Version: xmlsec 1.2.11 (openssl) Command line: xmlsec --verify --dtd-file \dtd.xml \sobrefirmados_p1_28.xml
DTD file: (to fix ID issues) <?xml version="1.0" encoding="ISO-8859-1"?> <!ATTLIST Documento ID ID #IMPLIED> Console output: Loads of text like this: /sobrefirmados_p1_28.xml:125: element Exponent: validity error : No declaration for element Exponent /sobrefirmados_p1_28.xml:130: element X509Data: validity error : No declaration for element X509Data /sobrefirmados_p1_28.xml:131: element X509Certificate: validity error : No decla ration for element X509Certificate And at the end: func=xmlSecOpenSSLEvpDigestVerify:file=..\src\openssl\digests.c:line=229:obj =sha 1:subj=unknown:error=12:invalid data:data and digest do not match FAIL SignedInfo References (ok/all): 0/1 Manifests References (ok/all): 0/0 Error: failed to verify file "\sobrefirmados_p1_28.xml" All of my files fail like these. The interesting bit is that the receiving end (a web service made by something like the IRS of Chile) validates all of these files, but I'm doing something wrong at my end. Thanks, Ivan Toledo MDC -----Mensaje original----- De: Aleksey Sanin [mailto:[EMAIL PROTECTED] Enviado el: MiƩrcoles, 19 de Marzo de 2008 13:39 Para: Ivan R. Toledo Ivanovic CC: xmlsec@aleksey.com Asunto: Re: [xmlsec] Question about signature verification What is the error you get from xmlsec command line tool? Aleksey Ivan R. Toledo Ivanovic wrote: > Hi. I've been trying to verify a signature with an X509 certificate > included in the KeyInfo node of the signature. > The XML file being verified contains many documents, each one with its > signature, and all of them wrapped & signed with the same cert. Tried > with just one document, does not work. > > It seems that xmlsec loads the keys from KeyInfo. Tried with loading > them manually using xmlSecKeyDataXmlRead, same result. > > The signature is marked as invalid (data and digest do not match). The > debug dump is as follows... > > *** snip *** > > = VERIFICATION CONTEXT > == Status: invalid > == flags: 0x00000000 > == flags2: 0x00000000 > == Key Info Read Ctx: > = KEY INFO READ CONTEXT > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled key data: all > == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) > == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all > === uri: NULL === uri xpointer expr: NULL == EncryptedKey level > (cur/max): 0/1 === KeyReq: > ==== keyId: NULL > ==== keyType: 0x00000000 > ==== keyUsage: 0xffffffff > ==== keyBitsSize: 0 > === list size: 0 > == Key Info Write Ctx: > = KEY INFO WRITE CONTEXT > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled key data: all > == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) > == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all > === uri: NULL === uri xpointer expr: NULL == EncryptedKey level > (cur/max): 0/1 === KeyReq: > ==== keyId: NULL > ==== keyType: 0x00000001 > ==== keyUsage: 0xffffffff > ==== keyBitsSize: 0 > === list size: 0 > == Signature Transform Ctx: > == TRANSFORMS CTX (status=0) > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled transforms: "c14n","exc-c14n","sha1","rsa-sha1" > === uri: NULL > === uri xpointer expr: NULL > === Transform: c14n > (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) > === Transform: rsa-sha1 > (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) > == Signature Method: > === Transform: rsa-sha1 > (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) > == SignedInfo References List: > === list size: 1 > = REFERENCE VERIFICATION CONTEXT > == Status: invalid > == URI: "#R96972300-KT34F476928" > == Reference Transform Ctx: > == TRANSFORMS CTX (status=2) > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled transforms: "c14n","exc-c14n","sha1","enveloped-signature" > === uri: > === uri xpointer expr: #R96972300-KT34F476928 === Transform: xpointer > (href=http://www.w3.org/2001/04/xmldsig-more/xptr) > === Transform: c14n > (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) > === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) > === Transform: membuf-transform (href=NULL) == Digest Method: > === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) > == Manifest References List: > === list size: 0 > > *** snip *** > > For the URI (#R96972300-KT34F476928), i've used xmlAddID as suggested > in the FAQ. But the "reference verification context" is marked as invalid. > > The signature: > > *** snip *** > > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> > <SignedInfo> > <CanonicalizationMethod > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315";></Canonica > lizati > onMethod> > <SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";></SignatureMeth > od> <Reference URI="#R96972300-KT34F476928"> <Transforms> <Transform > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315";></Transfor > m> > </Transforms> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod> > <DigestValue>+v9SPAlAeABcdiBAtniCVJ1tj50=</DigestValue> > </Reference> > </SignedInfo> > <SignatureValue>N1MEp1ckRxMgEQYfrqY4pdq/A4mazx/RhuZNS+IEzJkJueNiHIexU+ > Vh7Js8 > M09bOGKypbDdTZbVlgarKs61YDdncwIh9NIKX6+H0Lv8FPhHqGbOCe2yf2P6gzK1eGMTT9 > M09bOGKypbDdTZbVlgarKs61YDdncwIh9NIKX6+oC6DyD > IDeB9h3UE2z+4Aqt1WSupq7ZS14JzrTRFfA=</SignatureValue> > <KeyInfo> > <KeyValue> > <RSAKeyValue> > <Modulus>w9Jdm/e0BRYGm64tw/mx4O39DHPJbFWzE7WRwWMc2y8F/fg6pw71Hz12f3I6a > EpjH9e > 5Ic38hWql40iJ1DsAd/curVuW/PQNbb5wu31tCtAAaycodkFEDa2GoA8TLqE2InycIkg6a > QGIiZd DIkMJwCa1Nsb/uJPXBGkpTzPQu1k=</Modulus> > <Exponent>AQAB</Exponent> > </RSAKeyValue> > </KeyValue> > <X509Data> > <X509Certificate>MIIEkTCCA/qgAwIBAgIEAQAqmDANBgkqhkiG9w0BAQUFADCBtTELM > AkGA1U > EBhMCQ0wxHTAbBgNVBAgUFFJlZ2lvbiBNZXRyb3BvbGl0YW5hMREwDwYDVQQHFAhTYW50a > WFnbzE > UMBIGA1UEChQLRS1DRVJUQ0hJTEUxIDAeBgNVBAsUF0F1dG9yaWRhZCBDZXJ0aWZpY2Fkb > 3JhMRc > wFQYDVQQDFA5FLUNFUlRDSElMRSBDQTEjMCEGCSqGSIb3DQEJARYUZW1haWxAZS1jZXJ0Y > 2hpbGU > uY2wwHhcNMDcwOTAzMTQ1NzQxWhcNMDgwOTAyMDAwMDAwWjCBxzELMAkGA1UEBhMCQ0wxF > jAUBgN > VBAgUDU1ldHJvcG9saXRhbmExETAPBgNVBAcUCFNhbnRpYWdvMTAwLgYDVQQKFCdTb2MgQ > 29uY2V > jaW9uYXJpYSBBbWVyaWNvIFZlc3B1Y2lvbiBTdXIxEDAOBgNVBAsUB1Npc3RlbWExIzAhB > gNVBAM > UGk1hcmlvIFVsaXNlcyBUb2JhciBBcmF2ZW5hMSQwIgYJKoZIhvcNAQkBFhVtdG9iYXJAd > mVzcHV > jaW9zdXIuY2wwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPSXZv3tAUWBpuuLcP5s > eDt/Qx > zyWxVsxO1kcFjHNsvBf34OqcO9R89dn9yOmhKYx/XuSHN/IVqpeNIidQ7AHf3Lq1blvz0D > W2+cLt > 9bQrQAGsnKHZBRA2thqAPEy6hNiJ8nCJIOmkBiImXQyJDCcAmtTbG/7iT1wRpKU8z0LtZA > gMBAAG > jggGYMIIBlDAjBgNVHREEHDAaoBgGCCsGAQQBwQEBoAwWCjA3NTEwNDgyLTAwCQYDVR0TB > AIwADA > 8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmUtY2VydGNoaWxlLmNsL2UtY2VydGNoa > WxlY2E > uY3JsMCMGA1UdEgQcMBqgGAYIKwYBBAHBAQKgDBYKOTY5MjgxODAtNTAfBgNVHSMEGDAWg > BTgKP3 > S4GBPs0brGsz1CJEHcjodCDCB0AYDVR0gBIHIMIHFMIHCBggrBgEEAcNSBTCBtTAvBggrB > gEFBQc > CARYjaHR0cDovL3d3dy5lLWNlcnRjaGlsZS5jbC8yMDAwL0NQUy8wgYEGCCsGAQUFBwICM > HUac0V > sIHRpdHVsYXIgaGEgc2lkbyB2YWxpZG8gZW4gZm9ybWEgcHJlc2VuY2lhbCwgcXVlZGFuZ > G8gZWw > gQ2VydGlmaWNhZG8gcGFyYSB1c28gdHJpYnV0YXJpbywgcGFnb3MsIGNvbWVyY2lvIHkgb > 3Ryb3M > wCwYDVR0PBAQDAgTwMA0GCSqGSIb3DQEBBQUAA4GBAIFSEMePY0KMHqsDKilD8KUnoZqlI > wLYKMv > eG3Y+y92KtV2JIYZn0XLajhSlTgzzfS8R36BuFIeKfoA2tkrLmfGC581SRsM1HtPLdxKYS > eG3Y+uVwap5 > Jmpo9bkHpps15qDQU+kpCnFDsGuB5rE0AqtKkvG4+nppWxCfRhixicV6oZ4qd</X509Cer > Jmpo9bkHpps15qDQU+kpCnFDsGuB5rE0AqtKkvG4+tifica > te> > </X509Data> > </KeyInfo> > </Signature> > > *** snip *** > > Right now I don't know what else to do. The examples in the source > tarball work fine with certificates loaded from files, but this is not the case. > > The structure of the XML file is as follows: > > <?xml version="1.0" encoding="ISO-8859-1"?> <DTE > xmlns="http://www.sii.cl/SiiDte"; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; > version="1.0"><Documento > ID="R96972300-KT34F476928">......CONTENTS......</Documento><Signature > xmlns="http://www.w3.org/2000/09/xmldsig#";>.....CONTENTS.....</Signatu > re></D > TE> > > The "DTE" element is on the same line. > > > Any hints? > > Thanks, > Ivan Toledo > MovilData Chile > > _______________________________________________ > xmlsec mailing list > xmlsec@aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec _______________________________________________ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
