[xmlsec] RE: Can you Verify this signature ?
Roumen Petrov
xmlsec at roumenpetrov.info
Tue Aug 8 11:20:21 PDT 2006
Hi All,
I guess that the problem is in the iaik stuff.
The certificate "Distinguished Name"/Subject should be in conformance
with RFC 3280 (obsoletes 2459).
No idea why the iaik stuff checks against RFC 2253.
There is no limit on the number of organization and
organizational-unit attributes in the subject.
The "Email" attribute in the subject is not correct. Old openssl (version
<=0.9.6) uses this. It is corrected in openssl versions >= 0.9.7. I
think that xmlsec requires openssl >= 0.9.7, so the problem should not exist.
Similarly for the "E" attribute used in the Microsoft crypto implementation. I'm
sure that it will never be corrected. Initial releases of xmlsec+mscrypto
printed some attributes incorrectly and in reverse order. This was fixed later.
Roumen
Ed Shallow wrote:
> Hi Andreas and Aleksey,
>
> Andreas, thanks for your prompt reply.
>
> I suspect it has something to do with the use of emailAddress in the
> X509SubjectName. Konrad says this is incorrect and that I should be using
> EMAIL instead of emailAddress. I think he is using IAIK also.
>
> I generated this certificate with OpenSSL.
>
> Aleksey, is emailAddress incorrect or non-standard ? If so, am I
> introducing this improper use of emailAddress or is it XMLSec ?
>
> Thanks,
> Ed
>
>
>
> -----Original Message-----
> From: Andreas Kuehne [mailto:akuehne at yahoo.com]
> Sent: August 7, 2006 6:34 AM
> To: ed.shallow at rogers.com
> Subject: Re: Can you Verify this signature ?
>
> Hi Ed !
>
> Good to hear from you regarding 'real' business ! More than one year gone by
> since our last effort to do some InterOp tests ...
>
> And it took me some time to have my XMLDSig stuff up and running again. I'm
> still working with plain old PKCS7 most of the time.
>
> As you might remember I'm using the iaik stuff and upgraded to the current
> version. I see an interesting message from the verifier :
>
> Exception in thread "main" javax.xml.crypto.MarshalException:
> X509SubjectName 'emailAddress=CAAdmin at upu.int,CN=Universal Postal Union
> Pilot EPM Timestamp,OU=Electronic Post Mark,O=For Test Use Only,O=Universal
> Postal Union,L=Berne,ST=Berne,C=CH' is not RFC 2253 compliant.
> at
> iaik.xml.crypto.dsig.keyinfo.X509DataImpl.unmarshalStructures(Unknown
> Source)
> at iaik.xml.crypto.dom.DOMStructure.unmarshal(Unknown Source)
> at iaik.xml.crypto.dsig.keyinfo.X509DataImpl.<init>(Unknown Source)
> ...
>
> Do you have any clue why it complains ? Does the double use of organisation
> violate the RFC ? I can't extract any restrictions from the spec.
>
> Greetings
>
> Andreas
>
>
>> Can I ask you for a small favor ?
>>
>> Could you please verify this signature using your XMLDSIG crypto
>> toolkit as a sanity check ?
>>
>> It would be enormously appreciated.
>>
>> I have also included the trusted public root from which the UPUtsa
>> signing certificate was issued.
>>
>>
>> Thanks loads,
>>
>> Ed Shallow
>> Chief Architect
>> Canada Post Corporation
>> Electronic PostMarking Services
>> 613-852-6410
>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>>
>> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
>>
> Id="PostMarkedReceiptSignature">
>
>> <dsig:SignedInfo>
>> <dsig:CanonicalizationMethod
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>> <dsig:SignatureMethod
>>
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>
>> <dsig:Reference URI="#TstInfo">
>> <dsig:DigestMethod
>>
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <dsig:DigestValue>x0q4X69WBzlCQg3Qbu3BNzdHseY=</dsig:DigestValue>
>
>> </dsig:Reference>
>> <dsig:Reference URI="#Receipt">
>> <dsig:DigestMethod
>>
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <dsig:DigestValue>tH/s6vMnSs8pvi8LDKRghsEZnQE=</dsig:DigestValue>
>
>> </dsig:Reference>
>> <dsig:Reference URI="#PostMarkedData">
>> <dsig:DigestMethod
>>
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <dsig:DigestValue>iurDPcMJ2yYQQoOTVCpGUXeJ6rQ=</dsig:DigestValue>
>
>> </dsig:Reference>
>> </dsig:SignedInfo>
>>
>> <dsig:SignatureValue>LQ8IbC0zduAdhop4/q1OwhOiPOdyUoSRtjO9IFUmIWtDUh8oq
>> DfkitMFXW9IFn4+
>> BIWO5y5QN4upnybOGqR7ng+2scqcqk/baoTczdBRCkSRRWa02ouR9guEv/3Btnvz
>> 8q/Zgxt2nGKXUQBe+V03pjiRS5gOZ5xnkbvOT7+imPc=</dsig:SignatureValue>
>> <dsig:KeyInfo>
>> <dsig:KeyName>UPUtsa</dsig:KeyName>
>> <dsig:X509Data>
>> <X509Certificate
>>
>>
> xmlns="http://www.w3.org/2000/09/xmldsig#">MIIEXDCCA0SgAwIBAgIBBDANBgkqhkiG9
> w0BAQUFADCB3jELMAkGA1UEBhMCQ0gx
>
>> DjAMBgNVBAgTBUJlcm5lMQ4wDAYDVQQHEwVCZXJuZTEfMB0GA1UEChMWVW5pdmVy
>> c2FsIFBvc3RhbCBVbmlvbjEaMBgGA1UEChMRRm9yIFRlc3QgVXNlIE9ubHkxHTAb
>> BgNVBAsTFEVsZWN0cm9uaWMgUG9zdCBNYXJrMTMwMQYDVQQDEypVbml2ZXJzYWwg
>> UG9zdGFsIFVuaW9uIFBpbG90IEVQTSBBdXRob3JpdHkxHjAcBgkqhkiG9w0BCQEW
>> D0NBQWRtaW5AdXB1LmludDAeFw0wNTAxMjUxOTU3NDFaFw0xMDAxMjQxOTU3NDFa
>> MIHeMQswCQYDVQQGEwJDSDEOMAwGA1UECBMFQmVybmUxDjAMBgNVBAcTBUJlcm5l
>> MR8wHQYDVQQKExZVbml2ZXJzYWwgUG9zdGFsIFVuaW9uMRowGAYDVQQKExFGb3Ig
>> VGVzdCBVc2UgT25seTEdMBsGA1UECxMURWxlY3Ryb25pYyBQb3N0IE1hcmsxMzAx
>> BgNVBAMTKlVuaXZlcnNhbCBQb3N0YWwgVW5pb24gUGlsb3QgRVBNIFRpbWVzdGFt
>> cDEeMBwGCSqGSIb3DQEJARYPQ0FBZG1pbkB1cHUuaW50MIGfMA0GCSqGSIb3DQEB
>> AQUAA4GNADCBiQKBgQDZcXRnH8LSa57tHZH5i4JsKN5MiTADOud2ThVKctheNd5B
>> wqP5JxkyK75jBVrFz5efJLOlpSbALtTwMzOuXn8C+UcdB1/Mu0gnTpgFaonMmKuk
>> xq9pi4u/7zlzmA+6vI6pUHu8RrBbHUa0PgM6OkgniZqIfkLjtD0Y9IzJpflczwID
>> AQABo4GmMIGjMAwGA1UdEwQFMAMCAQAwHQYDVR0OBBYEFBEFCs6yi4oBFWYGSCLY
>> +4lb0PrEMB8GA1UdIwQYMBaAFO0VydJTZFy9p5n9OT6icSir2KhQMC4GA1UdHwQn
>> MCUwI6AhoB+GHWh0dHA6Ly9jYTEudXB1LmludC9tYXN0ZXIuY3JsMAsGA1UdDwQE
>> AwIGwDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG9w0BAQUFAAOCAQEA
>> EiPjbN4zcLPOztr9WLSVB3C+e+qdl1xdzO9xu4tgtiXmeu6liSicWnRv8VNHJLyx
>> acSjCHM5rvn+ItVRCKcQf5l6aXab4XaIJFHCqjW6m09v0T0CNRawQaMYTx83iAcA
>> jot4dQ11kca4sL3nYIrxiBMPjwRjsLS/UvogLWjmwwx07lFrat5vLwGYPTjmxGyI
>> vngOIpc7Deg1xKhBXK4pBof4l0gukhZ0p98Xq181QcW2C/453kGCA307GY2+bsEe
>> 9BvnoWPKk+udtb2+NHKgiFmh0arupWd0YI/szP2Zdim5XyVnXV+UuKW8Wi/83TBB
>> b2u1v4jWQWzHV/WfjdX2lg==</X509Certificate>
>> <X509SubjectName
>> xmlns="http://www.w3.org/2000/09/xmldsig#">emailAddress=CAAdmin at upu.in
>> t,CN=Universal Postal Union Pilot EPM Timestamp,OU=Electronic Post
>> Mark,O=For Test Use Only,O=Universal Postal
>> Union,L=Berne,ST=Berne,C=CH</X509SubjectName>
>> <X509IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
>> <X509IssuerName>emailAddress=CAAdmin at upu.int,CN=Universal Postal Union
>> Pilot EPM Authority,OU=Electronic Post Mark,O=For Test Use
>> Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</X509IssuerName>
>> <X509SerialNumber>4</X509SerialNumber>
>> </X509IssuerSerial>
>> </dsig:X509Data>
>> </dsig:KeyInfo>
>> <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>> <dss:TstInfo
>>
>>
> xmlns:dss="http://www.docs.oasis-open.org/dss/oasis-dss-1.0-core-schema-cd-0
> 2.xsd" Id="TstInfo">
>
>> <SerialNumber>100000005284</SerialNumber>
>> <CreationTime>2006-8-3T15:22:11.431</CreationTime>
>> <Policy/>
>> <ErrorBound/>
>> <Ordered/>
>> <TSA>emailAddress=CAAdmin at upu.int, CN=Universal Postal
>> Union Pilot EPM Timestamp, OU=Electronic Post Mark, O=For Test Use
>> Only, O=Universal Postal Union, L=Berne, S=Berne, C=CH</TSA>
>> </dss:TstInfo>
>> </dsig:Object>
>> <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>> <epm:PostMarkedReceipt
>>
> xmlns:epm="http://www.upu.int/EPMService/schemas" Id="Receipt">
>
>> <Receipt>
>> <TransactionKey>
>> <Locator>
>> <CountryCode>CA</CountryCode>
>> <Version>115</Version>
>> <ServiceProvider>epost</ServiceProvider>
>> <Environment>test</Environment>
>> </Locator>
>> <Key>123456789</Key>
>> <Sequence>1</Sequence>
>> </TransactionKey>
>> <Requester>Joe Public</Requester>
>> <Operation>PostMark</Operation>
>> <TSAX509SubjectName>emailAddress=CAAdmin at upu.int,
>> CN=Universal Postal Union Pilot EPM Timestamp, OU=Electronic Post
>> Mark, O=For Test Use Only, O=Universal Postal Union, L=Berne, S=Berne,
>>
> C=CH</TSAX509SubjectName>
>
>> <TimeStampValue>2006-8-3T12:49:23.188</TimeStampValue>
>> <RevocationStatusQualifier>CRL
>>
> Checked</RevocationStatusQualifier>
>
>> <TimeStampToken
>> MimeType="application/pkcs7-signature">base64encoded TS token would go
>>
> here</TimeStampToken>
>
>> <MessageImprint>optional for XMLDSIG</MessageImprint>
>> <PostMarkImage>base64encoded graphic would go
>>
> here</PostMarkImage>
>
>> <ReceiptMetadata>
>> <Name></Name>
>> <Value></Value>
>> </ReceiptMetadata>
>> </Receipt>
>> </epm:PostMarkedReceipt>
>> </dsig:Object>
>> <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>> <epm:PostMarkedContent
>>
> xmlns:epm="http://www.upu.int/EPMService/schemas"
>
>> Id="PostMarkedData">Here is a small plain text file without mark-up.
>> </epm:PostMarkedContent>
>> </dsig:Object>
>> </dsig:Signature>
>>
>>
>
>
>
>
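Added example, not part of the original thread and not xmlsec or IAIK code: a small checker for the string DN forms discussed above. It flags attribute types that are not in the RFC 2253 section 2.3 keyword table (`emailAddress`, `Email`, `E`) while accepting repeated `O` attributes, and rewrites the e-mail aliases to the dotted OID with a `#` hex value. The function names and the sample DN are constructed for illustration; multi-valued RDNs (`+`) and escapes inside the e-mail value are assumed absent.

```python
import re

# RFC 2253 section 2.3 keyword table; any other type needs its dotted OID.
RFC2253_KEYWORDS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
EMAIL_ALIASES = {"EMAILADDRESS", "EMAIL", "E"}  # spellings named in the thread
EMAIL_OID = "1.2.840.113549.1.9.1"  # PKCS#9 emailAddress
OID_RE = re.compile(r"(?:oid\.)?\d+(?:\.\d+)+", re.IGNORECASE)
# Constructed sample with the same attribute layout as the DN in the thread.
SAMPLE_DN = ("emailAddress=ca-admin@example.test,CN=Example Timestamp,"
             "OU=Electronic Post Mark,O=For Test Use Only,O=Example Org,L=Berne,ST=Berne,C=CH")


def split_rdns(dn):
    """Split on ',' or ';', honouring backslash escapes and quoted values."""
    parts, buf, quoted, esc = [], "", False, False
    for ch in dn:
        if esc or ch == "\\":
            buf, esc = buf + ch, not esc
        elif ch in ",;" and not quoted:
            parts, buf = parts + [buf], ""
        else:
            buf, quoted = buf + ch, quoted ^ (ch == '"')
    return parts + [buf]


def ia5_hex(value):
    """'#' + hex of the BER IA5String (tag 0x16, short-form length)."""
    raw = value.encode("ascii")
    if len(raw) > 127:
        raise ValueError("long-form BER length not handled here")
    return "#" + bytes([0x16, len(raw)]).hex() + raw.hex()


def check_dn(dn):
    """Return (types outside the keyword table, DN with e-mail as OID)."""
    unknown, out = [], []
    for rdn in split_rdns(dn):
        atype, _, value = rdn.lstrip().partition("=")
        atype = atype.strip()
        if atype.upper() in RFC2253_KEYWORDS or OID_RE.fullmatch(atype):
            out.append(f"{atype}={value}")
            continue
        unknown.append(atype)
        if atype.upper() in EMAIL_ALIASES:
            out.append(f"{EMAIL_OID}={ia5_hex(value)}")
        else:
            out.append(f"{atype}={value}")
    return unknown, ",".join(out)
```

Running `check_dn(SAMPLE_DN)` reports only `emailAddress`; the two `O` attributes pass, and the rewritten DN passes the same check with no findings.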