[xmlsec] problem with <ds:Reference URI="#xpointer(//*[@authenticate='true'])"> ?

Aleksey Sanin aleksey at aleksey.com
Tue Apr 22 07:33:27 PDT 2008


xmlsec --node-xpath selects the start *Signature* node. It has
nothing to do with xpointer in the Reference URI.

Aleksey

Sebastien BROSSARD wrote:
> Hi everybody
> 
> I am actually developing software based on the German EBICS norm, 
> which specifies that one's got to use
> 
> <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
> 
> as the signature's URI.
> 
> So far so good: when I sign an XML file with xmlsec
> 
> (using the command line: "xmlsec sign --node-xpath 
> //*[@authenticate='true'] --output $outputName --keys-file $keyfile")
> 
> and then I verify it with xmlsec,
> 
> (using the command line: "xmlsec verify --node-xpath 
> //*[@authenticate='true'] --keys-file $keyfile $inputName")
> 
> everything works perfectly.
> 
> But here comes the trouble: I'm actually working on the server side of 
> the EBICS norm, and I'm testing my developments on the client side 
> thanks to a program called Travic (which is commercialized in Germany 
> and then, I can assume, works well).
> 
> And when Travic sends me its signature... verification fails... I keep 
> getting this message:
> 
> "error=18:data do not match:signature do not match FAIL SignedInfo 
> References (ok/all): 1/1 Manifests References (ok/all): 0/0 Error: 
> failed to verify file"
> 
> It seems like the hash is ok (?), but not the signature.
> 
> (Moreover, there's no problem with the client public key, as I can 
> decipher text asymmetrically encrypted by this same key.)
> 
> I read here http://www.w3.org/2007/xmlsec/ws/papers/10-ertel/ that 
> this type of ("#xpointer") URI can be subject to two different 
> handlings, due to two interpretations (both right!) of the same norm, 
> i.e.:
> 
> One interpretation says that the signed URI must remain unchanged:
> 
> "#xpointer(//*[@authenticate='true'])",
> 
> while the other one demands escaping which makes the URI look like this:
> 
> "#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"
> 
> So the main question is: could it be this type of problem in my case, 
> or is the problem that I'm facing due to another totally different cause?
> 
> Thanks for your kind help!
> 
> Sébastien Brossard
> 
> sebastien.brossard at turbosa.banquepopulaire.fr
> 
> PS:
> 
> By the way, here's the XML string that I try to verify:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <ebicsNoPubKeyDigestsRequest Revision="1" Version="H001" 
> xsi:schemaLocation="http://www.ebics.org/H001 
> http://www.ebics.org/H001/ebics_keymgmt_request.xsd" 
> xmlns="http://www.ebics.org/H001" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <header authenticate="true">
>     <static>
>       <HostID>EBICSFR</HostID>
>       <Nonce>DB545BDC437B95999202C6EA69393A6E</Nonce>
>       <Timestamp>2008-04-22T09:29:24.838Z</Timestamp>
>       <PartnerID>SEB</PartnerID>
>       <UserID>USERID</UserID>
>       <OrderDetails>
>         <OrderType>HPB</OrderType>
>         <OrderAttribute>DZHNN</OrderAttribute>
>       </OrderDetails>
>       <SecurityMedium>0400</SecurityMedium>
>     </static>
>     <mutable/>
>   </header>
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
>         <ds:Transforms>
>           <ds:Transform 
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>         </ds:Transforms>
>         <ds:DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <ds:DigestValue>jyF+PD4mQ6P5q4krG/spn0tNc7w=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
> <ds:SignatureValue>EhinV8z06LDoNdeeYebT/Z9UGF0EZViPHexD6H2e5EgPWD8OBV1hYnro2KJ48N9WMyIf4UkZzKLWSIV4IfIcjtDYzUsLZFke6kL3BKGeFe2jAuAlGyHVD/MUxEU3Fsg6QkqknkQrybjiX1FA9SFdBzyjN8d/9qksRQZXmjkuBNM=</ds:SignatureValue>
>   </Signature>
>   <body/>
> </ebicsNoPubKeyDigestsRequest>
> 
> And here's the public key of the client software:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <Keys xmlns="http://www.aleksey.com/xmlsec/2002">
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <KeyValue>
> <RSAKeyValue>
> <Modulus>AMWVUq4RSou1Dy4VaNIEkIBLddfysftYsXI5Hg+bncOYuDQFlU31B2kqSyzYhXXelhvhkSXTgNuBGwnf1VFw+VbVR/kVjDhvt2vgPjfKpbXJEEmy8QxJpSpsUFW9DbVbWocnzkxEZJzM7VKKyBdKXiMWT3wdhRIrqxaLc/NX+S+H</Modulus>
> <Exponent>AQAB</Exponent>
> </RSAKeyValue>
> </KeyValue>
> </KeyInfo>
> </Keys>


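As an added example (not xmlsec's code and not part of either message), the script below shows the ambiguity Sébastien asks about: a verifier that percent-decodes the Reference URI before reading the xpointer's XPath treats the raw and escaped spellings as the same reference and selects the same `header` element, while one that does not would hand the literal `%2F%2F*...` string to its XPath engine. The function names are hypothetical, the document is a trimmed copy of the quoted request, and only the Python standard library is used.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample: a trimmed copy of the EBICS request quoted in the thread.
EBICS_REQUEST = """<ebicsNoPubKeyDigestsRequest Revision="1" Version="H001"
    xmlns="http://www.ebics.org/H001"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <header authenticate="true">
    <static><HostID>EBICSFR</HostID></static>
    <mutable/>
  </header>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#xpointer(//*[@authenticate='true'])"/>
    </ds:SignedInfo>
  </Signature>
  <body/>
</ebicsNoPubKeyDigestsRequest>"""

# The two spellings of the same reference discussed in the thread.
RAW_URI = "#xpointer(//*[@authenticate='true'])"
ESCAPED_URI = "#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"

_XPOINTER = re.compile(r"\A#xpointer\((.*)\)\Z", re.DOTALL)

def xpointer_expression(uri, decode=True):
    """Return the XPath carried by a same-document '#xpointer(...)' URI.
    decode=True percent-decodes first, so both spellings yield the same
    expression; decode=False mimics a verifier that skips that step."""
    match = _XPOINTER.match(unquote(uri) if decode else uri)
    if match is None:
        raise ValueError(f"not an xpointer reference: {uri!r}")
    return match.group(1)

def select_referenced_nodes(xml_text, uri):
    """Evaluate the xpointer's XPath over the document and return the tags of
    the matching elements (ElementTree needs a relative './/' path, so the
    root is wrapped in a dummy parent to keep it selectable)."""
    expr = xpointer_expression(uri)
    if not expr.startswith("//"):
        raise ValueError(f"only descendant ('//') expressions handled: {expr!r}")
    wrapper = ET.Element("wrapper")
    wrapper.append(ET.fromstring(xml_text))
    return [el.tag for el in wrapper.findall("." + expr)]

if __name__ == "__main__":
    for uri in (RAW_URI, ESCAPED_URI):
        print(uri, "->", select_referenced_nodes(EBICS_REQUEST, uri))
    # A verifier that skips percent-decoding sees a different XPath entirely.
    print("undecoded:", xpointer_expression(ESCAPED_URI, decode=False))
```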
