[xmlsec] Fail to verify symmetric sign

igor at das.ufsc.br igor at das.ufsc.br
Thu Mar 18 18:15:08 PDT 2010


Hello guys,

I'm using xmlsec1 for encryption and signing, but I'm having trouble
verifying the signature. I am signing only the Header of the SOAP message
using HMAC with the same AES key to encrypt the message.

Using the console, I can verify the signature with the following command:
xmlsec1 verify --hmackey aeskey.bin Server-Recv-XMLCifrado.data

My function in C that would verify the signature shows the following error:

func=xmlSecKeyDataHmacGetKlass:file=app.c:line=211:obj=unknown:subj=keyDataHmacId:error=9:feature
is not implemented:
func=xmlSecKeyReadBinaryFile:file=keys.c:line=1219:obj=unknown:subj=dataId
!= xmlSecKeyDataIdUnknown:error=100:assertion:
Error: failed to load des key from binary file "aeskey.bin"
func=xmlSecTransformCtxBinaryExecute:file=transforms.c:line=1091:obj=unknown:subj=dataSize
> 0:error=100:assertion:
func=xmlSecEncCtxBinaryEncrypt:file=xmlenc.c:line=333:obj=unknown:subj=xmlSecTransformCtxBinaryExecute:error=1:xmlsec
library function failed:dataSize=0
Error: encryption failed


I am using a function of the examples with a slight modification:

int
verify_file(const char* xml_file, const char* key_file) {
    xmlDocPtr doc = NULL;
    xmlNodePtr node = NULL;
    xmlSecDSigCtxPtr dsigCtx = NULL;
    int res = -1;

    assert(xml_file);
    assert(key_file);

    /* load file */
    doc = xmlParseFile(xml_file);
    if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
	fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
	goto done;
    }

    /* find start node */
    node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature,
xmlSecDSigNs);
    if(node == NULL) {
	fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
	goto done;
    }

    /* create signature context, we don't need keys manager in this
example */
    dsigCtx = xmlSecDSigCtxCreate(NULL);
    if(dsigCtx == NULL) {
        fprintf(stderr,"Error: failed to create signature context\n");
	goto done;
    }

    /* load AES key, assuming that there is not password */
    dsigCtx->signKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataHmacId,
key_file);
    if(dsigCtx->signKey == NULL) {
        fprintf(stderr,"Error: failed to load des key from binary file
\"%s\"\n", key_file);
	goto done;
    }

    /* set key name to the file name, this is just an example! */
    if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
    	fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n",
key_file);
	goto done;
    }

    /* Verify signature */
    if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
        fprintf(stderr,"Error: signature verify\n");
	goto done;
    }

    /* print verification result to stdout */
    if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
	fprintf(stdout, "Signature is OK\n");
    } else {
	fprintf(stdout, "Signature is INVALID\n");
    }

    /* success */
    res = 0;

done:
    /* cleanup */
    if(dsigCtx != NULL) {
	xmlSecDSigCtxDestroy(dsigCtx);
    }

    if(doc != NULL) {
	xmlFreeDoc(doc);
    }
    return(res);
}

Any help?

BR,
Igor



More information about the xmlsec mailing list