xmlsec --node-xpath selects the start *Signature* node. It has
nothing to do with xpointer in the Reference URI.
Aleksey
Sebastien BROSSARD wrote:
Hi everybody,
I am currently developing software based on the German EBICS norm,
which specifies that one has got to use
<ds:Reference URI="#xpointer(//*[@authenticate='true'])">
as the signature's URI.
So far so good: when I sign an xml file with xmlsec
(using the command line: "xmlsec sign --node-xpath
//*[@authenticate='true'] --output $outputName --keys-file $keyfile")
and then I verify it with xmlsec
(using the command line: "xmlsec verify --node-xpath
//*[@authenticate='true'] --keys-file $keyfile $inputName"),
everything works perfectly.
But here comes the trouble: I'm currently working on the server side of
the EBICS norm, and I'm testing my developments on the client side
thanks to software called Travic (which is commercialized in Germany
and so, I can assume, works well).
And when Travic sends me its signature... verification fails... I keep
getting this message:
"error=18:data do not match:signature do not match FAIL SignedInfo
References (ok/all): 1/1 Manifests References (ok/all): 0/0 Error:
failed to verify file".
It seems like the hash is ok (?), but not the signature.
(Moreover, there's no problem with the client public key, as I can
decipher text asymmetrically encrypted with this same key.)
I read here http://www.w3.org/2007/xmlsec/ws/papers/10-ertel/ that
URIs of this type ("#xpointer") can be subject to two different
handlings, due to two interpretations (both right!) of the same norm,
i.e.:
One interpretation says that the signed URI must remain unchanged:
"#xpointer(//*[@authenticate='true'])",
while the other one demands escaping, which makes the URI look like this:
"#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"
So the main question is: could it be this type of problem in my case,
or is the problem that I'm facing due to another, totally different cause?
Thanks for your kind help!
Sébastien Brossard
[EMAIL PROTECTED]
PS :
By the way, here’s the xml string that I try to verify :
<?xml version="1.0" encoding="UTF-8"?>
<ebicsNoPubKeyDigestsRequest Revision="1" Version="H001"
xsi:schemaLocation="http://www.ebics.org/H001
http://www.ebics.org/H001/ebics_keymgmt_request.xsd"
xmlns="http://www.ebics.org/H001"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<header authenticate="true">
<static>
<HostID>EBICSFR</HostID>
<Nonce>DB545BDC437B95999202C6EA69393A6E</Nonce>
<Timestamp>2008-04-22T09:29:24.838Z</Timestamp>
<PartnerID>SEB</PartnerID>
<UserID>USERID</UserID>
<OrderDetails>
<OrderType>HPB</OrderType>
<OrderAttribute>DZHNN</OrderAttribute>
</OrderDetails>
<SecurityMedium>0400</SecurityMedium>
</static>
<mutable/>
</header>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#xpointer(//*[@authenticate='true'])">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>jyF+PD4mQ6P5q4krG/spn0tNc7w=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>EhinV8z06LDoNdeeYebT/Z9UGF0EZViPHexD6H2e5EgPWD8OBV1hYnro2KJ48N9WMyIf4UkZzKLWSIV4IfIcjtDYzUsLZFke6kL3BKGeFe2jAuAlGyHVD/MUxEU3Fsg6QkqknkQrybjiX1FA9SFdBzyjN8d/9qksRQZXmjkuBNM=</ds:SignatureValue>
</Signature>
<body/>
</ebicsNoPubKeyDigestsRequest>
And here’s the public key of the client software :
<?xml version="1.0" encoding="UTF-8"?>
<Keys xmlns="http://www.aleksey.com/xmlsec/2002">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>AMWVUq4RSou1Dy4VaNIEkIBLddfysftYsXI5Hg+bncOYuDQFlU31B2kqSyzYhXXelhvhkSXTgNuBGwnf1VFw+VbVR/kVjDhvt2vgPjfKpbXJEEmy8QxJpSpsUFW9DbVbWocnzkxEZJzM7VKKyBdKXiMWT3wdhRIrqxaLc/NX+S+H</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Keys>
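As an added example (not code from this thread, from Travic, or from the xmlsec project), the script below uses only the Python standard library to walk the stages behind the error quoted above: resolving the Reference URI (accepting both the raw and the percent-encoded xpointer spelling the post contrasts, which decode to the same XPath), selecting that node set separately from the ds:Signature element that --node-xpath is meant to pick, loading the posted xmlsec key file, and verifying the RSASSA-PKCS1-v1_5/SHA-1 SignatureValue with it. The embedded strings are the request and key file from the post with whitespace collapsed, the xsi:schemaLocation attributes dropped, and the XPath the list archive redacted restored as //*[@authenticate='true'] (the escaped form quoted in the post decodes to exactly that). The exact canonical SignedInfo bytes Travic signed are not recoverable from the line-wrapped copy, so the signature check runs against a placeholder message and is expected to report a failure; all function names are the example's own, and the XPath evaluation covers only the //*[@attr='value'] shape used here.

```python
# Added example, not code from the xmlsec list thread or the xmlsec project.
# Stages of verifying the posted XML-DSig, standard library only.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DS = "http://www.w3.org/2000/09/xmldsig#"
# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1)
DIGEST_INFO_SHA1 = bytes.fromhex("3021300906052b0e03021a05000414")

# Request and key file from the post (whitespace collapsed, xsi attributes
# dropped), with the archive-redacted XPath restored as //*[@authenticate='true'].
EBICS_REQUEST = """<ebicsNoPubKeyDigestsRequest Revision="1" Version="H001"
 xmlns="http://www.ebics.org/H001" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<header authenticate="true"><static><HostID>EBICSFR</HostID>
<Nonce>DB545BDC437B95999202C6EA69393A6E</Nonce><Timestamp>2008-04-22T09:29:24.838Z</Timestamp>
<PartnerID>SEB</PartnerID><UserID>USERID</UserID><OrderDetails><OrderType>HPB</OrderType>
<OrderAttribute>DZHNN</OrderAttribute></OrderDetails><SecurityMedium>0400</SecurityMedium>
</static><mutable/></header>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#xpointer(//*[@authenticate='true'])"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>jyF+PD4mQ6P5q4krG/spn0tNc7w=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>EhinV8z06LDoNdeeYebT/Z9UGF0EZViPHexD6H2e5EgPWD8OBV1hYnro2KJ48N9WMyIf4UkZzKLWSIV4IfIcjtDYzUsLZFke6kL3BKGeFe2jAuAlGyHVD/MUxEU3Fsg6QkqknkQrybjiX1FA9SFdBzyjN8d/9qksRQZXmjkuBNM=</ds:SignatureValue>
</Signature><body/></ebicsNoPubKeyDigestsRequest>"""

KEY_FILE = """<Keys xmlns="http://www.aleksey.com/xmlsec/2002">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyValue><RSAKeyValue>
<Modulus>AMWVUq4RSou1Dy4VaNIEkIBLddfysftYsXI5Hg+bncOYuDQFlU31B2kqSyzYhXXelhvhkSXTgNuBGwnf1VFw+VbVR/kVjDhvt2vgPjfKpbXJEEmy8QxJpSpsUFW9DbVbWocnzkxEZJzM7VKKyBdKXiMWT3wdhRIrqxaLc/NX+S+H</Modulus>
<Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Keys>"""


def local_name(elem):
    return elem.tag.rsplit("}", 1)[-1]


def reference_xpath(uri):
    """XPath inside a same-document #xpointer(...) Reference URI. Percent-decoding
    first makes the raw and the escaped spelling from the post yield the same
    expression, so a verifier can accept either."""
    uri = unquote(uri)
    if not (uri.startswith("#xpointer(") and uri.endswith(")")):
        raise ValueError("only #xpointer(...) same-document URIs are handled here")
    return uri[len("#xpointer("):-1]


def select_reference_nodes(root, xpath):
    """Node set the Reference covers. ElementTree only understands the
    //*[@attr='value'] shape used here; a real verifier needs full XPath."""
    if not xpath.startswith("//"):
        raise ValueError("unsupported XPath shape: " + xpath)
    holder = ET.Element("holder")  # lets the search match the root element too
    holder.append(root)
    return holder.findall("." + xpath)


def find_signature_node(root):
    """What xmlsec's --node-xpath has to select: the ds:Signature element,
    which is unrelated to the Reference's node set."""
    return root.find(".//{%s}Signature" % DS)


def load_rsa_public_key(key_xml):
    """(n, e) from an xmlsec <Keys> file holding a ds:RSAKeyValue."""
    keys = ET.fromstring(key_xml)
    n = int.from_bytes(base64.b64decode(keys.find(".//{%s}Modulus" % DS).text.strip()), "big")
    e = int.from_bytes(base64.b64decode(keys.find(".//{%s}Exponent" % DS).text.strip()), "big")
    return n, e


def emsa_pkcs1_v15_sha1(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(message) for a k-byte modulus."""
    t = DIGEST_INFO_SHA1 + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sha1_verify(n, e, signature_b64, message):
    """RSASSA-PKCS1-v1_5 verification (the rsa-sha1 SignatureMethod); message
    must be the canonical SignedInfo bytes. Returns (ok, reason)."""
    k = (n.bit_length() + 7) // 8
    sig = base64.b64decode(signature_b64)
    if len(sig) != k:
        return False, "signature is %d bytes, modulus is %d" % (len(sig), k)
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False, "signature value not below the modulus"
    em = pow(s, e, n).to_bytes(k, "big")
    if hmac.compare_digest(em, emsa_pkcs1_v15_sha1(message, k)):
        return True, "ok"
    if em[:2] != b"\x00\x01" or b"\x00" + DIGEST_INFO_SHA1 not in em:
        return False, "not a PKCS#1 v1.5/SHA-1 signature under this key (wrong key?)"
    return False, "key fits, but the signed bytes differ from this SignedInfo serialization"


def diagnose(doc_xml, key_xml, canonical_signed_info):
    """Run the stages in xmlsec's order and report what each one found."""
    root = ET.fromstring(doc_xml)
    xpath = reference_xpath(root.find(".//{%s}Reference" % DS).get("URI"))
    sig_b64 = root.find(".//{%s}SignatureValue" % DS).text.strip()
    n, e = load_rsa_public_key(key_xml)
    ok, reason = rsa_sha1_verify(n, e, sig_b64, canonical_signed_info)
    return {
        "reference_xpath": xpath,
        "reference_nodes": [local_name(x) for x in select_reference_nodes(root, xpath)],
        "signature_node": local_name(find_signature_node(root)),
        "signature_ok": ok,
        "signature_reason": reason,
    }


if __name__ == "__main__":
    # The posted copy is line-wrapped, so the exact canonical SignedInfo bytes
    # Travic signed are not recoverable; a placeholder stands in for them here.
    print(diagnose(EBICS_REQUEST, KEY_FILE, b"<placeholder: canonical SignedInfo>"))
```

Reading the xmlsec output with these stages in mind: "SignedInfo References (ok/all): 1/1" means the digest over the node set selected by the xpointer URI matched, so the escaping ambiguity from the Ertel paper is not what fails in this message; "signature do not match" is the last stage, the RSA check of SignatureValue over the canonicalized SignedInfo, which fails either when the two sides do not serialize SignedInfo to the same canonical bytes or when the key is not the one that produced the signature. The rsa_sha1_verify reason strings separate those two cases for a verifier log without saying which one applies to the poster's setup.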
------------------------------------------------------------------------
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec