenceAddTransform, verify3 reports success (but my
> application doesn't accept it), but otherwise both verify3 and the
> application report "invalid data:data and digest do not match".
> 
> What am I doing wrong here?
> 
> 
> Kind regards
> Tim
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
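The digest mismatch in the thread can be reproduced without xmlsec at all. The
following is an added illustration, not code from the original post or from the
xmlsec project: it builds a constructed SOAP message, adds a ds:Signature
template under the root exactly as the poster does (xmlAddChild before
signing), computes the Reference digest over the referenced data, and then
verifies it. Assumptions: Python 3.8+ standard library only; xml.etree's
C14N 2.0 canonicaliser stands in for Exclusive C14N; only the Reference digest
is computed, no key and no SignatureValue. A Reference with URI="" covers the
whole document including the Signature element, so filling in DigestValue
after hashing changes the hashed data unless the enveloped-signature transform
removes the Signature subtree first. The example also goes one step beyond the
thread and shows a Reference to an Id-carrying Body (URI="#body"), which is
outside the Signature and therefore verifies with ExclC14N alone.

```python
"""Why a ds:Reference with URI="" needs the enveloped-signature transform in
front of exclusive C14N, and how a URI="#id" reference avoids it.

Added illustration, stdlib only (Python 3.8+); not xmlsec code.  Assumptions:
xml.etree's C14N 2.0 stands in for Exclusive C14N, the message is constructed,
and only the Reference digest is computed (no key, no SignatureValue)."""
import base64
import hashlib
from xml.etree import ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("ds", DSIG_NS)
ET.register_namespace("soap", SOAP_NS)


def ds(local):
    """Clark-notation tag for an XMLDSig element."""
    return "{%s}%s" % (DSIG_NS, local)


# Algorithm identifiers used in ds:Transform/@Algorithm and ds:DigestMethod/@Algorithm.
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512"

# Constructed sample message; the Body carries an Id so it can be referenced directly.
UNSIGNED_DOC = (
    '<soap:Envelope xmlns:soap="%s"><soap:Body Id="body">'
    '<Transfer><Amount>100</Amount></Transfer>'
    '</soap:Body></soap:Envelope>' % SOAP_NS
)


def referenced_node(root, uri):
    """URI="" is the whole document; URI="#x" is the element whose Id is x."""
    if uri == "":
        return root
    for el in root.iter():
        if el.get("Id") == uri[1:]:
            return el
    raise ValueError("no element with Id %r" % uri[1:])


def reference_digest(root, uri, transforms):
    """What a signer/verifier does per ds:Reference: select the data, run the
    transform chain over it, hash the resulting octets."""
    text = ET.tostring(referenced_node(root, uri), encoding="unicode")
    # Enveloped drops the ds:Signature subtree; the canonicaliser (C14N 2.0 as a
    # stand-in for Exclusive C14N) then produces the octet stream that is hashed.
    exclude = [ds("Signature")] if ENVELOPED in transforms else None
    canon = ET.canonicalize(text, exclude_tags=exclude)
    return base64.b64encode(hashlib.sha512(canon.encode("utf-8")).digest()).decode()


def signature_template(uri, transforms):
    """Same shape as what the xmlSecTmpl* calls build: empty DigestValue."""
    sig = ET.Element(ds("Signature"))
    info = ET.SubElement(sig, ds("SignedInfo"))
    ref = ET.SubElement(info, ds("Reference"), URI=uri)
    trs = ET.SubElement(ref, ds("Transforms"))
    for alg in transforms:
        ET.SubElement(trs, ds("Transform"), Algorithm=alg)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA512)
    ET.SubElement(ref, ds("DigestValue"))   # empty until the digest is computed
    return sig


def sign(uri, transforms):
    """Mirror the poster's flow: template added under the root first, then filled."""
    root = ET.fromstring(UNSIGNED_DOC)
    sig = signature_template(uri, transforms)
    root.append(sig)                                   # xmlAddChild(root, signNode)
    digest = reference_digest(root, uri, transforms)   # template already inside the data
    sig.find(".//" + ds("DigestValue")).text = digest  # ...so this edit changes the data
    return ET.tostring(root)


def verify(signed_xml):
    """Recompute the Reference digest on the received document and compare."""
    root = ET.fromstring(signed_xml)
    sig = root.find(ds("Signature"))
    ref = sig.find(".//" + ds("Reference"))
    transforms = [t.get("Algorithm") for t in ref.iterfind(".//" + ds("Transform"))]
    expected = ref.findtext(ds("DigestValue"))
    return reference_digest(root, ref.get("URI"), transforms) == expected


if __name__ == "__main__":
    print("URI='' + ExclC14N only      :", verify(sign("", [EXC_C14N])))
    print("URI='' + Enveloped+ExclC14N :", verify(sign("", [ENVELOPED, EXC_C14N])))
    print("URI='#body' + ExclC14N only :", verify(sign("#body", [EXC_C14N])))
```

The first case is the poster's setup and fails; the second is Aleksey's advice
and passes. The third is the way out when the peer really insists on a single
ExclC14N transform: reference a subtree that does not contain the Signature
(the uri argument of xmlSecTmplSignatureAddReference, with the Id attribute
made known to xmlsec, e.g. via xmlSecAddIDs, so that the URI can be resolved).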

