[xmlsec] xmlsec1 can't verify a signature (problem with --id-attr or --node-id ?)

pfx pf.prologue at gmail.com
Tue Nov 11 23:17:30 PST 2014


Thank you for that clarification

On 11/11/2014 03:10, Aleksey Sanin wrote:
> The element with Id="IDC1141029105800p0100_SP" is located INSIDE the
> <ds:Signature> node. Thus when the <ds:Signature> node is removed
> by the enveloped transform all its children (including the element
> with Id="IDC1141029105800p0100_SP") are removed as well. Thus the
> empty output is correct.
>
> Best,
>
> Aleksey
>
> On 11/10/14 7:32 AM, pfx wrote:
>> I'm not sure ... Even if the signature is not valid, xmlsec can display
>> the PreDigest data
>>
>> After a lot of debug, I found the reason (but not the solution)
>>
>> The file I want to check is strange ...
>>
>> It contains 2 references in <ds:SignedInfo>
>>
>> The first reference is correct (#B01201438 references an id of a parent
>> element)
>>
>>                      <ds:Reference URI="#B01201438">
>>                          <ds:Transforms>
>>                              <ds:Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>                              <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>                          </ds:Transforms>
>>                          [...]
>>
>> The second reference also contains a <ds:Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>> (#IDC1141029105704p0100_SP references an XAdES SignedProperties element
>> => Signature/Object/QualifyingProperties/SignedProperties, therefore
>> it's a child element of ds:Signature)
>>
>>                      <ds:Reference URI="#IDC1141029105704p0100_SP">
>>                          <ds:Transforms>
>>                              <ds:Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>                              <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>                          </ds:Transforms>
>>                          [...]
>>
>> When xmlsec processes this reference, the output of C14N is empty
>> If I remove the <ds:Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>, the
>> output of C14N is correct
>> my knowledge is that "enveloped-signature" removes the node "Signature"
>> from the tree of signed data
>>
>> I do not understand the side effect of "enveloped-signature". In the
>> best case, xmlsec should ignore the additional <ds:Transform ...
>> enveloped-signature"/> (i.e. returns the whole sub tree)
>>
>> What is your opinion?
>>
>> On 07/11/2014 17:25, Aleksey Sanin wrote:
>>> Well, according to the output.txt file, xmlsec simply stops on the
>>> first failed Reference element since the signature will not be valid
>>> anyway (see while() loop at the end of the
>>> xmlSecDSigCtxProcessSignedInfoNode() function).
>>>
>>> Aleksey
>>>
>>> On 11/7/14 4:31 AM, pfx wrote:
>>>> Hi!
>>>>
>>>> I have a signed xml file with XAdES information
>>>> I try to verify the signature with:
>>>>
>>>> $ xmlsec1 --verify --id-attr:Id Bordereau --id-attr:Id Signature
>>>> --id-attr:Id SignedProperties --node-id IDC1141029105800p0100 test.xml
>>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
>>>> data:data and digest do not match
>>>> FAIL
>>>> SignedInfo References (ok/all): 1/2
>>>>
>>>> The first part of the signature is validated by xmlsec1
>>>> but it seems that xmlsec1 can't access the second part (XAdES
>>>> information)
>>>>
>>>> If I use the "--store-references" flag, I can see the "PreDigest data"
>>>> of the first part, but xmlsec1 never displays the "PreDigest data" of
>>>> the second part
>>>>
>>>> Here is an extract of the file
>>>>          <Bordereau Id="*B01201462*">
>>>>              <BlocBordereau>
>>>>              ...
>>>>              <ds:Signature Id="IDC1141029105800p0100">
>>>>                  <ds:SignedInfo>
>>>>                      <ds:CanonicalizationMethod
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>                      <ds:SignatureMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>>                      <ds:Reference URI="#*B01201462*">
>>>>                          <ds:Transforms>
>>>>                              <ds:Transform
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>>                              <ds:Transform
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>                          </ds:Transforms>
>>>>                          <ds:DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>                         
>>>> <ds:DigestValue>m24cE8pHsEwYBbVnCcUGUT49i3g=</ds:DigestValue>
>>>>                      </ds:Reference>
>>>>                      <ds:Reference URI="#*IDC1141029105800p0100_SP*">
>>>>                          <ds:Transforms>
>>>>                              <ds:Transform
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>>                              <ds:Transform
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>                          </ds:Transforms>
>>>>                          <ds:DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>                         
>>>> <ds:DigestValue>OgLDEJDln8+bp7jX1pxs5j/0poM=</ds:DigestValue>
>>>>                      </ds:Reference>
>>>>                  </ds:SignedInfo>
>>>>                  ...
>>>>                  <ds:Object Id="IDC1141029105800p0100_QI">
>>>>                      <xad:QualifyingProperties
>>>> Target="IDC1141029105800p0100">
>>>>                          <xad:SignedProperties
>>>> Id="*IDC1141029105800p0100_SP*">
>>>>                              <xad:SignedSignatureProperties>
>>>>                                 
>>>> <xad:SigningTime>2014-10-29T09:58:00.191Z</xad:SigningTime>
>>>>              </ds:Signature>
>>>>          </Bordereau>
>>>>
>>>> And an extract of the output
>>>>      = REFERENCE VERIFICATION CONTEXT
>>>>      == Status: succeeded
>>>>      == URI: "#B01201462"
>>>> [...]
>>>>      === uri:
>>>>      === uri xpointer expr: #B01201462
>>>>      === Transform: xpointer
>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>>      === Transform: enveloped-signature
>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>      === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>>>      === Transform: membuf-transform (href=NULL)
>>>>      === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>      === Transform: membuf-transform (href=NULL)
>>>>      == Digest Method:
>>>>      === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>      == PreDigest data - start buffer:
>>>>      <Bordereau Id="B01201462"><BlocBordereau><Exer
>>>> V="2014"></Exer>.........</Bordereau>
>>>>      == PreDigest data - end buffer
>>>>      = REFERENCE VERIFICATION CONTEXT
>>>>      == Status: invalid
>>>>      == URI: "#IDC1141029105800p0100_SP"
>>>> [...]
>>>>      === uri:
>>>>      === uri xpointer expr: #IDC1141029105800p0100_SP
>>>>      === Transform: xpointer
>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>>      === Transform: enveloped-signature
>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>      === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>>>      === Transform: membuf-transform (href=NULL)
>>>>      === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>      === Transform: membuf-transform (href=NULL)
>>>>      == Digest Method:
>>>>      === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> => No PreDigest data here !
>>>>
>>>> Where is my mistake?
>>>>
>>>> I use xmlsec 1.2.18 (openssl)
>>>> (here are the full XML file and xmlsec output => http://dl.free.fr/ekDbPkF63)
>>>>
>>>> Regards,
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> xmlsec mailing list
>>>> xmlsec at aleksey.com
>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>
>>
>>
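What Aleksey describes, worked through as an added Python example (not xmlsec code): the enveloped-signature transform drops the ds:Signature that carries the Reference, so a Reference whose target lives inside that Signature, as the XAdES SignedProperties does, has nothing left to digest, while the same transform on the outer Bordereau Reference simply cuts the Signature out of the document. The trimmed document and the xad: namespace URI are constructed assumptions, and plain serialization stands in for exclusive C14N.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XAD = "http://uri.etsi.org/01903/v1.3.2#"  # assumed XAdES namespace for xad:
ET.register_namespace("ds", DS)
ET.register_namespace("xad", XAD)

# Constructed sample modelled on the thread's document (digests, KeyInfo left out).
DOC = f"""<Bordereau Id="B01201462" xmlns:ds="{DS}" xmlns:xad="{XAD}">
  <BlocBordereau><Exer V="2014"/></BlocBordereau>
  <ds:Signature Id="IDC1141029105800p0100">
    <ds:SignedInfo>
      <ds:Reference URI="#B01201462"/>
      <ds:Reference URI="#IDC1141029105800p0100_SP"/>
    </ds:SignedInfo>
    <ds:Object Id="IDC1141029105800p0100_QI">
      <xad:QualifyingProperties Target="#IDC1141029105800p0100">
        <xad:SignedProperties Id="IDC1141029105800p0100_SP">
          <xad:SignedSignatureProperties>
            <xad:SigningTime>2014-10-29T09:58:00.191Z</xad:SigningTime>
          </xad:SignedSignatureProperties>
        </xad:SignedProperties>
      </xad:QualifyingProperties>
    </ds:Object>
  </ds:Signature>
</Bordereau>"""


def reference_input(xml_text, uri, enveloped=True):
    """Data a same-document Reference digests: the element with Id == uri after
    the enveloped-signature transform. Plain serialization stands in for exc-c14n."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    target = next(e for e in root.iter() if e.get("Id") == uri.lstrip("#"))
    sig = next(e for e in root.iter() if e.tag == f"{{{DS}}}Signature")
    if enveloped:
        # If ds:Signature is the target or one of its ancestors, dropping the
        # Signature drops every node of the Reference, so the output is empty.
        node = target
        while node is not None:
            if node is sig:
                return ""
            node = parents.get(node)
        # Otherwise, when the Signature sits inside the target, cut it out.
        node = sig
        while node is not None:
            if node is target:
                parents[sig].remove(sig)
                break
            node = parents.get(node)
    return ET.tostring(target, encoding="unicode").strip()
```

Calling `reference_input(DOC, "#IDC1141029105800p0100_SP", enveloped=False)` shows what the second Reference would have digested had the signer not applied the enveloped transform to it.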