[From nobody Wed Oct 29 15:06:10 2008 X-Tomcat-ID: 13784148 References: <ObIY2ovFEHA.3984@TK2MSFTNGP10.phx.gbl> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit From: shawnfa@online.microsoft.com ("Shawn Farkas") Organization: Microsoft Date: Thu, 01 Apr 2004 00:40:55 GMT Subject: RE: problem verifying XML signature X-Tomcat-NG: microsoft.public.dotnet.security Message-ID: <i8GcJI4FEHA.660@cpmsftngxa06.phx.gbl> Newsgroups: microsoft.public.dotnet.security NNTP-Posting-Host: tomcatimport2.phx.gbl 10.201.218.182 Path: TK2MSFTNGP08.phx.gbl!cpmsftngxa06.phx.gbl Xref: TK2MSFTNGP08.phx.gbl microsoft.public.dotnet.security:6208 Hi Mark, The signature is in fact valid. Unfortunately, support for X509 cerficiates in v1.1 and v1.0 of the framework is not very good. The good news is that we've put a lot of effort into X509 for v2.0 of the framework. I've just tried to verify your signature using v2.0, and it does work as expected. There is a technical preview of v2.0 available for MSDN subscribers (check out http://msdn.microsoft.com/vs2005). I would also recommend checking out the Web Service Extensions for v1.1 of the framework. These include better support for certificates. (You may have to use the extensions to get the key from your certificate manually, then pass that key to the signature verification method) -Shawn http://blogs.msdn.com/shawnfa -- This posting is provided "AS IS" with no warranties, and confers no rights. Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated. -------------------- >Date: Wed, 31 Mar 2004 10:28:53 +0200 >From: Marko Macek <mark@hermes.si> >User-Agent: Mozilla Thunderbird 0.5 (Windows/20040207) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >Subject: problem verifying XML signature >Content-Type: multipart/mixed; > boundary="------------010309010308020706040304" >Message-ID: <ObIY2ovFEHA.3984@TK2MSFTNGP10.phx.gbl> >Newsgroups: microsoft.public.dotnet.security >NNTP-Posting-Host: external-7.hermes.si 213.253.102.145 >Lines: 1 >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl >Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.security:5600 >X-Tomcat-NG: microsoft.public.dotnet.security > >Hello! > >I have a problem verifying a signature (attached xml) made with >Ubisignature. > >I have tried verifying the signature with Microsoft SignedXml class >(framework 1.1) and it dies like this: > >System.Security.Cryptography.CryptographicException: >Cryptographic service provider (CSP) for this implementation generated an >internal error while attempting to verify the signature. at >System.Security.Cryptography.RSACryptoServiceProvider.VerifyHash(Byte[] >rgbHash, String str, Byte[] rgbSignature) at >System.Security.Cryptography.RSAPKCS1SignatureDeformatter.VerifySignature(By >te[] rgbHash, Byte[] rgbSignature) at >System.Security.Cryptography.AsymmetricSignatureDeformatter.VerifySignature( >HashAlgorithm hash, Byte[] rgbSignature) at >System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorith >m key) at >System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(Asymme >tricAlgorithm& signingKey) at > > >I'm also tried to verify it using xmlsec (www.aleksey.com/xmlsec/). > >The of xmlsec output is: > >C:\work\xmlsec>xmlsec --verify --node-xpath >//*[@Id='DepositorSignature'] --trusted-der sigov-ca.crt --print-debug >podpis_mm3.xml = VERIFICATION CONTEXT >== Status: invalid >== flags: 0x00000000 >== flags2: 0x00000000 >== Id: "DepositorSignature" >== Key Info Read Ctx: >= KEY INFO READ CONTEXT >== flags: 0x00000000 >== flags2: 0x00000000 >== enabled key data: all >== RetrievalMethod level (cur/max): 0/1 >== TRANSFORMS CTX (status=0) >== flags: 0x00000000 >== flags2: 0x00000000 >== enabled transforms: all >=== uri: NULL >=== uri xpointer expr: NULL >== EncryptedKey level (cur/max): 0/1 >== Key Info Write Ctx: >= KEY INFO WRITE CONTEXT >== flags: 0x00000000 >== flags2: 0x00000000 >== enabled key data: all >== RetrievalMethod level (cur/max): 0/1 >== TRANSFORMS CTX (status=0) >== flags: 0x00000000 >== flags2: 0x00000000 >== enabled transforms: all >=== uri: NULL >=== uri xpointer expr: NULL >== EncryptedKey level (cur/max): 0/1 >== Signature Transform Ctx: >== TRANSFORMS CTX (status=2) >== flags: 0x00000000 >== flags2: 0x00000000 >== enabled transforms: all >=== uri: NULL >=== uri xpointer expr: NULL >=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) >=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >=== Transform: membuf-transform (href=NULL) >== Signature Method: >=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >== Signature Key: >== KEY >=== method: RSAKeyValue >=== key type: Public >=== key usage: 65535 >=== rsa key: size = 1023 >== SignedInfo References List: >=== list size: 1 >= REFERENCE VERIFICATION CONTEXT >== Status: succeeded >== URI: "" >== Reference Transform Ctx: >== TRANSFORMS CTX (status=2) >== flags: 0x00000000 >== flags2: 0x00000000 >== enabled transforms: all >=== uri: NULL >=== uri xpointer expr: NULL >=== Transform: enveloped-signature >(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) >=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) >=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >=== Transform: membuf-transform (href=NULL) >== Digest Method: >=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >== Manifest References List: >=== list size: 0 >func=:file=..\src\openssl\signatures.c:line=248:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data >do not match:signature do not match >FAIL >SignedInfo References (ok/all): 1/1 >Manifests References (ok/all): 0/0 >Error: failed to verify file "podpis_mm3.xml" >============================================================ > >One thing that I find odd is: > >=== rsa key: size = 1023 > >But Ubisignature and Java (apache) implementations verify the signature >as valid. > >Can anyone help? Is the signature valid or not? Where is the problem? > >The CA certificate is at http://www.sigov-ca.gov.si/sigov-ca.crt > >Thanks, >Mark > > > > > > ]