Hi everybody,

I am actually developing software based on the German EBICS norm, which specifies that one has to use <ds:Reference URI="#xpointer(//*[@authenticate='true'])"> as the signature's URI.

So far so good: when I sign an XML file with xmlsec (using the command line "xmlsec sign --node-xpath //*[@authenticate='true'] --output $outputName --keys-file $keyfile") and then verify it with xmlsec (using the command line "xmlsec verify --node-xpath //*[@authenticate='true'] --keys-file $keyfile $inputName"), everything works perfectly.

But here comes the trouble: I'm actually working on the server side of the EBICS norm, and I'm testing my developments on the client side thanks to a software called Travic (which is commercialized in Germany and therefore, I can assume, works well). And when Travic sends me its signature... verification fails. I keep getting this message:

    error=18:data do not match:signature do not match
    FAIL
    SignedInfo References (ok/all): 1/1
    Manifests References (ok/all): 0/0
    Error: failed to verify file

It seems like the hash is OK (?), but not the signature. (Moreover, there's no problem with the client public key, as I can decipher text asymmetrically encrypted with this same key.)

I read here http://www.w3.org/2007/xmlsec/ws/papers/10-ertel/ that this type of URI ("#xpointer") can be handled in two different ways, due to two interpretations (both right!) of the same norm, i.e.:

One interpretation says that the signed URI must remain unchanged: "#xpointer(//*[@authenticate='true'])", while the other one demands escaping, which makes the URI look like this: "#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"

So the main question is: could it be this type of problem in my case, or is the problem that I'm facing due to another, totally different cause?

Thanks for your kind help!

Sébastien Brossard
[EMAIL PROTECTED]

PS: By the way, here's the XML string that I am trying to verify:

<?xml version="1.0" encoding="UTF-8"?>
<ebicsNoPubKeyDigestsRequest Revision="1" Version="H001"
    xsi:schemaLocation="http://www.ebics.org/H001 http://www.ebics.org/H001/ebics_keymgmt_request.xsd"
    xmlns="http://www.ebics.org/H001"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <header authenticate="true">
    <static>
      <HostID>EBICSFR</HostID>
      <Nonce>DB545BDC437B95999202C6EA69393A6E</Nonce>
      <Timestamp>2008-04-22T09:29:24.838Z</Timestamp>
      <PartnerID>SEB</PartnerID>
      <UserID>USERID</UserID>
      <OrderDetails>
        <OrderType>HPB</OrderType>
        <OrderAttribute>DZHNN</OrderAttribute>
      </OrderDetails>
      <SecurityMedium>0400</SecurityMedium>
    </static>
    <mutable/>
  </header>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>jyF+PD4mQ6P5q4krG/spn0tNc7w=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>EhinV8z06LDoNdeeYebT/Z9UGF0EZViPHexD6H2e5EgPWD8OBV1hYnro2KJ48N9WMyIf4UkZzKLWSIV4IfIcjtDYzUsLZFke6kL3BKGeFe2jAuAlGyHVD/MUxEU3Fsg6QkqknkQrybjiX1FA9SFdBzyjN8d/9qksRQZXmjkuBNM=</ds:SignatureValue>
  </Signature>
  <body/>
</ebicsNoPubKeyDigestsRequest>

And here's the public key of the client software:

<?xml version="1.0" encoding="UTF-8"?>
<Keys xmlns="http://www.aleksey.com/xmlsec/2002">
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyValue>
      <RSAKeyValue>
        <Modulus>AMWVUq4RSou1Dy4VaNIEkIBLddfysftYsXI5Hg+bncOYuDQFlU31B2kqSyzYhXXelhvhkSXTgNuBGwnf1VFw+VbVR/kVjDhvt2vgPjfKpbXJEEmy8QxJpSpsUFW9DbVbWocnzkxEZJzM7VKKyBdKXiMWT3wdhRIrqxaLc/NX+S+H</Modulus>
        <Exponent>AQAB</Exponent>
      </RSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Keys>
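
One way to test the escaping hypothesis raised in the message above, as an added example that is not part of the original post and is not xmlsec code: recover the SHA-1 digest the client actually signed from SignatureValue, then compare it with the hash of SignedInfo under each URI spelling. The function names are hypothetical; it assumes rsa-sha1 with PKCS#1 v1.5 padding (the SignatureMethod shown in the post) and that the caller supplies the canonical bytes of SignedInfo from their own XML security library.

```python
import base64
import hashlib
import re
from urllib.parse import quote

XPATH = "//*[@authenticate='true']"  # XPath inside the post's Reference URI

def uri_variants(xpath=XPATH):
    """The two spellings of the Reference URI described in the post."""
    return {"verbatim": "#xpointer(%s)" % xpath,
            "escaped": "#xpointer(%s)" % quote(xpath, safe="*")}

def signed_info_digests(canonical_signed_info, xpath=XPATH):
    """SHA-1 of SignedInfo with each URI spelling swapped into the Reference.

    canonical_signed_info: canonical bytes of <ds:SignedInfo> produced by your
    XML security library (assumption: this example does not canonicalize).
    """
    digests = {}
    for name, uri in uri_variants(xpath).items():
        attr = b'URI="' + uri.encode("ascii") + b'"'
        swapped = re.sub(rb'URI="[^"]*"', lambda m: attr,
                         canonical_signed_info, count=1)
        digests[name] = hashlib.sha1(swapped).digest()
    return digests

def recover_signed_digest(signature_b64, modulus_b64, exponent_b64):
    """Apply the RSA public key to SignatureValue and return the signed SHA-1."""
    n = int.from_bytes(base64.b64decode(modulus_b64), "big")
    e = int.from_bytes(base64.b64decode(exponent_b64), "big")
    s = int.from_bytes(base64.b64decode(signature_b64), "big")
    em = pow(s, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    if not em.startswith(b"\x00\x01\xff"):
        raise ValueError("not PKCS#1 v1.5 signature padding (wrong key?)")
    return em[-20:]  # the DigestInfo structure ends with the 20-byte SHA-1

def which_variant(signed_digest, canonical_signed_info, xpath=XPATH):
    """Name of the URI spelling whose SignedInfo hash was signed, else None."""
    candidates = signed_info_digests(canonical_signed_info, xpath)
    for name, digest in candidates.items():
        if digest == signed_digest:
            return name
    return None
```

A return value of None means neither URI spelling reproduces the signed digest, so the mismatch has another cause.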