[xmlsec] XMLsec-openssl signature verification failure

Frederic HEULIN fheulin at influe.com
Mon Aug 27 08:23:38 PDT 2007


Hi,

I've compiled xmlsec (1.2.10) against:
 - libiconv 1.11
 - libxml2  2.6.28
 - libxslt  1.1.20
 - openssl  9_7_c
on:
 - Linux (GLibc 2.3.2, GCC 3.2.2-5, Red Hat, 2.4.20) 
 - HPUX  (HP-UX B.11.00 U 9000/800, aCC: HP ANSI C++ B3910B A.03.25)

I'm using xmlsec as in the verify1 test case,
because I need to ignore the KeyInfo part of the signature.
(I have not tested the Adopt way atm.)

The only difference from the verify1 test case is that I need to register
input callbacks to handle "cid:" references.

All references seem OK.
Certificate loading seems OK. (All certificates I have tested are self-signed btw)
Keyinfo skipping seems OK.

But whatever message I give as input to my application:
 - if I put the wrong certificate, openssl complains of a padding problem,
 - if I give the right certificate:
   - xmlsec complains that "data do not match:signature do not match"
   - which gives at openssl level : "rsa routines:RSA_verify:bad signature"

If I understand the second case correctly:
 - my references are good, so my message (parts pointed to by references) has (have) not been modified
 - my certificate is good (differences in results between good and bad certificate)
 - but my signature is invalid, so only the SignedInfo part or the signature value
 has been modified, thus invalidating the whole signature!
The latter is wrong because I have tried with certified/verified messages as input
and I get the same errors.

Here's the debug output of the DSigCtx :

= VERIFICATION CONTEXT
== Status: invalid
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key name: /home/fredd/DEVEL/CURRENT/ssl/certs/partner1.cer
=== key usage: -1
=== rsa key: size = 1024
=== list size: 1
=== X509 Data:
==== Certificate:
==== Subject Name: /C=.../CN=partner1
==== Issuer Name: /C=...
==== Issuer Serial: 0
== SignedInfo References List:
=== list size: 2
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: xpath (href=http://www.w3.org/TR/1999/REC-xpath-19991116)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "cid:payload-1-contid000069d446d2c55f00023bd2"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: cid:payload-1-contid000069d446d2c55f00023bd2
=== uri xpointer expr: NULL
=== Transform: input-uri (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0


Any ideas on where I am wrong?
Shall I give you more details? Which ones?

Thanks in advance for any help,
Frederic HEULIN
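
A triage script for the kind of DSigCtx debug dump quoted in the message above, as an added example that is not part of the original post or of xmlsec: it separates the per-reference digest results from the overall signature status, which is the distinction the poster reasons about. The sample dump is a constructed excerpt in the same layout, and `parse_dump`, `triage` and the result labels are hypothetical names.

```python
# Constructed excerpt in the layout of the DSigCtx debug dump quoted in the post.
SAMPLE_DUMP = """\
= VERIFICATION CONTEXT
== Status: invalid
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "cid:payload-1"
=== Transform: input-uri (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
"""

# Only these headers open a new record; the KEY INFO READ/WRITE CONTEXT
# sections of a full dump stay attached to the signature record.
CTX_HEADERS = {"VERIFICATION CONTEXT": "signature",
               "REFERENCE VERIFICATION CONTEXT": "reference"}

def parse_dump(text):
    # Returns one dict per context: the signature first, then each reference.
    contexts = []
    for line in text.splitlines():
        body = line.lstrip("=").strip()
        if not line.startswith("="):
            continue  # blank lines and wrapped "(href=...)" continuations
        key, _, val = body.partition(": ")
        if line.startswith("= ") and body in CTX_HEADERS:
            contexts.append({"kind": CTX_HEADERS[body], "status": None,
                             "uri": None, "transforms": []})
        elif contexts and key == "Status":
            contexts[-1]["status"] = val
        elif contexts and key == "URI":  # case-sensitive: skips "=== uri: NULL"
            contexts[-1]["uri"] = val.strip('"')
        elif contexts and key == "Transform":
            contexts[-1]["transforms"].append(val.split()[0])
    return contexts

def triage(contexts):
    # Reference digests cover the referenced data; the signature value
    # covers the canonicalized SignedInfo. Report which check failed.
    bad = [c["uri"] for c in contexts
           if c["kind"] == "reference" and c["status"] != "succeeded"]
    if bad:
        return "reference-digest-mismatch", bad
    sig = next((c for c in contexts if c["kind"] == "signature"), None)
    if sig is None or sig["status"] != "succeeded":
        return "signedinfo-signature-mismatch", []
    return "valid", []

print(triage(parse_dump(SAMPLE_DUMP)))
```

A result of `signedinfo-signature-mismatch` only locates the failing check: the referenced data hashed to the expected digests, while the signature value did not verify over the canonicalized SignedInfo with the supplied key.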


