[xmlsec] Verifying signature for enveloped signature with multiple signatures

Magnus R magnus_qwerty at hotmail.com
Tue Dec 18 05:37:38 PST 2012


Hello, 
I have a question regarding signature verification for enveloped signatures.
The question seems related to previous discussions in the forum:

http://www.aleksey.com/pipermail/xmlsec/2010/008910.html
http://www.aleksey.com/pipermail/xmlsec/2010/008911.html
http://www.aleksey.com/pipermail/xmlsec/2012/009340.html
http://www.aleksey.com/pipermail/xmlsec/2012/009341.html

But even with the help of the previous posts I have not been able to verify my xml file.
I have tried the command line application "xmlsec1", as well as writing code, 
but it seems the same problem happens in both cases, so I will show the code below,
which is similar to the "verify3.c" example application shipped with the xmlsec library.


The relevant code part looks like this (written in C++):
==================================================
    std::cout << "Will find start node" << std::endl;

    // find start node
    xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
    if(node == NULL)
    {
        throw std::string("Start node not found in XML file");
    }

    std::cout << "-Found this node: \"" << node->name << "\"" << std::endl;

    // create signature context
    xmlSecDSigCtxPtr dsigCtx = xmlSecDSigCtxCreate(mngr);
    if(dsigCtx == NULL)
    {
        throw std::string("failed to create signature context");
    }
==================================================


When I run the application I get the following output:

-----------------------------------
Will verify file
Will load file: signedmod.xml
Will find start node
-Found this node: "Signature"
Will verify signature
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('SignedRouting'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: 
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: 
Error: signature verify
-----------------------------------


The input XML file is shown at the end of this email.
(also see the attached file signedxml.xml)


As can be seen from the output, the call to xmlSecFindNode() succeeds, and the node found is "Signature":
      -Found this node: "Signature"

However, after this the call to xmlSecDSigCtxCreate() fails. 

My guess is that first the "Signature" node is (correctly) found,
but since this is an enveloped signature rather than an enveloping signature, the call fails. 

I have looked through the example XML files at the xmlsec online verifier web page:
http://www.aleksey.com/xmlsec/xmldsig-verifier.html

In those examples, the "Signature" tag is the outermost tag, with everything else contained in it.
However, in my case, the "Signature" tag is embedded in other tags that should be included in the signature. 

I guess the problem is that the "Signature" tag is found, but not everything needed to verify the
signature is contained in that tag. Instead, some information is outside of the tag.

So the question is, how should I solve this? 
Can you give some hints how I should implement the signature verification for my XML document?

The XML document will always have the same structure/XML schema, so it would be possible to
hard-code search paths etc. rather than making the solution generic enough for all kinds of documents.


Regards
/Magnus




+++++++++++++++++++++++++++++++++
<soap:Envelope xmlns:myapp="http://www.mycompany.com/myapp" xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
  <soap:Header>
    <myapp:Routing Filename="testfile.docx" ID="SignedRouting">
      <myapp:Transforms>
        <myapp:Transform Order="1" Type="Base64"></myapp:Transform>
      </myapp:Transforms>
    </myapp:Routing>
    <myapp:MyWorker ID="SignedMyWorker"></myapp:MyWorker>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#SignedRouting">
       <Transforms>
         <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
       </Transforms>
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
       <DigestValue>RHhNanfgz950DdpZUZeX3zNdvmY=</DigestValue>
      </Reference>

      <Reference URI="#SignedBody">
       <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
       </Transforms>
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
       <DigestValue>jdfsfsdlfkjsdflkjsdflkjdsf</DigestValue>
      </Reference>
     </SignedInfo>
   <SignatureValue>poisdufsoifusdofiusdoifusdfpuidsf</SignatureValue>
   <KeyInfo>
     <KeyValue>
       <RSAKeyValue>
         <Modulus>ksfhsdkhfsdkjfhskdhf</Modulus>
         <Exponent>AQAB</Exponent>
       </RSAKeyValue>
     </KeyValue></KeyInfo>
    </Signature>
   </soap:Header>
  <soap:Body ID="SignedBody">
    <myapp:FileData>
      <![CDATA[UEIUYIUYUIYUIYUIYUIY
]]>
    </myapp:FileData>
  </soap:Body>
</soap:Envelope>
+++++++++++++++++++++++++++++++++

 		 	   		  
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signedmod.xml
Type: application/xml
Size: 1538 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20121218/09a38d1e/attachment.xml>
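
The error trace in the message stops at xmlXPtrEval evaluating xpointer(id('SignedRouting')): with no DTD, an attribute named "ID" is not of XML type ID, so the lookup has nothing to match. The following is an added example (not code from the post or from xmlsec) that models this with Python's standard xml.dom.minidom on a constructed, cut-down copy of the envelope; in xmlsec itself the attribute is registered with xmlSecAddIDs() or the xmlsec1 --id-attr option.

```python
from xml.dom import minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: same shape as the posted envelope, cut down to the
# parts that matter for ID lookup (no digests, no key material).
SAMPLE = """<soap:Envelope xmlns:myapp="http://www.mycompany.com/myapp"
    xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
  <soap:Header>
    <myapp:Routing Filename="testfile.docx" ID="SignedRouting"/>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
      <Reference URI="#SignedRouting"/>
      <Reference URI="#SignedBody"/>
    </SignedInfo></Signature>
  </soap:Header>
  <soap:Body ID="SignedBody"/>
</soap:Envelope>"""


def register_ids(doc, attr_name="ID"):
    """Declare every `attr_name` attribute an XML ID; refuse duplicate values."""
    seen = set()
    for el in doc.getElementsByTagName("*"):
        if el.hasAttribute(attr_name):
            value = el.getAttribute(attr_name)
            if value in seen:
                # Two elements with one ID: a Reference would be ambiguous.
                raise ValueError("duplicate ID value: " + value)
            seen.add(value)
            el.setIdAttribute(attr_name)


def resolve_references(doc):
    """Map each same-document Reference URI to the tag it selects, or None."""
    found = {}
    for ref in doc.getElementsByTagNameNS(DSIG_NS, "Reference"):
        uri = ref.getAttribute("URI")
        if uri.startswith("#"):
            target = doc.getElementById(uri[1:])
            found[uri] = target.tagName if target is not None else None
    return found


def demo(xml_text=SAMPLE):
    doc = minidom.parseString(xml_text)
    before = resolve_references(doc)  # no DTD: "ID" is an ordinary attribute
    register_ids(doc)
    after = resolve_references(doc)   # lookups now reach Routing and Body
    return before, after
```

The duplicate check matters on the verifying side: if two elements carry the same ID value, the element a Reference digests and the element the application later reads may not be the same one.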

