[xmlsec] Fwd: Re: Bad digest in #Manifest
François Plou
fplou at webank.fr
Thu Apr 10 05:40:29 PDT 2014
I found the problem, but don't know yet what really happens in the
source code.
I put some traces and I discovered that digest
2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer.
If you execute the following command openssl dgst -sha1 -binary
/dev/null | openssl enc -base64, you also get this digest.
So it seems xmlsec1 can't process correctly the #Manifest part :
<Object>
<Manifest Id="Manifest">
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
<Reference URI="sign.sh">
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</Manifest>
</Object>
Regards.
François
Le 10/04/2014 11:31, François Plou a écrit :
> Not really :-(
>
> The store-references option does not display the xml part who matches
> the digest displayed :
>
> == Status: succeeded
> == URI: "#Manifest"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri:
> === uri xpointer expr: #Manifest
> === Transform: xpointer
> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: enveloped-signature
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n
> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Result - start buffer:
> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
> == Result - end buffer
> The #Manifest is processed and --store-references provides the digest
> 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part who was used to
> provide this digest.
>
> This digest does not match the one produced by Apache XML Security.
> Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= who match the
> following XML part :
>
> <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
> <Reference URI="">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
> </Reference>
> <Reference URI="sign.sh">
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
> </Reference>
> </Manifest>
>
> So I am trying to figure what XML part is used by xmlsec1.
>
> Regards
>
> François
>
> Le 09/04/2014 20:12, Aleksey Sanin a écrit :
>> This is exactly what --store-references option does :)
>>
>> Aleksey
>>
>> On 4/9/14, 10:15 AM, François Plou wrote:
>>> Hi,
>>>
>>> I am trying to discover what xml part is digested to understand why I
>>> got another digest value than the one calculated by java XmlDsig API.
>>> To do that I try to add some trace in the code just before the digest
>>> algorithm but I was unable yet to find the right position.
>>> Could you provide me a clue where to add trace in the source code ?
>>>
>>> Thanks for your help.
>>>
>>> Francois
>>>
>>>
>>> Le 07/04/2014 14:49, François Plou a écrit :
>>>> Hi,
>>>>
>>>> Below is the result of --store-references option :
>>>>
>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>>> = SIGNATURE CONTEXT
>>>> == Status: succeeded
>>>> == flags: 0x00000006
>>>> == flags2: 0x00000000
>>>> == Key Info Read Ctx:
>>>> = KEY INFO READ CONTEXT
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled key data: all
>>>> == RetrievalMethod level (cur/max): 0/1
>>>> == TRANSFORMS CTX (status=0)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: NULL
>>>> === uri xpointer expr: NULL
>>>> == EncryptedKey level (cur/max): 0/1
>>>> === KeyReq:
>>>> ==== keyId: rsa
>>>> ==== keyType: 0x00000002
>>>> ==== keyUsage: 0x00000001
>>>> ==== keyBitsSize: 0
>>>> === list size: 0
>>>> == Key Info Write Ctx:
>>>> = KEY INFO WRITE CONTEXT
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled key data: all
>>>> == RetrievalMethod level (cur/max): 0/1
>>>> == TRANSFORMS CTX (status=0)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: NULL
>>>> === uri xpointer expr: NULL
>>>> == EncryptedKey level (cur/max): 0/1
>>>> === KeyReq:
>>>> ==== keyId: NULL
>>>> ==== keyType: 0x00000001
>>>> ==== keyUsage: 0xffffffff
>>>> ==== keyBitsSize: 0
>>>> === list size: 0
>>>> == Signature Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: NULL
>>>> === uri xpointer expr: NULL
>>>> === Transform: c14n
>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Signature Method:
>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>> == Signature Key:
>>>> == KEY
>>>> === method: RSAKeyValue
>>>> === key type: Private
>>>> === key usage: -1
>>>> === rsa key: size = 2048
>>>> == SignedInfo References List:
>>>> === list size: 1
>>>> = REFERENCE CALCULATION CONTEXT
>>>> == Status: succeeded
>>>> == URI: "#Manifest"
>>>> == Reference Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri:
>>>> === uri xpointer expr: #Manifest
>>>> === Transform: xpointer
>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>> === Transform: enveloped-signature
>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>> === Transform: c14n
>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>> === Transform: membuf-transform (href=NULL)
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Digest Method:
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> == Result - start buffer:
>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>> == Result - end buffer
>>>> == Manifest References List:
>>>> === list size: 2
>>>> = REFERENCE CALCULATION CONTEXT
>>>> == Status: succeeded
>>>> == URI: ""
>>>> == Reference Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: NULL
>>>> === uri xpointer expr: NULL
>>>> === Transform: enveloped-signature
>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>> === Transform: c14n
>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>> === Transform: membuf-transform (href=NULL)
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Digest Method:
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> == PreDigest data - start buffer:
>>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>>> <AcctOpngReq>
>>>> <Refs>
>>>> <MsgId>
>>>> <Id>ABC/090928/CCT001</Id>
>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>> </MsgId>
>>>> <PrcId>
>>>> <Id>ABC/090928/CCT001</Id>
>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>> </PrcId>
>>>> </Refs>
>>>> <Acct>
>>>> <Id>
>>>> <Othr>
>>>> <Id>NOREF2</Id>
>>>> </Othr>
>>>> </Id>
>>>> <Tp>
>>>> <Cd>CASH</Cd>
>>>> </Tp>
>>>> <Ccy>USD</Ccy>
>>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>>> <MnthlyTxNb>100</MnthlyTxNb>
>>>> <AvrgBal>10000</AvrgBal>
>>>> </Acct>
>>>> <CtrctDts>
>>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>>> </CtrctDts>
>>>> <UndrlygMstrAgrmt>
>>>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>>> <Vrsn>1.0</Vrsn>
>>>> </UndrlygMstrAgrmt>
>>>> <AcctSvcrId>
>>>> <FinInstnId>
>>>> <BICFI>BBBBUS33</BICFI>
>>>> </FinInstnId>
>>>> </AcctSvcrId>
>>>> <Org>
>>>> <FullLglNm>ABC Corporation</FullLglNm>
>>>> <CtryOfOpr>US</CtryOfOpr>
>>>> <RegnDt>1999-09-01</RegnDt>
>>>> <LglAdr>
>>>> <StrtNm>Times Square</StrtNm>
>>>> <BldgNb>7</BldgNb>
>>>> <PstCd>NY 10036</PstCd>
>>>> <TwnNm>New York</TwnNm>
>>>> <Ctry>US</Ctry>
>>>> </LglAdr>
>>>> <OrgId>
>>>> <Othr>
>>>> <Id>01256485-85</Id>
>>>> <SchmeNm>
>>>> <Prtry>TAX</Prtry>
>>>> </SchmeNm>
>>>> </Othr>
>>>> </OrgId>
>>>> <MainMndtHldr>
>>>> <Nm>Richard Jones</Nm>
>>>> <PstlAdr>
>>>> <AdrTp>HOME</AdrTp>
>>>> <StrtNm>La Guardia Drive</StrtNm>
>>>> <BldgNb>12</BldgNb>
>>>> <PstCd>NJ 07054</PstCd>
>>>> <TwnNm>Parsippany</TwnNm>
>>>> <Ctry>US</Ctry>
>>>> </PstlAdr>
>>>> <Id>
>>>> <DtAndPlcOfBirth>
>>>> <BirthDt>1960-05-01</BirthDt>
>>>> <CityOfBirth>New york</CityOfBirth>
>>>> <CtryOfBirth>US</CtryOfBirth>
>>>> </DtAndPlcOfBirth>
>>>> </Id>
>>>> </MainMndtHldr>
>>>> </Org>
>>>> <DgtlSgntr>
>>>> <Pty>
>>>> <Nm>fplou</Nm>
>>>> </Pty>
>>>> <Sgntr>
>>>>
>>>> </Sgntr>
>>>> </DgtlSgntr>
>>>> </AcctOpngReq>
>>>> </Document>
>>>> == PreDigest data - end buffer
>>>> == Result - start buffer:
>>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>>> == Result - end buffer
>>>> = REFERENCE CALCULATION CONTEXT
>>>> == Status: succeeded
>>>> == URI: "sign.sh"
>>>> == Reference Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: sign.sh
>>>> === uri xpointer expr: NULL
>>>> === Transform: input-uri (href=NULL)
>>>> === Transform: membuf-transform (href=NULL)
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Digest Method:
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> == PreDigest data - start buffer:
>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>
>>>> == PreDigest data - end buffer
>>>> == Result - start buffer:
>>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>>> == Result - end buffer
>>>> == Result - start buffer:
>>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>>> uD2ZSS1bWu236lKh1elKWw==
>>>> == Result - end buffer
>>>>
>>>>
>>>> François
>>>>
>>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>>> Try "--store-references" option to see what exactly was signed. Just
>>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>>> suspicious.
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am facing an issue trying to sign an xml document which makes
>>>>>> reference to an external file.
>>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>>> verified by
>>>>>> tool like Apache XML Security.
>>>>>> I am pretty sure there is something missing in the XML document I give
>>>>>> to xmlsec but can't figure what.
>>>>>>
>>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>> The output document is fpl.xml
>>>>>>
>>>>>> The digest which is not the same as the one computed by Apache XML
>>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>>
>>>>>> I found that the expecting digest match the manifest3.xml file enclosed
>>>>>> (I built it manually).
>>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>>
>>>>>> Do you have any idea what can be wrong in my
>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>>>>> transform ?
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>> Francois
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> xmlsec mailing list
>>>>>> xmlsec at aleksey.com
>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>
>>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20140410/4831546f/attachment-0001.html>
More information about the xmlsec
mailing list