[xmlsec] Fwd: Re: Bad digest in #Manifest
François Plou
fplou at webank.fr
Wed Apr 9 10:15:56 PDT 2014
Hi,
I am trying to discover what xml part is digested to understand why I
got another digest value than the one calculated by java XmlDsig API.
To do that I try to add some trace in the code just before the digest
algorithm but I was unable yet to find the right position.
Could you provide me a clue where to add trace in the source code ?
Thanks for your help.
Francois
Le 07/04/2014 14:49, François Plou a écrit :
>
> Hi,
>
> Below is the result of --store-references option :
>
> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
> Enter password for "/home/fplou/CA/fplousign.key" file:
> = SIGNATURE CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000002
> ==== keyUsage: 0x00000001
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n
> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Private
> === key usage: -1
> === rsa key: size = 2048
> == SignedInfo References List:
> === list size: 1
> = REFERENCE CALCULATION CONTEXT
> == Status: succeeded
> == URI: "#Manifest"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri:
> === uri xpointer expr: #Manifest
> === Transform: xpointer
> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: enveloped-signature
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n
> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Result - start buffer:
> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
> == Result - end buffer
> == Manifest References List:
> === list size: 2
> = REFERENCE CALCULATION CONTEXT
> == Status: succeeded
> == URI: ""
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: enveloped-signature
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n
> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
> <AcctOpngReq>
> <Refs>
> <MsgId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </MsgId>
> <PrcId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </PrcId>
> </Refs>
> <Acct>
> <Id>
> <Othr>
> <Id>NOREF2</Id>
> </Othr>
> </Id>
> <Tp>
> <Cd>CASH</Cd>
> </Tp>
> <Ccy>USD</Ccy>
> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
> <MnthlyTxNb>100</MnthlyTxNb>
> <AvrgBal>10000</AvrgBal>
> </Acct>
> <CtrctDts>
> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
> </CtrctDts>
> <UndrlygMstrAgrmt>
> <Ref>ABC/Acct/BBBBUS33</Ref>
> <Vrsn>1.0</Vrsn>
> </UndrlygMstrAgrmt>
> <AcctSvcrId>
> <FinInstnId>
> <BICFI>BBBBUS33</BICFI>
> </FinInstnId>
> </AcctSvcrId>
> <Org>
> <FullLglNm>ABC Corporation</FullLglNm>
> <CtryOfOpr>US</CtryOfOpr>
> <RegnDt>1999-09-01</RegnDt>
> <LglAdr>
> <StrtNm>Times Square</StrtNm>
> <BldgNb>7</BldgNb>
> <PstCd>NY 10036</PstCd>
> <TwnNm>New York</TwnNm>
> <Ctry>US</Ctry>
> </LglAdr>
> <OrgId>
> <Othr>
> <Id>01256485-85</Id>
> <SchmeNm>
> <Prtry>TAX</Prtry>
> </SchmeNm>
> </Othr>
> </OrgId>
> <MainMndtHldr>
> <Nm>Richard Jones</Nm>
> <PstlAdr>
> <AdrTp>HOME</AdrTp>
> <StrtNm>La Guardia Drive</StrtNm>
> <BldgNb>12</BldgNb>
> <PstCd>NJ 07054</PstCd>
> <TwnNm>Parsippany</TwnNm>
> <Ctry>US</Ctry>
> </PstlAdr>
> <Id>
> <DtAndPlcOfBirth>
> <BirthDt>1960-05-01</BirthDt>
> <CityOfBirth>New york</CityOfBirth>
> <CtryOfBirth>US</CtryOfBirth>
> </DtAndPlcOfBirth>
> </Id>
> </MainMndtHldr>
> </Org>
> <DgtlSgntr>
> <Pty>
> <Nm>fplou</Nm>
> </Pty>
> <Sgntr>
>
> </Sgntr>
> </DgtlSgntr>
> </AcctOpngReq>
> </Document>
> == PreDigest data - end buffer
> == Result - start buffer:
> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
> == Result - end buffer
> = REFERENCE CALCULATION CONTEXT
> == Status: succeeded
> == URI: "sign.sh"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: sign.sh
> === uri xpointer expr: NULL
> === Transform: input-uri (href=NULL)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
> acmt.007.001.02_1.skel.1sign.object2.xml
>
> == PreDigest data - end buffer
> == Result - start buffer:
> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
> == Result - end buffer
> == Result - start buffer:
> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
> uD2ZSS1bWu236lKh1elKWw==
> == Result - end buffer
>
>
> François
>
> On 03/04/2014 18:37, Aleksey Sanin wrote:
>> Try "--store-references" option to see what exactly was signed. Just
>> looking at the file, the DigestValue inside the #Manifest subtree looks
>> suspicious.
>>
>> Aleksey
>>
>> On 4/3/14, 5:46 AM, François Plou wrote:
>>> Hi,
>>>
>>> I am facing an issue trying to sign an xml document which makes
>>> reference to an external file.
>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>> verified by
>>> tool like Apache XML Security.
>>> I am pretty sure there is something missing in the XML document I give
>>> to xmlsec but can't figure what.
>>>
>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>> The output document is fpl.xml
>>>
>>> The digest which is not the same as the one computed by Apache XML
>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>
>>> I found that the expecting digest match the manifest3.xml file enclosed
>>> (I built it manually).
>>> So it seems xmlsec is not creating the same manifest part.
>>>
>>> Do you have any idea what can be wrong in my
>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>> transform ?
>>>
>>> Thanks for your help.
>>>
>>> Francois
>>>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20140409/fbff2d33/attachment-0001.html>
More information about the xmlsec
mailing list