[xmlsec] FW: Invalid Signature - possible whitespace handling problem

Edward Shallow ed.shallow at rogers.com
Thu Nov 20 12:09:52 PST 2003

Post-PostScript ...

Behaviour is very predictable. If any tabs or CRs or LFs are disturbed
within the SignedInfo element or any of its child elements, verification
fails. The rest of the signature elements are not affected by tab, CR or LF
removal or insertion.

Knowing you, this is probably exactly what the specification calls for. Is
this so?


-----Original Message-----
From: Edward Shallow [mailto:ed.shallow at rogers.com] 
Sent: November 20, 2003 12:17 PM
To: 'xmlsec at aleksey.com'
Subject: FW: Invalid Signature - possible whitespace handling problem

PostScript ...

With respect to below, I forgot to mention that the SignatureValues are
identical in both cases as well.


-----Original Message-----
From: Edward Shallow [mailto:ed.shallow at rogers.com]
Sent: November 20, 2003 12:15 PM
To: 'xmlsec at aleksey.com'
Subject: Invalid Signature - possible whitespace handling problem

Hi Aleksey,

    I have another weird one here. Here are 2 attached signed files. The one
with the .signed suffix verifies correctly, the other does not. See error
response below. They are identical in their post-transform digest values,
i.e. Lh3uTtblNX5tAzyHT7UfQTVlJNs=

    The only difference is that the actual <ds:Signature ...> block in the
good one has all white space preserved and intact. That is, all tabs and
carriage returns are left intact. Exactly as XMLSec returns it. The bad
<ds:Signature ...> block has had xml white space handling performed on it
after it was returned from XMLSec, by InfoPath :( . That is, carriage returns
and tabs have been removed and most of the lines are now strung out on 1

    *** This is the case for only the <ds:Signature ...> block ***, the
signed data are identical in every respect, as per digest values.

    The target of the sign operation is the same in both cases and excludes
the entire signatures section.

    Do you see an XMLSec Verify problem here? I tried using
xml:space="preserve" on the signature block to no avail.


Equivalent command line used on both files looks like this:

xmlsec verify --crypto mscrypto
xmlsec verify --crypto mscrypto

Verify results look like this:

C:\epmsigner-dev\XMLSec>xmlsec verify --crypto mscrypto
0:obj=rsa-sha1:subj=CryptVerifySignature:error=18:data do not
match:signature do not match;last error=-2146893818 (0x80090006);last error
msg=Invalid Signature.

SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "C:/epmsigner-dev/infopath/FFIEPMcompleted.xml"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: infopath.zip
Type: application/x-zip-compressed
Size: 63354 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20031120/2b32242c/infopath.bin
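
Why the behaviour reported in the post-postscript is what XML-DSig specifies, as an added example (not part of the original message and not xmlsec code): SignatureValue is computed over the canonical form of SignedInfo, and canonical XML keeps whitespace text nodes, so reflowing inside SignedInfo changes the signed octets while reflowing elsewhere in the Signature block does not. The sketch uses Python's standard-library C14N 2.0 as a stand-in for the C14N 1.0 algorithm named in the sample; the Signature document and all helper names are constructed for illustration, and only the DigestValue is taken from the message.

```python
import copy
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Constructed sample Signature, tab-indented the way a signer might emit it.
# Only the DigestValue is taken from the message; SignatureValue is a placeholder.
PRETTY = f"""<ds:Signature xmlns:ds="{DS}">
\t<ds:SignedInfo>
\t\t<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
\t\t<ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
\t\t<ds:Reference URI="">
\t\t\t<ds:DigestMethod Algorithm="{DS}sha1"/>
\t\t\t<ds:DigestValue>Lh3uTtblNX5tAzyHT7UfQTVlJNs=</ds:DigestValue>
\t\t</ds:Reference>
\t</ds:SignedInfo>
\t<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
</ds:Signature>"""


def squash(fragment):
    """Drop layout whitespace (tabs, CR, LF, spaces) that sits between tags."""
    return re.sub(r"\s+(?=<)|(?<=>)\s+", "", fragment)


def strip_layout(xml_text, inside_signed_info):
    """Mimic an editor reflowing the block, inside SignedInfo or only around it."""
    start = xml_text.index("<ds:SignedInfo")
    end = xml_text.index("</ds:SignedInfo>") + len("</ds:SignedInfo>")
    head, body, tail = xml_text[:start], xml_text[start:end], xml_text[end:]
    if inside_signed_info:
        return head + squash(body) + tail
    return squash(head) + body + squash(tail)


def signed_info_octets(signature_xml):
    """Canonical bytes of ds:SignedInfo: the data SignatureValue is computed over."""
    signed_info = copy.deepcopy(ET.fromstring(signature_xml).find(f"{{{DS}}}SignedInfo"))
    signed_info.tail = None  # text after </ds:SignedInfo> is not part of the subtree
    return ET.canonicalize(ET.tostring(signed_info, encoding="unicode")).encode("utf-8")


def signed_info_sha1(signature_xml):
    return hashlib.sha1(signed_info_octets(signature_xml)).hexdigest()
```

Calling signed_info_sha1 on PRETTY and on strip_layout(PRETTY, False) returns the same hash, while strip_layout(PRETTY, True) returns a different one even though the DigestValue inside it is untouched.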
