[xmlsec] Signing and validating fails

Peter p.weijenburg at beslistmail.nl
Thu Mar 6 00:21:32 PST 2014


That's what the other party wants to receive. The digested Resource and
KeyInfo elements are placed into the SignedInfo element, which is then
signed as a whole.
Does XmlSec support this? And is what I'm doing basically correct for this
approach?

See also this image: http://nl.tinypic.com/r/nx3w1w/8

Thanks, Peter

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Wednesday, March 5, 2014 17:45
To: Peter; xmlsec at aleksey.com
Subject: Re: [xmlsec] Signing and validating fails

You should probably start from reading the XMLDsig spec...

I am not sure what you are trying to achieve by putting keyvalue element
into the signature and then signing it.

Aleksey

On 3/4/14, 11:42 PM, Peter wrote:
> Hi, I have a piece of XML I would like to sign.
> 
>  
> 
> The commands I use are:
> 
> xmlsec1 sign --privkey-pem key.pem --output signedfile.xml test.xml
> 
> xmlsec1 --verify signedfile.xml
> 
>  
> 
> The XML template (test.xml) to be signed is:
> 
>  
> 
> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Signature001">
> <dsig:SignedInfo>
>   <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></dsig:CanonicalizationMethod>
>   <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></dsig:SignatureMethod>
>   <dsig:Reference URI="#KeyInfo001">
>    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod>
>    <dsig:DigestValue></dsig:DigestValue>
>   </dsig:Reference>
>   <dsig:Reference URI="#Resource1">
>    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod>
>    <dsig:DigestValue></dsig:DigestValue>
>   </dsig:Reference>
> </dsig:SignedInfo>
> <dsig:SignatureValue></dsig:SignatureValue>
> <dsig:KeyInfo Id="KeyInfo001">
>   <dsig:KeyValue></dsig:KeyValue>
> </dsig:KeyInfo>
> <dsig:Object Id="Resource1">hello world</dsig:Object>
> </dsig:Signature>
> 
>  
> 
>  
> 
> The verification outputs:
> 
> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
> 
> FAIL
> 
> SignedInfo References (ok/all): 0/1
> 
> Manifests References (ok/all): 0/0
> 
> Error: failed to verify file "signedfile.xml"
> 
>  
> 
> I don't understand what I'm doing wrong. It's something with the C14N 
> I suppose, but what to do about it? Can anyone give me a hint?
> 
>  
> 
> Thanks, Peter