Hi. I've been trying to verify a signature with an X509 certificate included in the KeyInfo node of the signature. The XML file being verified contains many documents, each one with its signature, and all of them wrapped & signed with the same cert. Tried with just one document, does not work.
It seems that xmlsec loads the keys from KeyInfo. Tried with loading them manually using xmlSecKeyDataXmlRead, same result. The signature is marked as invalid (data and digest do not match). The debug dump is as follows... *** snip *** = VERIFICATION CONTEXT == Status: invalid == flags: 0x00000000 == flags2: 0x00000000 == Key Info Read Ctx: = KEY INFO READ CONTEXT == flags: 0x00000000 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: NULL ==== keyType: 0x00000000 ==== keyUsage: 0xffffffff ==== keyBitsSize: 0 === list size: 0 == Key Info Write Ctx: = KEY INFO WRITE CONTEXT == flags: 0x00000000 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: NULL ==== keyType: 0x00000001 ==== keyUsage: 0xffffffff ==== keyBitsSize: 0 === list size: 0 == Signature Transform Ctx: == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: "c14n","exc-c14n","sha1","rsa-sha1" === uri: NULL === uri xpointer expr: NULL === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) == Signature Method: === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) == SignedInfo References List: === list size: 1 = REFERENCE VERIFICATION CONTEXT == Status: invalid == URI: "#R96972300-KT34F476928" == Reference Transform Ctx: == TRANSFORMS CTX (status=2) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: "c14n","exc-c14n","sha1","enveloped-signature" === uri: === uri xpointer expr: #R96972300-KT34F476928 === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr) === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) === Transform: membuf-transform (href=NULL) == Digest Method: === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) == Manifest References List: === list size: 0 *** snip *** For the URI (#R96972300-KT34F476928), i've used xmlAddID as suggested in the FAQ. But the "reference verification context" is marked as invalid. The signature: *** snip *** <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Canonicalizati onMethod> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod> <Reference URI="#R96972300-KT34F476928"> <Transforms> <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> <DigestValue>+v9SPAlAeABcdiBAtniCVJ1tj50=</DigestValue> </Reference> </SignedInfo> <SignatureValue>N1MEp1ckRxMgEQYfrqY4pdq/A4mazx/RhuZNS+IEzJkJueNiHIexU+Vh7Js8 M09bOGKypbDdTZbVlgarKs61YDdncwIh9NIKX6+H0Lv8FPhHqGbOCe2yf2P6gzK1eGMTT9oC6DyD IDeB9h3UE2z+4Aqt1WSupq7ZS14JzrTRFfA=</SignatureValue> <KeyInfo> <KeyValue> <RSAKeyValue> <Modulus>w9Jdm/e0BRYGm64tw/mx4O39DHPJbFWzE7WRwWMc2y8F/fg6pw71Hz12f3I6aEpjH9e 5Ic38hWql40iJ1DsAd/curVuW/PQNbb5wu31tCtAAaycodkFEDa2GoA8TLqE2InycIkg6aQGIiZd DIkMJwCa1Nsb/uJPXBGkpTzPQu1k=</Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue> </KeyValue> <X509Data> <X509Certificate>MIIEkTCCA/qgAwIBAgIEAQAqmDANBgkqhkiG9w0BAQUFADCBtTELMAkGA1U EBhMCQ0wxHTAbBgNVBAgUFFJlZ2lvbiBNZXRyb3BvbGl0YW5hMREwDwYDVQQHFAhTYW50aWFnbzE UMBIGA1UEChQLRS1DRVJUQ0hJTEUxIDAeBgNVBAsUF0F1dG9yaWRhZCBDZXJ0aWZpY2Fkb3JhMRc wFQYDVQQDFA5FLUNFUlRDSElMRSBDQTEjMCEGCSqGSIb3DQEJARYUZW1haWxAZS1jZXJ0Y2hpbGU uY2wwHhcNMDcwOTAzMTQ1NzQxWhcNMDgwOTAyMDAwMDAwWjCBxzELMAkGA1UEBhMCQ0wxFjAUBgN VBAgUDU1ldHJvcG9saXRhbmExETAPBgNVBAcUCFNhbnRpYWdvMTAwLgYDVQQKFCdTb2MgQ29uY2V jaW9uYXJpYSBBbWVyaWNvIFZlc3B1Y2lvbiBTdXIxEDAOBgNVBAsUB1Npc3RlbWExIzAhBgNVBAM UGk1hcmlvIFVsaXNlcyBUb2JhciBBcmF2ZW5hMSQwIgYJKoZIhvcNAQkBFhVtdG9iYXJAdmVzcHV jaW9zdXIuY2wwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPSXZv3tAUWBpuuLcP5seDt/Qx zyWxVsxO1kcFjHNsvBf34OqcO9R89dn9yOmhKYx/XuSHN/IVqpeNIidQ7AHf3Lq1blvz0DW2+cLt 9bQrQAGsnKHZBRA2thqAPEy6hNiJ8nCJIOmkBiImXQyJDCcAmtTbG/7iT1wRpKU8z0LtZAgMBAAG jggGYMIIBlDAjBgNVHREEHDAaoBgGCCsGAQQBwQEBoAwWCjA3NTEwNDgyLTAwCQYDVR0TBAIwADA 8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmUtY2VydGNoaWxlLmNsL2UtY2VydGNoaWxlY2E uY3JsMCMGA1UdEgQcMBqgGAYIKwYBBAHBAQKgDBYKOTY5MjgxODAtNTAfBgNVHSMEGDAWgBTgKP3 S4GBPs0brGsz1CJEHcjodCDCB0AYDVR0gBIHIMIHFMIHCBggrBgEEAcNSBTCBtTAvBggrBgEFBQc CARYjaHR0cDovL3d3dy5lLWNlcnRjaGlsZS5jbC8yMDAwL0NQUy8wgYEGCCsGAQUFBwICMHUac0V sIHRpdHVsYXIgaGEgc2lkbyB2YWxpZG8gZW4gZm9ybWEgcHJlc2VuY2lhbCwgcXVlZGFuZG8gZWw gQ2VydGlmaWNhZG8gcGFyYSB1c28gdHJpYnV0YXJpbywgcGFnb3MsIGNvbWVyY2lvIHkgb3Ryb3M wCwYDVR0PBAQDAgTwMA0GCSqGSIb3DQEBBQUAA4GBAIFSEMePY0KMHqsDKilD8KUnoZqlIwLYKMv eG3Y+y92KtV2JIYZn0XLajhSlTgzzfS8R36BuFIeKfoA2tkrLmfGC581SRsM1HtPLdxKYSuVwap5 Jmpo9bkHpps15qDQU+kpCnFDsGuB5rE0AqtKkvG4+nppWxCfRhixicV6oZ4qd</X509Certifica te> </X509Data> </KeyInfo> </Signature> *** snip *** Right now I don't know what else to do. The examples in the source tarball work fine with certificates loaded from files, but this is not the case. The structure of the XML file is as follows: <?xml version="1.0" encoding="ISO-8859-1"?> <DTE xmlns="http://www.sii.cl/SiiDte" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0"><Documento ID="R96972300-KT34F476928">......CONTENTS......</Documento><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">.....CONTENTS.....</Signature></D TE> The "DTE" element is on the same line. Any hints? Thanks, Ivan Toledo MovilData Chile _______________________________________________ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec