[xmlsec] xmlsec1 can't verify a signature (problem with --id-attr or --node-id ?)

pfx pf.prologue at gmail.com
Fri Nov 7 04:31:55 PST 2014


Hi!

I have a signed XML file with XAdES information.
I try to verify the signature with:

$ xmlsec1 --verify --id-attr:Id Bordereau --id-attr:Id Signature 
--id-attr:Id SignedProperties --node-id IDC1141029105800p0100 test.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 1/2

The first part of the signature is validated by xmlsec1,
but it seems that xmlsec1 can't access the second part (XAdES
information).

If I use the "--store-references" flag, I can see the "PreDigest data"
of the first part, but xmlsec1 never displays the "PreDigest data" of
the second part.

Here is an extract of the file:
        <Bordereau Id="B01201062">
            <BlocBordereau>
            ...
            <ds:Signature Id="IDC1141029105800p0100">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#B01201462">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>m24cE8pHsEwYBbVnCcUGUT49i3g=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#IDC1141029105800p0100_SP">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>OgLDEJDln8+bp7jX1pxs5j/0poM=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                ...
                <ds:Object Id="IDC1141029105800p0100_QI">
                    <xad:QualifyingProperties Target="IDC1141029105800p0100">
                        <xad:SignedProperties Id="IDC1141029105800p0100_SP">
                            <xad:SignedSignatureProperties>
                                <xad:SigningTime>2014-10-29T09:58:00.191Z</xad:SigningTime>
            </ds:Signature>
        </Bordereau>

And an extract of the output:
     = REFERENCE VERIFICATION CONTEXT
     == Status: succeeded
     == URI: "#B01201462"
[...]
     === uri:
     === uri xpointer expr: #B01201462
     === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
     === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
     === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
     === Transform: membuf-transform (href=NULL)
     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
     === Transform: membuf-transform (href=NULL)
     == Digest Method:
     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
     == PreDigest data - start buffer:
     <Bordereau Id="B01201462"><BlocBordereau><Exer V="2014"></Exer>.........</Bordereau>
     == PreDigest data - end buffer
     = REFERENCE VERIFICATION CONTEXT
     == Status: invalid
     == URI: "#IDC1141029105800p0100_SP"
[...]
     === uri:
     === uri xpointer expr: #IDC1141029105800p0100_SP
     === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
     === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
     === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
     === Transform: membuf-transform (href=NULL)
     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
     === Transform: membuf-transform (href=NULL)
     == Digest Method:
     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=> No PreDigest data here!

Where is my mistake?

I use xmlsec 1.2.18 (openssl).
(Here are the full XML file and xmlsec output: http://dl.free.fr/ekDbPkF63)

Regards,


