[xmlsec] Fwd: Re: Bad digest in #Manifest
Aleksey Sanin
aleksey at aleksey.com
Fri Apr 11 08:44:33 PDT 2014
Remove the transforms section from the Manifest type reference:
<Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest"
URI="#manifest">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
Otherwise you apply the enveloped signature transform to the results of the
manifest and as a result you get an empty node set/empty string.
Aleksey
On 4/11/14, 12:40 AM, François Plou wrote:
> Thanks for your answer.
> I tried it but I always get this incorrect digest.
>
> I modified the xml template according to what I found in the samples and
> according to your previous mail (see acmt.007.001.02_1.skel.1sign.object2.xml).
> The xmlsec1 output still shows the bad digest for #manifest :
>
> = SIGNATURE CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000002
> ==== keyUsage: 0x00000001
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Private
> === key usage: -1
> === rsa key: size = 2048
> == SignedInfo References List:
> === list size: 1
> = REFERENCE CALCULATION CONTEXT
> == Status: succeeded
> == URI: "#manifest"
> == Type: "http://www.w3.org/2000/09/xmldsig#Manifest"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri:
> === uri xpointer expr: #manifest
> === Transform: xpointer
> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: enveloped-signature
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n
> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Result - start buffer:
> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
> == Result - end buffer
> == Manifest References List:
> === list size: 2
> = REFERENCE CALCULATION CONTEXT
> == Status: succeeded
> == URI: ""
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: enveloped-signature
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
> <AcctOpngReq>
> <Refs>
> <MsgId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </MsgId>
> <PrcId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </PrcId>
> </Refs>
> <Acct>
> <Id>
> <Othr>
> <Id>NOREF2</Id>
> </Othr>
> </Id>
> <Tp>
> <Cd>CASH</Cd>
> </Tp>
> <Ccy>USD</Ccy>
> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
> <MnthlyTxNb>100</MnthlyTxNb>
> <AvrgBal>10000</AvrgBal>
> </Acct>
> <CtrctDts>
> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
> </CtrctDts>
> <UndrlygMstrAgrmt>
> <Ref>ABC/Acct/BBBBUS33</Ref>
> <Vrsn>1.0</Vrsn>
> </UndrlygMstrAgrmt>
> <AcctSvcrId>
> <FinInstnId>
> <BICFI>BBBBUS33</BICFI>
> </FinInstnId>
> </AcctSvcrId>
> <Org>
> <FullLglNm>ABC Corporation</FullLglNm>
> <CtryOfOpr>US</CtryOfOpr>
> <RegnDt>1999-09-01</RegnDt>
> <LglAdr>
> <StrtNm>Times Square</StrtNm>
> <BldgNb>7</BldgNb>
> <PstCd>NY 10036</PstCd>
> <TwnNm>New York</TwnNm>
> <Ctry>US</Ctry>
> </LglAdr>
> <OrgId>
> <Othr>
> <Id>01256485-85</Id>
> <SchmeNm>
> <Prtry>TAX</Prtry>
> </SchmeNm>
> </Othr>
> </OrgId>
> <MainMndtHldr>
> <Nm>Richard Jones</Nm>
> <PstlAdr>
> <AdrTp>HOME</AdrTp>
> <StrtNm>La Guardia Drive</StrtNm>
> <BldgNb>12</BldgNb>
> <PstCd>NJ 07054</PstCd>
> <TwnNm>Parsippany</TwnNm>
> <Ctry>US</Ctry>
> </PstlAdr>
> <Id>
> <DtAndPlcOfBirth>
> <BirthDt>1960-05-01</BirthDt>
> <CityOfBirth>New york</CityOfBirth>
> <CtryOfBirth>US</CtryOfBirth>
> </DtAndPlcOfBirth>
> </Id>
> </MainMndtHldr>
> </Org>
> <DgtlSgntr>
> <Pty>
> <Nm>fplou</Nm>
> </Pty>
> <Sgntr>
>
> </Sgntr>
> </DgtlSgntr>
> </AcctOpngReq>
> </Document>
> == PreDigest data - end buffer
> == Result - start buffer:
> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
> == Result - end buffer
> = REFERENCE CALCULATION CONTEXT
> == Status: succeeded
> == URI: "sign.sh"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: sign.sh
> === uri xpointer expr: NULL
> === Transform: input-uri (href=NULL)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
> acmt.007.001.02_1.skel.1sign.object2.xml
>
> == PreDigest data - end buffer
> == Result - start buffer:
> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
> == Result - end buffer
> == Result - start buffer:
> x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
> 1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
> PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
> zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
> fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
> KEvAz2lVM8oCsYgURmlGbA==
> == Result - end buffer
>
>
>
>
>
> The generated xml file :
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
> <AcctOpngReq>
> <Refs>
> <MsgId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </MsgId>
> <PrcId>
> <Id>ABC/090928/CCT001</Id>
> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
> </PrcId>
> </Refs>
> <Acct>
> <Id>
> <Othr>
> <Id>NOREF2</Id>
> </Othr>
> </Id>
> <Tp>
> <Cd>CASH</Cd>
> </Tp>
> <Ccy>USD</Ccy>
> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
> <MnthlyTxNb>100</MnthlyTxNb>
> <AvrgBal>10000</AvrgBal>
> </Acct>
> <CtrctDts>
> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
> </CtrctDts>
> <UndrlygMstrAgrmt>
> <Ref>ABC/Acct/BBBBUS33</Ref>
> <Vrsn>1.0</Vrsn>
> </UndrlygMstrAgrmt>
> <AcctSvcrId>
> <FinInstnId>
> <BICFI>BBBBUS33</BICFI>
> </FinInstnId>
> </AcctSvcrId>
> <Org>
> <FullLglNm>ABC Corporation</FullLglNm>
> <CtryOfOpr>US</CtryOfOpr>
> <RegnDt>1999-09-01</RegnDt>
> <LglAdr>
> <StrtNm>Times Square</StrtNm>
> <BldgNb>7</BldgNb>
> <PstCd>NY 10036</PstCd>
> <TwnNm>New York</TwnNm>
> <Ctry>US</Ctry>
> </LglAdr>
> <OrgId>
> <Othr>
> <Id>01256485-85</Id>
> <SchmeNm>
> <Prtry>TAX</Prtry>
> </SchmeNm>
> </Othr>
> </OrgId>
> <MainMndtHldr>
> <Nm>Richard Jones</Nm>
> <PstlAdr>
> <AdrTp>HOME</AdrTp>
> <StrtNm>La Guardia Drive</StrtNm>
> <BldgNb>12</BldgNb>
> <PstCd>NJ 07054</PstCd>
> <TwnNm>Parsippany</TwnNm>
> <Ctry>US</Ctry>
> </PstlAdr>
> <Id>
> <DtAndPlcOfBirth>
> <BirthDt>1960-05-01</BirthDt>
> <CityOfBirth>New york</CityOfBirth>
> <CtryOfBirth>US</CtryOfBirth>
> </DtAndPlcOfBirth>
> </Id>
> </MainMndtHldr>
> </Org>
> <DgtlSgntr>
> <Pty>
> <Nm>fplou</Nm>
> </Pty>
> <Sgntr>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference
> Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue>
> </Reference>
> </SignedInfo>
>
> <SignatureValue>x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
> 1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
> PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
> zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
> fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
> KEvAz2lVM8oCsYgURmlGbA==</SignatureValue>
> <KeyInfo>
> <KeyValue>
> <RSAKeyValue>
> <Modulus>
> 6YkxawwM+ydRECsRK+t1ONIAI6ZHz1zZyohEdtqYso/2a5/nDTst4MKT4mFYr3Gp
> BlOgfSYxC0pUXWC3iSAIAbvcjNSQMSgeiAiJL4pbzX/5uYyBIXFHNdSuOQVyoSJB
> jDaPx19UyMqmZaLn5Flj7YVmpUyPAR1V4DHSmHGC4gDSqUHEphVHU/lnjnB+KEGm
> W03J6OzVjJi7bK/EmZjliOHZhgsNY1FmYesZsbI1GI/RsuBBA3NxvcAC0kXBUJ4n
> qHW7y7Ww8Yv77sFP/2g5s/fqW7HrnUnVh/xf3bs2a6EuriY4BI9M8YEmF0EGpbth
> ycR4QLM0jQPdGBEamqitFQ==
> </Modulus>
> <Exponent>
> AQAB
> </Exponent>
> </RSAKeyValue>
> </KeyValue>
> </KeyInfo>
> <Object>
> <Manifest Id="manifest">
> <Reference URI="">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
> </Reference>
> <Reference URI="sign.sh">
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
> </Reference>
> </Manifest>
> </Object>
> </Signature>
> </Sgntr>
> </DgtlSgntr>
> </AcctOpngReq>
> </Document>
>
> Regards
>
> François
>
> On 10/04/2014 18:29, Aleksey Sanin wrote:
>> To process manifests according to the xmldsig spec the ref type
>> should be specified:
>>
>> <Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest"
>> URI="#Manifest">
>> ...
>> </>
>>
>> XMLSec package contains a few test vectors that show manifests usage.
>>
>> Best,
>>
>> Aleksey
>>
>> On 4/10/14, 5:40 AM, François Plou wrote:
>>> I found the problem, but don't know yet what really happens in the
>>> source code.
>>> I put some traces and I discovered that digest
>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer.
>>> If you execute the following command openssl dgst -sha1 -binary
>>> /dev/null | openssl enc -base64, you also get this digest.
>>>
>>> So it seems xmlsec1 can't process correctly the #Manifest part :
>>>
>>> <Object>
>>> <Manifest Id="Manifest">
>>> <Reference URI="">
>>> <Transforms>
>>> <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>> </Transforms>
>>> <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> <DigestValue></DigestValue>
>>> </Reference>
>>> <Reference URI="sign.sh">
>>> <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> <DigestValue></DigestValue>
>>> </Reference>
>>> </Manifest>
>>> </Object>
>>>
>>>
>>> Regards.
>>>
>>> François
>>>
>>> On 10/04/2014 11:31, François Plou wrote:
>>>> Not really :-(
>>>>
>>>> The store-references option does not display the xml part that matches
>>>> the digest displayed :
>>>>
>>>> == Status: succeeded
>>>> == URI: "#Manifest"
>>>> == Reference Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri:
>>>> === uri xpointer expr: #Manifest
>>>> === Transform: xpointer
>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>> === Transform: enveloped-signature
>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>> === Transform: c14n
>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>> === Transform: membuf-transform (href=NULL)
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Digest Method:
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> == Result - start buffer:
>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>> == Result - end buffer
>>>> The #Manifest is processed and --store-references provides the digest
>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part that was used to
>>>> provide this digest.
>>>>
>>>> This digest does not match the one produced by Apache XML Security.
>>>> Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= which matches the
>>>> following XML part :
>>>>
>>>> <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
>>>> <Reference URI="">
>>>> <Transforms>
>>>> <Transform
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>>>> </Transforms>
>>>> <DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>>>
>>>> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
>>>> </Reference>
>>>> <Reference URI="sign.sh">
>>>> <DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>>>
>>>> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
>>>> </Reference>
>>>> </Manifest>
>>>>
>>>> So I am trying to figure out what XML part is used by xmlsec1.
>>>>
>>>> Regards
>>>>
>>>> François
>>>>
>>>> On 09/04/2014 20:12, Aleksey Sanin wrote:
>>>>> This is exactly what --store-references option does :)
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 4/9/14, 10:15 AM, François Plou wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to discover what xml part is digested to understand why I
>>>>>> got another digest value than the one calculated by java XmlDsig API.
>>>>>> To do that I try to add some trace in the code just before the digest
>>>>>> algorithm but I was unable yet to find the right position.
>>>>>> Could you provide me a clue where to add trace in the source code ?
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>> Francois
>>>>>>
>>>>>>
>>>>>> On 07/04/2014 14:49, François Plou wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Below is the result of --store-references option :
>>>>>>>
>>>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>>>>>> = SIGNATURE CONTEXT
>>>>>>> == Status: succeeded
>>>>>>> == flags: 0x00000006
>>>>>>> == flags2: 0x00000000
>>>>>>> == Key Info Read Ctx:
>>>>>>> = KEY INFO READ CONTEXT
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled key data: all
>>>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>>>> == TRANSFORMS CTX (status=0)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: NULL
>>>>>>> === uri xpointer expr: NULL
>>>>>>> == EncryptedKey level (cur/max): 0/1
>>>>>>> === KeyReq:
>>>>>>> ==== keyId: rsa
>>>>>>> ==== keyType: 0x00000002
>>>>>>> ==== keyUsage: 0x00000001
>>>>>>> ==== keyBitsSize: 0
>>>>>>> === list size: 0
>>>>>>> == Key Info Write Ctx:
>>>>>>> = KEY INFO WRITE CONTEXT
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled key data: all
>>>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>>>> == TRANSFORMS CTX (status=0)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: NULL
>>>>>>> === uri xpointer expr: NULL
>>>>>>> == EncryptedKey level (cur/max): 0/1
>>>>>>> === KeyReq:
>>>>>>> ==== keyId: NULL
>>>>>>> ==== keyType: 0x00000001
>>>>>>> ==== keyUsage: 0xffffffff
>>>>>>> ==== keyBitsSize: 0
>>>>>>> === list size: 0
>>>>>>> == Signature Transform Ctx:
>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: NULL
>>>>>>> === uri xpointer expr: NULL
>>>>>>> === Transform: c14n
>>>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> == Signature Method:
>>>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>>>> == Signature Key:
>>>>>>> == KEY
>>>>>>> === method: RSAKeyValue
>>>>>>> === key type: Private
>>>>>>> === key usage: -1
>>>>>>> === rsa key: size = 2048
>>>>>>> == SignedInfo References List:
>>>>>>> === list size: 1
>>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>>> == Status: succeeded
>>>>>>> == URI: "#Manifest"
>>>>>>> == Reference Transform Ctx:
>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri:
>>>>>>> === uri xpointer expr: #Manifest
>>>>>>> === Transform: xpointer
>>>>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>>>>> === Transform: enveloped-signature
>>>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>>>> === Transform: c14n
>>>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> == Digest Method:
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> == Result - start buffer:
>>>>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>>> == Result - end buffer
>>>>>>> == Manifest References List:
>>>>>>> === list size: 2
>>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>>> == Status: succeeded
>>>>>>> == URI: ""
>>>>>>> == Reference Transform Ctx:
>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: NULL
>>>>>>> === uri xpointer expr: NULL
>>>>>>> === Transform: enveloped-signature
>>>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>>>> === Transform: c14n
>>>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> == Digest Method:
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> == PreDigest data - start buffer:
>>>>>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>>>>>> <AcctOpngReq>
>>>>>>> <Refs>
>>>>>>> <MsgId>
>>>>>>> <Id>ABC/090928/CCT001</Id>
>>>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>>> </MsgId>
>>>>>>> <PrcId>
>>>>>>> <Id>ABC/090928/CCT001</Id>
>>>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>>> </PrcId>
>>>>>>> </Refs>
>>>>>>> <Acct>
>>>>>>> <Id>
>>>>>>> <Othr>
>>>>>>> <Id>NOREF2</Id>
>>>>>>> </Othr>
>>>>>>> </Id>
>>>>>>> <Tp>
>>>>>>> <Cd>CASH</Cd>
>>>>>>> </Tp>
>>>>>>> <Ccy>USD</Ccy>
>>>>>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>>>>>> <MnthlyTxNb>100</MnthlyTxNb>
>>>>>>> <AvrgBal>10000</AvrgBal>
>>>>>>> </Acct>
>>>>>>> <CtrctDts>
>>>>>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>>>>>> </CtrctDts>
>>>>>>> <UndrlygMstrAgrmt>
>>>>>>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>>>>>> <Vrsn>1.0</Vrsn>
>>>>>>> </UndrlygMstrAgrmt>
>>>>>>> <AcctSvcrId>
>>>>>>> <FinInstnId>
>>>>>>> <BICFI>BBBBUS33</BICFI>
>>>>>>> </FinInstnId>
>>>>>>> </AcctSvcrId>
>>>>>>> <Org>
>>>>>>> <FullLglNm>ABC Corporation</FullLglNm>
>>>>>>> <CtryOfOpr>US</CtryOfOpr>
>>>>>>> <RegnDt>1999-09-01</RegnDt>
>>>>>>> <LglAdr>
>>>>>>> <StrtNm>Times Square</StrtNm>
>>>>>>> <BldgNb>7</BldgNb>
>>>>>>> <PstCd>NY 10036</PstCd>
>>>>>>> <TwnNm>New York</TwnNm>
>>>>>>> <Ctry>US</Ctry>
>>>>>>> </LglAdr>
>>>>>>> <OrgId>
>>>>>>> <Othr>
>>>>>>> <Id>01256485-85</Id>
>>>>>>> <SchmeNm>
>>>>>>> <Prtry>TAX</Prtry>
>>>>>>> </SchmeNm>
>>>>>>> </Othr>
>>>>>>> </OrgId>
>>>>>>> <MainMndtHldr>
>>>>>>> <Nm>Richard Jones</Nm>
>>>>>>> <PstlAdr>
>>>>>>> <AdrTp>HOME</AdrTp>
>>>>>>> <StrtNm>La Guardia Drive</StrtNm>
>>>>>>> <BldgNb>12</BldgNb>
>>>>>>> <PstCd>NJ 07054</PstCd>
>>>>>>> <TwnNm>Parsippany</TwnNm>
>>>>>>> <Ctry>US</Ctry>
>>>>>>> </PstlAdr>
>>>>>>> <Id>
>>>>>>> <DtAndPlcOfBirth>
>>>>>>> <BirthDt>1960-05-01</BirthDt>
>>>>>>> <CityOfBirth>New york</CityOfBirth>
>>>>>>> <CtryOfBirth>US</CtryOfBirth>
>>>>>>> </DtAndPlcOfBirth>
>>>>>>> </Id>
>>>>>>> </MainMndtHldr>
>>>>>>> </Org>
>>>>>>> <DgtlSgntr>
>>>>>>> <Pty>
>>>>>>> <Nm>fplou</Nm>
>>>>>>> </Pty>
>>>>>>> <Sgntr>
>>>>>>>
>>>>>>> </Sgntr>
>>>>>>> </DgtlSgntr>
>>>>>>> </AcctOpngReq>
>>>>>>> </Document>
>>>>>>> == PreDigest data - end buffer
>>>>>>> == Result - start buffer:
>>>>>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>>>>>> == Result - end buffer
>>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>>> == Status: succeeded
>>>>>>> == URI: "sign.sh"
>>>>>>> == Reference Transform Ctx:
>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: sign.sh
>>>>>>> === uri xpointer expr: NULL
>>>>>>> === Transform: input-uri (href=NULL)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> == Digest Method:
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> == PreDigest data - start buffer:
>>>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>>
>>>>>>> == PreDigest data - end buffer
>>>>>>> == Result - start buffer:
>>>>>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>>>>>> == Result - end buffer
>>>>>>> == Result - start buffer:
>>>>>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>>>>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>>>>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>>>>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>>>>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>>>>>> uD2ZSS1bWu236lKh1elKWw==
>>>>>>> == Result - end buffer
>>>>>>>
>>>>>>>
>>>>>>> François
>>>>>>>
>>>>>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>>>>>> Try "--store-references" option to see what exactly was signed. Just
>>>>>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>>>>>> suspicious.
>>>>>>>>
>>>>>>>> Aleksey
>>>>>>>>
>>>>>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am facing an issue trying to sign an xml document which makes
>>>>>>>>> reference to an external file.
>>>>>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>>>>>> verified by tools like Apache XML Security.
>>>>>>>>> I am pretty sure there is something missing in the XML document I give
>>>>>>>>> to xmlsec but can't figure what.
>>>>>>>>>
>>>>>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>>>>>> The command I use is : xmlsec1 --sign --output fpl.xml --privkey <key>
>>>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>>>> The output document is fpl.xml
>>>>>>>>>
>>>>>>>>> The digest which is not the same as the one computed by Apache XML
>>>>>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>>>>>
>>>>>>>>> I found that the expected digest matches the manifest3.xml file enclosed
>>>>>>>>> (I built it manually).
>>>>>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>>>>>
>>>>>>>>> Do you have any idea what can be wrong in my
>>>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>>>>>>>> transform ?
>>>>>>>>>
>>>>>>>>> Thanks for your help.
>>>>>>>>>
>>>>>>>>> Francois
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> xmlsec mailing list
>>>>>>>>> xmlsec at aleksey.com
>>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>>>
>
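The failure mode resolved at the top of this thread, as an added example that is not part of the original messages or of xmlsec: a signature can report "succeeded" while a Reference digest covers nothing. The sketch below audits a signed document for Reference digests equal to the digest of empty input and for the cause named in the reply (an enveloped-signature transform on a Reference that points inside its own Signature). The function names and the trimmed sample documents are constructed for illustration; the digest values are the ones quoted in the thread.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"

# DigestMethod URI -> hashlib algorithm name
DIGESTS = {
    DS + "sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}


def empty_digest(algorithm_uri):
    """Base64 digest of zero bytes for the given DigestMethod URI."""
    name = DIGESTS[algorithm_uri]
    return base64.b64encode(hashlib.new(name, b"").digest()).decode()


def audit_references(xml_text):
    """Return (URI, finding) pairs for References that protect nothing."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        # Ids of elements that live inside this Signature (e.g. the Manifest).
        ids_inside = {el.get("Id") for el in sig.iter() if el.get("Id")}
        for ref in sig.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            method = ref.find(f"{{{DS}}}DigestMethod")
            algo = method.get("Algorithm") if method is not None else None
            value = ref.findtext(f"{{{DS}}}DigestValue", default="").strip()
            transforms = [t.get("Algorithm")
                          for t in ref.iter(f"{{{DS}}}Transform")]
            if algo in DIGESTS and value == empty_digest(algo):
                findings.append((uri, "digest-of-empty-input"))
            # The enveloped transform drops the whole Signature subtree, so a
            # same-document target inside that subtree becomes an empty node set.
            if (uri.startswith("#") and uri[1:] in ids_inside
                    and ENVELOPED in transforms):
                findings.append((uri, "enveloped-transform-on-inner-target"))
    return findings


def sample(transforms, digest):
    """Constructed, trimmed document shaped like the one in the thread."""
    return f"""<Document xmlns="urn:example:constructed">
  <Signature xmlns="{DS}">
    <SignedInfo>
      <Reference Type="{DS}Manifest" URI="#Manifest">
        {transforms}
        <DigestMethod Algorithm="{DS}sha1"/>
        <DigestValue>{digest}</DigestValue>
      </Reference>
    </SignedInfo>
    <Object>
      <Manifest Id="Manifest">
        <Reference URI="sign.sh">
          <DigestMethod Algorithm="{DS}sha1"/>
          <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
        </Reference>
      </Manifest>
    </Object>
  </Signature>
</Document>"""


# Template as first signed in the thread: enveloped transform on #Manifest.
BAD = sample(f'<Transforms><Transform Algorithm="{ENVELOPED}"/></Transforms>',
             "2jmj7l5rSw0yVb/vlWAYkK/YBwk=")
# Transforms removed as advised; digest is the value Apache expected in the thread.
FIXED = sample("", "M3eHHYZ3d//5HW/Gp583TrV/K4I=")

if __name__ == "__main__":
    for label, doc in (("bad", BAD), ("fixed", FIXED)):
        print(label, audit_references(doc))
```
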