[xmlsec] Signing and validating fails
Aleksey Sanin
aleksey at aleksey.com
Thu Mar 6 08:26:44 PST 2014
http://www.w3.org/TR/xmldsig-core/#sec-CoreGeneration
Sections 3.1.1 and 3.1.2. Basically you first *sign* an empty KeyValue
and then then insert data there thus invalidating the signature.
Aleksey
On 3/6/14, 12:21 AM, Peter wrote:
> That's what the other party wants to receive. The digested Resource and
> KeyInfo elements are placed into the SignedInfo element, which is then
> signed as a whole.
> Does XmlSec support this? And is what I'm doing basically correct for this
> approach?
>
> See also this image: http://nl.tinypic.com/r/nx3w1w/8
>
> Thanks, Peter
>
> -----Oorspronkelijk bericht-----
> Van: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Verzonden: woensdag 5 maart 2014 17:45
> Aan: Peter; xmlsec at aleksey.com
> Onderwerp: Re: [xmlsec] Signing and validating fails
>
> You should probably start from reading the XMLDsig spec...
>
> I am not sure what are you trying to achieve by putting keyvalue element
> into the signature and then signing it.
>
> Aleksey
>
> On 3/4/14, 11:42 PM, Peter wrote:
>> Hi, I have a piece of XML I would like to sign.
>>
>>
>>
>> The commands I use are:
>>
>> xmlsec1 sign --privkey-pem key.pem --output signedfile.xml test.xml
>>
>> xmlsec1 --verify signedfile.xml
>>
>>
>>
>> The XML template (test.xml) to be signed is:
>>
>>
>>
>> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
>> Id="Signature001">
>>
>> <dsig:SignedInfo>
>>
>> <dsig:CanonicalizationMethod
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></dsig:Can
>> onicalizationMethod>
>>
>> <dsig:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></dsig:Signatur
>> eMethod>
>>
>> <dsig:Reference URI="#KeyInfo001">
>>
>> <dsig:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod
>>>
>>
>> <dsig:DigestValue></dsig:DigestValue>
>>
>> </dsig:Reference>
>>
>> <dsig:Reference URI="#Resource1">
>>
>> <dsig:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod
>>>
>>
>> <dsig:DigestValue></dsig:DigestValue>
>>
>> </dsig:Reference>
>>
>> </dsig:SignedInfo>
>>
>> <dsig:SignatureValue></dsig:SignatureValue>
>>
>> <dsig:KeyInfo Id="KeyInfo001">
>>
>> <dsig:KeyValue></dsig:KeyValue>
>>
>> </dsig:KeyInfo>
>>
>> <dsig:Object Id="Resource1">hello world</dsig:Object>
>>
>> </dsig:Signature>
>>
>>
>>
>>
>>
>> The verification outputs:
>>
>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:sub
>> j=unknown:error=12:invalid
>> data:data and digest do not match
>>
>> FAIL
>>
>> SignedInfo References (ok/all): 0/1
>>
>> Manifests References (ok/all): 0/0
>>
>> Error: failed to verify file "signedfile.xml"
>>
>>
>>
>> I don't understand what I'm doing wrong. It's something with the C14N
>> I suppose, but what to do about it? Can anyone give me a hint?
>>
>>
>>
>> Thanks, Peter
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
More information about the xmlsec
mailing list