[xmlsec] Fwd: Re: Bad digest in #Manifest
François Plou
fplou at webank.fr
Fri Apr 11 00:40:04 PDT 2014
Thanks for your answer.
I tried it but I always get this incorrect digest.
I modified the XML template according to what I found in the samples and
to your previous mail (see acmt.007.001.02_1.skel.1sign.object2.xml).
The xmlsec1 output still shows the bad digest for #manifest:
= SIGNATURE CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000002
==== keyUsage: 0x00000001
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Private
=== key usage: -1
=== rsa key: size = 2048
== SignedInfo References List:
=== list size: 1
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: "#manifest"
== Type: "http://www.w3.org/2000/09/xmldsig#Manifest"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: 
=== uri xpointer expr: #manifest
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Result - start buffer:
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
== Result - end buffer
== Manifest References List:
=== list size: 2
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq>
<Refs>
<MsgId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</MsgId>
<PrcId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</PrcId>
</Refs>
<Acct>
<Id>
<Othr>
<Id>NOREF2</Id>
</Othr>
</Id>
<Tp>
<Cd>CASH</Cd>
</Tp>
<Ccy>USD</Ccy>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<MnthlyTxNb>100</MnthlyTxNb>
<AvrgBal>10000</AvrgBal>
</Acct>
<CtrctDts>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
</CtrctDts>
<UndrlygMstrAgrmt>
<Ref>ABC/Acct/BBBBUS33</Ref>
<Vrsn>1.0</Vrsn>
</UndrlygMstrAgrmt>
<AcctSvcrId>
<FinInstnId>
<BICFI>BBBBUS33</BICFI>
</FinInstnId>
</AcctSvcrId>
<Org>
<FullLglNm>ABC Corporation</FullLglNm>
<CtryOfOpr>US</CtryOfOpr>
<RegnDt>1999-09-01</RegnDt>
<LglAdr>
<StrtNm>Times Square</StrtNm>
<BldgNb>7</BldgNb>
<PstCd>NY 10036</PstCd>
<TwnNm>New York</TwnNm>
<Ctry>US</Ctry>
</LglAdr>
<OrgId>
<Othr>
<Id>01256485-85</Id>
<SchmeNm>
<Prtry>TAX</Prtry>
</SchmeNm>
</Othr>
</OrgId>
<MainMndtHldr>
<Nm>Richard Jones</Nm>
<PstlAdr>
<AdrTp>HOME</AdrTp>
<StrtNm>La Guardia Drive</StrtNm>
<BldgNb>12</BldgNb>
<PstCd>NJ 07054</PstCd>
<TwnNm>Parsippany</TwnNm>
<Ctry>US</Ctry>
</PstlAdr>
<Id>
<DtAndPlcOfBirth>
<BirthDt>1960-05-01</BirthDt>
<CityOfBirth>New york</CityOfBirth>
<CtryOfBirth>US</CtryOfBirth>
</DtAndPlcOfBirth>
</Id>
</MainMndtHldr>
</Org>
<DgtlSgntr>
<Pty>
<Nm>fplou</Nm>
</Pty>
<Sgntr>
</Sgntr>
</DgtlSgntr>
</AcctOpngReq>
</Document>
== PreDigest data - end buffer
== Result - start buffer:
vSK1aioRUa7Gz2jLpN9LFqFeXSI=
== Result - end buffer
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: "sign.sh"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: sign.sh
=== uri xpointer expr: NULL
=== Transform: input-uri (href=NULL)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
acmt.007.001.02_1.skel.1sign.object2.xml
== PreDigest data - end buffer
== Result - start buffer:
4JgfakTfEbqzVpb+lP8vAWsD0u8=
== Result - end buffer
== Result - start buffer:
x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
KEvAz2lVM8oCsYgURmlGbA==
== Result - end buffer
The generated XML file:
<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq>
<Refs>
<MsgId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</MsgId>
<PrcId>
<Id>ABC/090928/CCT001</Id>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
</PrcId>
</Refs>
<Acct>
<Id>
<Othr>
<Id>NOREF2</Id>
</Othr>
</Id>
<Tp>
<Cd>CASH</Cd>
</Tp>
<Ccy>USD</Ccy>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<MnthlyTxNb>100</MnthlyTxNb>
<AvrgBal>10000</AvrgBal>
</Acct>
<CtrctDts>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
</CtrctDts>
<UndrlygMstrAgrmt>
<Ref>ABC/Acct/BBBBUS33</Ref>
<Vrsn>1.0</Vrsn>
</UndrlygMstrAgrmt>
<AcctSvcrId>
<FinInstnId>
<BICFI>BBBBUS33</BICFI>
</FinInstnId>
</AcctSvcrId>
<Org>
<FullLglNm>ABC Corporation</FullLglNm>
<CtryOfOpr>US</CtryOfOpr>
<RegnDt>1999-09-01</RegnDt>
<LglAdr>
<StrtNm>Times Square</StrtNm>
<BldgNb>7</BldgNb>
<PstCd>NY 10036</PstCd>
<TwnNm>New York</TwnNm>
<Ctry>US</Ctry>
</LglAdr>
<OrgId>
<Othr>
<Id>01256485-85</Id>
<SchmeNm>
<Prtry>TAX</Prtry>
</SchmeNm>
</Othr>
</OrgId>
<MainMndtHldr>
<Nm>Richard Jones</Nm>
<PstlAdr>
<AdrTp>HOME</AdrTp>
<StrtNm>La Guardia Drive</StrtNm>
<BldgNb>12</BldgNb>
<PstCd>NJ 07054</PstCd>
<TwnNm>Parsippany</TwnNm>
<Ctry>US</Ctry>
</PstlAdr>
<Id>
<DtAndPlcOfBirth>
<BirthDt>1960-05-01</BirthDt>
<CityOfBirth>New york</CityOfBirth>
<CtryOfBirth>US</CtryOfBirth>
</DtAndPlcOfBirth>
</Id>
</MainMndtHldr>
</Org>
<DgtlSgntr>
<Pty>
<Nm>fplou</Nm>
</Pty>
<Sgntr>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference
Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
KEvAz2lVM8oCsYgURmlGbA==</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>
6YkxawwM+ydRECsRK+t1ONIAI6ZHz1zZyohEdtqYso/2a5/nDTst4MKT4mFYr3Gp
BlOgfSYxC0pUXWC3iSAIAbvcjNSQMSgeiAiJL4pbzX/5uYyBIXFHNdSuOQVyoSJB
jDaPx19UyMqmZaLn5Flj7YVmpUyPAR1V4DHSmHGC4gDSqUHEphVHU/lnjnB+KEGm
W03J6OzVjJi7bK/EmZjliOHZhgsNY1FmYesZsbI1GI/RsuBBA3NxvcAC0kXBUJ4n
qHW7y7Ww8Yv77sFP/2g5s/fqW7HrnUnVh/xf3bs2a6EuriY4BI9M8YEmF0EGpbth
ycR4QLM0jQPdGBEamqitFQ==
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
<Object>
<Manifest Id="manifest">
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
</Reference>
<Reference URI="sign.sh">
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
</Reference>
</Manifest>
</Object>
</Signature>
</Sgntr>
</DgtlSgntr>
</AcctOpngReq>
</Document>
Regards
François
On 10/04/2014 18:29, Aleksey Sanin wrote:
> To process manifests according to the xmldsig spec the ref type
> should be specified:
>
> <Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest"
> URI="#Manifest">
> ...
> </>
>
> XMLSec package contains a few test vectors that show manifests usage.
>
> Best,
>
> Aleksey
>
> On 4/10/14, 5:40 AM, François Plou wrote:
>> I found the problem, but I don't know yet what really happens in the
>> source code.
>> I put in some traces and discovered that the digest
>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer.
>> If you execute the following command, openssl dgst -sha1 -binary
>> /dev/null | openssl enc -base64, you also get this digest.
>>
>> So it seems xmlsec1 can't correctly process the #Manifest part:
>>
>> <Object>
>> <Manifest Id="Manifest">
>> <Reference URI="">
>> <Transforms>
>> <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>> </Transforms>
>> <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <DigestValue></DigestValue>
>> </Reference>
>> <Reference URI="sign.sh">
>> <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <DigestValue></DigestValue>
>> </Reference>
>> </Manifest>
>> </Object>
>>
>>
>> Regards.
>>
>> François
>>
>> On 10/04/2014 11:31, François Plou wrote:
>>> Not really :-(
>>>
>>> The --store-references option does not display the XML part that matches
>>> the displayed digest:
>>>
>>> == Status: succeeded
>>> == URI: "#Manifest"
>>> == Reference Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri:
>>> === uri xpointer expr: #Manifest
>>> === Transform: xpointer
>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>> === Transform: enveloped-signature
>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>> === Transform: c14n
>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == Result - start buffer:
>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>> == Result - end buffer
>>> The #Manifest is processed and --store-references provides the digest
>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part that was used to
>>> produce this digest.
>>>
>>> This digest does not match the one produced by Apache XML Security.
>>> Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=, which matches the
>>> following XML part:
>>>
>>> <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
>>> <Reference URI="">
>>> <Transforms>
>>> <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>>> </Transforms>
>>> <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>>
>>> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
>>> </Reference>
>>> <Reference URI="sign.sh">
>>> <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>>
>>> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
>>> </Reference>
>>> </Manifest>
>>>
>>> So I am trying to figure out what XML part is used by xmlsec1.
>>>
>>> Regards
>>>
>>> François
>>>
>>> On 09/04/2014 20:12, Aleksey Sanin wrote:
>>>> This is exactly what --store-references option does :)
>>>>
>>>> Aleksey
>>>>
>>>> On 4/9/14, 10:15 AM, François Plou wrote:
>>>>> Hi,
>>>>>
>>>>> I am trying to discover what XML part is digested, to understand why I
>>>>> got a different digest value from the one calculated by the Java XmlDsig API.
>>>>> To do that I tried to add some traces in the code just before the digest
>>>>> algorithm, but I have not yet been able to find the right position.
>>>>> Could you give me a clue where to add traces in the source code?
>>>>>
>>>>> Thanks for your help.
>>>>>
>>>>> Francois
>>>>>
>>>>>
>>>>> On 07/04/2014 14:49, François Plou wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Below is the result of --store-references option :
>>>>>>
>>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>>>>> = SIGNATURE CONTEXT
>>>>>> == Status: succeeded
>>>>>> == flags: 0x00000006
>>>>>> == flags2: 0x00000000
>>>>>> == Key Info Read Ctx:
>>>>>> = KEY INFO READ CONTEXT
>>>>>> == flags: 0x00000000
>>>>>> == flags2: 0x00000000
>>>>>> == enabled key data: all
>>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>>> == TRANSFORMS CTX (status=0)
>>>>>> == flags: 0x00000000
>>>>>> == flags2: 0x00000000
>>>>>> == enabled transforms: all
>>>>>> === uri: NULL
>>>>>> === uri xpointer expr: NULL
>>>>>> == EncryptedKey level (cur/max): 0/1
>>>>>> === KeyReq:
>>>>>> ==== keyId: rsa
>>>>>> ==== keyType: 0x00000002
>>>>>> ==== keyUsage: 0x00000001
>>>>>> ==== keyBitsSize: 0
>>>>>> === list size: 0
>>>>>> == Key Info Write Ctx:
>>>>>> = KEY INFO WRITE CONTEXT
>>>>>> == flags: 0x00000000
>>>>>> == flags2: 0x00000000
>>>>>> == enabled key data: all
>>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>>> == TRANSFORMS CTX (status=0)
>>>>>> == flags: 0x00000000
>>>>>> == flags2: 0x00000000
>>>>>> == enabled transforms: all
>>>>>> === uri: NULL
>>>>>> === uri xpointer expr: NULL
>>>>>> == EncryptedKey level (cur/max): 0/1
>>>>>> === KeyReq:
>>>>>> ==== keyId: NULL
>>>>>> ==== keyType: 0x00000001
>>>>>> ==== keyUsage: 0xffffffff
>>>>>> ==== keyBitsSize: 0
>>>>>> === list size: 0
>>>>>> == Signature Transform Ctx:
>>>>>> == TRANSFORMS CTX (status=2)
>>>>>> == flags: 0x00000000
>>>>>> == flags2: 0x00000000
>>>>>> == enabled transforms: all
>>>>>> === uri: NULL
>>>>>> === uri xpointer expr: NULL
>>>>>> === Transform: c14n
>>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>> == Signature Method:
>>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>>> == Signature Key:
>>>>>> == KEY
>>>>>> === method: RSAKeyValue
>>>>>> === key type: Private
>>>>>> === key usage: -1
>>>>>> === rsa key: size = 2048
>>>>>> == SignedInfo References List:
>>>>>> === list size: 1
>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>> == Status: succeeded
>>>>>> == URI: "#Manifest"
>>>>>> == Reference Transform Ctx:
>>>>>> == TRANSFORMS CTX (status=2)
>>>>>> == flags: 0x00000000
>>>>>> == flags2: 0x00000000
>>>>>> == enabled transforms: all
>>>>>> === uri:
>>>>>> === uri xpointer expr: #Manifest
>>>>>> === Transform: xpointer
>>>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>>>> === Transform: enveloped-signature
>>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>>> === Transform: c14n
>>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>> == Digest Method:
>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>> == Result - start buffer:
>>>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>> == Result - end buffer
>>>>>> == Manifest References List:
>>>>>> === list size: 2
>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>> == Status: succeeded
>>>>>> == URI: ""
>>>>>> == Reference Transform Ctx:
>>>>>> == TRANSFORMS CTX (status=2)
>>>>>> == flags: 0x00000000
>>>>>> == flags2: 0x00000000
>>>>>> == enabled transforms: all
>>>>>> === uri: NULL
>>>>>> === uri xpointer expr: NULL
>>>>>> === Transform: enveloped-signature
>>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>>> === Transform: c14n
>>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>> == Digest Method:
>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>> == PreDigest data - start buffer:
>>>>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>>>>> <AcctOpngReq>
>>>>>> <Refs>
>>>>>> <MsgId>
>>>>>> <Id>ABC/090928/CCT001</Id>
>>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>> </MsgId>
>>>>>> <PrcId>
>>>>>> <Id>ABC/090928/CCT001</Id>
>>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>> </PrcId>
>>>>>> </Refs>
>>>>>> <Acct>
>>>>>> <Id>
>>>>>> <Othr>
>>>>>> <Id>NOREF2</Id>
>>>>>> </Othr>
>>>>>> </Id>
>>>>>> <Tp>
>>>>>> <Cd>CASH</Cd>
>>>>>> </Tp>
>>>>>> <Ccy>USD</Ccy>
>>>>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>>>>> <MnthlyTxNb>100</MnthlyTxNb>
>>>>>> <AvrgBal>10000</AvrgBal>
>>>>>> </Acct>
>>>>>> <CtrctDts>
>>>>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>>>>> </CtrctDts>
>>>>>> <UndrlygMstrAgrmt>
>>>>>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>>>>> <Vrsn>1.0</Vrsn>
>>>>>> </UndrlygMstrAgrmt>
>>>>>> <AcctSvcrId>
>>>>>> <FinInstnId>
>>>>>> <BICFI>BBBBUS33</BICFI>
>>>>>> </FinInstnId>
>>>>>> </AcctSvcrId>
>>>>>> <Org>
>>>>>> <FullLglNm>ABC Corporation</FullLglNm>
>>>>>> <CtryOfOpr>US</CtryOfOpr>
>>>>>> <RegnDt>1999-09-01</RegnDt>
>>>>>> <LglAdr>
>>>>>> <StrtNm>Times Square</StrtNm>
>>>>>> <BldgNb>7</BldgNb>
>>>>>> <PstCd>NY 10036</PstCd>
>>>>>> <TwnNm>New York</TwnNm>
>>>>>> <Ctry>US</Ctry>
>>>>>> </LglAdr>
>>>>>> <OrgId>
>>>>>> <Othr>
>>>>>> <Id>01256485-85</Id>
>>>>>> <SchmeNm>
>>>>>> <Prtry>TAX</Prtry>
>>>>>> </SchmeNm>
>>>>>> </Othr>
>>>>>> </OrgId>
>>>>>> <MainMndtHldr>
>>>>>> <Nm>Richard Jones</Nm>
>>>>>> <PstlAdr>
>>>>>> <AdrTp>HOME</AdrTp>
>>>>>> <StrtNm>La Guardia Drive</StrtNm>
>>>>>> <BldgNb>12</BldgNb>
>>>>>> <PstCd>NJ 07054</PstCd>
>>>>>> <TwnNm>Parsippany</TwnNm>
>>>>>> <Ctry>US</Ctry>
>>>>>> </PstlAdr>
>>>>>> <Id>
>>>>>> <DtAndPlcOfBirth>
>>>>>> <BirthDt>1960-05-01</BirthDt>
>>>>>> <CityOfBirth>New york</CityOfBirth>
>>>>>> <CtryOfBirth>US</CtryOfBirth>
>>>>>> </DtAndPlcOfBirth>
>>>>>> </Id>
>>>>>> </MainMndtHldr>
>>>>>> </Org>
>>>>>> <DgtlSgntr>
>>>>>> <Pty>
>>>>>> <Nm>fplou</Nm>
>>>>>> </Pty>
>>>>>> <Sgntr>
>>>>>>
>>>>>> </Sgntr>
>>>>>> </DgtlSgntr>
>>>>>> </AcctOpngReq>
>>>>>> </Document>
>>>>>> == PreDigest data - end buffer
>>>>>> == Result - start buffer:
>>>>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>>>>> == Result - end buffer
>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>> == Status: succeeded
>>>>>> == URI: "sign.sh"
>>>>>> == Reference Transform Ctx:
>>>>>> == TRANSFORMS CTX (status=2)
>>>>>> == flags: 0x00000000
>>>>>> == flags2: 0x00000000
>>>>>> == enabled transforms: all
>>>>>> === uri: sign.sh
>>>>>> === uri xpointer expr: NULL
>>>>>> === Transform: input-uri (href=NULL)
>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>> == Digest Method:
>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>> == PreDigest data - start buffer:
>>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>
>>>>>> == PreDigest data - end buffer
>>>>>> == Result - start buffer:
>>>>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>>>>> == Result - end buffer
>>>>>> == Result - start buffer:
>>>>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>>>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>>>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>>>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>>>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>>>>> uD2ZSS1bWu236lKh1elKWw==
>>>>>> == Result - end buffer
>>>>>>
>>>>>>
>>>>>> François
>>>>>>
>>>>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>>>>> Try "--store-references" option to see what exactly was signed. Just
>>>>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>>>>> suspicious.
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I am facing an issue trying to sign an XML document which makes
>>>>>>>> reference to an external file.
>>>>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>>>>> verified by a tool like Apache XML Security.
>>>>>>>> I am pretty sure there is something missing in the XML document I give
>>>>>>>> to xmlsec but can't figure out what.
>>>>>>>>
>>>>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>>>>> The command I use is: xmlsec1 --sign --output fpl.xml --privkey <key>
>>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>>> The output document is fpl.xml
>>>>>>>>
>>>>>>>> The digest which is not the same as the one computed by Apache XML
>>>>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>>>>
>>>>>>>> I found that the expected digest matches the enclosed manifest3.xml file
>>>>>>>> (I built it manually).
>>>>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>>>>
>>>>>>>> Do you have any idea what can be wrong in my
>>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file? Do I need to add a
>>>>>>>> transform?
>>>>>>>>
>>>>>>>> Thanks for your help.
>>>>>>>>
>>>>>>>> Francois
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> xmlsec mailing list
>>>>>>>> xmlsec at aleksey.com
>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: acmt.007.001.02_1.skel.1sign.object2.xml
Type: text/xml
Size: 3020 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20140411/68d672b4/attachment-0001.xml>
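Added example (editor's code, not from the thread or from the xmlsec project): a stand-alone Python script that replays the transform chain the --store-references dump prints for #manifest (xpointer, enveloped-signature, c14n, sha1) against a constructed, cut-down copy of the signed file above. It reproduces the digest in question and, on the editor's reading of the transform's definition in XMLDSig section 6.6.4, shows where it comes from: enveloped-signature removes the whole ds:Signature that contains the Reference, and a ds:Manifest placed under ds:Object sits inside that Signature, so after the transform the node-set is empty and SHA-1 runs over zero bytes (2jmj7l5rSw0yVb/vlWAYkK/YBwk=, the same value as openssl dgst -sha1 -binary /dev/null). That is a security problem as well as an interoperability one: a Reference whose digest covers nothing does not bind the Manifest, so any verifier that applies the transform the same way would accept arbitrary Manifest content, and neither sign.sh nor the enveloping document is actually protected by the signature. The script also carries a small template lint, manifest_reference_problems, that flags this pattern, and a FIXED_DOC with the Transform dropped from the SignedInfo Reference (the Manifest's own URI="" Reference is where enveloped-signature belongs). Assumptions: the standard library's xml.etree.ElementTree.canonicalize implements C14N 2.0 and is taken to match inclusive C14N 1.0 for this subtree; the sample document, the FIXED_DOC name and the function names are the editor's; the sign.sh and URI="" digests from the thread are not recomputed, since they depend on the exact bytes of those inputs.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DSIG + "enveloped-signature"
MANIFEST_TYPE = DSIG + "Manifest"
ET.register_namespace("", DSIG)  # serialise ds: elements with a default xmlns, as in the posted file

# Constructed cut-down copy of the signed file from the thread; only the Signature's shape matters here.
SIGNED_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq><DgtlSgntr><Pty><Nm>fplou</Nm></Pty><Sgntr>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue>
</Reference>
</SignedInfo>
<Object><Manifest Id="manifest">
<Reference URI="">
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
</Reference>
<Reference URI="sign.sh">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
</Reference>
</Manifest></Object>
</Signature>
</Sgntr></DgtlSgntr></AcctOpngReq></Document>
"""
# Same template minus the Transform on the SignedInfo Reference (first occurrence only).
FIXED_DOC = SIGNED_DOC.replace(
    b'<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>\n',
    b"", 1)

def sha1_b64(data):
    """DigestValue as XMLDSig encodes it: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def _parents(root):
    return {child: parent for parent in root.iter() for child in parent}

def _ancestors(node, parents):
    while node in parents:
        node = parents[node]
        yield node

def _inside(node, container, parents):
    return node is container or container in _ancestors(node, parents)

def _by_id(root, ident):
    return next((e for e in root.iter() if e.get("Id") == ident), None)

def enveloped_signature(node, signature, parents):
    """XMLDSig 6.6.4: drop the whole ds:Signature containing the Reference. A node inside that
    Signature (a Manifest under ds:Object) goes with it, leaving an empty node-set (None)."""
    if _inside(node, signature, parents):
        return None
    out = ET.fromstring(ET.tostring(node))  # work on a copy, the caller's tree stays intact
    out_parents = _parents(out)
    for sig in list(out.iter("{%s}Signature" % DSIG)):
        out_parents[sig].remove(sig)
    return out

def c14n_sha1(node):
    """Canonicalise and digest; an empty node-set digests zero bytes. Assumption: ET.canonicalize
    is C14N 2.0, whose bytes equal inclusive C14N 1.0 for a ds:Manifest subtree like this one."""
    if node is None:
        return sha1_b64(b"")
    return sha1_b64(ET.canonicalize(ET.tostring(node, encoding="unicode")).encode("utf-8"))

def reference_digest(doc_bytes, uri, skip_enveloped=False):
    """Same-document Reference as the dump lists it: xpointer -> enveloped-signature -> c14n -> sha1."""
    root = ET.fromstring(doc_bytes)
    parents = _parents(root)
    ref = next(r for r in root.iter("{%s}Reference" % DSIG) if r.get("URI") == uri)
    signature = next(a for a in _ancestors(ref, parents) if a.tag == "{%s}Signature" % DSIG)
    node = _by_id(root, uri[1:])
    algs = [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DSIG)]
    if ENVELOPED in algs and not skip_enveloped:
        node = enveloped_signature(node, signature, parents)
    return c14n_sha1(node)

def manifest_reference_problems(doc_bytes):
    """Template lint: Type=Manifest References whose transform chain leaves nothing to digest."""
    root = ET.fromstring(doc_bytes)
    parents = _parents(root)
    problems = []
    for ref in root.iter("{%s}Reference" % DSIG):
        uri = ref.get("URI", "")
        if ref.get("Type") != MANIFEST_TYPE or not uri.startswith("#"):
            continue
        target = _by_id(root, uri[1:])
        signature = next(a for a in _ancestors(ref, parents) if a.tag == "{%s}Signature" % DSIG)
        algs = [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DSIG)]
        if target is not None and ENVELOPED in algs and _inside(target, signature, parents):
            problems.append(uri + ": enveloped-signature removes the Manifest itself, nothing is digested")
    return problems
```

Calling reference_digest(SIGNED_DOC, "#manifest") returns the empty-input digest from the dump; with skip_enveloped=True, or against FIXED_DOC, it returns the SHA-1 of the canonicalised Manifest instead, and manifest_reference_problems(SIGNED_DOC) names the offending Reference while returning an empty list for FIXED_DOC. Whether that canonical digest equals the M3eHHYZ3d//5HW/Gp583TrV/K4I= Apache expected depends on the exact whitespace and Id value of the Manifest being signed, which is why the script checks structure rather than comparing against that constant.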