[xmlsec] Signing and verifying a XAdES template
aedelatorre at gmail.com
Sat Nov 10 17:06:09 PST 2012
Ken was right. I fixed the problem adding transform nodes. But this is not
a XAdES signature yet. I'm workint on it.
I'm attaching the resulting xml. I can sign and verify it using xmlsec.
2012/11/4 Alfredo Esteban <aedelatorre at gmail.com>
> Hello Ken,
> Thanks a lot for your help. I will study the UBL example, modify mine
> and write here the results.
> 2012/11/3 G. Ken Holman <gkholman at cranesoftwrights.com>:
> > At 2012-11-03 15:07 +0100, Alfredo Esteban wrote:
> >> Hello,
> >> I was verifying whether xmlsec supports XAdES signature (Does it?). As
> >> you probably know, XAdES is an European extension of XMLsign.
> >> I'm able to sign the attached XAdES template without errors but
> >> xmlsec1 is not able to verify its own resulting signature:
> >> > xmlsec1 --version
> >> xmlsec1 1.2.18 (openssl)
> >> > xmlsec1 sign --pkcs12 ../../certificado-ceres-alfredo-esteban.p12
> >> > --output hola.xsig --pwd xxxxxxxxxxxxx ejemplo-xades-enveloped.xml
> >> > xmlsec1 verify --trusted-der aet-cert.der ejemplo-xades-enveloped.xsig
> >> >
> >> > data:data and digest do not match
> >> FAIL
> >> SignedInfo References (ok/all): 1/2
> >> Manifests References (ok/all): 0/0
> >> Error: failed to verify file "ejemplo-xades-enveloped.xsig"
> >> Is it a bug? Any help is welcome.
> > I think not. I think it is an issue with your signature.
> > I designed the XML scaffolding for OASIS UBL documents and I'm told there
> > are a number of users of XAdES in Europe who are signing UBL documents
> > it. An example is found here, and you can see a couple of XAdES fields
> > under the ds:Object element:
> > I used xmlsec to sign and validate this document. The environment that I
> > publish to sign and to validate UBL documents can be found here:
> > http://www.CraneSoftwrights.com/resources/ubl/#digsig
> > Looking at the example UBL Invoice cited above, comparing it to the
> > you attached to your post, I note that the UBL document has a
> > element that tells the processor to ignore everything under
> > <sig:UBLDocumentSignatures> when calculating the signature. Thus, when
> > signature information is added by the signing process under the
> > <sig:UBLDocumentSignatures> element, that added information does not
> > what is calculated to determine the signature information at validation
> > time.
> > If I've interpreted your situation correctly, the process that is
> > calculating the signature for your XML is signing the entire document,
> > then you go and change what is signed by adding the signature
> information to
> > the document without protecting it. When the signature validation
> > acts on your document, it now contains the signature information which
> > incorporated in the calculations and will never be correct.
> > If, however, you included a <ds:Transform> element in your document in
> > to protect the signing process from incorporating the added signature,
> > the validation process will ignore the added signature and come to the
> > calculations as the signing process.
> > At least that is what I think is going on.
> > I hope this helps.
> > . . . . . . . . . Ken
> > --
> > Contact us for world-wide XML consulting and instructor-led training
> > Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
> > Crane Softwrights Ltd. http://www.CraneSoftwrights.com/z/
> > G. Ken Holman mailto:gkholman at CraneSoftwrights.com
> > Google+ profile: https://plus.google.com/116832879756988317389/about
> > Legal business disclaimers: http://www.CraneSoftwrights.com/legal
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3709 bytes
Desc: not available
More information about the xmlsec