[xmlsec] invalid data:data and digest do not match
weizhong qiang
weizhongqiang at gmail.com
Thu Oct 9 16:07:44 PDT 2008
Hello,
Now I understand what you meant.
But unfortunately, I can not get the Pre-digest value from signer, because I
got the message from the service which is developed by other project and not
well supported.
But I run (I was wrong in the former mail, uri should be used for
namespace):
xmlsec1 --verify --trusted-pem 1f0e8352.0 --id-attr:ID
urn:oasis:names:tc:SAML:2.0:assertion:Assertion --store-references
assertion11.xml
I got the message, and I can not see anything wrong from the message
(PreDigest data) in verification side. Can you see anything wrong?
Thanks a lot
Weizhong Qiang
*********************
xmlsec1 --verify --trusted-pem 1f0e8352.0 --id-attr:ID
urn:oasis:names:tc:SAML:2.0:assertion:Assertion --store-references
assertion11.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: invalid
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000000
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: invalid
== URI: "#_80310c3e-3ee4-425f-aee0-226729374b95"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #_80310c3e-3ee4-425f-aee0-226729374b95
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature (href=
http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_80310c3e-3ee4-425f-aee0-226729374b95"
IssueInstant="2008-10-09T22:58:25.448Z"
Version="2.0"><saml:Issuer>CN=Weizhong
Qiang,OU=fys.uio.no,O=NorduGrid,O=Grid</saml:Issuer><saml:Subject><saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=test,O=UiO,ST=Oslo,C=NO</saml:NameID><saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml:SubjectConfirmationData><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#
"><ds:X509Data><ds:X509Certificate>MIICozCCAgygAwIBAgIBATANBgkqhkiG9w0BAQQFADA3MQswCQYDVQQGEwJOTzENMAsGA1UECBME
T3NsbzEMMAoGA1UEChMDVWlPMQswCQYDVQQDEwJDQTAeFw0wNzExMDYxNTE4NDlaFw0wODExMDUx
NTE4NDlaMDkxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIEwRPc2xvMQwwCgYDVQQKEwNVaU8xDTALBgNV
BAMTBHRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMUZpDYNYNuoqohEkP4w/MnGAiXV
sZUSPuFChL2HT2sE7VQ2/RsFKRyAFXNaBIPcpoJF2uTv6Llc0G9F5v4G5ZyZiiexgl3HtnmiMcgW
ie/d5XfYf0o+2xhofdsgxb5d2DRFyUVxkKnBRYSSebR9wsdlwtlduSDxsN22CFITqL3FAgMBAAGj
gbwwgbkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
aWNhdGUwHQYDVR0OBBYEFGtX2cUVfSVs1xLKLwwscpNon2duMF8GA1UdIwRYMFaAFLg5jUhGbh+u
jBIx6kabFY+E5JrWoTukOTA3MQswCQYDVQQGEwJOTzENMAsGA1UECBMET3NsbzEMMAoGA1UEChMD
VWlPMQswCQYDVQQDEwJDQYIBADANBgkqhkiG9w0BAQQFAAOBgQAIrqV+I9YbXvpsRvwJLOFIVIuX
Cy8l5RjfSrd4UG3oX3c0nmr5oe93XomAJ525ULOGSh5w8kmfGA96yUi2LRmdM9ZQyyVWLDagU0dt
mdcJm2CedeRxI+ShtIE3PRc/OTEjz/dvY6gD/jiHDUr/IcooHMSApIuDZXWvSNWSql0Swg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions
NotBefore="2008-10-09T22:58:25.448Z"
NotOnOrAfter="2008-10-10T09:58:25.448Z"></saml:Conditions><saml:AttributeStatement><saml:Attribute
Name="Degree"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">PhD</saml:AttributeValue></saml:Attribute><saml:Attribute
Name="http://voms.forge.cnaf.infn.it/group"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">/knowarc</saml:AttributeValue><saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">/knowarc/UiO</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
== PreDigest data - end buffer
== Manifest References List:
=== list size: 0
Error: failed to verify file "assertion11.xml"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20081010/2868722a/attachment-0002.htm
More information about the xmlsec
mailing list