[xmlsec] Problem with ver 0.0.11

Aleksey Sanin aleksey at aleksey.com
Sun Dec 8 18:07:25 PST 2002

This is not a surprise for me at all. You are signing *everything* in 
the document
includingthe <dsig:Signature> node subtree. Which means that you never get
it verified:
    -  when you are signing the <dsig:SignatureValue> is not yet calculated
    (i.e. empty)
    - when you are verifying the <dsig:SignatureValue> has a non-empty value
    and, of course, the digest is *different*

Probably, you want to add an enveloped transform

	  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />

To exclude <dsig:Signature> subtree.


kltsai wrote:

>Hi aleksey and igor:
>	I am sorry to make such a big mistake. In fact, I downloaded
>v0.0.10 from Mr. Igor's site. But I still have some problem with he
><?xml version="1.0"?>
><Data1 Id="anchor1">
><Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="kenny at a.b.c">
>    <SignedInfo>
>      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
>      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
>      <Reference URI="#xpointer(/)">
>        <Transforms>
>          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
>        </Transforms>
>        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>        <DigestValue></DigestValue>
>      </Reference>
>    </SignedInfo>
>    <SignatureValue/>
>    <KeyInfo>
>    <KeyValue/>
>    </KeyInfo>
>  </Signature></IFX>
>And it causes the following message:
>C:\temp\xmlsec-0.0.11\TestApp\Debug>testapp verify kltsai6.xml
> (c:\temp\xmlsec-0.0.11\src\xmldsig.c:1493): error 51: invalid reference :
>= Status:
>== Signatures ok: 0
>== Signatures fail: 1
>== SignedInfo Ref ok: 0
>== SignedInfo Ref fail: 1
>== Manifest Ref ok: 0
>== Manifest Ref fail: 0
>Error: operation failed
>I debug into the sourse code, and find it means verification stage gets
>different digestvalue from DigestValue node. It doesn't stand for xmlSec
>does not recognize reference node. I am still trying to find out the
>problem. Does anyone have any idea about my problem? Thanks in
>							kltsai

More information about the xmlsec mailing list