[xmlsec] xmlsec1 can't verify a signature (problem with --id-attr or --node-id ?)

Aleksey Sanin aleksey at aleksey.com
Fri Nov 7 08:25:34 PST 2014


Well, according to the output.txt file, xmlsec simply stops on the
first failed Reference element since the signature will not be valid
anyway (see while() loop at the end of the
xmlSecDSigCtxProcessSignedInfoNode() function).

Aleksey

On 11/7/14 4:31 AM, pfx wrote:
> Hi!
> 
> I have a signed XML file with XAdES information.
> I try to verify the signature with:
> 
> $ xmlsec1 --verify --id-attr:Id Bordereau --id-attr:Id Signature --id-attr:Id SignedProperties --node-id IDC1141029105800p0100 test.xml
> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
> FAIL
> SignedInfo References (ok/all): 1/2
> 
> The first part of the signature is validated by xmlsec1,
> but it seems that xmlsec1 can't access the second part (XAdES
> information).
> 
> If I use the "--store-references" flag, I can see the "PreDigest data"
> of the first part, but xmlsec1 never displays the "PreDigest data" of
> the second part.
> 
> Here is an extract of the file:
>         <Bordereau Id="*B01201462*">
>             <BlocBordereau>
>             ...
>             <ds:Signature Id="IDC1141029105800p0100">
>                 <ds:SignedInfo>
>                     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                     <ds:Reference URI="#*B01201462*">
>                         <ds:Transforms>
>                             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                         </ds:Transforms>
>                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                         <ds:DigestValue>m24cE8pHsEwYBbVnCcUGUT49i3g=</ds:DigestValue>
>                     </ds:Reference>
>                     <ds:Reference URI="#*IDC1141029105800p0100_SP*">
>                         <ds:Transforms>
>                             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                         </ds:Transforms>
>                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                         <ds:DigestValue>OgLDEJDln8+bp7jX1pxs5j/0poM=</ds:DigestValue>
>                     </ds:Reference>
>                 </ds:SignedInfo>
>                 ...
>                 <ds:Object Id="IDC1141029105800p0100_QI">
>                     <xad:QualifyingProperties Target="IDC1141029105800p0100">
>                         <xad:SignedProperties Id="*IDC1141029105800p0100_SP*">
>                             <xad:SignedSignatureProperties>
>                                 <xad:SigningTime>2014-10-29T09:58:00.191Z</xad:SigningTime>
>             </ds:Signature>
>         </Bordereau>
> 
> And an extract of the output:
>     = REFERENCE VERIFICATION CONTEXT
>     == Status: succeeded
>     == URI: "#B01201462"
> [...]
>     === uri:
>     === uri xpointer expr: #B01201462
>     === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>     === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>     === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>     === Transform: membuf-transform (href=NULL)
>     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>     === Transform: membuf-transform (href=NULL)
>     == Digest Method:
>     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>     == PreDigest data - start buffer:
>     <Bordereau Id="B01201462"><BlocBordereau><Exer V="2014"></Exer>.........</Bordereau>
>     == PreDigest data - end buffer
>     = REFERENCE VERIFICATION CONTEXT
>     == Status: invalid
>     == URI: "#IDC1141029105800p0100_SP"
> [...]
>     === uri:
>     === uri xpointer expr: #IDC1141029105800p0100_SP
>     === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>     === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>     === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>     === Transform: membuf-transform (href=NULL)
>     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>     === Transform: membuf-transform (href=NULL)
>     == Digest Method:
>     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> => No PreDigest data here!
> 
> Where is my mistake?
> 
> I use xmlsec 1.2.18 (openssl)
> (here the full xml file and xmlsec output => http://dl.free.fr/ekDbPkF63)
> 
> Regards,
> 
> 
> 
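Aleksey's point is that the xmlsec1 run reports the first Reference whose digest fails and goes no further, so the pre-digest data the poster wanted for the second Reference never appears. The script below is an added example for this thread, not code from xmlsec or from either poster: it walks every ds:Reference of a signature and reports each one's pre-digest bytes and digest result independently, then tampers with the signed payload to show that a failing first Reference does not hide the second. Assumptions: stdlib Python 3.8+; xml.etree.ElementTree.canonicalize (C14N 2.0) stands in for exclusive C14N 1.0, which gives the same bytes on prefix-consistent documents like the constructed sample but not in general; IDs are resolved by attribute name in the spirit of xmlsec's --id-attr; and the enveloped-signature transform is implemented as XML-DSig section 6.6.4 defines it, dropping every node whose ancestor-or-self is the enclosing ds:Signature. One thing the sample makes visible is that, under that definition, a Reference to a SignedProperties element inside the Signature that also lists the enveloped-signature transform is left with an empty node-set, so its digest is the digest of zero bytes. The sample XML is constructed for the example; the poster's file is not on this page.

```python
"""Check every ds:Reference of an XML-DSig signature and report each one.

Added example, not xmlsec code.  Assumptions: exclusive C14N 1.0 is approximated
with xml.etree.ElementTree.canonicalize (C14N 2.0); the enveloped-signature
transform follows XML-DSig 6.6.4 literally (drop every node whose ancestor-or-self
is the enclosing ds:Signature)."""
import base64
import hashlib
from xml.etree import ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
DIGEST_ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
               "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}
ET.register_namespace("ds", DS)
ET.register_namespace("xad", "http://uri.etsi.org/01903/v1.3.2#")

# Constructed sample laid out like the thread's file: an enveloped signature over the
# document root plus a XAdES SignedProperties reference.  DigestValues start empty.
SAMPLE_XML = """<Bordereau Id="B01" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xad="http://uri.etsi.org/01903/v1.3.2#"><BlocBordereau><Exer V="2014"/></BlocBordereau>
  <ds:Signature Id="SIG1"><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#B01"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue/></ds:Reference>
    <ds:Reference URI="#SIG1_SP"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue/></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue><ds:Object Id="SIG1_QI">
    <xad:QualifyingProperties Target="#SIG1"><xad:SignedProperties Id="SIG1_SP">
      <xad:SignedSignatureProperties><xad:SigningTime>2014-10-29T09:58:00Z</xad:SigningTime>
    </xad:SignedSignatureProperties></xad:SignedProperties></xad:QualifyingProperties>
  </ds:Object></ds:Signature></Bordereau>"""


def load(xml_text):
    """Parse a document and locate its ds:Signature (root or descendant)."""
    root = ET.fromstring(xml_text)
    return root, (root if root.tag == f"{{{DS}}}Signature" else root.find(".//ds:Signature", NS))


def find_by_id(root, ident, id_attrs):
    """Resolve '#ident' in the spirit of xmlsec --id-attr: any listed attribute name is an ID."""
    hits = [el for el in root.iter() for a in id_attrs if el.get(a) == ident]
    if len(hits) != 1:
        raise ValueError(f"expected one element with ID {ident!r}, found {len(hits)}")
    return hits[0]


def canonical_bytes(element):
    """C14N 2.0 of a subtree, standing in for exc-c14n (see module docstring)."""
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode("utf-8")


def predigest_bytes(root, signature, reference, id_attrs=("Id",)):
    """Bytes the DigestMethod hashes for one same-document ds:Reference."""
    uri = reference.get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise ValueError(f"unsupported reference URI {uri!r}")
    target = find_by_id(root, uri[1:], id_attrs)
    transforms = [t.get("Algorithm") for t in reference.findall("ds:Transforms/ds:Transform", NS)]
    if any(t not in (ENVELOPED, EXC_C14N) for t in transforms):
        raise ValueError(f"unsupported transforms {transforms}")
    if ENVELOPED not in transforms:
        return canonical_bytes(target)
    parents = {child: parent for parent in root.iter() for child in parent}
    node = target
    while node is not None:            # is the target inside the Signature itself?
        if node is signature:          # then 6.6.4 removes every node: empty input
            return b""
        node = parents.get(node)
    sig_parent = parents.get(signature)
    if sig_parent is None:             # signature is the document root: nothing to strip
        return canonical_bytes(target)
    index = list(sig_parent).index(signature)
    sig_parent.remove(signature)       # serialize the target without the Signature subtree
    try:
        return canonical_bytes(target)
    finally:
        sig_parent.insert(index, signature)


def digest_b64(data, algorithm="http://www.w3.org/2000/09/xmldsig#sha1"):
    """Base64 digest as it appears in ds:DigestValue."""
    return base64.b64encode(DIGEST_ALGS[algorithm](data).digest()).decode("ascii")


def check_all_references(root, signature, id_attrs=("Id",)):
    """Verify every Reference and return one result per Reference; never stops early."""
    results = []
    for ref in signature.findall("ds:SignedInfo/ds:Reference", NS):
        data = predigest_bytes(root, signature, ref, id_attrs)
        alg = ref.find("ds:DigestMethod", NS).get("Algorithm")
        expected = ref.findtext("ds:DigestValue", default="", namespaces=NS).strip()
        actual = digest_b64(data, alg)
        results.append({"uri": ref.get("URI"), "ok": actual == expected,
                        "expected": expected, "actual": actual, "predigest": data})
    return results


def fill_digest_values(root, signature, id_attrs=("Id",)):
    """Signing side of the same computation: write the correct DigestValue into each Reference."""
    for ref in signature.findall("ds:SignedInfo/ds:Reference", NS):
        alg = ref.find("ds:DigestMethod", NS).get("Algorithm")
        ref.find("ds:DigestValue", NS).text = digest_b64(predigest_bytes(root, signature, ref, id_attrs), alg)


if __name__ == "__main__":
    root, sig = load(SAMPLE_XML)
    fill_digest_values(root, sig)
    root.find("BlocBordereau/Exer").set("V", "2015")   # tamper with the signed payload
    results = check_all_references(root, sig)          # both References are still reported
    for r in results:
        print(f"{r['uri']}: {'ok' if r['ok'] else 'INVALID'} expected={r['expected']} "
              f"actual={r['actual']} pre-digest bytes={len(r['predigest'])}")
    print("SignedInfo References (ok/all): %d/%d" % (sum(r["ok"] for r in results), len(results)))
```

Run as a script it prints one line per Reference plus the same "ok/all" tally xmlsec1 prints, with the first Reference INVALID after the tamper and the second still reported. To use it on a real file, replace SAMPLE_XML with the document text and pass the attribute names you would give to --id-attr; transforms other than enveloped-signature and exc-c14n raise rather than silently producing a wrong digest.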