<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
I am trying to discover which XML part is digested, to understand
why I get a different digest value from the one calculated by the Java
XmlDsig API.<br>
To do that I tried to add some tracing in the code just before the
digest algorithm, but I have not yet been able to find the right position.<br>
Could you give me a clue where to add the trace in the source code?<br>
<br>
Thanks for your help.<br>
<br>
Francois<br>
<div class="moz-signature">
</div>
On 07/04/2014 14:49, François Plou wrote:<br>
</div>
<blockquote cite="mid:53429EF7.1030302@webank.fr" type="cite">
<br>
Hi,
<br>
<br>
Below is the result of --store-references option :
<br>
<br>
xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
<br>
--store-references acmt.007.001.02_1.skel.1sign.object2.xml
<br>
Enter password for "/home/fplou/CA/fplousign.key" file:
<br>
= SIGNATURE CONTEXT
<br>
== Status: succeeded
<br>
== flags: 0x00000006
<br>
== flags2: 0x00000000
<br>
== Key Info Read Ctx:
<br>
= KEY INFO READ CONTEXT
<br>
== flags: 0x00000000
<br>
== flags2: 0x00000000
<br>
== enabled key data: all
<br>
== RetrievalMethod level (cur/max): 0/1
<br>
== TRANSFORMS CTX (status=0)
<br>
== flags: 0x00000000
<br>
== flags2: 0x00000000
<br>
== enabled transforms: all
<br>
=== uri: NULL
<br>
=== uri xpointer expr: NULL
<br>
== EncryptedKey level (cur/max): 0/1
<br>
=== KeyReq:
<br>
==== keyId: rsa
<br>
==== keyType: 0x00000002
<br>
==== keyUsage: 0x00000001
<br>
==== keyBitsSize: 0
<br>
=== list size: 0
<br>
== Key Info Write Ctx:
<br>
= KEY INFO WRITE CONTEXT
<br>
== flags: 0x00000000
<br>
== flags2: 0x00000000
<br>
== enabled key data: all
<br>
== RetrievalMethod level (cur/max): 0/1
<br>
== TRANSFORMS CTX (status=0)
<br>
== flags: 0x00000000
<br>
== flags2: 0x00000000
<br>
== enabled transforms: all
<br>
=== uri: NULL
<br>
=== uri xpointer expr: NULL
<br>
== EncryptedKey level (cur/max): 0/1
<br>
=== KeyReq:
<br>
==== keyId: NULL
<br>
==== keyType: 0x00000001
<br>
==== keyUsage: 0xffffffff
<br>
==== keyBitsSize: 0
<br>
=== list size: 0
<br>
== Signature Transform Ctx:
<br>
== TRANSFORMS CTX (status=2)
<br>
== flags: 0x00000000
<br>
== flags2: 0x00000000
<br>
== enabled transforms: all
<br>
=== uri: NULL
<br>
=== uri xpointer expr: NULL
<br>
=== Transform: c14n
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
<br>
=== Transform: rsa-sha1
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>)
<br>
=== Transform: base64
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
<br>
=== Transform: membuf-transform (href=NULL)
<br>
== Signature Method:
<br>
=== Transform: rsa-sha1
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>)
<br>
== Signature Key:
<br>
== KEY
<br>
=== method: RSAKeyValue
<br>
=== key type: Private
<br>
=== key usage: -1
<br>
=== rsa key: size = 2048
<br>
== SignedInfo References List:
<br>
=== list size: 1
<br>
= REFERENCE CALCULATION CONTEXT
<br>
== Status: succeeded
<br>
== URI: "#Manifest"
<br>
== Reference Transform Ctx:
<br>
== TRANSFORMS CTX (status=2)
<br>
== flags: 0x00000000
<br>
== flags2: 0x00000000
<br>
== enabled transforms: all
<br>
=== uri:
<br>
=== uri xpointer expr: #Manifest
<br>
=== Transform: xpointer
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmldsig-more/xptr">http://www.w3.org/2001/04/xmldsig-more/xptr</a>)
<br>
=== Transform: enveloped-signature
<br>
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
<br>
=== Transform: c14n
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
<br>
=== Transform: membuf-transform (href=NULL)
<br>
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
<br>
=== Transform: base64
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
<br>
=== Transform: membuf-transform (href=NULL)
<br>
== Digest Method:
<br>
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
<br>
== Result - start buffer:
<br>
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
<br>
== Result - end buffer
<br>
== Manifest References List:
<br>
=== list size: 2
<br>
= REFERENCE CALCULATION CONTEXT
<br>
== Status: succeeded
<br>
== URI: ""
<br>
== Reference Transform Ctx:
<br>
== TRANSFORMS CTX (status=2)
<br>
== flags: 0x00000000
<br>
== flags2: 0x00000000
<br>
== enabled transforms: all
<br>
=== uri: NULL
<br>
=== uri xpointer expr: NULL
<br>
=== Transform: enveloped-signature
<br>
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#enveloped-signature">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>)
<br>
=== Transform: c14n
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>)
<br>
=== Transform: membuf-transform (href=NULL)
<br>
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
<br>
=== Transform: base64
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
<br>
=== Transform: membuf-transform (href=NULL)
<br>
== Digest Method:
<br>
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
<br>
== PreDigest data - start buffer:
<br>
<Document
xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<br>
<AcctOpngReq>
<br>
<Refs>
<br>
<MsgId>
<br>
<Id>ABC/090928/CCT001</Id>
<br>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
<br>
</MsgId>
<br>
<PrcId>
<br>
<Id>ABC/090928/CCT001</Id>
<br>
<CreDtTm>2010-09-28T14:07:00</CreDtTm>
<br>
</PrcId>
<br>
</Refs>
<br>
<Acct>
<br>
<Id>
<br>
<Othr>
<br>
<Id>NOREF2</Id>
<br>
</Othr>
<br>
</Id>
<br>
<Tp>
<br>
<Cd>CASH</Cd>
<br>
</Tp>
<br>
<Ccy>USD</Ccy>
<br>
<MnthlyRcvdVal>200000</MnthlyRcvdVal>
<br>
<MnthlyTxNb>100</MnthlyTxNb>
<br>
<AvrgBal>10000</AvrgBal>
<br>
</Acct>
<br>
<CtrctDts>
<br>
<TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
<br>
</CtrctDts>
<br>
<UndrlygMstrAgrmt>
<br>
<Ref>ABC/Acct/BBBBUS33</Ref>
<br>
<Vrsn>1.0</Vrsn>
<br>
</UndrlygMstrAgrmt>
<br>
<AcctSvcrId>
<br>
<FinInstnId>
<br>
<BICFI>BBBBUS33</BICFI>
<br>
</FinInstnId>
<br>
</AcctSvcrId>
<br>
<Org>
<br>
<FullLglNm>ABC
Corporation</FullLglNm>
<br>
<CtryOfOpr>US</CtryOfOpr>
<br>
<RegnDt>1999-09-01</RegnDt>
<br>
<LglAdr>
<br>
<StrtNm>Times
Square</StrtNm>
<br>
<BldgNb>7</BldgNb>
<br>
<PstCd>NY
10036</PstCd>
<br>
<TwnNm>New
York</TwnNm>
<br>
<Ctry>US</Ctry>
<br>
</LglAdr>
<br>
<OrgId>
<br>
<Othr>
<br>
<Id>01256485-85</Id>
<br>
<SchmeNm>
<br>
<Prtry>TAX</Prtry>
<br>
</SchmeNm>
<br>
</Othr>
<br>
</OrgId>
<br>
<MainMndtHldr>
<br>
<Nm>Richard Jones</Nm>
<br>
<PstlAdr>
<br>
<AdrTp>HOME</AdrTp>
<br>
<StrtNm>La Guardia
Drive</StrtNm>
<br>
<BldgNb>12</BldgNb>
<br>
<PstCd>NJ
07054</PstCd>
<br>
<TwnNm>Parsippany</TwnNm>
<br>
<Ctry>US</Ctry>
<br>
</PstlAdr>
<br>
<Id>
<br>
<DtAndPlcOfBirth>
<br>
<BirthDt>1960-05-01</BirthDt>
<br>
<CityOfBirth>New york</CityOfBirth>
<br>
<CtryOfBirth>US</CtryOfBirth>
<br>
</DtAndPlcOfBirth>
<br>
</Id>
<br>
</MainMndtHldr>
<br>
</Org>
<br>
<DgtlSgntr>
<br>
<Pty>
<br>
<Nm>fplou</Nm>
<br>
</Pty>
<br>
<Sgntr>
<br>
<br>
</Sgntr>
<br>
</DgtlSgntr>
<br>
</AcctOpngReq>
<br>
</Document>
<br>
== PreDigest data - end buffer
<br>
== Result - start buffer:
<br>
vSK1aioRUa7Gz2jLpN9LFqFeXSI=
<br>
== Result - end buffer
<br>
= REFERENCE CALCULATION CONTEXT
<br>
== Status: succeeded
<br>
== URI: "sign.sh"
<br>
== Reference Transform Ctx:
<br>
== TRANSFORMS CTX (status=2)
<br>
== flags: 0x00000000
<br>
== flags2: 0x00000000
<br>
== enabled transforms: all
<br>
=== uri: sign.sh
<br>
=== uri xpointer expr: NULL
<br>
=== Transform: input-uri (href=NULL)
<br>
=== Transform: membuf-transform (href=NULL)
<br>
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
<br>
=== Transform: base64
(href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#base64">http://www.w3.org/2000/09/xmldsig#base64</a>)
<br>
=== Transform: membuf-transform (href=NULL)
<br>
== Digest Method:
<br>
=== Transform: sha1 (href=<a class="moz-txt-link-freetext" href="http://www.w3.org/2000/09/xmldsig#sha1">http://www.w3.org/2000/09/xmldsig#sha1</a>)
<br>
== PreDigest data - start buffer:
<br>
xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
<br>
acmt.007.001.02_1.skel.1sign.object2.xml
<br>
<br>
== PreDigest data - end buffer
<br>
== Result - start buffer:
<br>
4JgfakTfEbqzVpb+lP8vAWsD0u8=
<br>
== Result - end buffer
<br>
== Result - start buffer:
<br>
== Result - end buffer
<br>
<br>
<br>
François
<br>
<br>
On 03/04/2014 18:37, Aleksey Sanin wrote:
<br>
<blockquote type="cite">Try "--store-references" option to see
what exactly was signed. Just
<br>
looking at the file, the DigestValue inside the #Manifest
subtree looks
<br>
suspicious.
<br>
<br>
Aleksey
<br>
<br>
On 4/3/14, 5:46 AM, François Plou wrote:
<br>
<blockquote type="cite">Hi,
<br>
<br>
I am facing an issue trying to sign an XML document which
<br>
references an external file.
<br>
xmlsec1 gives me a digest for the URI=#Manifest which is not
verified by
<br>
tools like Apache XML Security.
<br>
I am pretty sure there is something missing in the XML
document I give
<br>
to xmlsec, but I can't figure out what.
<br>
<br>
I sign the document named
acmt.007.001.02_1.skel.1sign.object2.xml.
<br>
The command I use is: xmlsec1 --sign --output fpl.xml
--privkey <key>
<br>
acmt.007.001.02_1.skel.1sign.object2.xml
<br>
The output document is fpl.xml
<br>
<br>
The digest which is not the same as the one computed by Apache
XML
<br>
Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
<br>
Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
<br>
<br>
I found that the expected digest matches the enclosed manifest3.xml
file
<br>
(I built it manually).
<br>
So it seems xmlsec is not creating the same manifest part.
<br>
<br>
Do you have any idea what can be wrong in my
<br>
acmt.007.001.02_1.skel.1sign.object2.xml file? Do I need to
add a
<br>
transform?
<br>
<br>
Thanks for your help.
<br>
<br>
Francois
<br>
<br>
<br>
<br>
_______________________________________________
<br>
xmlsec mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<br>
<a class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
<br>
<br>
</blockquote>
</blockquote>
<br>
<br>
<br>
</blockquote>
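As an added editorial example (not code from the thread or from the xmlsec project): a small Python check that decodes the DigestValues quoted above and shows that 2jmj7l5rSw0yVb/vlWAYkK/YBwk=, the value xmlsec1 computed for URI="#Manifest", is the SHA-1 of an empty input, i.e. that reference's transforms produced no data at all. The Signature fragment inside is a constructed sample mirroring the three references in the --store-references output, not the poster's file.<br>

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
# Digest values quoted in the thread, embedded here for the demonstration.
XMLSEC_MANIFEST_DIGEST = "2jmj7l5rSw0yVb/vlWAYkK/YBwk="    # produced by xmlsec1 for URI="#Manifest"
EXPECTED_MANIFEST_DIGEST = "M3eHHYZ3d//5HW/Gp583TrV/K4I="  # expected by Apache XML Security

# Constructed sample Signature fragment (not the poster's file); it mirrors the three
# references of the quoted --store-references output and carries their digest values.
SAMPLE_SIGNATURE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <Reference URI="#Manifest"><DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue></Reference>
  </SignedInfo>
  <Object><Manifest Id="Manifest">
    <Reference URI=""><DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue></Reference>
    <Reference URI="sign.sh"><DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue></Reference>
  </Manifest></Object>
</Signature>"""


def digest_value(data: bytes, algorithm: str = "sha1") -> str:
    """Base64 DigestValue of data, the way an XML-DSig DigestMethod encodes it."""
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def diagnose(value: str) -> str:
    """Explain a DigestValue by comparing it with the digest of a well-known input."""
    raw = base64.b64decode(value)
    if len(raw) != hashlib.sha1().digest_size:
        return "not a SHA-1 digest (%d bytes)" % len(raw)
    if raw == hashlib.sha1(b"").digest():
        # SHA-1 of zero bytes: the reference's transform chain produced no data,
        # i.e. the URI (here the xpointer #Manifest) resolved to an empty node set.
        return "SHA-1 of empty input: reference resolved to no content"
    return "SHA-1 of non-empty input"


def diagnose_signature(xml_text: str) -> list:
    """Return (URI, diagnosis) for every ds:Reference in a Signature element."""
    root = ET.fromstring(xml_text)
    report = []
    for ref in root.iter(DSIG + "Reference"):
        dv = ref.find(DSIG + "DigestValue").text.strip()
        report.append((ref.get("URI"), diagnose(dv)))
    return report


if __name__ == "__main__":
    for uri, verdict in diagnose_signature(SAMPLE_SIGNATURE):
        print('URI="%s": %s' % (uri, verdict))
```

An ID-based reference that resolves to nothing in xmlsec1 commonly means the target element's Id attribute was not registered (its --id-attr option); that cause is an assumption here, not something the thread confirms.<br>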
<br>
</body>
</html>