[xmlsec] Fwd: Re: Bad digest in #Manifest
François Plou
fplou at webank.fr
Thu Apr 10 02:31:13 PDT 2014
Not really :-(
The store-references option does not display the xml part who matches
the digest displayed :
== Status: succeeded
== URI: "#Manifest"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #Manifest
=== Transform: xpointer
(href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n
(href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Result - start buffer:
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
== Result - end buffer
The #Manifest is processed and --store-references provides the digest
2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part who was used to provide
this digest.
This digest does not match the one produced by Apache XML Security.
Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= who match the following
XML part :
<Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
</Reference>
<Reference URI="sign.sh">
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
</Reference>
</Manifest>
So I am trying to figure what XML part is used by xmlsec1.
Regards
François
Le 09/04/2014 20:12, Aleksey Sanin a écrit :
> This is exactly what --store-references option does :)
>
> Aleksey
>
> On 4/9/14, 10:15 AM, François Plou wrote:
>> Hi,
>>
>> I am trying to discover what xml part is digested to understand why I
>> got another digest value than the one calculated by java XmlDsig API.
>> To do that I try to add some trace in the code just before the digest
>> algorithm but I was unable yet to find the right position.
>> Could you provide me a clue where to add trace in the source code ?
>>
>> Thanks for your help.
>>
>> Francois
>>
>>
>> Le 07/04/2014 14:49, François Plou a écrit :
>>> Hi,
>>>
>>> Below is the result of --store-references option :
>>>
>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>> = SIGNATURE CONTEXT
>>> == Status: succeeded
>>> == flags: 0x00000006
>>> == flags2: 0x00000000
>>> == Key Info Read Ctx:
>>> = KEY INFO READ CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: rsa
>>> ==== keyType: 0x00000002
>>> ==== keyUsage: 0x00000001
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> == Key Info Write Ctx:
>>> = KEY INFO WRITE CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: NULL
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0xffffffff
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> == Signature Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> === Transform: c14n
>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>> === Transform: membuf-transform (href=NULL)
>>> == Signature Method:
>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>> == Signature Key:
>>> == KEY
>>> === method: RSAKeyValue
>>> === key type: Private
>>> === key usage: -1
>>> === rsa key: size = 2048
>>> == SignedInfo References List:
>>> === list size: 1
>>> = REFERENCE CALCULATION CONTEXT
>>> == Status: succeeded
>>> == URI: "#Manifest"
>>> == Reference Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri:
>>> === uri xpointer expr: #Manifest
>>> === Transform: xpointer
>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>> === Transform: enveloped-signature
>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>> === Transform: c14n
>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == Result - start buffer:
>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>> == Result - end buffer
>>> == Manifest References List:
>>> === list size: 2
>>> = REFERENCE CALCULATION CONTEXT
>>> == Status: succeeded
>>> == URI: ""
>>> == Reference Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> === Transform: enveloped-signature
>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>> === Transform: c14n
>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == PreDigest data - start buffer:
>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>> <AcctOpngReq>
>>> <Refs>
>>> <MsgId>
>>> <Id>ABC/090928/CCT001</Id>
>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>> </MsgId>
>>> <PrcId>
>>> <Id>ABC/090928/CCT001</Id>
>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>> </PrcId>
>>> </Refs>
>>> <Acct>
>>> <Id>
>>> <Othr>
>>> <Id>NOREF2</Id>
>>> </Othr>
>>> </Id>
>>> <Tp>
>>> <Cd>CASH</Cd>
>>> </Tp>
>>> <Ccy>USD</Ccy>
>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>> <MnthlyTxNb>100</MnthlyTxNb>
>>> <AvrgBal>10000</AvrgBal>
>>> </Acct>
>>> <CtrctDts>
>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>> </CtrctDts>
>>> <UndrlygMstrAgrmt>
>>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>> <Vrsn>1.0</Vrsn>
>>> </UndrlygMstrAgrmt>
>>> <AcctSvcrId>
>>> <FinInstnId>
>>> <BICFI>BBBBUS33</BICFI>
>>> </FinInstnId>
>>> </AcctSvcrId>
>>> <Org>
>>> <FullLglNm>ABC Corporation</FullLglNm>
>>> <CtryOfOpr>US</CtryOfOpr>
>>> <RegnDt>1999-09-01</RegnDt>
>>> <LglAdr>
>>> <StrtNm>Times Square</StrtNm>
>>> <BldgNb>7</BldgNb>
>>> <PstCd>NY 10036</PstCd>
>>> <TwnNm>New York</TwnNm>
>>> <Ctry>US</Ctry>
>>> </LglAdr>
>>> <OrgId>
>>> <Othr>
>>> <Id>01256485-85</Id>
>>> <SchmeNm>
>>> <Prtry>TAX</Prtry>
>>> </SchmeNm>
>>> </Othr>
>>> </OrgId>
>>> <MainMndtHldr>
>>> <Nm>Richard Jones</Nm>
>>> <PstlAdr>
>>> <AdrTp>HOME</AdrTp>
>>> <StrtNm>La Guardia Drive</StrtNm>
>>> <BldgNb>12</BldgNb>
>>> <PstCd>NJ 07054</PstCd>
>>> <TwnNm>Parsippany</TwnNm>
>>> <Ctry>US</Ctry>
>>> </PstlAdr>
>>> <Id>
>>> <DtAndPlcOfBirth>
>>> <BirthDt>1960-05-01</BirthDt>
>>> <CityOfBirth>New york</CityOfBirth>
>>> <CtryOfBirth>US</CtryOfBirth>
>>> </DtAndPlcOfBirth>
>>> </Id>
>>> </MainMndtHldr>
>>> </Org>
>>> <DgtlSgntr>
>>> <Pty>
>>> <Nm>fplou</Nm>
>>> </Pty>
>>> <Sgntr>
>>>
>>> </Sgntr>
>>> </DgtlSgntr>
>>> </AcctOpngReq>
>>> </Document>
>>> == PreDigest data - end buffer
>>> == Result - start buffer:
>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>> == Result - end buffer
>>> = REFERENCE CALCULATION CONTEXT
>>> == Status: succeeded
>>> == URI: "sign.sh"
>>> == Reference Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: sign.sh
>>> === uri xpointer expr: NULL
>>> === Transform: input-uri (href=NULL)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == PreDigest data - start buffer:
>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>
>>> == PreDigest data - end buffer
>>> == Result - start buffer:
>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>> == Result - end buffer
>>> == Result - start buffer:
>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>> uD2ZSS1bWu236lKh1elKWw==
>>> == Result - end buffer
>>>
>>>
>>> François
>>>
>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>> Try "--store-references" option to see what exactly was signed. Just
>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>> suspicious.
>>>>
>>>> Aleksey
>>>>
>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>> Hi,
>>>>>
>>>>> I am facing an issue trying to sign an xml document which makes
>>>>> reference to an external file.
>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>> verified by
>>>>> tool like Apache XML Security.
>>>>> I am pretty sure there is something missing in the XML document I give
>>>>> to xmlsec but can't figure what.
>>>>>
>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>> The output document is fpl.xml
>>>>>
>>>>> The digest which is not the same as the one computed by Apache XML
>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>
>>>>> I found that the expecting digest match the manifest3.xml file enclosed
>>>>> (I built it manually).
>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>
>>>>> Do you have any idea what can be wrong in my
>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>>>> transform ?
>>>>>
>>>>> Thanks for your help.
>>>>>
>>>>> Francois
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> xmlsec at aleksey.com
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>
>>>
>>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20140410/b88bc0ba/attachment-0001.html>
More information about the xmlsec
mailing list