[xmlsec] Signing and verifying a XAdES template

Alfredo Esteban aedelatorre at gmail.com
Sun Nov 4 12:29:11 PST 2012

Hello Ken,

Thanks a lot for your help. I will study the UBL example, modify mine
and write here the results.


2012/11/3 G. Ken Holman <gkholman at cranesoftwrights.com>:
> At 2012-11-03 15:07 +0100, Alfredo Esteban wrote:
>> Hello,
>> I was verifying whether xmlsec supports XAdES signature (Does it?). As
>> you probably know, XAdES is an European extension of XMLsign.
>> I'm able to sign the attached XAdES template without errors but
>> xmlsec1 is not able to verify its own resulting signature:
>> > xmlsec1 --version
>> xmlsec1 1.2.18 (openssl)
>> > xmlsec1 sign --pkcs12 ../../certificado-ceres-alfredo-esteban.p12
>> > --output hola.xsig --pwd xxxxxxxxxxxxx ejemplo-xades-enveloped.xml
>> > xmlsec1 verify --trusted-der aet-cert.der ejemplo-xades-enveloped.xsig
>> > func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
>> > data:data and digest do not match
>> SignedInfo References (ok/all): 1/2
>> Manifests References (ok/all): 0/0
>> Error: failed to verify file "ejemplo-xades-enveloped.xsig"
>> Is it a bug? Any help is welcome.
> I think not.  I think it is an issue with your signature.
> I designed the XML scaffolding for OASIS UBL documents and I'm told there
> are a number of users of XAdES in Europe who are signing UBL documents using
> it.  An example is found here, and you can see a couple of XAdES fields
> under the ds:Object element:
> http://docs.oasis-open.org/ubl/prd2-UBL-2.1/xml/UBL-Invoice-2.0-Enveloped.xml
> I used xmlsec to sign and validate this document.  The environment that I
> publish to sign and to validate UBL documents can be found here:
>  http://www.CraneSoftwrights.com/resources/ubl/#digsig
> Looking at the example UBL Invoice cited above, comparing it to the document
> you attached to your post, I note that the UBL document has a <ds:Transform>
> element that tells the processor to ignore everything under
> <sig:UBLDocumentSignatures> when calculating the signature.  Thus, when the
> signature information is added by the signing process under the
> <sig:UBLDocumentSignatures> element, that added information does not change
> what is calculated to determine the signature information at validation
> time.
> If I've interpreted your situation correctly, the process that is
> calculating the signature for your XML is signing the entire document, and
> then you go and change what is signed by adding the signature information to
> the document without protecting it.  When the signature validation process
> acts on your document, it now contains the signature information which gets
> incorporated in the calculations and will never be correct.
> If, however, you included a <ds:Transform> element in your document in order
> to protect the signing process from incorporating the added signature, then
> the validation process will ignore the added signature and come to the same
> calculations as the signing process.
> At least that is what I think is going on.
> I hope this helps.
> . . . . . . . . . Ken
> --
> Contact us for world-wide XML consulting and instructor-led training
> Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
> Crane Softwrights Ltd.            http://www.CraneSoftwrights.com/z/
> G. Ken Holman                   mailto:gkholman at CraneSoftwrights.com
> Google+ profile: https://plus.google.com/116832879756988317389/about
> Legal business disclaimers:    http://www.CraneSoftwrights.com/legal
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list