[xmlsec] Re: Implementing WS-Security using XMLSec...

Aleksey Sanin aleksey at aleksey.com
Tue Jun 3 08:28:54 PDT 2003


First of all, I would appreciate it if you would use the xmlsec mailing list
for any questions about the xmlsec library (this reply is copied to the list,
btw).

It seems that your <Reference/> element contains a URI with an Id attribute.
And I am not sure I understand how you got the error you describe
without a DTD.
Most likely you should have something like this instead:

func=xmlSecXPathDataExecute:file=xpath.c:line=250:obj=unknown:subj=xmlXPtrEval:
error=5:libxml2 library function failed:
expr=xpointer(id('wssecurity_body_id_3550107555769326699_1054623170226'))

Please read section 3.2 of the FAQ (http://www.aleksey.com/xmlsec/faq.html)
for the explanation "why".

Assuming you add a correct DTD, the signature seems to be trivial (a Reference
with an ID-type URI plus one exc C14N transform) and I would be really
surprised if xmlsec does the wrong thing here. Unfortunately, there is no easy
way to determine why digests do not match. In xmlsec you can use the
'--print-all' option to get the binary stream just before digesting. The best
you can do is to compare this data with the same data from WebSphere (if you
are able to get it from WebSphere). Read the documentation or search the
mailing list. There were several similar problems before.

And if you want me to guess, I would bet that you have different digests
because something introduced spaces and/or end-of-lines when you dumped the
XML document to a file.


Aleksey


arvasoft at attbi.com wrote:

>Hi Aleksey,
>
>I am implementing WS-Security using XMLSec. Currently, I am trying to
>validate signatures generated by Websphere, but am running into a problem
>where the Digests generated by Websphere and that by XMLSec are different.
>This causes the following error
>
>func=:file=..\src\openssl\digests.c:line=164:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>Signature is INVALID
>
>I would really appreciate your help on resolving this issue.
>
>Thanks,
>
>Regards,
>
>-Venky
>
>
>PS: I am attaching the following files:
>
>  1. original Websphere signed document
>  2. a modified version of the xml document that I am using for the test; I
>     have copied the X509 from <wsse:BinarySecurityToken> to <X509Certificate>
>     in <KeyInfo>.
>  3. cacert.pem the trusted root that I use
>  
>
>------------------------------------------------------------------------
>
><?xml version="1.0" encoding="UTF-8"?>
><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>  <soapenv:Header>
>    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
>      <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3" wsu:Id="wssecurity_binary_security_token_id_3491871345588805218_1054623170226" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
>        MIIDwjCCAyugAwIBAgICUAcwDQYJKoZIhvcNAQEEBQAwaDELMAkGA1UEBhMCVVMxFjAU
>        BgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFzb2Z0IFByaW1hcnkgQ0Ex
>        IzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMB4XDTAzMDUyMjE2NTQ1
>        MVoXDTA0MDUyMTE2NTQ1MVowgaMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAG
>        A1UEBxMJU2FuIFJhbW9uMRYwFAYDVQQKEw1BcnZhc29mdCwgSW5jMRwwGgYDVQQLExNB
>        cnZhc29mdCBQcmltYXJ5IENBMRgwFgYDVQQDEw9XZWJzcGhlcmUgVGVzdDExIzAhBgkq
>        hkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
>        ADCBiQKBgQC+U+xYlYjrxUXUnEWh/k3TdDT3B2+bTQ/Uqcaayj/1oyKCVuiRzd5gYolx
>        aCkUEPRGwbe4ZkzDfBuAy38uV9KyfOoc5SxzHpUcnQSTCH2fxGhYbzOBAfC3DXOQRagj
>        eMnFBaBADMrfYMlyEQOqI+faW+0920bZ6/FuHrurbFGjCQIDAQABo4IBPTCCATkwCQYD
>        VR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMgYJYIZIAYb4QgENBCUWI0NlcnRpZmlj
>        YXRlIGlzc3VlZCBieSBBcnZhc29mdCwgSW5jMB0GA1UdDgQWBBRmZnJHx2GUWyIckvup
>        FvjVP3CkjTCBkgYDVR0jBIGKMIGHgBRBK48bKkx6NoJ2JVo47clzdvNhkaFspGowaDEL
>        MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFz
>        b2Z0IFByaW1hcnkgQ0ExIzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29t
>        ggEAMDEGCWCGSAGG+EIBBAQkFiJodHRwOi8vd3d3LmFydmFzb2Z0LmNvbS9jYS1jcmwu
>        cGVtMA0GCSqGSIb3DQEBBAUAA4GBAArehDZer5IGiB+NboI2TN6NkKT/qKJVd3xGCiPi
>        QwfbFzAjgESCON7Dr6Eszn2+mLItIBE/yfX0ukZDFD4h82KWUJygRAL0LMvYSa8f1O1T
>        FVScAEFGaaI69+2ynFq3o0bByg9/L/i4xfFvdtUwlEvrbJomsa4nx5NbwWmTw583
>      </wsse:BinarySecurityToken>
>      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>        <SignedInfo>
>          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>          <Reference URI="#wssecurity_body_id_3550107555769326699_1054623170226">
>            <Transforms>
>              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>            </Transforms>
>            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>            <DigestValue>5zj77bM9zGNVvLBIdy6yho/IZ+g=</DigestValue>
>          </Reference>
>        </SignedInfo>
>        <SignatureValue>
>          vU35ynJzQdJ7zu09Gitf4hcsoG6OT/qYW1MTcvAigjNxKfgdZYN90BASwwpPN5LxaL
>          sEi+f8OXpAYM5aPMlLH1rht+es1xPkq6lrG5JbGcUJtNbSG0LfLhcoWfV4aak1pXdC
>          vczRurJyoDEpImeYNsFr6ItLaRciTTTA7qaSCKw=
>        </SignatureValue>
>        <KeyInfo>
>          <wsse:SecurityTokenReference>
>            <wsse:Reference URI="#wssecurity_binary_security_token_id_3491871345588805218_1054623170226"/>
>          </wsse:SecurityTokenReference>
>        </KeyInfo>
>      </Signature>
>    </wsse:Security>
>  </soapenv:Header>
> <soapenv:Body wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
>  <getGreetingResponse xmlns="http://Sample8.wsdk.ibm.com">
>   <getGreetingReturn xmlns="">Hello venky. How are you?</getGreetingReturn>
>  </getGreetingResponse>
> </soapenv:Body>
></soapenv:Envelope>
>
>------------------------------------------------------------------------
>
><?xml version="1.0" encoding="UTF-8"?>
><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>  <soapenv:Header>
>    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
>      <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3" wsu:Id="wssecurity_binary_security_token_id_3491871345588805218_1054623170226" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
>        MIIDwjCCAyugAwIBAgICUAcwDQYJKoZIhvcNAQEEBQAwaDELMAkGA1UEBhMCVVMxFjAU
>        BgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFzb2Z0IFByaW1hcnkgQ0Ex
>        IzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMB4XDTAzMDUyMjE2NTQ1
>        MVoXDTA0MDUyMTE2NTQ1MVowgaMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAG
>        A1UEBxMJU2FuIFJhbW9uMRYwFAYDVQQKEw1BcnZhc29mdCwgSW5jMRwwGgYDVQQLExNB
>        cnZhc29mdCBQcmltYXJ5IENBMRgwFgYDVQQDEw9XZWJzcGhlcmUgVGVzdDExIzAhBgkq
>        hkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
>        ADCBiQKBgQC+U+xYlYjrxUXUnEWh/k3TdDT3B2+bTQ/Uqcaayj/1oyKCVuiRzd5gYolx
>        aCkUEPRGwbe4ZkzDfBuAy38uV9KyfOoc5SxzHpUcnQSTCH2fxGhYbzOBAfC3DXOQRagj
>        eMnFBaBADMrfYMlyEQOqI+faW+0920bZ6/FuHrurbFGjCQIDAQABo4IBPTCCATkwCQYD
>        VR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMgYJYIZIAYb4QgENBCUWI0NlcnRpZmlj
>        YXRlIGlzc3VlZCBieSBBcnZhc29mdCwgSW5jMB0GA1UdDgQWBBRmZnJHx2GUWyIckvup
>        FvjVP3CkjTCBkgYDVR0jBIGKMIGHgBRBK48bKkx6NoJ2JVo47clzdvNhkaFspGowaDEL
>        MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFz
>        b2Z0IFByaW1hcnkgQ0ExIzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29t
>        ggEAMDEGCWCGSAGG+EIBBAQkFiJodHRwOi8vd3d3LmFydmFzb2Z0LmNvbS9jYS1jcmwu
>        cGVtMA0GCSqGSIb3DQEBBAUAA4GBAArehDZer5IGiB+NboI2TN6NkKT/qKJVd3xGCiPi
>        QwfbFzAjgESCON7Dr6Eszn2+mLItIBE/yfX0ukZDFD4h82KWUJygRAL0LMvYSa8f1O1T
>        FVScAEFGaaI69+2ynFq3o0bByg9/L/i4xfFvdtUwlEvrbJomsa4nx5NbwWmTw583
>      </wsse:BinarySecurityToken>
>      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>        <SignedInfo>
>          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>          <Reference URI="#wssecurity_body_id_3550107555769326699_1054623170226">
>            <Transforms>
>              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>            </Transforms>
>            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>            <DigestValue>5zj77bM9zGNVvLBIdy6yho/IZ+g=</DigestValue>
>          </Reference>
>        </SignedInfo>
>        <SignatureValue>
>          vU35ynJzQdJ7zu09Gitf4hcsoG6OT/qYW1MTcvAigjNxKfgdZYN90BASwwpPN5LxaL
>          sEi+f8OXpAYM5aPMlLH1rht+es1xPkq6lrG5JbGcUJtNbSG0LfLhcoWfV4aak1pXdC
>          vczRurJyoDEpImeYNsFr6ItLaRciTTTA7qaSCKw=
>        </SignatureValue>
>        <KeyInfo>
>          <X509Data>
>            <X509Certificate>MIIDwjCCAyugAwIBAgICUAcwDQYJKoZIhvcNAQEEBQAwaDELMAkGA1UEBhMCVVMxFjAU
>        BgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFzb2Z0IFByaW1hcnkgQ0Ex
>        IzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMB4XDTAzMDUyMjE2NTQ1
>        MVoXDTA0MDUyMTE2NTQ1MVowgaMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAG
>        A1UEBxMJU2FuIFJhbW9uMRYwFAYDVQQKEw1BcnZhc29mdCwgSW5jMRwwGgYDVQQLExNB
>        cnZhc29mdCBQcmltYXJ5IENBMRgwFgYDVQQDEw9XZWJzcGhlcmUgVGVzdDExIzAhBgkq
>        hkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
>        ADCBiQKBgQC+U+xYlYjrxUXUnEWh/k3TdDT3B2+bTQ/Uqcaayj/1oyKCVuiRzd5gYolx
>        aCkUEPRGwbe4ZkzDfBuAy38uV9KyfOoc5SxzHpUcnQSTCH2fxGhYbzOBAfC3DXOQRagj
>        eMnFBaBADMrfYMlyEQOqI+faW+0920bZ6/FuHrurbFGjCQIDAQABo4IBPTCCATkwCQYD
>        VR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMgYJYIZIAYb4QgENBCUWI0NlcnRpZmlj
>        YXRlIGlzc3VlZCBieSBBcnZhc29mdCwgSW5jMB0GA1UdDgQWBBRmZnJHx2GUWyIckvup
>        FvjVP3CkjTCBkgYDVR0jBIGKMIGHgBRBK48bKkx6NoJ2JVo47clzdvNhkaFspGowaDEL
>        MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFz
>        b2Z0IFByaW1hcnkgQ0ExIzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29t
>        ggEAMDEGCWCGSAGG+EIBBAQkFiJodHRwOi8vd3d3LmFydmFzb2Z0LmNvbS9jYS1jcmwu
>        cGVtMA0GCSqGSIb3DQEBBAUAA4GBAArehDZer5IGiB+NboI2TN6NkKT/qKJVd3xGCiPi
>        QwfbFzAjgESCON7Dr6Eszn2+mLItIBE/yfX0ukZDFD4h82KWUJygRAL0LMvYSa8f1O1T
>        FVScAEFGaaI69+2ynFq3o0bByg9/L/i4xfFvdtUwlEvrbJomsa4nx5NbwWmTw583</X509Certificate>
>          </X509Data>
>        </KeyInfo>
>      </Signature>
>    </wsse:Security>
>  </soapenv:Header>
> <soapenv:Body wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
>  <getGreetingResponse xmlns="http://Sample8.wsdk.ibm.com">
>   <getGreetingReturn xmlns="">Hello venky. How are you?</getGreetingReturn>
>  </getGreetingResponse>
> </soapenv:Body>
></soapenv:Envelope>
>
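The two things the reply above recommends, resolving the "#id" URI to the signed element (the job xmlsec needs a DTD for) and looking at the canonicalized bytes just before digesting, as an added example that is not part of this thread and not xmlsec's own code. It uses only the Python standard library, so canonicalization is C14N 2.0 from xml.etree.ElementTree.canonicalize (Python 3.9+ for ET.indent), not the Exclusive C14N 1.0 this signature declares; it will therefore not reproduce WebSphere's DigestValue byte for byte, and a production check would use lxml or xmlsec itself. The trimmed envelope, the id "body-1" and all function names are constructed for the example. The last function re-indents the document the way a tool that "dumps XML to a file" might, and the digest check then fails, which is the failure mode the reply guesses at.

```python
"""Independent digest check for a WS-Security <ds:Reference URI="#id">.

Added example, not code from the xmlsec project or from the original mail.
Standard library only: canonicalization is C14N 2.0 via
xml.etree.ElementTree.canonicalize, NOT the Exclusive C14N 1.0 the signature
declares, so it may not reproduce a real DigestValue byte for byte.
"""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://schemas.xmlsoap.org/ws/2002/07/secext"
WSU_NS = "http://schemas.xmlsoap.org/ws/2002/07/utility"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
WSU_ID = "{%s}Id" % WSU_NS

# Keep the document's own prefixes on re-serialization instead of ns0/ns1.
for _prefix, _uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS),
                      ("wsu", WSU_NS), ("ds", DSIG_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample, trimmed to what the digest check needs; the real
# DigestValue is filled in by make_signed_sample().
SAMPLE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <Reference URI="#body-1">
            <DigestValue>DIGEST_PLACEHOLDER</DigestValue>
          </Reference>
        </SignedInfo>
      </Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body-1" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
    <getGreetingReturn xmlns="">Hello venky. How are you?</getGreetingReturn>
  </soapenv:Body>
</soapenv:Envelope>
"""


def find_by_id(root, id_value, id_attr=WSU_ID):
    """Resolve a same-document "#id" reference.

    xmlsec only learns which attribute is an ID from a DTD (or an explicit
    hint); here the ID attribute (wsu:Id) is named directly instead.
    """
    for el in root.iter():
        if el.get(id_attr) == id_value:
            return el
    raise LookupError("no element carries %s=%r" % (id_attr, id_value))


def canonical_bytes(el):
    """Serialize one element subtree in canonical form (C14N 2.0 here).

    This is the stream a tool like 'xmlsec --print-all' would show just
    before digesting; compare it between the two implementations.
    """
    el = copy.deepcopy(el)
    el.tail = None  # ET.tostring would otherwise append the element's tail text
    standalone = ET.tostring(el, encoding="unicode")
    return ET.canonicalize(standalone).encode("utf-8")


def reference_digest(doc_text, id_value):
    """Base64 SHA-1 of the canonicalized element, as <DigestValue> holds it."""
    root = ET.fromstring(doc_text.encode("utf-8"))
    digest = hashlib.sha1(canonical_bytes(find_by_id(root, id_value))).digest()
    return base64.b64encode(digest).decode("ascii")


def check_reference(doc_text):
    """Recompute the first <Reference> digest and compare it to the stored one.

    Returns (matches, computed, stored).  Only "#id" URIs are handled.
    """
    root = ET.fromstring(doc_text.encode("utf-8"))
    ref = root.find(".//{%s}Reference" % DSIG_NS)
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document #id references are supported")
    stored = ref.findtext("{%s}DigestValue" % DSIG_NS).strip()
    computed = reference_digest(doc_text, uri[1:])
    return computed == stored, computed, stored


def make_signed_sample():
    """Fill the template with the digest its own Body actually has.

    The Body digest does not depend on the Header, so the placeholder can be
    replaced after computing the digest from the template itself.
    """
    return SAMPLE_TEMPLATE.replace("DIGEST_PLACEHOLDER",
                                   reference_digest(SAMPLE_TEMPLATE, "body-1"))


def reindent(doc_text):
    """Simulate dumping the document through a pretty-printer (tabs instead of
    spaces).  Canonicalization keeps whitespace inside the signed element, so
    this alone is enough to change the digest."""
    root = ET.fromstring(doc_text.encode("utf-8"))
    ET.indent(root, space="\t")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    signed = make_signed_sample()
    print("as signed   :", check_reference(signed))
    print("re-indented :", check_reference(reindent(signed)))
```

Running the block prints a matching digest for the document as signed and a mismatch for the re-indented copy; the useful debugging step is to write out canonical_bytes() for both and diff them, which localizes the extra whitespace immediately.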