[xmlsec] [Fwd: Re: problem verifying XML signature]

Marko Macek marko.macek at hermes.si
Tue Apr 6 01:02:39 PDT 2004 

Hello!

 >The xmlsec output says that the Reference's digest was successfully
 >verified but after that the RSA signature verification for SignedInfo
 >element failed. There are only two options: the problem is in the key or
 >the problem is in the signed data. The 1023 keys size looks strange
 >and the first thing I would suggest you to try is to delete <KeyValue/>
 >child of <KeyInfo/> and see if this would make any difference.

I tried that and it fails with:


C:\work\xmlsec>xmlsec --verify --node-xpath 
//*[@Id='DepositorSignature'] --trus
ted-der sigov-ca.crt --print-debug pod1.xml
func=:file=..\src\openssl\x509.c:line=1203:obj=x509:subj=X509IssuerName:error=28
:node node found:node=X509SerialNumber
func=:file=..\src\openssl\x509.c:line=942:obj=x509:subj=X509IssuerSerial:error=1
:xmlsec library function failed:read node failed
func=:file=..\src\openssl\x509.c:line=674:obj=x509:subj=xmlSecOpenSSLX509DataNod
eRead:error=1:xmlsec library function failed:
func=:file=..\src\keyinfo.c:line=114:obj=x509:subj=xmlSecKeyDataXmlRead:error=1:
xmlsec library function failed:node=X509Data
func=:file=..\src\keys.c:line=968:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1
:xmlsec library function failed:node=KeyInfo
func=:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key 
is no
t found:
func=:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInf
oNode:error=1:xmlsec library function failed:
func=:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProc
essNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT


Then I removed X509SerialNumber and X509SubjectName too (looks like a 
bug searching for X509Certificate) and it succeeds...
So it seems to be the attached public key that is problematic. Am I right?


C:\work\xmlsec>xmlsec --verify --node-xpath 
//*[@Id='DepositorSignature'] --trus
ted-der sigov-ca.crt --print-debug pod1.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000000
== flags2: 0x00000000
== Id: "DepositorSignature"
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: 65535
=== key not valid before: 993184544
=== key not valid after: 1150952744
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Key Certificate:
==== Subject Name: 
/C=si/O=state-institutions/OU=web-certificates/OU=Government/
CN=Mateja Mikek/serialNumber=1234623914016
==== Issuer Name: /C=si/O=state-institutions/OU=sigov-ca
==== Issuer Serial: 3A5C7C96
==== Certificate:
==== Subject Name: 
/C=si/O=state-institutions/OU=web-certificates/OU=Government/
CN=Mateja Mikek/serialNumber=1234623914016
==== Issuer Name: /C=si/O=state-institutions/OU=sigov-ca
==== Issuer Serial: 3A5C7C96
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature 
(href=http://www.w3.org/2000/09/xmldsig#envel
oped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0


 >To verify that data are correct, you can use "--store-signature" option
 >in xmlsec. This would print out the data that xmlsec signs. IF you can
 >get same output from Ubisignature then you can compare it.

I haven't tried that.

I attached a reply from MS newsgroup if anyone is interested.

Regards,
Mark
-------------- next part --------------
An embedded message was scrubbed...
From: shawnfa at online.microsoft.com ("Shawn Farkas")
Subject: RE: problem verifying XML signature
Date: Thu, 01 Apr 2004 00:40:55 GMT
Size: 6272
Url: http://www.aleksey.com/pipermail/xmlsec/attachments/20040406/42120822/problemverifyingXMLsignature.eml

More information about the xmlsec mailing list