Re: [xmlsec] problem with ?

Tue, 22 Apr 2008 07:34:51 -0700 

xmlsec --node-xpath selects the start *Signature* node. It has
nothing to do with xpointer in the Reference URI.

Aleksey

Sebastien BROSSARD wrote:

Hi everybody
I am actually developing a software based on the German EBICS norm, which specifies that one’s got to use 

<ds:Reference URI="#xpointer(//[EMAIL PROTECTED]'true'])">

as signature’s URI.


So long so well, when I sign a xml file with xmlsec
(using command line : “xmlsec sign --node-xpath //[EMAIL PROTECTED]'true'] --output $outputName --keys-file $keyfile”) 

and then I verify it with xmlsec,
(using command line : “"xmlsec verify --node-xpath //[EMAIL PROTECTED]'true'] --keys-file $keyfile $inputName”) 

everything works perfect.
But here comes the trouble : I’m actually working on the server side of the EBICS norm, and I’m testing my developments on the client side thanks to a software called Travic (which is commercialized in Germany and then, I can assume, works well).
And when Travic sends me its signature… Verification fails… I keep getting this message :
“error=18:data do not match:signature do not match FAIL SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 Error: failed to verify file”. 


It seems like the hash is ok (?), but not the signature.
(Moreover, there’s no problem with the client public key, has I can decipher text asymmetrical encrypted by this same key.)
I read here http://www.w3.org/2007/xmlsec/ws/papers/10-ertel/ that the handling of this type of ("#xpointer) URI can be subject to two different handling, due to two interpretations (both right !) of the same norm, i.e : 


One interpretation says that the signed URI must remain unchanged:

"#xpointer(//[EMAIL PROTECTED]'true'])",

while the other one demands escaping which makes the URI look like this:

"#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"
So the main question is : could it be this type of problem in my case, or is the problem that I’m facing due to another totally different cause? 


Thanks for your kind help!


Sébastien Brossard

[EMAIL PROTECTED]


PS :

By the way, here’s the xml string that I try to verify :


<?xml version="1.0" encoding="UTF-8"?>
<ebicsNoPubKeyDigestsRequest Revision="1" Version="H001" xsi:schemaLocation="http://www.ebics.org/H001 http://www.ebics.org/H001/ebics_keymgmt_request.xsd"; xmlns="http://www.ebics.org/H001"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> 

  <header authenticate="true">

    <static>

      <HostID>EBICSFR</HostID>

      <Nonce>DB545BDC437B95999202C6EA69393A6E</Nonce>

      <Timestamp>2008-04-22T09:29:24.838Z</Timestamp>

      <PartnerID>SEB</PartnerID>

      <UserID>USERID</UserID>

      <OrderDetails>

        <OrderType>HPB</OrderType>

        <OrderAttribute>DZHNN</OrderAttribute>

      </OrderDetails>

      <SecurityMedium>0400</SecurityMedium>

    </static>

    <mutable/>

  </header>

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";>

    <ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 

      <ds:Reference URI="#xpointer(//[EMAIL PROTECTED]'true'])">

        <ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> 

        </ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 

        <ds:DigestValue>jyF+PD4mQ6P5q4krG/spn0tNc7w=</ds:DigestValue>

      </ds:Reference>
</ds:SignedInfo> <ds:SignatureValue>EhinV8z06LDoNdeeYebT/Z9UGF0EZViPHexD6H2e5EgPWD8OBV1hYnro2KJ48N9WMyIf4UkZzKLWSIV4IfIcjtDYzUsLZFke6kL3BKGeFe2jAuAlGyHVD/MUxEU3Fsg6QkqknkQrybjiX1FA9SFdBzyjN8d/9qksRQZXmjkuBNM=</ds:SignatureValue> 

  </Signature>

  <body/>

</ebicsNoPubKeyDigestsRequest>


And here’s the public key of the client software :


<?xml version="1.0" encoding="UTF-8"?>

<Keys xmlns="http://www.aleksey.com/xmlsec/2002";>

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>

<KeyValue>

<RSAKeyValue>

<Modulus>AMWVUq4RSou1Dy4VaNIEkIBLddfysftYsXI5Hg+bncOYuDQFlU31B2kqSyzYhXXelhvhkSXTgNuBGwnf1VFw+VbVR/kVjDhvt2vgPjfKpbXJEEmy8QxJpSpsUFW9DbVbWocnzkxEZJzM7VKKyBdKXiMWT3wdhRIrqxaLc/NX+S+H</Modulus>

<Exponent>AQAB</Exponent>

</RSAKeyValue>

</KeyValue>

</KeyInfo>

</Keys>



------------------------------------------------------------------------

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec

Reply via email to