Re: [xmlsec] Question about signature verification

2008-03-19 Thread Aleksey Sanin

What is the error you get from xmlsec command line tool?

Aleksey

Ivan R. Toledo Ivanovic wrote:

Hi. I've been trying to verify a signature with an X509 certificate included
in the KeyInfo node of the signature.
The XML file being verified contains many documents, each one with its
signature, and all of them wrapped & signed with the same cert. Tried with
just one document, does not work.

It seems that xmlsec loads the keys from KeyInfo. Tried with loading them
manually using xmlSecKeyDataXmlRead, same result.

The signature is marked as invalid (data and digest do not match). The debug
dump is as follows...

*** snip ***

= VERIFICATION CONTEXT
== Status: invalid
== flags: 0x
== flags2: 0x
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x
== flags2: 0x
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
 keyId: NULL
 keyType: 0x
 keyUsage: 0x
 keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x
== flags2: 0x
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
 keyId: NULL
 keyType: 0x0001
 keyUsage: 0x
 keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: "c14n","exc-c14n","sha1","rsa-sha1"
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: invalid
== URI: "#R96972300-KT34F476928"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x
== flags2: 0x
== enabled transforms: "c14n","exc-c14n","sha1","enveloped-signature"
=== uri: 
=== uri xpointer expr: #R96972300-KT34F476928

=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0

*** snip ***

For the URI (#R96972300-KT34F476928), i've used xmlAddID as suggested in the
FAQ. But the "reference verification context" is marked as invalid.

The signature:

*** snip ***

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#R96972300-KT34F476928">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>+v9SPAlAeABcdiBAtniCVJ1tj50=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>N1MEp1ckRxMgEQYfrqY4pdq/A4mazx/RhuZNS+IEzJkJueNiHIexU+Vh7Js8
M09bOGKypbDdTZbVlgarKs61YDdncwIh9NIKX6+H0Lv8FPhHqGbOCe2yf2P6gzK1eGMTT9oC6DyD
IDeB9h3UE2z+4Aqt1WSupq7ZS14JzrTRFfA=</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>w9Jdm/e0BRYGm64tw/mx4O39DHPJbFWzE7WRwWMc2y8F/fg6pw71Hz12f3I6aEpjH9e
5Ic38hWql40iJ1DsAd/curVuW/PQNbb5wu31tCtAAaycodkFEDa2GoA8TLqE2InycIkg6aQGIiZd
DIkMJwCa1Nsb/uJPXBGkpTzPQu1k=</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>MIIEkTCCA/qgAwIBAgIEAQAqmDANBgkqhkiG9w0BAQUFADCBtTELMAkGA1U
EBhMCQ0wxHTAbBgNVBAgUFFJlZ2lvbiBNZXRyb3BvbGl0YW5hMREwDwYDVQQHFAhTYW50aWFnbzE
UMBIGA1UEChQLRS1DRVJUQ0hJTEUxIDAeBgNVBAsUF0F1dG9yaWRhZCBDZXJ0aWZpY2Fkb3JhMRc
wFQYDVQQDFA5FLUNFUlRDSElMRSBDQTEjMCEGCSqGSIb3DQEJARYUZW1haWxAZS1jZXJ0Y2hpbGU
uY2wwHhcNMDcwOTAzMTQ1NzQxWhcNMDgwOTAyMDAwMDAwWjCBxzELMAkGA1UEBhMCQ0wxFjAUBgN
VBAgUDU1ldHJvcG9saXRhbmExETAPBgNVBAcUCFNhbnRpYWdvMTAwLgYDVQQKFCdTb2MgQ29uY2V
jaW9uYXJpYSBBbWVyaWNvIFZlc3B1Y2lvbiBTdXIxEDAOBgNVBAsUB1Npc3RlbWExIzAhBgNVBAM
UGk1hcmlvIFVsaXNlcyBUb2JhciBBcmF2ZW5hMSQwIgYJKoZIhvcNAQkBFhVtdG9iYXJAdmVzcHV
jaW9zdXIuY2wwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPSXZv3tAUWBpuuLcP5seDt/Qx
zyWxVsxO1kcFjHNsvBf34OqcO9R89dn9yOmhKYx/XuSHN/IVqpeNIidQ7AHf3Lq1blvz0DW2+cLt
9bQrQAGsnKHZBRA2thqAPEy6hNiJ8nCJIOmkBiImXQyJDCcAmtTbG/7iT1wRpKU8z0LtZAgMBAAG
jggGYMIIBlDAjBgNVHREEHDAaoBgGCCsGAQQBwQEBoAwWCjA3NTEwNDgyLTAwCQYDVR0TBAIwADA
8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmUtY2VydGNoaWxlLmNsL2UtY2VydGNoaWxlY2E
uY3JsMCMGA1UdEgQcMBqgGAYIKwYBBAHBAQKgDBYKOTY5MjgxODAtNTAfBgNVHSMEGDAWgBTgKP3
S4GBPs0brGsz1CJEHcjodCDCB0AYDVR0gBIHIMIHFMIHCBggrBgEEAcNSBTCBtTAvBggrBgEFBQc
CARYjaHR0cDovL3d3dy5lLWNlcnRjaGlsZS5jbC8yMDAwL0NQUy8wgYEGCCsGAQUFBwICMHUac0V
sIHRpdHVsYXIgaGEgc2lkbyB2YWxpZG8gZW4gZm9ybWEgcHJlc2VuY2lhbCwgcXVlZGFuZG8gZWw
gQ2VydGlmaWNhZG8gcGFyYSB1c28gdHJpYnV0YXJpbywgcGFnb3MsIGNvbWVyY2lvIHkgb3Ryb3M

RE: [xmlsec] Question about signature verification

2008-03-19 Thread Ivan R. Toledo Ivanovic
Version:
xmlsec 1.2.11 (openssl)

Command line:
xmlsec --verify --dtd-file \dtd.xml \sobrefirmados_p1_28.xml

DTD file: (to fix ID issues)



Console output:

Loads of text like this:

/sobrefirmados_p1_28.xml:125: element Exponent: validity error : No declaration for element Exponent
/sobrefirmados_p1_28.xml:130: element X509Data: validity error : No declaration for element X509Data
/sobrefirmados_p1_28.xml:131: element X509Certificate: validity error : No declaration for element X509Certificate

And at the end:

func=xmlSecOpenSSLEvpDigestVerify:file=..\src\openssl\digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "\sobrefirmados_p1_28.xml"


All of my files fail like these. The interesting bit is that the receiving
end (a web service made by something like the IRS of Chile) validates all of
these files, but I'm doing something wrong at my end.


Thanks,
Ivan Toledo
MDC 

-Original Message-
From: Aleksey Sanin [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 19, 2008 13:39
To: Ivan R. Toledo Ivanovic
CC: xmlsec@aleksey.com
Subject: Re: [xmlsec] Question about signature verification

What is the error you get from xmlsec command line tool?

Aleksey

Ivan R. Toledo Ivanovic wrote:
> Hi. I've been trying to verify a signature with an X509 certificate 
> included in the KeyInfo node of the signature.
> The XML file being verified contains many documents, each one with its 
> signature, and all of them wrapped & signed with the same cert. Tried 
> with just one document, does not work.
> 
> It seems that xmlsec loads the keys from KeyInfo. Tried with loading 
> them manually using xmlSecKeyDataXmlRead, same result.
> 
> The signature is marked as invalid (data and digest do not match). The 
> debug dump is as follows...
> 
> *** snip ***
> 
> = VERIFICATION CONTEXT
> == Status: invalid
> == flags: 0x
> == flags2: 0x
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x
> == flags2: 0x
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x
> == flags2: 0x
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
>  keyId: NULL
>  keyType: 0x
>  keyUsage: 0x
>  keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x
> == flags2: 0x
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x
> == flags2: 0x
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
>  keyId: NULL
>  keyType: 0x0001
>  keyUsage: 0x
>  keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=0)
> == flags: 0x
> == flags2: 0x
> == enabled transforms: "c14n","exc-c14n","sha1","rsa-sha1"
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == SignedInfo References List:
> === list size: 1
> = REFERENCE VERIFICATION CONTEXT
> == Status: invalid
> == URI: "#R96972300-KT34F476928"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x
> == flags2: 0x
> == enabled transforms: "c14n","exc-c14n","sha1","enveloped-signature"
> === uri: 
> === uri xpointer expr: #R96972300-KT34F476928
> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Manifest References List:
> === list size: 0
> 
> *** snip ***
> 
> For the URI (#R96972300-KT34F476928), i've used xmlAddID as suggested 
> in the FAQ. But the "reference verification context" is marked as invalid.
> 
> The signature:
> 
> *** snip ***
> 
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.o

Re: [xmlsec] Question about signature verification

2008-03-19 Thread Aleksey Sanin


Loads of text like this:

/sobrefirmados_p1_28.xml:125: element Exponent: validity error : No declaration for element Exponent
/sobrefirmados_p1_28.xml:130: element X509Data: validity error : No declaration for element X509Data
/sobrefirmados_p1_28.xml:131: element X509Certificate: validity error : No declaration for element X509Certificate



Your file does not match the DTD


And at the end:

func=xmlSecOpenSSLEvpDigestVerify:file=..\src\openssl\digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "\sobrefirmados_p1_28.xml"


The file has been changed by someone.


Aleksey

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec


Re: [xmlsec] Question about signature verification - message to STDERR seems to indicate failure, but it returns success?

2007-05-08 Thread Aleksey Sanin

Are you using the xml file from the example or some other file?
If it is a custom file, then it would be helpful if you can share it.

Thanks
Aleksey

James Olsen wrote:

Hello,

I have an xml document and x509 public key that I'm trying to verify
the signature on. I've compiled the unmodified verify3 example program
that is in the xmlsec tarball and it is the program I'm using to try
to verify the signature.

Here is the output:

func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
Signature is OK

I admit I'm very new to the security mechanism and I don't have a
solid understanding of the specifications. However, it seems to me if
there is invalid data (the data and digest do not match) then the
signature verification should be considered a failure.

How should the results of verify3 be interpreted? Was the signature
verification really a success with that error?


___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec


Re: [xmlsec] Question about signature verification - message to STDERR seems to indicate failure, but it returns success?

2007-05-08 Thread Aleksey Sanin



> Thank you for replying. Your question made me wonder if the problem
> might be my data,


Check if your document has Manifest elements. The digest failure on
the Manifest element does not invalidate the signature

http://www.w3.org/TR/xmldsig-core/#sec-o-Manifest





> When I try to sign a document, using the supplied example "sign3",
> here's what I get:



I'll try to reproduce this problem though I don't think I've seen
it before.

Aleksey

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
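Both threads above end up in the same place, the Reference digest check of XML-DSig core validation, so one added example covers them. It is Python written for this page, not xmlsec code and not from either poster, and it re-implements just that step: resolve the same-document URI "#id" to an element by its ID attribute, canonicalize the element, SHA-1 it, and compare with DigestValue. Element names (Envelope, Doc, Extra, Amount, Note), the Id attribute and the digests are constructed for the example; the standard library's C14N 2.0 canonicalizer stands in for the C14N 1.0 transform xmlsec applies, and SignatureValue is deliberately not checked. The point is to tell apart the three outcomes discussed on the list. In the 2008 thread the ID did resolve (xmlsec only reaches xmlSecOpenSSLEvpDigestVerify after the xpointer transform has produced data to hash), so the xmlAddID/DTD fix had worked and the remaining mismatch means the bytes inside the referenced element are not what was signed, which is what Aleksey concludes. In the 2007 thread a Manifest reference fails while core validation, which only counts SignedInfo references, still passes.

```python
"""Minimal XML-DSig reference check: resolve URI="#id", canonicalize, hash, compare.

Added example, not xmlsec. Stdlib C14N 2.0 stands in for xmlsec's C14N 1.0
transform; SignatureValue is not checked, only Reference digests.
"""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample with hypothetical element names. The signed <Doc> is a
# sibling of <Signature>, so no enveloped-signature transform is needed,
# matching the single Reference in the 2008 thread's debug dump.
TEMPLATE = """<Envelope>
<Doc Id="D1"><Amount>{amount}</Amount></Doc>
<Extra Id="M1"><Note>{note}</Note></Extra>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#D1"><DigestMethod Algorithm="{sha1}"/><DigestValue>{d1}</DigestValue></Reference>
<Reference URI="#Man1" Type="http://www.w3.org/2000/09/xmldsig#Manifest"><DigestMethod Algorithm="{sha1}"/><DigestValue>{man}</DigestValue></Reference>
</SignedInfo>
<SignatureValue>not-checked-here</SignatureValue>
<Object><Manifest Id="Man1">
<Reference URI="#M1"><DigestMethod Algorithm="{sha1}"/><DigestValue>{m1}</DigestValue></Reference>
</Manifest></Object>
</Signature>
</Envelope>"""


def canonical_digest(elem):
    """base64(SHA-1(C14N(subtree))): the DigestValue a signer would emit."""
    el = copy.copy(elem)
    el.tail = None  # trailing whitespace belongs to the parent, not to the referenced node
    c14n = ET.canonicalize(ET.tostring(el, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode("ascii")


def find_by_id(root, ref_id, id_attrs):
    """Resolve a same-document reference. id_attrs plays the role xmlAddID() or an
    <!ATTLIST ... ID> declaration plays for xmlsec: with nothing registered, no
    attribute is an ID and "#D1" resolves to nothing at all."""
    for el in root.iter():
        if any(el.get(a) == ref_id for a in id_attrs):
            return el
    return None


def check_references(root, parent, id_attrs):
    """Return [(URI, status)] for every ds:Reference directly under parent."""
    results = []
    for ref in parent.findall(DS + "Reference"):
        uri = ref.get("URI", "")
        method = ref.find(DS + "DigestMethod").get("Algorithm")
        expected = ref.findtext(DS + "DigestValue", "").strip()
        if not uri.startswith("#"):
            results.append((uri, "unsupported URI"))
        elif method != SHA1:
            results.append((uri, "unsupported digest method"))
        elif (target := find_by_id(root, uri[1:], id_attrs)) is None:
            # xmlsec fails in the xpointer transform here, before any digest is computed
            results.append((uri, "cannot resolve ID"))
        elif canonical_digest(target) != expected:
            results.append((uri, "data and digest do not match"))
        else:
            results.append((uri, "ok"))
    return results


def verify(doc_xml, id_attrs=("Id",)):
    """Core validation counts SignedInfo references only; Manifest references are
    checked and reported but never change the verdict (xmldsig-core, Manifest)."""
    root = ET.fromstring(doc_xml)
    sig = next(root.iter(DS + "Signature"))
    core = check_references(root, sig.find(DS + "SignedInfo"), id_attrs)
    manifests = [check_references(root, m, id_attrs) for m in sig.iter(DS + "Manifest")]
    return {"valid": all(s == "ok" for _, s in core),
            "signedinfo": core, "manifest": manifests}


def make_signed_doc(amount="100", note="optional"):
    """Fill the template with real digests in dependency order: the Manifest's own
    digest is computed only after its inner DigestValue is in place."""
    def fill(d1, man, m1):
        return TEMPLATE.format(amount=amount, note=note, sha1=SHA1, d1=d1, man=man, m1=m1)
    root = ET.fromstring(fill("", "", ""))
    d1 = canonical_digest(find_by_id(root, "D1", ("Id",)))
    m1 = canonical_digest(find_by_id(root, "M1", ("Id",)))
    root = ET.fromstring(fill("", "", m1))
    man = canonical_digest(find_by_id(root, "Man1", ("Id",)))
    return fill(d1, man, m1)


if __name__ == "__main__":
    good = make_signed_doc()
    print("untouched:", verify(good)["valid"])
    print("no ID registered:", verify(good, id_attrs=())["signedinfo"][0])
    print("payload changed:", verify(good.replace(">100<", ">200<"))["signedinfo"][0])
    r = verify(good.replace("optional", "changed"))
    print("manifest target changed:", r["valid"], r["manifest"][0][0])
```

Run it directly and the four verdicts print in order: valid, "cannot resolve ID" when no attribute is registered as an ID, "data and digest do not match" when the signed payload is edited, and valid-but-manifest-failed when only the data a Manifest points to is edited. Two caveats a verifier should keep in mind follow from this. A DTD is not only how libxml2 learns which attribute is an ID; Canonical XML 1.0 also adds DTD-declared default attributes to each element's canonical form, so verifying with a DTD the signer did not use can itself change the digest. And because only SignedInfo references count toward the verdict, "Signature is OK" next to a digest error on a Manifest reference says the Manifest was signed intact, not that the data it points to is; an application that relies on that data has to check the Manifest references itself.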


Re: [xmlsec] Question about signature verification - message to STDERR seems to indicate failure, but it returns success?

2007-05-18 Thread Aleksey Sanin

Could you please run 'make check' in the top level xmlsec folder?
I want to make sure that all the tests pass.

Aleksey

James Olsen wrote:

Hello Aleksey,

AS> Check if your document has Manifest elements. The digest failure on
AS> the Manifest element does not invalidate the signature

AS> http://www.w3.org/TR/xmldsig-core/#sec-o-Manifest

Thank you for the tip; I'm currently using the documents provided
in the examples folder within the xmlsec tarball.

Here is the command line I'm using (all files from the tarball):

  ./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml

I compiled the same tarball on a linux box, and I was able to properly
sign the same xml file using the same files. The issue would seem to
be either the architecture (different endian, 64-bit vs. 32-bit) or a
supporting library, such as openssl. However, I admit I'm very
inexperienced at C/C++, especially on the unix platform so I am only
guessing at what the problem(s) might be.

Thank you for your time. I will post again if I discover anything
else.


___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec