[xmlsec] Verifying signature for enveloped signature with multiple signatures
Aleksey Sanin
aleksey at aleksey.com
Tue Dec 18 08:10:54 PST 2012
Section 3.2 in the FAQ
http://www.aleksey.com/xmlsec/faq.html
Aleksey
On 12/18/12 7:20 AM, Magnus R wrote:
> Hello again,
>
> I made a mistake in the question:
>
> It is not the call to xmlSecDSigCtxCreate() that fails.
> Instead, it is the call to xmlSecDSigCtxVerify() that fails.
>
>
>
> Here is the code:
> ==============
>
> std::cout << "Will find start node" << std::endl;
>
> // find start node
> xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc),
> xmlSecNodeSignature, xmlSecDSigNs);
> if(node == NULL)
> {
> throw std::string("Start node not found in XML file");
> }
>
> std::cout << "-Found this node: \"" << node->name << "\"" << std::endl;
>
> // create signature context
> xmlSecDSigCtxPtr dsigCtx = xmlSecDSigCtxCreate(mngr);
> if(dsigCtx == NULL)
> {
> throw std::string("failed to create signature context");
> }
>
> std::cout << "Will verify signature" << std::endl;
>
> // Verify signature
> if(xmlSecDSigCtxVerify(dsigCtx, node) < 0)
> {
> fprintf(stderr,"Error: signature verify\n");
> return false;
> }
>
> ===============================
>
> Regards
> /Magnus
>
>
> ------------------------------------------------------------------------
> From: magnus_qwerty at hotmail.com
> To: xmlsec at aleksey.com
> Date: Tue, 18 Dec 2012 14:37:38 +0100
> Subject: [xmlsec] Verifying signature for enveloped signature with multiple signatures
>
> Hello,
> I have a question regarding signature verification for enveloped signatures.
> The question seems related to previous discussions in the forum:
>
> http://www.aleksey.com/pipermail/xmlsec/2010/008910.html
> http://www.aleksey.com/pipermail/xmlsec/2010/008911.html
> http://www.aleksey.com/pipermail/xmlsec/2012/009340.html
> http://www.aleksey.com/pipermail/xmlsec/2012/009341.html
>
> But even with help of the previous posts I have not been able to verify my xml file.
> I have tried the command line application "xmlsec1", as well as writing code,
> but it seems the same problem happens in both cases, so I will show the code below,
> which is similar to the "verify3.c" example application shipped with the xmlsec library.
>
>
> The relevant code part looks like this (written in C++):
> ==================================================
> std::cout << "Will find start node" << std::endl;
>
> // find start node
> xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc),
> xmlSecNodeSignature, xmlSecDSigNs);
> if(node == NULL)
> {
> throw std::string("Start node not found in XML file");
> }
>
> std::cout << "-Found this node: \"" << node->name << "\"" << std::endl;
>
> // create signature context
> xmlSecDSigCtxPtr dsigCtx = xmlSecDSigCtxCreate(mngr);
> if(dsigCtx == NULL)
> {
> throw std::string("failed to create signature context");
> }
> ==================================================
>
>
> When I run the application I get the following output:
>
> -----------------------------------
> Will verify file
> Will load file: signedmod.xml
> Will find start node
> -Found this node: "Signature"
> Will verify signature
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('SignedRouting'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature verify
> -----------------------------------
>
>
> The input XML file is shown at the end of this email.
> (also see the attached file signedxml.xml)
>
>
> As can be seen from the output, the call to xmlSecFindNode() succeeds,
> and the node found is "Signature":
> -Found this node: "Signature"
>
> However, after this the call to xmlSecDSigCtxCreate() fails.
>
> My guess is that first the "Signature" node is (correctly) found,
> but since this is an enveloped signature rather than an enveloping
> signature, the call fails.
>
> I have looked through the example XML files at the xmlsec online
> verifier web page:
> http://www.aleksey.com/xmlsec/xmldsig-verifier.html
>
> In those examples, the "Signature" tag is the outermost tag, with
> everything else contained in it.
> However, in my case, the "Signature" tag is embedded in other tags that
> should be included in the signature.
>
> I guess the problem is that the "Signature" tag is found, but not everything
> needed to verify the signature is contained in that tag. Instead, some
> information is outside of the tag.
>
> So the question is, how should I solve this?
> Can you give some hints on how I should implement the signature
> verification for my XML document?
>
> The XML document will always have the same structure/XML schema, so it
> would be possible to hard code search paths etc rather than making the
> solution generic enough for all kinds of documents.
>
>
> Regards
> /Magnus
>
>
>
>
> +++++++++++++++++++++++++++++++++
> <soap:Envelope xmlns:myapp="http://www.mycompany.com/myapp"
> xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
> <soap:Header>
> <myapp:Routing Filename="testfile.docx" ID="SignedRouting">
> <myapp:Transforms>
> <myapp:Transform Order="1" Type="Base64"></myapp:Transform>
> </myapp:Transforms>
> </myapp:Routing>
> <myapp:MyWorker ID="SignedMyWorker"></myapp:MyWorker>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> <Reference URI="#SignedRouting">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <DigestValue>RHhNanfgz950DdpZUZeX3zNdvmY=</DigestValue>
> </Reference>
>
> <Reference URI="#SignedBody">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <DigestValue>jdfsfsdlfkjsdflkjsdflkjdsf</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>poisdufsoifusdofiusdoifusdfpuidsf</SignatureValue>
> <KeyInfo>
> <KeyValue>
> <RSAKeyValue>
> <Modulus>ksfhsdkhfsdkjfhskdhf</Modulus>
> <Exponent>AQAB</Exponent>
> </RSAKeyValue>
> </KeyValue></KeyInfo>
> </Signature>
> </soap:Header>
> <soap:Body ID="SignedBody">
> <myapp:FileData>
> <![CDATA[UEIUYIUYUIYUIYUIYUIY
> ]]>
> </myapp:FileData>
> </soap:Body>
> </soap:Envelope>
> +++++++++++++++++++++++++++++++++
>
>
> _______________________________________________ xmlsec mailing list
> xmlsec at aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
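The log in the post fails at xpointer(id('SignedRouting')): libxml2's id() only knows attributes declared as type ID (by a DTD, or registered with xmlSecAddIDs() in code or --id-attr:ID on the xmlsec1 command line, which is the point the FAQ section in the reply makes), so with nothing registered the Reference URIs cannot be resolved. The model of that lookup below is an added example using only Python's standard library, not xmlsec's or the poster's code; add_ids and resolve_references are names made up here, and SAMPLE is a cut-down copy of the envelope from the post.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample: the envelope from the post cut down to what reference
# resolution needs (no digests, key or signature value).
SAMPLE = """<soap:Envelope xmlns:myapp="http://www.mycompany.com/myapp" xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
 <soap:Header>
  <myapp:Routing Filename="testfile.docx" ID="SignedRouting"/>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   <SignedInfo>
    <Reference URI="#SignedRouting"/>
    <Reference URI="#SignedBody"/>
   </SignedInfo>
  </Signature>
 </soap:Header>
 <soap:Body ID="SignedBody"/>
</soap:Envelope>"""

def add_ids(root, id_attrs):
    """Model of xmlSecAddIDs(): index every element carrying one of the named
    attributes by that attribute's value (what a DTD would otherwise declare)."""
    table = {}
    for el in root.iter():
        for attr in id_attrs:
            value = el.get(attr)
            if value is None:
                continue
            if value in table:  # libxml2 rejects duplicate IDs as well
                raise ValueError(f"duplicate ID value {value!r}")
            table[value] = el
    return table

def resolve_references(root, id_table):
    """Resolve each ds:Reference URI="#..." through the ID table; a missing
    entry is the failure behind the post's xmlXPtrEval error."""
    resolved = {}
    for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError(f"only same-document references handled: {uri!r}")
        target = id_table.get(uri[1:])
        resolved[uri] = None if target is None else target.tag
    return resolved

def demo():
    root = ET.fromstring(SAMPLE)
    # Nothing registered (the post's situation) versus "ID" registered.
    return (resolve_references(root, add_ids(root, [])),
            resolve_references(root, add_ids(root, ["ID"])))
```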