[xmlsec] error on signature verification

Aleksey Sanin aleksey at aleksey.com
Tue Apr 27 16:02:45 PDT 2010


The xmlsec1 utility tries to find the ds:Signature element
in the sub-tree specified by the --node-id or --node-name
parameter. The document you have looks as follows (irrelevant
pieces are removed):

<EnvioDTE>
	<SetDTE ID="DTE1272374641984">
		<DTE>
			<Documento ID="F185T33">
			</Documento>
			<ds:Signature>
			</ds:Signature>
		</DTE>
	</SetDTE>
	<ds:Signature>
	</ds:Signature>
</EnvioDTE>

I am not exactly sure why the first command verified something
(I would expect it to do nothing since there are no signature nodes
in the subtree). But the second command correctly finds the
first signature element in the subtree specified by the --node-id
or --node-name parameter (BTW, you just need one parameter :) ).

For documents with multiple signatures, I strongly recommend
putting an ID attribute directly into the <ds:Signature> node. This way you
can easily specify the right signature node to sign or verify.

Regarding the error about xpointer(), please read section 3.4
of the FAQ

http://www.aleksey.com/xmlsec/faq.html

Aleksey




On 4/27/2010 3:15 PM, path at bshellz.net wrote:
>   Aleksey,
>
>   I'm trying to validate the attached document, so I'm using
>   two command lines to verify both signatures:
>
>   xmlsec1 --verify --print-debug \
> --print-crypto-error-msgs \
> --id-attr:ID 'http://www.sii.cl/SiiDte:Documento' \
> --node-name 'http://www.sii.cl/SiiDte:Documento' \
> --node-id 'F185T33' \
> documento-20100427.1.xml 2>&1
>
> xmlsec1 --verify --print-debug \
> --print-crypto-error-msgs \
> --id-attr:ID 'http://www.sii.cl/SiiDte:SetDTE' \
> --node-name 'http://www.sii.cl/SiiDte:SetDTE' \
> --node-id 'DTE1272374641984' \
> documento-20100427.1.xml 2>&1
>
> With the first one, the signature is validated and it's ok, but the second one seems to try to verify the
> first '#F185T33' instead of the second one '#DTE1272374641984', and I get this error message:
>
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "documento-20100427.1.xml"
> = VERIFICATION CONTEXT
> == Status: unknown
>
> And the trace seems to be looking at the first URI:
>
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
> library function failed:expr=xpointer(id('F185T33'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec
> library function failed:
>
> Thanks in advance,
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
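
The lookup described in the reply above, as an added example that is not part of the original thread and not xmlsec code: a small Python model of "first ds:Signature in the selected subtree" that also checks which ID the chosen signature references. The sample document is constructed from the outline in the reply; the Id values "sig-doc" and "sig-set" and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SII = "http://www.sii.cl/SiiDte"

# Constructed sample with the same layout as the outline in the reply.
# The Id attributes on ds:Signature are the recommended addition.
SAMPLE = f"""<EnvioDTE xmlns="{SII}" xmlns:ds="{DS}">
  <SetDTE ID="DTE1272374641984">
    <DTE>
      <Documento ID="F185T33"/>
      <ds:Signature Id="sig-doc">
        <ds:SignedInfo><ds:Reference URI="#F185T33"/></ds:SignedInfo>
      </ds:Signature>
    </DTE>
  </SetDTE>
  <ds:Signature Id="sig-set">
    <ds:SignedInfo><ds:Reference URI="#DTE1272374641984"/></ds:SignedInfo>
  </ds:Signature>
</EnvioDTE>"""

def by_id(root, value, attrs=("ID", "Id")):
    """Return the first element whose ID-like attribute equals value, or None."""
    return next((el for el in root.iter()
                 if any(el.get(a) == value for a in attrs)), None)

def first_signature(start):
    """First ds:Signature in document order at or below start, or None."""
    if start is None:
        return None
    return next(start.iter(f"{{{DS}}}Signature"), None)

def reference_uris(sig):
    """URIs of the ds:Reference elements in the signature's SignedInfo."""
    if sig is None:
        return []
    path = f"{{{DS}}}SignedInfo/{{{DS}}}Reference"
    return [ref.get("URI") for ref in sig.iterfind(path)]

def covers(root, start_id, expected_id):
    """True only if the signature found from start_id references expected_id."""
    sig = first_signature(by_id(root, start_id))
    return f"#{expected_id}" in reference_uris(sig)

ROOT = ET.fromstring(SAMPLE)

if __name__ == "__main__":
    for start in ("F185T33", "DTE1272374641984", "sig-set"):
        print(start, reference_uris(first_signature(by_id(ROOT, start))))
```

Starting from the SetDTE node, the model picks the inner signature, whose Reference is #F185T33, which matches the URI in the quoted trace; starting from the signature's own Id picks the intended one.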

