[xmlsec] Signing and verifying a XAdES template

Alfredo Esteban aedelatorre at gmail.com
Sat Nov 10 17:06:09 PST 2012


Hello,

Ken was right. I fixed the problem adding transform nodes. But this is not
a XAdES signature yet. I'm workint on it.

I'm attaching the resulting xml. I can sign and verify it using xmlsec.

Alfredo


2012/11/4 Alfredo Esteban <aedelatorre at gmail.com>

> Hello Ken,
>
> Thanks a lot for your help. I will study the UBL example, modify mine
> and write here the results.
>
> Alfredo
>
> 2012/11/3 G. Ken Holman <gkholman at cranesoftwrights.com>:
> > At 2012-11-03 15:07 +0100, Alfredo Esteban wrote:
> >>
> >> Hello,
> >>
> >> I was verifying whether xmlsec supports XAdES signature (Does it?). As
> >> you probably know, XAdES is an European extension of XMLsign.
> >>
> >> I'm able to sign the attached XAdES template without errors but
> >> xmlsec1 is not able to verify its own resulting signature:
> >>
> >> > xmlsec1 --version
> >> xmlsec1 1.2.18 (openssl)
> >>
> >> > xmlsec1 sign --pkcs12 ../../certificado-ceres-alfredo-esteban.p12
> >> > --output hola.xsig --pwd xxxxxxxxxxxxx ejemplo-xades-enveloped.xml
> >>
> >> > xmlsec1 verify --trusted-der aet-cert.der ejemplo-xades-enveloped.xsig
> >> >
> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
> >> > data:data and digest do not match
> >> FAIL
> >> SignedInfo References (ok/all): 1/2
> >> Manifests References (ok/all): 0/0
> >> Error: failed to verify file "ejemplo-xades-enveloped.xsig"
> >>
> >> Is it a bug? Any help is welcome.
> >
> >
> > I think not.  I think it is an issue with your signature.
> >
> > I designed the XML scaffolding for OASIS UBL documents and I'm told there
> > are a number of users of XAdES in Europe who are signing UBL documents
> using
> > it.  An example is found here, and you can see a couple of XAdES fields
> > under the ds:Object element:
> >
> >
> >
> http://docs.oasis-open.org/ubl/prd2-UBL-2.1/xml/UBL-Invoice-2.0-Enveloped.xml
> >
> > I used xmlsec to sign and validate this document.  The environment that I
> > publish to sign and to validate UBL documents can be found here:
> >
> >  http://www.CraneSoftwrights.com/resources/ubl/#digsig
> >
> > Looking at the example UBL Invoice cited above, comparing it to the
> document
> > you attached to your post, I note that the UBL document has a
> <ds:Transform>
> > element that tells the processor to ignore everything under
> > <sig:UBLDocumentSignatures> when calculating the signature.  Thus, when
> the
> > signature information is added by the signing process under the
> > <sig:UBLDocumentSignatures> element, that added information does not
> change
> > what is calculated to determine the signature information at validation
> > time.
> >
> > If I've interpreted your situation correctly, the process that is
> > calculating the signature for your XML is signing the entire document,
> and
> > then you go and change what is signed by adding the signature
> information to
> > the document without protecting it.  When the signature validation
> process
> > acts on your document, it now contains the signature information which
> gets
> > incorporated in the calculations and will never be correct.
> >
> > If, however, you included a <ds:Transform> element in your document in
> order
> > to protect the signing process from incorporating the added signature,
> then
> > the validation process will ignore the added signature and come to the
> same
> > calculations as the signing process.
> >
> > At least that is what I think is going on.
> >
> > I hope this helps.
> >
> > . . . . . . . . . Ken
> >
> >
> > --
> > Contact us for world-wide XML consulting and instructor-led training
> > Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
> > Crane Softwrights Ltd.            http://www.CraneSoftwrights.com/z/
> > G. Ken Holman                   mailto:gkholman at CraneSoftwrights.com
> > Google+ profile: https://plus.google.com/116832879756988317389/about
> > Legal business disclaimers:    http://www.CraneSoftwrights.com/legal
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20121111/dd02a86a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ejemplo-xades-enveloped.xml
Type: text/xml
Size: 3709 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20121111/dd02a86a/attachment.xml>


More information about the xmlsec mailing list