[xmlsec] Fwd: Re: Bad digest in #Manifest

Aleksey Sanin aleksey at aleksey.com
Wed Apr 9 11:12:01 PDT 2014


This is exactly what  --store-references  option does :)

Aleksey

On 4/9/14, 10:15 AM, François Plou wrote:
> Hi,
> 
> I am trying to discover what xml part is digested to understand why I
> got another digest value than the one calculated by java XmlDsig API.
> To do that I try to add some trace in the code just before the digest
> algorithm but I was unable yet to find the right position.
> Could you provide me a clue where to add trace in the source code ?
> 
> Thanks for your help.
> 
> Francois
> 
> 
> Le 07/04/2014 14:49, François Plou a écrit :
>>
>> Hi,
>>
>> Below is the result of --store-references option :
>>
>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>> Enter password for "/home/fplou/CA/fplousign.key" file:
>> = SIGNATURE CONTEXT
>> == Status: succeeded
>> == flags: 0x00000006
>> == flags2: 0x00000000
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000002
>> ==== keyUsage: 0x00000001
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: c14n
>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Signature Method:
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> == Signature Key:
>> == KEY
>> === method: RSAKeyValue
>> === key type: Private
>> === key usage: -1
>> === rsa key: size = 2048
>> == SignedInfo References List:
>> === list size: 1
>> = REFERENCE CALCULATION CONTEXT
>> == Status: succeeded
>> == URI: "#Manifest"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #Manifest
>> === Transform: xpointer
>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: enveloped-signature
>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: c14n
>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == Result - start buffer:
>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>> == Result - end buffer
>> == Manifest References List:
>> === list size: 2
>> = REFERENCE CALCULATION CONTEXT
>> == Status: succeeded
>> == URI: ""
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: enveloped-signature
>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: c14n
>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>         <AcctOpngReq>
>>                 <Refs>
>>                         <MsgId>
>> <Id>ABC/090928/CCT001</Id>
>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>                         </MsgId>
>>                         <PrcId>
>> <Id>ABC/090928/CCT001</Id>
>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>                         </PrcId>
>>                 </Refs>
>>                 <Acct>
>>                         <Id>
>>                                 <Othr>
>> <Id>NOREF2</Id>
>>                                 </Othr>
>>                         </Id>
>>                         <Tp>
>>                                 <Cd>CASH</Cd>
>>                         </Tp>
>>                         <Ccy>USD</Ccy>
>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>> <MnthlyTxNb>100</MnthlyTxNb>
>> <AvrgBal>10000</AvrgBal>
>>                 </Acct>
>>                 <CtrctDts>
>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>                 </CtrctDts>
>>                 <UndrlygMstrAgrmt>
>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>                         <Vrsn>1.0</Vrsn>
>>                 </UndrlygMstrAgrmt>
>>                 <AcctSvcrId>
>>                         <FinInstnId>
>> <BICFI>BBBBUS33</BICFI>
>>                         </FinInstnId>
>>                 </AcctSvcrId>
>>                 <Org>
>>                         <FullLglNm>ABC Corporation</FullLglNm>
>> <CtryOfOpr>US</CtryOfOpr>
>> <RegnDt>1999-09-01</RegnDt>
>>                         <LglAdr>
>>                                 <StrtNm>Times Square</StrtNm>
>> <BldgNb>7</BldgNb>
>>                                 <PstCd>NY 10036</PstCd>
>>                                 <TwnNm>New York</TwnNm>
>> <Ctry>US</Ctry>
>>                         </LglAdr>
>>                         <OrgId>
>>                                 <Othr>
>> <Id>01256485-85</Id>
>>                                         <SchmeNm>
>> <Prtry>TAX</Prtry>
>>                                         </SchmeNm>
>>                                 </Othr>
>>                         </OrgId>
>>                         <MainMndtHldr>
>>                                 <Nm>Richard Jones</Nm>
>>                                 <PstlAdr>
>> <AdrTp>HOME</AdrTp>
>>                                         <StrtNm>La Guardia Drive</StrtNm>
>> <BldgNb>12</BldgNb>
>>                                         <PstCd>NJ 07054</PstCd>
>> <TwnNm>Parsippany</TwnNm>
>> <Ctry>US</Ctry>
>>                                 </PstlAdr>
>>                                 <Id>
>> <DtAndPlcOfBirth>
>> <BirthDt>1960-05-01</BirthDt>
>> <CityOfBirth>New york</CityOfBirth>
>> <CtryOfBirth>US</CtryOfBirth>
>> </DtAndPlcOfBirth>
>>                                 </Id>
>>                         </MainMndtHldr>
>>                 </Org>
>>                 <DgtlSgntr>
>>                         <Pty>
>> <Nm>fplou</Nm>
>>                         </Pty>
>>                         <Sgntr>
>>
>>                         </Sgntr>
>>                 </DgtlSgntr>
>>         </AcctOpngReq>
>> </Document>
>> == PreDigest data - end buffer
>> == Result - start buffer:
>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>> == Result - end buffer
>> = REFERENCE CALCULATION CONTEXT
>> == Status: succeeded
>> == URI: "sign.sh"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: sign.sh
>> === uri xpointer expr: NULL
>> === Transform: input-uri (href=NULL)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>> acmt.007.001.02_1.skel.1sign.object2.xml
>>
>> == PreDigest data - end buffer
>> == Result - start buffer:
>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>> == Result - end buffer
>> == Result - start buffer:
>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>> uD2ZSS1bWu236lKh1elKWw==
>> == Result - end buffer
>>
>>
>> François
>>
>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>> Try "--store-references" option to see what exactly was signed. Just
>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>> suspicious.
>>>
>>> Aleksey
>>>
>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>> Hi,
>>>>
>>>> I am facing an issue trying to sign an xml document which makes
>>>> reference to an external file.
>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>> verified by
>>>> tool like Apache XML Security.
>>>> I am pretty sure there is something missing in the XML document I give
>>>> to xmlsec but can't figure what.
>>>>
>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>> The output document is fpl.xml
>>>>
>>>> The digest which is not the same as the one computed by Apache XML
>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>
>>>> I found that the expecting digest match the manifest3.xml file enclosed
>>>> (I built it manually).
>>>> So it seems xmlsec is not creating the same manifest part.
>>>>
>>>> Do you have any idea what can be wrong in my
>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>>> transform ?
>>>>
>>>> Thanks for your help.
>>>>
>>>> Francois
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> xmlsec mailing list
>>>> xmlsec at aleksey.com
>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>
>>
>>
>>
> 
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 


More information about the xmlsec mailing list