[xmlsec] Verifying fails to find KeyInfo

Aleksey Sanin aleksey at aleksey.com
Fri Aug 10 13:01:45 PDT 2007 

Since passing key directly in the signature is not the
safest way to do it, "by default" it might have been
disabled (sorry, I can not check the sources code right
now because I am traveling and I have very limited
internet access). Search for enabledKeyData (e.g. here
http://www.aleksey.com/xmlsec/api/xmlsec-notes-contexts.html
) for examples of how to remove this limitation.

Aleksey



Alexander Alderweireldt wrote:
> Hi all,
> 
> I have problems with verifying a signature, using its keyvalue in keyinfo.
> When I verify the signature with the same pem file I used to sign it, it
> works like a charm.
> 
> I recently added :
> 
> [code]
> // add <dsig:KeyInfo/> node to signature
> keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
> // adds <dsig:KeyValue/> node to the <dsig:KeyInfo/> node
> xmlSecTmplKeyInfoAddKeyValue(keyInfoNode);
> [/code]
> 
> to the signature generation so I didn't need the pem file to verify the
> signature. But I now get the error that xmlSecDSigCtxProcessKeyInfoNode
> can't find the key ?
> Can anyone give me a hint or a pointer what I do wrong ?
> 
> Many thnx !!!
> Alex
> 
> 
> [Errors]
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
> is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature verify
> [/Errors]
> 
> [verify_C_code]
> int verify_file(char* xmlMessage)
> {
>   xmlDocPtr doc = NULL;
>   xmlNodePtr node = NULL;
>   xmlSecDSigCtxPtr dsigCtx = NULL;
>   char* key_file   = "key.pem";
>   const xmlChar* ids[] = {BAD_CAST "Id", NULL };
>   int res = -1;
> 
>   doc = xmlParseDoc((xmlChar *) xmlMessage) ;
> 
>   if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
>     fprintf(stderr, "Error: unable to parse file \"%s\"\n", xmlMessage);
>     goto done;
>   }
> 
>   /* find start node */
>   node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature,
> xmlSecDSigNs);
>   if(node == NULL) {
>     fprintf(stdout, "Error: start node not found in \"%s\"\n", xmlMessage);
>     goto done;
>   }
> 
>   /* create signature context */
>   dsigCtx = xmlSecDSigCtxCreate(NULL);
>   if(dsigCtx == NULL) {
>     fprintf(stdout,"Error: failed to create signature context\n");
>     goto done;
>   }
> 
>   /* load public key | currently trying to verify through keyinfo*/
> //  dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file,
> xmlSecKeyDataFormatPem, NULL, NULL, NULL);
> //  if(dsigCtx->signKey == NULL) {
> //    fprintf(stdout,"Error: failed to load public pem key from \"%s\"\n",
> key_file);
> //    goto done;
> //  }
> 
>   /* Verify signature */
>   if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
>     fprintf(stdout,"Error: signature verify\n");
>     goto done;
>   }
> 
>   /* print verification result to stdout */
>   if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
>     fprintf(stdout, "Test : Signature is OK!!\n\n");
>   } else {
>     fprintf(stdout, "Test : Signature is INVALID\n\n");
>   }
> 
>   /* success */
>   res = 1;
> 
>  done:
>   /* cleanup */
>   if(dsigCtx != NULL) {
>     xmlSecDSigCtxDestroy(dsigCtx);
>   }
> 
>   if(doc != NULL) {
>     xmlFreeDoc(doc);
>   }
> 
>   return(res);
> }
> [/verify_C_code]
> 
> [signed_XML]
> <?xml version="1.0" encoding="UTF-8"?>
> <tsp:TimeStampResponse xmlns:xades="http://uri.etsi.org/01903/v1.1.1#"
> xmlns:tsp="http://www.esat.kuleuven.ac.be/~kwouters/2002/08/xmltsp#"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> Type="http://localhost/studjob1/timestampserver/timestampserver.wsdl"
> CertReq="true"
> xsi:schemaLocation="http://www.esat.kuleuven.ac.be/~kwouters/2002/08/xmltsp#TimeStampSchema.xsd">
> 
>         <tsp:Status>
>                 <tsp:MajorStatus Code="0">Time-stamp
> Granted..</tsp:MajorStatus>
>         </tsp:Status>
> 
>         <tsp:TimeStampToken>
>                 <tsp:MessageImprints xml:id="ImprintID">
>                         <tsp:DigestAlgValue Id="DigestID1">
>                                 <xades:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
>                                 <xades:DigestValue>YTJhMzE5OWJiOTA1MDI3MWJkNTQwODljOTM2NGM3MzM1OTBlOWYxOQ==</xades:DigestValue>
>                         </tsp:DigestAlgValue>
>                         <tsp:DigestAlgValue Id="DigestID2">
>                                 <xades:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
>                                 <xades:DigestValue>NzJiNzQ2ODhmODZiZGE2Yjk2ZWQzMjg1YzlkMjUxZDU4Y2MyOGMyMQ==</xades:DigestValue>
>                         </tsp:DigestAlgValue>
>                 </tsp:MessageImprints>
>                 <tsp:TSTInfo xml:id="TSTInfoID">
>                         <xades:SignaturePolicyIdentifier>
>                                 <xades:SignaturePolicyImplied/>
>                         </xades:SignaturePolicyIdentifier>
>                         <tsp:SerialNumber>666</tsp:SerialNumber>
>                         <tsp:GenTime>2007-08-02T8:33:30</tsp:GenTime>
>                 </tsp:TSTInfo>
>                 <tsp:bindingInfo Algorithm="LinearLinking-URI-HS91"
> xml:id="BindingID">
>                         <tsp:DigestAlgValue>
>                                 <xades:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
>                                 <xades:DigestValue>OUIzQjBDOUM1QjI5MjI5OEFFMEY3OTA2MEZERkYyRTg3OUY2NkY5RHJpLmUx</xades:DigestValue>
>                         </tsp:DigestAlgValue>
>                 </tsp:bindingInfo>
>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#ImprintID">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
> <DigestValue>JNUyEMSnMC9v1ysZkgLIVyGOcZE=</DigestValue>
> </Reference>
> <Reference URI="#TSTInfoID">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
> <DigestValue>bVK6SI09ea9MJO31WamnkH4Fw64=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>kicg8f+ttAsNsn19wAmZtiXOxzxnLam9fmHgFBZohXp97tPDlmM3zRhiAPfFycL9
> H02zvxu22sm9NJICtNKim71Zpz0waCVsjfsGf/TchEIxbBtIjKYEWVTHaFMrKsdb
> 3ijG4PMWXS/3cCJN2fuyFbWp+afIjmSkBNyzArWFD54=</SignatureValue>
> <KeyInfo>
> <KeyValue>
> <RSAKeyValue>
> <Modulus>
> 4HTQeETBkM7f1/1PHI3eshgOrZ1axHFmrjsN4Vf1hmDUNgoJ/sMMrPnj2HVA3fIT
> vRMb3Cd6Eb4gvapPHnMuB/xlyEbwIMj+L5gNfWfhxbaIKbN3jcp2n7oD2dlInnKr
> 3lJYEqC9u0jUUZJJr0VtDl0bOPNIalw1YVoodGI1vTs=
> </Modulus>
> <Exponent>
> AQAB
> </Exponent>
> </RSAKeyValue>
> </KeyValue>
> <KeyName/>
> </KeyInfo>
> </Signature></tsp:TimeStampToken>
> </tsp:TimeStampResponse>
> [signed_XML]
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list