[xmlsec] signature verification failures using NSS with FIPS

Aleksey Sanin aleksey at aleksey.com
Tue Jun 23 09:14:35 PDT 2015 

This particular error means that the certificate verification failed

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslerr.html

SEC_ERROR_BAD_SIGNATURE 	-8182 	Peer's certificate has an invalid signature.

I didn't test in FIPS mode recently, but as far as I know it should
work fine for a subset of XMLDsig spec (e.g. you can't put keys into
signature for obvious reasons).

Aleksey

On 6/23/15 8:49 AM, Lara Blatchford wrote:
> Though I am able to generate signatures using RSA keys retrievedfroma
> FIPS-enabled NSS database, the signatures do
> 
> not verify. 
> 
> If FIPS is disabledon the database, the signature does verify.
> 
> A mail archive post fromWed, 05 Mar 2003 21:39:24indicated that FIPS
> modeisnot supported for the NSS library.
> 
> Why is this, and is there a plan to add support in the future?
> 
> Here is the error received when attempting to verify the database,as
> well as the signature portion of my XML document:
> 
> [nss]$ xmlsec1 --verify --crypto nss --crypto-config . 100_1_2003_doc.xml
> 
> func=xmlSecNssSignatureVerify:file=signatures.c:line=356:obj=rsa-sha512:subj=VFY_EndWithSignature:error=4:crypto
> library function failed:error code=-8182;last nss error=-8182 (0xFFFFE00A)
> 
> func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1804:obj=rsa-sha512:subj=xmlSecTransformVerify:error=1:xmlsec
> library function failed: ;last nss error=-8182 (0xFFFFE00A)
> 
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=401:obj=unknown:subj=xmlSecTransformVerifyNodeContent:error=1:xmlsec
> library function failed: ;last nss error=-8182 (0xFFFFE00A)
> 
> Error: signature failed
> 
> ERROR
> 
> SignedInfo References (ok/all): 1/1
> 
> Manifests References (ok/all): 0/0
> 
> Error: failed to verify file "100_1_2003_doc.xml"
> 
> [nss]$
> 
> [nss]$ modutil -chkfips true -dbdir .
> 
> FIPS mode enabled.
> 
> [nss]$
> 
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> 
>     <SignedInfo>
> 
>       <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
> 
>       <SignatureMethod
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
> 
>       <Reference URI="#xpointer(/)">
> 
>         <Transforms>
> 
>           <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> 
>           <Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
> 
>         </Transforms>
> 
>         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
> 
>        
> <DigestValue>DotbZXz+hs3PZpA2SflWZvtbT9LI0i7pUMGfx9g1isX92tD8FtQ09r3wVls3gRZr
> 
> mIkMbgPU4pbcV493Ks/j7g==</DigestValue>
> 
>       </Reference>
> 
>     </SignedInfo>
> 
>    
> <SignatureValue>ol+p5Jpj7mL+gl5UfeIemn4d+NBAgHpRKmUzl1/aJuJ82frs5WHep5zvVbdUcWNg
> 
> RTalqXo0D1TlbT6JzP54UnwCYSTk8L9ttROPKRWF+28sJzujigyVQ0QYDkGJLu3e
> 
> R7IunkvESUmoiBjDZlJXHoBkrWVIeazvV0qfouQHmFHxNxg8epLXsjXkUjNgyWUK
> 
> WFDqnS2h+qTNvuxYEOUcQaR1wDvSg/7KHCoEfShMLOY1avgs3ZEDfEX2Vn0GsN9w
> 
> Fy1smTmeBd+yHINe3HpkOJeG5h7zpCdTU2NSD1Bs3gWH4r/HSUNENswIKdpS58JJ
> 
> 6hLhncPMK28FiyLOefcCUYVfUu0i5nROcCZewbgOJws2fmn21GcXm9XlrUM7tNP+
> 
> 73FP2I0sdQU04mPbj2TcacGprw1ELd1zIJFDxGVYmQ9fQ1zoOpXr1O6C0iTxHrGk
> 
> 80KEwhTiuHwiLtSbc2I2F/fKWKqun/VQ1pKccN9b9jNaNPCFvzs87luuW3OKW7w3
> 
> DQiLJKQ8e9/b3sJEf9HYFNDmam75rm4E15rPvNr97jF5uZQ55dwQGp3tEPejbAtg
> 
> 6rkEifPTOMydGFT6G7nSKM+T3+mw051BovXgtuVkg4YxRGsv2ozWgwCKQv4kdrZ8
> 
> lfCpA4vij5HcFoOPsleth5twmY69GBMPnl0cgfmW7sA=</SignatureValue>
> 
>     <KeyInfo>
> 
> <KeyName>signingCert</KeyName>
> 
> <X509Data>
> 
> <X509Certificate>MIIEpzCCAo+gAwIBAgIBADANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDEwtzaWdu
> 
> aW5nQ2VydDAgFw0xNTA2MjMxNTMwMzNaGA81MDU5MDIyMzE1MzAzM1owFjEUMBIG
> 
> A1UEAxMLc2lnbmluZ0NlcnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
> 
> AQDeKjUCmUAIis5nJ2xYkRo8OYoH853ebnLh+WxnjSy6vUzkKQGRsNgBWY0XJpgf
> 
> kugjZpUH1F6LaV/4e/jzvGp5fF+f42u9X9VPXYod07dzbJneJTdw+WcSw9v4oKzK
> 
> J/gqLvuz+MTT0GRN5M+E7tT7vjyz/D/n+mPpmd6TAUYnYTPI+6OMfbbD4pDu7Xyf
> 
> c8whVfLbRuIR0qC43V3dNAg6Hb0FqJH1VkQe83iTdhGM2G21ppQuxBZsMjsLvlvR
> 
> rAyt4Ma6q4AIMx/slyP0ZNrSo0HYqEVYo3+ZPjdHyzUDtKgmybO8yM/HXrXtQHVs
> 
> HolnHEQPNOuhFiOB8lkWUUuDjHshBAelmf05466qYK32MXXV27vpzwL5n6uw1C8D
> 
> qj/BJrvFCGRfhJMSJcRVR6CznWMByclvPH0YGoL/nwm3Y5d5/CzG6aE34FF+jExF
> 
> uCEb1/L48hVR+RtY7G9GyUigQ8lM0YzTDRIlEeWd1YZ5JJwQmaanw1qV+/8z/FMC
> 
> aRDrmNVWuIPBx3Hh8B+i6Lw8HJ+JqlDdR3dYPH0HGhwvsJrIG1PN1PHbfjkgxVh4
> 
> 70NJ85qyt/Dk9ulxNIYpEgiCCSSdVrWhg9iH+Wi23VUtKQADyqqXlPfv7cArYstH
> 
> d3O7ihgxK/fs9zt29RSP0IRPppr2JogjNEsb4qq+BOKO4wIDAQABMA0GCSqGSIb3
> 
> DQEBBQUAA4ICAQBVKULeDMz/HdA8Z2XmVOkv/OckVm/ZxjJYG4HnZQ3VR10Ih9Oq
> 
> gpJgRS0k1lpwFgQJMNV0kT2yxmlHWTuYrvQty7RXSFIbfANojCivJ+LnFYiJjqZi
> 
> WwQOT51NQ849MTwRV8ETHbWkuA3oEPRqJFVrM3Ww66IEPFLLWH7ybH3ij7TD/T9d
> 
> 1xuBk+5NC3Tn1ECLEhiKYZ8sVnSFtQqIXx3bYecwGc53ToUqrXMqei6zSkrxdz7N
> 
> xZ3vahhRoK0Pjd7foLVktQ279h/Sg6QtB5V8hLBhFouu7qRB3I02B/h8fGhfxf22
> 
> mMgtppQnOYpO27LUIo2OqzO9g7/dbvlyoRNIJ2iBQpJohKfHFEq9Bhn9jsurOVuV
> 
> F2+lgHOEWqPMAEa30mFzvkcauQlZJ2wK5TVWFt5jPlGj3Nq0rIelCjFqkEgaJTfU
> 
> Cvlgbt3hobr5nLeBpk3P4fsUe/m2FNiYLcoE+z4tTSdmZ0lMWBqQySfOm3WU5txR
> 
> e6YgfRnQOckuIWJJIcCvFgVBqeV+QKueWUG1EGCBw4LmcWibV+0GRgT8PYDsCsFL
> 
> H9AGwhAKDuZXGdhIM/88zL7FPfE8A0Cb0FnYtrWh93wz4K3CTZZrn3bG2xpctco0
> 
> E6mxACLMMkgy792ldum5QfOiLiA1KYe4ZvwS4/rJIlzdf7LQy/liBpT4Nw==</X509Certificate>
> 
> </X509Data>
> 
> </KeyInfo>
> 
>   </Signature>
> 
> Thanks you,
> 
> Lara
> 
> ~~~~~~~~~~~~~~
> 
> Lara Blatchford
> 
> Principal Engineer
> 
> Nteligen, LLC
> 
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>

More information about the xmlsec mailing list