[xmlsec] problem with <ds:Reference URI="#xpointer(//*[@authenticate='true'])"> ?

Sebastien BROSSARD sebastien.brossard at turbosa.banquepopulaire.fr
Tue Apr 22 05:37:31 PDT 2008

Hi everybody

I am currently developing software based on the German EBICS norm, which specifies that one has to use
<ds:Reference URI="#xpointer(//*[@authenticate='true'])">
as the signature's URI.

So far so good: when I sign an XML file with xmlsec
(using the command line: "xmlsec sign --node-xpath //*[@authenticate='true'] --output $outputName --keys-file $keyfile")
and then verify it with xmlsec
(using the command line: "xmlsec verify --node-xpath //*[@authenticate='true'] --keys-file $keyfile $inputName"),
everything works perfectly.

But here comes the trouble: I'm currently working on the server side of the EBICS norm, and I'm testing my developments on the client side with a piece of software called Travic (which is sold commercially in Germany and so, I can assume, works well).
And when Travic sends me its signature... verification fails... I keep getting this message:
"error=18:data do not match:signature do not match FAIL SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 Error: failed to verify file".

It seems that the hash is OK (?), but not the signature.
(Moreover, there's no problem with the client's public key, as I can decrypt text asymmetrically encrypted with this same key.)

I read here http://www.w3.org/2007/xmlsec/ws/papers/10-ertel/ that this type of ("#xpointer") URI can be handled in two different ways, due to two interpretations (both right!) of the same norm, i.e.:

One interpretation says that the signed URI must remain unchanged:
while the other one demands escaping, which makes the URI look like this:

So the main question is: could it be this type of problem in my case, or is the problem that I'm facing due to another, totally different cause?

Thanks for your kind help!

Sébastien Brossard
sebastien.brossard at turbosa.banquepopulaire.fr

PS:
By the way, here's the XML string that I'm trying to verify:

<?xml version="1.0" encoding="UTF-8"?>
<ebicsNoPubKeyDigestsRequest Revision="1" Version="H001" xsi:schemaLocation="http://www.ebics.org/H001 http://www.ebics.org/H001/ebics_keymgmt_request.xsd" xmlns="http://www.ebics.org/H001" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <header authenticate="true">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
          <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>EhinV8z06LDoNdeeYebT/Z9UGF0EZViPHexD6H2e5EgPWD8OBV1hYnro2KJ48N9WMyIf4UkZzKLWSIV4IfIcjtDYzUsLZFke6kL3BKGeFe2jAuAlGyHVD/MUxEU3Fsg6QkqknkQrybjiX1FA9SFdBzyjN8d/9qksRQZXmjkuBNM=</ds:SignatureValue>

And here's the public key of the client software :

<?xml version="1.0" encoding="UTF-8"?>
<Keys xmlns="http://www.aleksey.com/xmlsec/2002">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
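Regarding the two handlings of the #xpointer URI mentioned in the message above, here is an added example (not from the original post and not xmlsec's own code) that models why a URI-spelling mismatch between signer and verifier produces exactly "references 1/1 ok, signature fails": the Reference digest covers only the selected nodes, while the signature covers canonical SignedInfo, which contains the URI text. The escaped form, the header stand-in, and the use of C14N 2.0 from the Python stdlib in place of the C14N 1.0 named in the signature are assumptions.

```python
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

# The Reference URI exactly as it appears in the message above.
RAW_URI = "#xpointer(//*[@authenticate='true'])"
# Constructed: an RFC 3986 percent-escaped rendering of the same URI (assumption:
# the exact escaping other implementations apply is not given in the post).
ESCAPED_URI = "#" + urllib.parse.quote(RAW_URI[1:], safe="/*@=()")
# Constructed stand-in for the signed <header authenticate="true"> node.
HEADER = '<header xmlns="http://www.ebics.org/H001" authenticate="true"><static/></header>'
# Constructed SignedInfo using the algorithms from the posted signature; only the
# Reference URI spelling varies between the two cases compared below.
SIGNED_INFO = (
    '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="{uri}">'
    '<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></ds:Transforms>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue>{digest}</ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo>'
)

def c14n_sha1(xml_text: str) -> bytes:
    """Canonicalize and SHA-1 the result. The stdlib only offers C14N 2.0, which
    stands in here for the C14N 1.0 named in the signature (assumption)."""
    return hashlib.sha1(ET.canonicalize(xml_text).encode("utf-8")).digest()

def reference_digest() -> bytes:
    """Digest over the selected nodes only; the URI spelling plays no part in it."""
    return c14n_sha1(HEADER)

def signed_info_digest(uri: str) -> bytes:
    """Digest of canonical SignedInfo, the bytes an RSA signature actually covers."""
    digest_b64 = base64.b64encode(reference_digest()).decode("ascii")
    return c14n_sha1(SIGNED_INFO.format(uri=uri, digest=digest_b64))

def signature_would_verify(signer_uri: str, verifier_uri: str) -> bool:
    """Models the signer's in-memory SignedInfo against what the verifier parses
    back from the file; equal digests stand in for a successful RSA check."""
    return signed_info_digest(signer_uri) == signed_info_digest(verifier_uri)

if __name__ == "__main__":
    print("escaped form:", ESCAPED_URI)
    print("same spelling verifies:", signature_would_verify(RAW_URI, RAW_URI))
    print("raw vs escaped verifies:", signature_would_verify(RAW_URI, ESCAPED_URI))
```

If the two sides disagree only on URI escaping, the Reference digest still matches but the SignedInfo digest does not, which is the pattern in the error message quoted above.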
