[xmlsec] Fwd: Re: Bad digest in #Manifest
Aleksey Sanin
aleksey at aleksey.com
Thu Apr 10 09:29:38 PDT 2014
To process manifests according to the xmldsig spec the ref type
should be specified:
<Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest"
URI="#Manifest">
...
</>
XMLSec package contains a few test vectors that show manifests usage.
Best,
Aleksey
On 4/10/14, 5:40 AM, François Plou wrote:
> I found the problem, but don't know yet what really happens in the
> source code.
> I put some traces and I discovered that digest
> 2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer.
> If you execute the following command openssl dgst -sha1 -binary
> /dev/null | openssl enc -base64, you also get this digest.
>
> So it seems xmlsec1 can't process correctly the #Manifest part :
>
> <Object>
> <Manifest Id="Manifest">
> <Reference URI="">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue></DigestValue>
> </Reference>
> <Reference URI="sign.sh">
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue></DigestValue>
> </Reference>
> </Manifest>
> </Object>
>
>
> Regards.
>
> François
>
> Le 10/04/2014 11:31, François Plou a écrit :
>> Not really :-(
>>
>> The store-references option does not display the xml part who matches
>> the digest displayed :
>>
>> == Status: succeeded
>> == URI: "#Manifest"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #Manifest
>> === Transform: xpointer
>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: enveloped-signature
>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: c14n
>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == Result - start buffer:
>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>> == Result - end buffer
>> The #Manifest is processed and --store-references provides the digest
>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part who was used to
>> provide this digest.
>>
>> This digest does not match the one produced by Apache XML Security.
>> Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= who match the
>> following XML part :
>>
>> <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
>> <Reference URI="">
>> <Transforms>
>> <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>> </Transforms>
>> <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>
>> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
>> </Reference>
>> <Reference URI="sign.sh">
>> <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>
>> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
>> </Reference>
>> </Manifest>
>>
>> So I am trying to figure what XML part is used by xmlsec1.
>>
>> Regards
>>
>> François
>>
>> Le 09/04/2014 20:12, Aleksey Sanin a écrit :
>>> This is exactly what --store-references option does :)
>>>
>>> Aleksey
>>>
>>> On 4/9/14, 10:15 AM, François Plou wrote:
>>>> Hi,
>>>>
>>>> I am trying to discover what xml part is digested to understand why I
>>>> got another digest value than the one calculated by java XmlDsig API.
>>>> To do that I try to add some trace in the code just before the digest
>>>> algorithm but I was unable yet to find the right position.
>>>> Could you provide me a clue where to add trace in the source code ?
>>>>
>>>> Thanks for your help.
>>>>
>>>> Francois
>>>>
>>>>
>>>> Le 07/04/2014 14:49, François Plou a écrit :
>>>>> Hi,
>>>>>
>>>>> Below is the result of --store-references option :
>>>>>
>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>>>> = SIGNATURE CONTEXT
>>>>> == Status: succeeded
>>>>> == flags: 0x00000006
>>>>> == flags2: 0x00000000
>>>>> == Key Info Read Ctx:
>>>>> = KEY INFO READ CONTEXT
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled key data: all
>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>> == TRANSFORMS CTX (status=0)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> == EncryptedKey level (cur/max): 0/1
>>>>> === KeyReq:
>>>>> ==== keyId: rsa
>>>>> ==== keyType: 0x00000002
>>>>> ==== keyUsage: 0x00000001
>>>>> ==== keyBitsSize: 0
>>>>> === list size: 0
>>>>> == Key Info Write Ctx:
>>>>> = KEY INFO WRITE CONTEXT
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled key data: all
>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>> == TRANSFORMS CTX (status=0)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> == EncryptedKey level (cur/max): 0/1
>>>>> === KeyReq:
>>>>> ==== keyId: NULL
>>>>> ==== keyType: 0x00000001
>>>>> ==== keyUsage: 0xffffffff
>>>>> ==== keyBitsSize: 0
>>>>> === list size: 0
>>>>> == Signature Transform Ctx:
>>>>> == TRANSFORMS CTX (status=2)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> === Transform: c14n
>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> == Signature Method:
>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>> == Signature Key:
>>>>> == KEY
>>>>> === method: RSAKeyValue
>>>>> === key type: Private
>>>>> === key usage: -1
>>>>> === rsa key: size = 2048
>>>>> == SignedInfo References List:
>>>>> === list size: 1
>>>>> = REFERENCE CALCULATION CONTEXT
>>>>> == Status: succeeded
>>>>> == URI: "#Manifest"
>>>>> == Reference Transform Ctx:
>>>>> == TRANSFORMS CTX (status=2)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri:
>>>>> === uri xpointer expr: #Manifest
>>>>> === Transform: xpointer
>>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>>> === Transform: enveloped-signature
>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>> === Transform: c14n
>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> == Digest Method:
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> == Result - start buffer:
>>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>> == Result - end buffer
>>>>> == Manifest References List:
>>>>> === list size: 2
>>>>> = REFERENCE CALCULATION CONTEXT
>>>>> == Status: succeeded
>>>>> == URI: ""
>>>>> == Reference Transform Ctx:
>>>>> == TRANSFORMS CTX (status=2)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> === Transform: enveloped-signature
>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>> === Transform: c14n
>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> == Digest Method:
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> == PreDigest data - start buffer:
>>>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>>>> <AcctOpngReq>
>>>>> <Refs>
>>>>> <MsgId>
>>>>> <Id>ABC/090928/CCT001</Id>
>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>> </MsgId>
>>>>> <PrcId>
>>>>> <Id>ABC/090928/CCT001</Id>
>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>> </PrcId>
>>>>> </Refs>
>>>>> <Acct>
>>>>> <Id>
>>>>> <Othr>
>>>>> <Id>NOREF2</Id>
>>>>> </Othr>
>>>>> </Id>
>>>>> <Tp>
>>>>> <Cd>CASH</Cd>
>>>>> </Tp>
>>>>> <Ccy>USD</Ccy>
>>>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>>>> <MnthlyTxNb>100</MnthlyTxNb>
>>>>> <AvrgBal>10000</AvrgBal>
>>>>> </Acct>
>>>>> <CtrctDts>
>>>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>>>> </CtrctDts>
>>>>> <UndrlygMstrAgrmt>
>>>>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>>>> <Vrsn>1.0</Vrsn>
>>>>> </UndrlygMstrAgrmt>
>>>>> <AcctSvcrId>
>>>>> <FinInstnId>
>>>>> <BICFI>BBBBUS33</BICFI>
>>>>> </FinInstnId>
>>>>> </AcctSvcrId>
>>>>> <Org>
>>>>> <FullLglNm>ABC Corporation</FullLglNm>
>>>>> <CtryOfOpr>US</CtryOfOpr>
>>>>> <RegnDt>1999-09-01</RegnDt>
>>>>> <LglAdr>
>>>>> <StrtNm>Times Square</StrtNm>
>>>>> <BldgNb>7</BldgNb>
>>>>> <PstCd>NY 10036</PstCd>
>>>>> <TwnNm>New York</TwnNm>
>>>>> <Ctry>US</Ctry>
>>>>> </LglAdr>
>>>>> <OrgId>
>>>>> <Othr>
>>>>> <Id>01256485-85</Id>
>>>>> <SchmeNm>
>>>>> <Prtry>TAX</Prtry>
>>>>> </SchmeNm>
>>>>> </Othr>
>>>>> </OrgId>
>>>>> <MainMndtHldr>
>>>>> <Nm>Richard Jones</Nm>
>>>>> <PstlAdr>
>>>>> <AdrTp>HOME</AdrTp>
>>>>> <StrtNm>La Guardia Drive</StrtNm>
>>>>> <BldgNb>12</BldgNb>
>>>>> <PstCd>NJ 07054</PstCd>
>>>>> <TwnNm>Parsippany</TwnNm>
>>>>> <Ctry>US</Ctry>
>>>>> </PstlAdr>
>>>>> <Id>
>>>>> <DtAndPlcOfBirth>
>>>>> <BirthDt>1960-05-01</BirthDt>
>>>>> <CityOfBirth>New york</CityOfBirth>
>>>>> <CtryOfBirth>US</CtryOfBirth>
>>>>> </DtAndPlcOfBirth>
>>>>> </Id>
>>>>> </MainMndtHldr>
>>>>> </Org>
>>>>> <DgtlSgntr>
>>>>> <Pty>
>>>>> <Nm>fplou</Nm>
>>>>> </Pty>
>>>>> <Sgntr>
>>>>>
>>>>> </Sgntr>
>>>>> </DgtlSgntr>
>>>>> </AcctOpngReq>
>>>>> </Document>
>>>>> == PreDigest data - end buffer
>>>>> == Result - start buffer:
>>>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>>>> == Result - end buffer
>>>>> = REFERENCE CALCULATION CONTEXT
>>>>> == Status: succeeded
>>>>> == URI: "sign.sh"
>>>>> == Reference Transform Ctx:
>>>>> == TRANSFORMS CTX (status=2)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: sign.sh
>>>>> === uri xpointer expr: NULL
>>>>> === Transform: input-uri (href=NULL)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> == Digest Method:
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> == PreDigest data - start buffer:
>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>
>>>>> == PreDigest data - end buffer
>>>>> == Result - start buffer:
>>>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>>>> == Result - end buffer
>>>>> == Result - start buffer:
>>>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>>>> uD2ZSS1bWu236lKh1elKWw==
>>>>> == Result - end buffer
>>>>>
>>>>>
>>>>> François
>>>>>
>>>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>>>> Try "--store-references" option to see what exactly was signed. Just
>>>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>>>> suspicious.
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am facing an issue trying to sign an xml document which makes
>>>>>>> reference to an external file.
>>>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>>>> verified by
>>>>>>> tool like Apache XML Security.
>>>>>>> I am pretty sure there is something missing in the XML document I give
>>>>>>> to xmlsec but can't figure what.
>>>>>>>
>>>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>> The output document is fpl.xml
>>>>>>>
>>>>>>> The digest which is not the same as the one computed by Apache XML
>>>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>>>
>>>>>>> I found that the expecting digest match the manifest3.xml file enclosed
>>>>>>> (I built it manually).
>>>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>>>
>>>>>>> Do you have any idea what can be wrong in my
>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>>>>>> transform ?
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>>> Francois
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> xmlsec mailing list
>>>>>>> xmlsec at aleksey.com
>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> xmlsec mailing list
>>>> xmlsec at aleksey.com
>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>
>>
>
More information about the xmlsec
mailing list