[xmlsec] Problem in verifying XML signature

Aleksey Sanin aleksey at aleksey.com
Tue May 4 01:13:36 PDT 2004


This is really strange because this error means that the digest did
match but the signature over the <SignedInfo/> element failed. Try to
verify the signature with the xmlsec command line utility and use
"--store-signatures" to print out the buffer right before signing.
At least this would show if anything is wrong with the <SignedInfo/>
element canonicalization.


I recall that someone reported problems verifying RSA signatures
because of some broken Java implementation that did not follow
the spec for writing the RSA signature value. Search the archive for
more details.

Aleksey


aLexwU wrote:
> Hello,
>  
>     There is one strange case.
>     Using xmlSec, I failed to verify an XML signature; the error 
> 'signature do not match' was returned.
>     But it can be successfully verified using other software. 
> (http://www.infomosaic.net/XMLSign/SecureXMLVerifyWS.htm)
>  
>     I modified the example code (verify3.c) to do this task.
>     The message is a 3-D Secure message; I added the needed code according 
> to FAQ 3.1 and 3.2. 
>     I have successfully verified other messages. Only this one 
> fails.
>  
>     Am I missing something?
>  
>     Thanks.
>  
> aLexwU.
>  
>  
> testing message:
>  
> <ThreeDSecure>
>   <Message id="PAReq20040504000723bMiUUBqRm">
>     <PARes id="PARes11333">
>       <version>1.0.2</version>
>       <Merchant>
>         <acqBIN>11111111111</acqBIN>
>         <merID>12AB,cd/34-EF  -g,5/H-67</merID>
>       </Merchant>
>       <Purchase>
>         <xid>MTkzOTExMzkwMDEyMzQ1Njc4OTA=</xid>
>         <date>20030919 12:10:43</date>
>         <purchAmount>123456</purchAmount>
>         <currency>840</currency>
>         <exponent>2</exponent>
>       </Purchase>
>       <pan>0000000000000771</pan>
>       <TX>
>         <time>20030919 14:19:18</time>
>         <status>Y</status>
>         <cavv>AAABASOUYINCIYFQKZRgAAAAAAA=</cavv>
>         <eci>05</eci>
>         <cavvAlgorithm>1</cavvAlgorithm>
>       </TX>
>     </PARes>
>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>       <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>         <Reference URI="#PARes11333">
>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>           <DigestValue>10gmc514zBMGZy2Rh75QBIqt748=</DigestValue>
>         </Reference>
>       </SignedInfo>
>       
> <SignatureValue>jaFSdIFgkz349SwKU++mPbZLs0ImjWnMLSjPwQ4IOfpm/S+jIJkjMzbDgLMomqBwlhnvGijozscCSZXHot0D8qo1Hk1tF5h/QzJHZlo1h6+GW1j3odDmrK7Oyq5FpNYO9k7AOylSmifNccaWkdLQmuQQymWZibIuai4D9C5bdBJeWi5MawNa3GRiHH0qSQ2azIGTIlcHCkAhSkScY/qI83u/AYdSGm85wkCl88dYNN5RDJcNE0XyilbRh3Ug8MnIAaax428sJ9AQQ/kUyEBUFQEVxJjufZCruVwIE3Mgj/XA/9ZXXm04N/Ez/+BPno7I/k5In+CmCFDN7bBDkDDyOg==</SignatureValue>
>       <KeyInfo>
>         <X509Data>
> <X509Certificate>
> MIIDDjCCAnegAwIBAgIUFb4qZmymJ2NbpeCaz6//yCSjRAswDQYJKoZIhvcN
> AQEFBQAwRzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0NhcmFkYXMxFTATBgNV
> BAsTDENhcmFkYXMgTGFiczEPMA0GA1UEAxMGQ1RIIENBMB4XDTAzMDkxMjEy
> NTcyNFoXDTA1MDkxMTEyNTcyNFowgakxCzAJBgNVBAYTAlBMMREwDwYDVQQI
> EwhNYXpvd3N6ZTERMA8GA1UEBxMIV2Fyc3phd2ExFTATBgNVBAoTDFBvbENh
> cmQgUy5BLjEgMB4GA1UECxMXWmVzcG9sIE5vd3ljaCBQcm9kdWt0b3cxFzAV
> BgNVBAMTDnBvbGNhcmQuY29tLnBsMSIwIAYJKoZIhvcNAQkBFhN3b2p1QHBv
> bGNhcmQuY29tLnBsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
> oO9E0U20S89DUnKMEGvZBNIjVN+eILVuAIWe7IvPBxff+sJGSAJMGaXcGudI
> Xwb9SktQlyAz1A9zPf6nebfQO74O3IdOnK7BEBFP4rj1DcSV/uUU6n8hfHAJ
> XPnvwet0oYRmvImnLSLYFzXqMO3c+wPd94HZ8sA1p20eQQREPRlV7VcO2nz7
> BuXjfhf5x1wGF7EPxXwZD+MUnja01khKBXz7IFLOdhfD/pkzHiEPY/v2GxKg
> Si5uNUwQBQC0f9uOTFavliU3yXpVYsPq8Qx+470bMRcINbBd1BHknFO3v05O
> aLSS6qNUXllucGvGUzBwdT2kDLvHPHgX+1OChMsgWQIDAQABoxAwDjAMBgNV
> HRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUAA4GBAEsduNjOZ2Ji9Hkh+k4sJVIp
> 7Y6eNeKn2x7EsbRMTZXrCrTKLLqGLWHZIlX9/oPn9DvnVZ/t3YMFSuuaDHdl
> U+g/dG4Ldup5j9ejFMOJAK9sq7MsSTzxYZ5AT23/i0fNraERgohxp2zugn2a
> XzQVMTyMd/Ce7H7dP4xtz+Fv8mCQ</X509Certificate>
> <X509Certificate>
> MIICMjCCAZugAwIBAgIVAJoV+yURqXHF8zXECfEhRqpwzCMwMA0GCSqGSIb3
> DQEBBQUAMEkxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMRUwEwYD
> VQQLEwxDYXJhZGFzIExhYnMxETAPBgNVBAMTCENUSCBST09UMB4XDTAzMDgx
> OTE0MjI1MVoXDTExMDgxNzE0MjI1MVowSTELMAkGA1UEBhMCVVMxEDAOBgNV
> BAoTB0NhcmFkYXMxFTATBgNVBAsTDENhcmFkYXMgTGFiczERMA8GA1UEAxMI
> Q1RIIFJPT1QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIrpC9h6fesI
> 1FnpSHH+dP+JaY3FitHMW9LHBLpdCSEzAVe6VJOZO7Ycw49iDKkhPCrSZk/5
> 9RXD+3+vYqukFL0FLfG2GFTA1c9YU94dqBovrmwbMP7HYN82PmQtifzGMeS9
> d7znDx+AqlDU1eXCZMVdHSsz/qneP8LSydrMaU/RAgMBAAGjFjAUMBIGA1Ud
> EwEB/wQIMAYBAf8CAQEwDQYJKoZIhvcNAQEFBQADgYEAZdRIyN/SSPQ3bLun
> DVKxanOLDiXfczxGMnQZWK47fQfWdbqqEINrcObagSw44Ba9pFZ796DXn5XP
> ZOkLuhrgLSwVVVqkUWLeUaRPEFGDXQMk9XqrbCpivQix1Hr+9DgWWiqg0snC
> 7JkD6rieQ8NIuj+bD83vnuhOW/nLEuLSfxk=</X509Certificate>
> </X509Data>
>       </KeyInfo>
>     </Signature>
>   </Message>
> </ThreeDSecure>
>  
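
Added example, not part of the original thread and not xmlsec code: a Python sketch of the triage described in the reply, telling a <SignedInfo/> canonicalization mismatch apart from a malformed RSA SignatureValue once the reference digest has already matched. The toy key, the sample SignedInfo bytes and all function names are constructed for illustration, and the length deviation it checks is an assumed example of a non-conforming writer, not the specific Java bug mentioned above.

```python
import base64
import hashlib

# Constructed toy RSA key from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in octets

# DER DigestInfo header for SHA-1, as used by RSASSA-PKCS1-v1_5 (rsa-sha1).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def encode_em(data: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-1(data), K octets long."""
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(data: bytes) -> str:
    """Test signer: base64 SignatureValue of exactly K octets."""
    s = pow(int.from_bytes(encode_em(data), "big"), D, N)
    return base64.b64encode(s.to_bytes(K, "big")).decode()

def diagnose(signature_value: str, signed_info_bytes: bytes) -> str:
    """Report which part of the <SignedInfo/> signature check fails."""
    sig = base64.b64decode(signature_value)   # whitespace in the element is dropped
    if len(sig) != K:
        return "signature-value-length"       # octet string is not modulus-sized
    s = int.from_bytes(sig, "big")
    if s >= N:
        return "signature-value-encoding"
    em = pow(s, E, N).to_bytes(K, "big")      # RSA public-key operation
    expected = encode_em(signed_info_bytes)
    if em == expected:
        return "ok"
    if em[:-20] == expected[:-20]:
        return "signed-info-bytes"            # padding fine, SHA-1 differs: c14n input
    return "signature-value-encoding"         # wrong key or malformed signature value

# Constructed inputs: a canonical SignedInfo fragment and a re-serialized copy.
C14N = b'<SignedInfo><SignatureMethod Algorithm="rsa-sha1"></SignatureMethod></SignedInfo>'
RESERIALIZED = b'<SignedInfo><SignatureMethod Algorithm="rsa-sha1"/></SignedInfo>'

if __name__ == "__main__":
    good = sign(C14N)
    print(diagnose(good, C14N))               # same bytes the signer hashed
    print(diagnose(good, RESERIALIZED))       # verifier canonicalized differently
    extra = base64.b64encode(b"\x00" + base64.b64decode(good)).decode()
    print(diagnose(extra, C14N))              # value written with an extra octet
```

A "signed-info-bytes" result points at the buffer the verifier hashed, which is what the stored pre-signature buffer lets you inspect; the other two failure results point at the key or at how the SignatureValue was written.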


