[xmlsec] Fwd: Re: Bad digest in #Manifest
François Plou
fplou at webank.fr
Thu Apr 24 09:38:31 PDT 2014
Thanks for your answer.
I will conduct some interoperability tests but right now the digest is good.
Regards.
François
Le 11/04/2014 17:44, Aleksey Sanin a écrit :
> Remove transforms section from the Manifest type reference:
>
> <Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest"
> URI="#manifest">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue></DigestValue>
> </Reference>
>
> Otherwise you apply enveloped signature transform to the results of the
> manifest and as the result you get empty node set/empty string.
>
> Aleksey
>
> On 4/11/14, 12:40 AM, François Plou wrote:
>> Thanks for your answer.
>> I tried it but I always get this incorrect digest.
>>
>> I modified the xml template according what I found in samples and
>> according your previous mail (see acmt.007.001.02_1.skel.1sign.object2.xml).
>> The xmlsec1 output still shows the bad digest for #manifest :
>>
>> = SIGNATURE CONTEXT
>> == Status: succeeded
>> == flags: 0x00000006
>> == flags2: 0x00000000
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000002
>> ==== keyUsage: 0x00000001
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Signature Method:
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> == Signature Key:
>> == KEY
>> === method: RSAKeyValue
>> === key type: Private
>> === key usage: -1
>> === rsa key: size = 2048
>> == SignedInfo References List:
>> === list size: 1
>> *= REFERENCE CALCULATION CONTEXT**
>> **== Status: succeeded**
>> **== URI: "#manifest"**
>> **== Type: "http://www.w3.org/2000/09/xmldsig#Manifest"**
>> **== Reference Transform Ctx:**
>> **== TRANSFORMS CTX (status=2)**
>> **== flags: 0x00000000**
>> **== flags2: 0x00000000**
>> **== enabled transforms: all**
>> **=== uri: **
>> **=== uri xpointer expr: #manifest**
>> **=== Transform: xpointer
>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)**
>> **=== Transform: enveloped-signature
>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)**
>> **=== Transform: c14n
>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)**
>> **=== Transform: membuf-transform (href=NULL)**
>> **=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)**
>> **=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)**
>> **=== Transform: membuf-transform (href=NULL)**
>> **== Digest Method:**
>> **=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)**
>> **== Result - start buffer:**
>> **2jmj7l5rSw0yVb/vlWAYkK/YBwk=**
>> **== Result - end buffer*
>> == Manifest References List:
>> === list size: 2
>> = REFERENCE CALCULATION CONTEXT
>> == Status: succeeded
>> == URI: ""
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: enveloped-signature
>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>> <AcctOpngReq>
>> <Refs>
>> <MsgId>
>> <Id>ABC/090928/CCT001</Id>
>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>> </MsgId>
>> <PrcId>
>> <Id>ABC/090928/CCT001</Id>
>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>> </PrcId>
>> </Refs>
>> <Acct>
>> <Id>
>> <Othr>
>> <Id>NOREF2</Id>
>> </Othr>
>> </Id>
>> <Tp>
>> <Cd>CASH</Cd>
>> </Tp>
>> <Ccy>USD</Ccy>
>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>> <MnthlyTxNb>100</MnthlyTxNb>
>> <AvrgBal>10000</AvrgBal>
>> </Acct>
>> <CtrctDts>
>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>> </CtrctDts>
>> <UndrlygMstrAgrmt>
>> <Ref>ABC/Acct/BBBBUS33</Ref>
>> <Vrsn>1.0</Vrsn>
>> </UndrlygMstrAgrmt>
>> <AcctSvcrId>
>> <FinInstnId>
>> <BICFI>BBBBUS33</BICFI>
>> </FinInstnId>
>> </AcctSvcrId>
>> <Org>
>> <FullLglNm>ABC Corporation</FullLglNm>
>> <CtryOfOpr>US</CtryOfOpr>
>> <RegnDt>1999-09-01</RegnDt>
>> <LglAdr>
>> <StrtNm>Times Square</StrtNm>
>> <BldgNb>7</BldgNb>
>> <PstCd>NY 10036</PstCd>
>> <TwnNm>New York</TwnNm>
>> <Ctry>US</Ctry>
>> </LglAdr>
>> <OrgId>
>> <Othr>
>> <Id>01256485-85</Id>
>> <SchmeNm>
>> <Prtry>TAX</Prtry>
>> </SchmeNm>
>> </Othr>
>> </OrgId>
>> <MainMndtHldr>
>> <Nm>Richard Jones</Nm>
>> <PstlAdr>
>> <AdrTp>HOME</AdrTp>
>> <StrtNm>La Guardia Drive</StrtNm>
>> <BldgNb>12</BldgNb>
>> <PstCd>NJ 07054</PstCd>
>> <TwnNm>Parsippany</TwnNm>
>> <Ctry>US</Ctry>
>> </PstlAdr>
>> <Id>
>> <DtAndPlcOfBirth>
>> <BirthDt>1960-05-01</BirthDt>
>> <CityOfBirth>New york</CityOfBirth>
>> <CtryOfBirth>US</CtryOfBirth>
>> </DtAndPlcOfBirth>
>> </Id>
>> </MainMndtHldr>
>> </Org>
>> <DgtlSgntr>
>> <Pty>
>> <Nm>fplou</Nm>
>> </Pty>
>> <Sgntr>
>>
>> </Sgntr>
>> </DgtlSgntr>
>> </AcctOpngReq>
>> </Document>
>> == PreDigest data - end buffer
>> == Result - start buffer:
>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>> == Result - end buffer
>> = REFERENCE CALCULATION CONTEXT
>> == Status: succeeded
>> == URI: "sign.sh"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: sign.sh
>> === uri xpointer expr: NULL
>> === Transform: input-uri (href=NULL)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>> acmt.007.001.02_1.skel.1sign.object2.xml
>>
>> == PreDigest data - end buffer
>> == Result - start buffer:
>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>> == Result - end buffer
>> == Result - start buffer:
>> x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
>> 1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
>> PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
>> zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
>> fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
>> KEvAz2lVM8oCsYgURmlGbA==
>> == Result - end buffer
>>
>>
>>
>>
>>
>> The generated xml file :
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>> <AcctOpngReq>
>> <Refs>
>> <MsgId>
>> <Id>ABC/090928/CCT001</Id>
>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>> </MsgId>
>> <PrcId>
>> <Id>ABC/090928/CCT001</Id>
>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>> </PrcId>
>> </Refs>
>> <Acct>
>> <Id>
>> <Othr>
>> <Id>NOREF2</Id>
>> </Othr>
>> </Id>
>> <Tp>
>> <Cd>CASH</Cd>
>> </Tp>
>> <Ccy>USD</Ccy>
>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>> <MnthlyTxNb>100</MnthlyTxNb>
>> <AvrgBal>10000</AvrgBal>
>> </Acct>
>> <CtrctDts>
>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>> </CtrctDts>
>> <UndrlygMstrAgrmt>
>> <Ref>ABC/Acct/BBBBUS33</Ref>
>> <Vrsn>1.0</Vrsn>
>> </UndrlygMstrAgrmt>
>> <AcctSvcrId>
>> <FinInstnId>
>> <BICFI>BBBBUS33</BICFI>
>> </FinInstnId>
>> </AcctSvcrId>
>> <Org>
>> <FullLglNm>ABC Corporation</FullLglNm>
>> <CtryOfOpr>US</CtryOfOpr>
>> <RegnDt>1999-09-01</RegnDt>
>> <LglAdr>
>> <StrtNm>Times Square</StrtNm>
>> <BldgNb>7</BldgNb>
>> <PstCd>NY 10036</PstCd>
>> <TwnNm>New York</TwnNm>
>> <Ctry>US</Ctry>
>> </LglAdr>
>> <OrgId>
>> <Othr>
>> <Id>01256485-85</Id>
>> <SchmeNm>
>> <Prtry>TAX</Prtry>
>> </SchmeNm>
>> </Othr>
>> </OrgId>
>> <MainMndtHldr>
>> <Nm>Richard Jones</Nm>
>> <PstlAdr>
>> <AdrTp>HOME</AdrTp>
>> <StrtNm>La Guardia Drive</StrtNm>
>> <BldgNb>12</BldgNb>
>> <PstCd>NJ 07054</PstCd>
>> <TwnNm>Parsippany</TwnNm>
>> <Ctry>US</Ctry>
>> </PstlAdr>
>> <Id>
>> <DtAndPlcOfBirth>
>> <BirthDt>1960-05-01</BirthDt>
>> <CityOfBirth>New york</CityOfBirth>
>> <CtryOfBirth>US</CtryOfBirth>
>> </DtAndPlcOfBirth>
>> </Id>
>> </MainMndtHldr>
>> </Org>
>> <DgtlSgntr>
>> <Pty>
>> <Nm>fplou</Nm>
>> </Pty>
>> <Sgntr>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>> <SignedInfo>
>> <CanonicalizationMethod
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>> <SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> <Reference
>> Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
>> <Transforms>
>> <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>> </Transforms>
>> <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>
>> <DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue>
>> </Reference>
>> </SignedInfo>
>>
>> <SignatureValue>x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
>> 1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
>> PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
>> zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
>> fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
>> KEvAz2lVM8oCsYgURmlGbA==</SignatureValue>
>> <KeyInfo>
>> <KeyValue>
>> <RSAKeyValue>
>> <Modulus>
>> 6YkxawwM+ydRECsRK+t1ONIAI6ZHz1zZyohEdtqYso/2a5/nDTst4MKT4mFYr3Gp
>> BlOgfSYxC0pUXWC3iSAIAbvcjNSQMSgeiAiJL4pbzX/5uYyBIXFHNdSuOQVyoSJB
>> jDaPx19UyMqmZaLn5Flj7YVmpUyPAR1V4DHSmHGC4gDSqUHEphVHU/lnjnB+KEGm
>> W03J6OzVjJi7bK/EmZjliOHZhgsNY1FmYesZsbI1GI/RsuBBA3NxvcAC0kXBUJ4n
>> qHW7y7Ww8Yv77sFP/2g5s/fqW7HrnUnVh/xf3bs2a6EuriY4BI9M8YEmF0EGpbth
>> ycR4QLM0jQPdGBEamqitFQ==
>> </Modulus>
>> <Exponent>
>> AQAB
>> </Exponent>
>> </RSAKeyValue>
>> </KeyValue>
>> </KeyInfo>
>> <Object>
>> <Manifest Id="manifest">
>> <Reference URI="">
>> <Transforms>
>> <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>> </Transforms>
>> <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>
>> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
>> </Reference>
>> <Reference URI="sign.sh">
>> <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>
>> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
>> </Reference>
>> </Manifest>
>> </Object>
>> </Signature>
>> </Sgntr>
>> </DgtlSgntr>
>> </AcctOpngReq>
>> </Document>
>>
>> Regards
>>
>> François
>>
>> Le 10/04/2014 18:29, Aleksey Sanin a écrit :
>>> To process manifests according to the xmldsig spec the ref type
>>> should be specified:
>>>
>>> <Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest"
>>> URI="#Manifest">
>>> ...
>>> </>
>>>
>>> XMLSec package contains a few test vectors that show manifests usage.
>>>
>>> Best,
>>>
>>> Aleksey
>>>
>>> On 4/10/14, 5:40 AM, François Plou wrote:
>>>> I found the problem, but don't know yet what really happens in the
>>>> source code.
>>>> I put some traces and I discovered that digest
>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer.
>>>> If you execute the following command openssl dgst -sha1 -binary
>>>> /dev/null | openssl enc -base64, you also get this digest.
>>>>
>>>> So it seems xmlsec1 can't process correctly the #Manifest part :
>>>>
>>>> <Object>
>>>> <Manifest Id="Manifest">
>>>> <Reference URI="">
>>>> <Transforms>
>>>> <Transform
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>> </Transforms>
>>>> <DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>> <DigestValue></DigestValue>
>>>> </Reference>
>>>> <Reference URI="sign.sh">
>>>> <DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>> <DigestValue></DigestValue>
>>>> </Reference>
>>>> </Manifest>
>>>> </Object>
>>>>
>>>>
>>>> Regards.
>>>>
>>>> François
>>>>
>>>> Le 10/04/2014 11:31, François Plou a écrit :
>>>>> Not really :-(
>>>>>
>>>>> The store-references option does not display the xml part who matches
>>>>> the digest displayed :
>>>>>
>>>>> == Status: succeeded
>>>>> == URI: "#Manifest"
>>>>> == Reference Transform Ctx:
>>>>> == TRANSFORMS CTX (status=2)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri:
>>>>> === uri xpointer expr: #Manifest
>>>>> === Transform: xpointer
>>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>>> === Transform: enveloped-signature
>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>> === Transform: c14n
>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> == Digest Method:
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> == Result - start buffer:
>>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>> == Result - end buffer
>>>>> The #Manifest is processed and --store-references provides the digest
>>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part who was used to
>>>>> provide this digest.
>>>>>
>>>>> This digest does not match the one produced by Apache XML Security.
>>>>> Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= who match the
>>>>> following XML part :
>>>>>
>>>>> <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
>>>>> <Reference URI="">
>>>>> <Transforms>
>>>>> <Transform
>>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>>>>> </Transforms>
>>>>> <DigestMethod
>>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>>>>
>>>>> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
>>>>> </Reference>
>>>>> <Reference URI="sign.sh">
>>>>> <DigestMethod
>>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>>>>
>>>>> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
>>>>> </Reference>
>>>>> </Manifest>
>>>>>
>>>>> So I am trying to figure what XML part is used by xmlsec1.
>>>>>
>>>>> Regards
>>>>>
>>>>> François
>>>>>
>>>>> Le 09/04/2014 20:12, Aleksey Sanin a écrit :
>>>>>> This is exactly what --store-references option does :)
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 4/9/14, 10:15 AM, François Plou wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am trying to discover what xml part is digested to understand why I
>>>>>>> got another digest value than the one calculated by java XmlDsig API.
>>>>>>> To do that I try to add some trace in the code just before the digest
>>>>>>> algorithm but I was unable yet to find the right position.
>>>>>>> Could you provide me a clue where to add trace in the source code ?
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>>> Francois
>>>>>>>
>>>>>>>
>>>>>>> Le 07/04/2014 14:49, François Plou a écrit :
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Below is the result of --store-references option :
>>>>>>>>
>>>>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>>>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>>>>>>> = SIGNATURE CONTEXT
>>>>>>>> == Status: succeeded
>>>>>>>> == flags: 0x00000006
>>>>>>>> == flags2: 0x00000000
>>>>>>>> == Key Info Read Ctx:
>>>>>>>> = KEY INFO READ CONTEXT
>>>>>>>> == flags: 0x00000000
>>>>>>>> == flags2: 0x00000000
>>>>>>>> == enabled key data: all
>>>>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>>>>> == TRANSFORMS CTX (status=0)
>>>>>>>> == flags: 0x00000000
>>>>>>>> == flags2: 0x00000000
>>>>>>>> == enabled transforms: all
>>>>>>>> === uri: NULL
>>>>>>>> === uri xpointer expr: NULL
>>>>>>>> == EncryptedKey level (cur/max): 0/1
>>>>>>>> === KeyReq:
>>>>>>>> ==== keyId: rsa
>>>>>>>> ==== keyType: 0x00000002
>>>>>>>> ==== keyUsage: 0x00000001
>>>>>>>> ==== keyBitsSize: 0
>>>>>>>> === list size: 0
>>>>>>>> == Key Info Write Ctx:
>>>>>>>> = KEY INFO WRITE CONTEXT
>>>>>>>> == flags: 0x00000000
>>>>>>>> == flags2: 0x00000000
>>>>>>>> == enabled key data: all
>>>>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>>>>> == TRANSFORMS CTX (status=0)
>>>>>>>> == flags: 0x00000000
>>>>>>>> == flags2: 0x00000000
>>>>>>>> == enabled transforms: all
>>>>>>>> === uri: NULL
>>>>>>>> === uri xpointer expr: NULL
>>>>>>>> == EncryptedKey level (cur/max): 0/1
>>>>>>>> === KeyReq:
>>>>>>>> ==== keyId: NULL
>>>>>>>> ==== keyType: 0x00000001
>>>>>>>> ==== keyUsage: 0xffffffff
>>>>>>>> ==== keyBitsSize: 0
>>>>>>>> === list size: 0
>>>>>>>> == Signature Transform Ctx:
>>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>>> == flags: 0x00000000
>>>>>>>> == flags2: 0x00000000
>>>>>>>> == enabled transforms: all
>>>>>>>> === uri: NULL
>>>>>>>> === uri xpointer expr: NULL
>>>>>>>> === Transform: c14n
>>>>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>>> == Signature Method:
>>>>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>>>>> == Signature Key:
>>>>>>>> == KEY
>>>>>>>> === method: RSAKeyValue
>>>>>>>> === key type: Private
>>>>>>>> === key usage: -1
>>>>>>>> === rsa key: size = 2048
>>>>>>>> == SignedInfo References List:
>>>>>>>> === list size: 1
>>>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>>>> == Status: succeeded
>>>>>>>> == URI: "#Manifest"
>>>>>>>> == Reference Transform Ctx:
>>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>>> == flags: 0x00000000
>>>>>>>> == flags2: 0x00000000
>>>>>>>> == enabled transforms: all
>>>>>>>> === uri:
>>>>>>>> === uri xpointer expr: #Manifest
>>>>>>>> === Transform: xpointer
>>>>>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>>>>>> === Transform: enveloped-signature
>>>>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>>>>> === Transform: c14n
>>>>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>>> == Digest Method:
>>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>>> == Result - start buffer:
>>>>>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>>>> == Result - end buffer
>>>>>>>> == Manifest References List:
>>>>>>>> === list size: 2
>>>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>>>> == Status: succeeded
>>>>>>>> == URI: ""
>>>>>>>> == Reference Transform Ctx:
>>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>>> == flags: 0x00000000
>>>>>>>> == flags2: 0x00000000
>>>>>>>> == enabled transforms: all
>>>>>>>> === uri: NULL
>>>>>>>> === uri xpointer expr: NULL
>>>>>>>> === Transform: enveloped-signature
>>>>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>>>>> === Transform: c14n
>>>>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>>> == Digest Method:
>>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>>> == PreDigest data - start buffer:
>>>>>>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>>>>>>> <AcctOpngReq>
>>>>>>>> <Refs>
>>>>>>>> <MsgId>
>>>>>>>> <Id>ABC/090928/CCT001</Id>
>>>>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>>>> </MsgId>
>>>>>>>> <PrcId>
>>>>>>>> <Id>ABC/090928/CCT001</Id>
>>>>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>>>> </PrcId>
>>>>>>>> </Refs>
>>>>>>>> <Acct>
>>>>>>>> <Id>
>>>>>>>> <Othr>
>>>>>>>> <Id>NOREF2</Id>
>>>>>>>> </Othr>
>>>>>>>> </Id>
>>>>>>>> <Tp>
>>>>>>>> <Cd>CASH</Cd>
>>>>>>>> </Tp>
>>>>>>>> <Ccy>USD</Ccy>
>>>>>>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>>>>>>> <MnthlyTxNb>100</MnthlyTxNb>
>>>>>>>> <AvrgBal>10000</AvrgBal>
>>>>>>>> </Acct>
>>>>>>>> <CtrctDts>
>>>>>>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>>>>>>> </CtrctDts>
>>>>>>>> <UndrlygMstrAgrmt>
>>>>>>>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>>>>>>> <Vrsn>1.0</Vrsn>
>>>>>>>> </UndrlygMstrAgrmt>
>>>>>>>> <AcctSvcrId>
>>>>>>>> <FinInstnId>
>>>>>>>> <BICFI>BBBBUS33</BICFI>
>>>>>>>> </FinInstnId>
>>>>>>>> </AcctSvcrId>
>>>>>>>> <Org>
>>>>>>>> <FullLglNm>ABC Corporation</FullLglNm>
>>>>>>>> <CtryOfOpr>US</CtryOfOpr>
>>>>>>>> <RegnDt>1999-09-01</RegnDt>
>>>>>>>> <LglAdr>
>>>>>>>> <StrtNm>Times Square</StrtNm>
>>>>>>>> <BldgNb>7</BldgNb>
>>>>>>>> <PstCd>NY 10036</PstCd>
>>>>>>>> <TwnNm>New York</TwnNm>
>>>>>>>> <Ctry>US</Ctry>
>>>>>>>> </LglAdr>
>>>>>>>> <OrgId>
>>>>>>>> <Othr>
>>>>>>>> <Id>01256485-85</Id>
>>>>>>>> <SchmeNm>
>>>>>>>> <Prtry>TAX</Prtry>
>>>>>>>> </SchmeNm>
>>>>>>>> </Othr>
>>>>>>>> </OrgId>
>>>>>>>> <MainMndtHldr>
>>>>>>>> <Nm>Richard Jones</Nm>
>>>>>>>> <PstlAdr>
>>>>>>>> <AdrTp>HOME</AdrTp>
>>>>>>>> <StrtNm>La Guardia Drive</StrtNm>
>>>>>>>> <BldgNb>12</BldgNb>
>>>>>>>> <PstCd>NJ 07054</PstCd>
>>>>>>>> <TwnNm>Parsippany</TwnNm>
>>>>>>>> <Ctry>US</Ctry>
>>>>>>>> </PstlAdr>
>>>>>>>> <Id>
>>>>>>>> <DtAndPlcOfBirth>
>>>>>>>> <BirthDt>1960-05-01</BirthDt>
>>>>>>>> <CityOfBirth>New york</CityOfBirth>
>>>>>>>> <CtryOfBirth>US</CtryOfBirth>
>>>>>>>> </DtAndPlcOfBirth>
>>>>>>>> </Id>
>>>>>>>> </MainMndtHldr>
>>>>>>>> </Org>
>>>>>>>> <DgtlSgntr>
>>>>>>>> <Pty>
>>>>>>>> <Nm>fplou</Nm>
>>>>>>>> </Pty>
>>>>>>>> <Sgntr>
>>>>>>>>
>>>>>>>> </Sgntr>
>>>>>>>> </DgtlSgntr>
>>>>>>>> </AcctOpngReq>
>>>>>>>> </Document>
>>>>>>>> == PreDigest data - end buffer
>>>>>>>> == Result - start buffer:
>>>>>>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>>>>>>> == Result - end buffer
>>>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>>>> == Status: succeeded
>>>>>>>> == URI: "sign.sh"
>>>>>>>> == Reference Transform Ctx:
>>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>>> == flags: 0x00000000
>>>>>>>> == flags2: 0x00000000
>>>>>>>> == enabled transforms: all
>>>>>>>> === uri: sign.sh
>>>>>>>> === uri xpointer expr: NULL
>>>>>>>> === Transform: input-uri (href=NULL)
>>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>>> == Digest Method:
>>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>>> == PreDigest data - start buffer:
>>>>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>>>
>>>>>>>> == PreDigest data - end buffer
>>>>>>>> == Result - start buffer:
>>>>>>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>>>>>>> == Result - end buffer
>>>>>>>> == Result - start buffer:
>>>>>>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>>>>>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>>>>>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>>>>>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>>>>>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>>>>>>> uD2ZSS1bWu236lKh1elKWw==
>>>>>>>> == Result - end buffer
>>>>>>>>
>>>>>>>>
>>>>>>>> François
>>>>>>>>
>>>>>>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>>>>>>> Try "--store-references" option to see what exactly was signed. Just
>>>>>>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>>>>>>> suspicious.
>>>>>>>>>
>>>>>>>>> Aleksey
>>>>>>>>>
>>>>>>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I am facing an issue trying to sign an xml document which makes
>>>>>>>>>> reference to an external file.
>>>>>>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>>>>>>> verified by
>>>>>>>>>> tool like Apache XML Security.
>>>>>>>>>> I am pretty sure there is something missing in the XML document I give
>>>>>>>>>> to xmlsec but can't figure what.
>>>>>>>>>>
>>>>>>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>>>>>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
>>>>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>>>>> The output document is fpl.xml
>>>>>>>>>>
>>>>>>>>>> The digest which is not the same as the one computed by Apache XML
>>>>>>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>>>>>>
>>>>>>>>>> I found that the expecting digest match the manifest3.xml file enclosed
>>>>>>>>>> (I built it manually).
>>>>>>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>>>>>>
>>>>>>>>>> Do you have any idea what can be wrong in my
>>>>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>>>>>>>>> transform ?
>>>>>>>>>>
>>>>>>>>>> Thanks for your help.
>>>>>>>>>>
>>>>>>>>>> Francois
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> xmlsec mailing list
>>>>>>>>>> xmlsec at aleksey.com
>>>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> xmlsec mailing list
>>>>>>> xmlsec at aleksey.com
>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20140424/bf132cc7/attachment-0001.html>
More information about the xmlsec
mailing list