[xmlsec] Fwd: Re: Bad digest in #Manifest

François Plou fplou at webank.fr
Thu Apr 10 02:31:13 PDT 2014


Not really :-(

The store-references option does not display the XML part that matches 
the digest displayed:

== Status: succeeded
== URI: "#Manifest"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri:
=== uri xpointer expr: #Manifest
=== Transform: xpointer
(href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n
(href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Result - start buffer:
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
== Result - end buffer

The #Manifest is processed and --store-references provides the digest 
2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part that was used to produce 
this digest.

This digest does not match the one produced by Apache XML Security. 
Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=, which matches the following 
XML part:

<Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
                             <Reference URI="">
                             <Transforms>
                                 <Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
                             </Transforms>
                             <DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
                             </Reference>
                             <Reference URI="sign.sh">
                                 <DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
                             </Reference>
                         </Manifest>

So I am trying to figure out which XML part is used by xmlsec1.

Regards

François

On 09/04/2014 20:12, Aleksey Sanin wrote:
> This is exactly what  --store-references  option does :)
>
> Aleksey
>
> On 4/9/14, 10:15 AM, François Plou wrote:
>> Hi,
>>
>> I am trying to discover which XML part is digested, to understand why I
>> got a different digest value from the one calculated by the Java XmlDsig API.
>> To do that I tried to add some trace in the code just before the digest
>> algorithm, but I have not yet been able to find the right position.
>> Could you give me a clue as to where to add trace in the source code?
>>
>> Thanks for your help.
>>
>> Francois
>>
>>
>> On 07/04/2014 14:49, François Plou wrote:
>>> Hi,
>>>
>>> Below is the result of --store-references option :
>>>
>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>> = SIGNATURE CONTEXT
>>> == Status: succeeded
>>> == flags: 0x00000006
>>> == flags2: 0x00000000
>>> == Key Info Read Ctx:
>>> = KEY INFO READ CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: rsa
>>> ==== keyType: 0x00000002
>>> ==== keyUsage: 0x00000001
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> == Key Info Write Ctx:
>>> = KEY INFO WRITE CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: NULL
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0xffffffff
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> == Signature Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> === Transform: c14n
>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>> === Transform: membuf-transform (href=NULL)
>>> == Signature Method:
>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>> == Signature Key:
>>> == KEY
>>> === method: RSAKeyValue
>>> === key type: Private
>>> === key usage: -1
>>> === rsa key: size = 2048
>>> == SignedInfo References List:
>>> === list size: 1
>>> = REFERENCE CALCULATION CONTEXT
>>> == Status: succeeded
>>> == URI: "#Manifest"
>>> == Reference Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri:
>>> === uri xpointer expr: #Manifest
>>> === Transform: xpointer
>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>> === Transform: enveloped-signature
>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>> === Transform: c14n
>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == Result - start buffer:
>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>> == Result - end buffer
>>> == Manifest References List:
>>> === list size: 2
>>> = REFERENCE CALCULATION CONTEXT
>>> == Status: succeeded
>>> == URI: ""
>>> == Reference Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> === Transform: enveloped-signature
>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>> === Transform: c14n
>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == PreDigest data - start buffer:
>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>>          <AcctOpngReq>
>>>                  <Refs>
>>>                          <MsgId>
>>> <Id>ABC/090928/CCT001</Id>
>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>                          </MsgId>
>>>                          <PrcId>
>>> <Id>ABC/090928/CCT001</Id>
>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>                          </PrcId>
>>>                  </Refs>
>>>                  <Acct>
>>>                          <Id>
>>>                                  <Othr>
>>> <Id>NOREF2</Id>
>>>                                  </Othr>
>>>                          </Id>
>>>                          <Tp>
>>>                                  <Cd>CASH</Cd>
>>>                          </Tp>
>>>                          <Ccy>USD</Ccy>
>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>> <MnthlyTxNb>100</MnthlyTxNb>
>>> <AvrgBal>10000</AvrgBal>
>>>                  </Acct>
>>>                  <CtrctDts>
>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>>                  </CtrctDts>
>>>                  <UndrlygMstrAgrmt>
>>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>>                          <Vrsn>1.0</Vrsn>
>>>                  </UndrlygMstrAgrmt>
>>>                  <AcctSvcrId>
>>>                          <FinInstnId>
>>> <BICFI>BBBBUS33</BICFI>
>>>                          </FinInstnId>
>>>                  </AcctSvcrId>
>>>                  <Org>
>>>                          <FullLglNm>ABC Corporation</FullLglNm>
>>> <CtryOfOpr>US</CtryOfOpr>
>>> <RegnDt>1999-09-01</RegnDt>
>>>                          <LglAdr>
>>>                                  <StrtNm>Times Square</StrtNm>
>>> <BldgNb>7</BldgNb>
>>>                                  <PstCd>NY 10036</PstCd>
>>>                                  <TwnNm>New York</TwnNm>
>>> <Ctry>US</Ctry>
>>>                          </LglAdr>
>>>                          <OrgId>
>>>                                  <Othr>
>>> <Id>01256485-85</Id>
>>>                                          <SchmeNm>
>>> <Prtry>TAX</Prtry>
>>>                                          </SchmeNm>
>>>                                  </Othr>
>>>                          </OrgId>
>>>                          <MainMndtHldr>
>>>                                  <Nm>Richard Jones</Nm>
>>>                                  <PstlAdr>
>>> <AdrTp>HOME</AdrTp>
>>>                                          <StrtNm>La Guardia Drive</StrtNm>
>>> <BldgNb>12</BldgNb>
>>>                                          <PstCd>NJ 07054</PstCd>
>>> <TwnNm>Parsippany</TwnNm>
>>> <Ctry>US</Ctry>
>>>                                  </PstlAdr>
>>>                                  <Id>
>>> <DtAndPlcOfBirth>
>>> <BirthDt>1960-05-01</BirthDt>
>>> <CityOfBirth>New york</CityOfBirth>
>>> <CtryOfBirth>US</CtryOfBirth>
>>> </DtAndPlcOfBirth>
>>>                                  </Id>
>>>                          </MainMndtHldr>
>>>                  </Org>
>>>                  <DgtlSgntr>
>>>                          <Pty>
>>> <Nm>fplou</Nm>
>>>                          </Pty>
>>>                          <Sgntr>
>>>
>>>                          </Sgntr>
>>>                  </DgtlSgntr>
>>>          </AcctOpngReq>
>>> </Document>
>>> == PreDigest data - end buffer
>>> == Result - start buffer:
>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>> == Result - end buffer
>>> = REFERENCE CALCULATION CONTEXT
>>> == Status: succeeded
>>> == URI: "sign.sh"
>>> == Reference Transform Ctx:
>>> == TRANSFORMS CTX (status=2)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: sign.sh
>>> === uri xpointer expr: NULL
>>> === Transform: input-uri (href=NULL)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == PreDigest data - start buffer:
>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>
>>> == PreDigest data - end buffer
>>> == Result - start buffer:
>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>> == Result - end buffer
>>> == Result - start buffer:
>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>> uD2ZSS1bWu236lKh1elKWw==
>>> == Result - end buffer
>>>
>>>
>>> François
>>>
>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>> Try "--store-references" option to see what exactly was signed. Just
>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>> suspicious.
>>>>
>>>> Aleksey
>>>>
>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>> Hi,
>>>>>
>>>>> I am facing an issue trying to sign an XML document which makes
>>>>> reference to an external file.
>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>> verified by tools like Apache XML Security.
>>>>> I am pretty sure there is something missing in the XML document I give
>>>>> to xmlsec but can't figure out what.
>>>>>
>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>> The command I use is: xmlsec1 --sign --output fpl.xml --privkey <key>
>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>> The output document is fpl.xml
>>>>>
>>>>> The digest which is not the same as the one computed by Apache XML
>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>
>>>>> I found that the expected digest matches the manifest3.xml file enclosed
>>>>> (I built it manually).
>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>
>>>>> Do you have any idea what can be wrong in my
>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file? Do I need to add a
>>>>> transform?
>>>>>
>>>>> Thanks for your help.
>>>>>
>>>>> Francois
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> xmlsec at aleksey.com
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>
>>>
>>>
>>
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20140410/b88bc0ba/attachment-0001.html>
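
Added example, not part of the thread or of xmlsec: the #Manifest result in the dump, 2jmj7l5rSw0yVb/vlWAYkK/YBwk=, is the base64 SHA-1 of zero bytes of input, and that reference is the one printed without a PreDigest buffer. The Python sketch below parses --store-references output (mail quote markers tolerated) and reports references whose digest equals that empty-input value; `SAMPLE` and the function names are constructed for illustration.

```python
import base64, hashlib, re

# Constructed sample, abbreviated from the dump quoted in the thread; the last
# buffer stands in for the signature value printed after the final reference.
SAMPLE = '''\
>>> = REFERENCE CALCULATION CONTEXT
>>> == URI: "#Manifest"
>>> == Result - start buffer:
>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>> == Result - end buffer
>>> = REFERENCE CALCULATION CONTEXT
>>> == URI: "sign.sh"
>>> == PreDigest data - start buffer:
>>> xmlsec1 --sign --output fpl.xml
>>> == PreDigest data - end buffer
>>> == Result - start buffer:
>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>> == Result - end buffer
>>> == Result - start buffer:
>>> c2lnbmF0dXJlLXZhbHVl
>>> == Result - end buffer
'''

def empty_digest(alg="sha1"):  # base64 digest of zero bytes of input
    return base64.b64encode(hashlib.new(alg, b"").digest()).decode()

def parse_references(dump):
    refs, cur, buf = [], None, None
    for raw in dump.splitlines():
        line = re.sub(r"^>+ ?", "", raw).rstrip()      # drop mail quote markers
        if line.startswith("= REFERENCE CALCULATION CONTEXT"):
            cur, buf = {"uri": None}, None
            refs.append(cur)
        elif cur is None:
            continue                                   # still in the signature header
        elif buf is not None:
            if re.fullmatch(r"== .* - end buffer", line):
                cur.setdefault(buf[0], "\n".join(buf[1]))  # first buffer of a kind wins
                buf = None
            else:
                buf[1].append(line)
        elif (m := re.fullmatch(r'== URI: "(.*)"', line)):
            cur["uri"] = m.group(1)
        elif (m := re.fullmatch(r"== (PreDigest data|Result) - start buffer:", line)):
            buf = (m.group(1), [])
    return refs

def empty_input_references(dump, alg="sha1"):  # URIs that digested nothing
    return [r["uri"] for r in parse_references(dump) if r.get("Result") == empty_digest(alg)]
```

A reference reported here had nothing reach its digest step, so the place to look is the node selection for that URI rather than canonicalization details.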