[xmlsec] Fwd: Re: Bad digest in #Manifest

Aleksey Sanin aleksey at aleksey.com
Thu Apr 10 09:26:36 PDT 2014


"== PreDigest data - start buffer: " element gives you the data right
before the hash is calculated

Aleksey

On 4/10/14, 2:31 AM, François Plou wrote:
> Not really :-(
> 
> The store-references option does not display the xml part who matches
> the digest displayed :
> 
> == Status: succeeded
> == URI: "#Manifest"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri:
> === uri xpointer expr: #Manifest
> === Transform: xpointer
> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: enveloped-signature
> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n
> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Result - start buffer:
> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
> == Result - end buffer
> 
> The #Manifest is processed and --store-references provides the digest
> 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part who was used to provide
> this digest.
> 
> This digest does not match the one produced by Apache XML Security.
> Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= who match the following
> XML part :
> 
> <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
>                             <Reference URI="">
>                             <Transforms>
>                                 <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>                             </Transforms>
>                             <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>                            
> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
>                             </Reference>
>                             <Reference URI="sign.sh">
>                                 <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>                                
> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
>                             </Reference>
>                         </Manifest>
> 
> So I am trying to figure what XML part is used by xmlsec1.
> 
> Regards
> 
> François
> 
> Le 09/04/2014 20:12, Aleksey Sanin a écrit :
>> This is exactly what  --store-references  option does :)
>>
>> Aleksey
>>
>> On 4/9/14, 10:15 AM, François Plou wrote:
>>> Hi,
>>>
>>> I am trying to discover what xml part is digested to understand why I
>>> got another digest value than the one calculated by java XmlDsig API.
>>> To do that I try to add some trace in the code just before the digest
>>> algorithm but I was unable yet to find the right position.
>>> Could you provide me a clue where to add trace in the source code ?
>>>
>>> Thanks for your help.
>>>
>>> Francois
>>>
>>>
>>> Le 07/04/2014 14:49, François Plou a écrit :
>>>> Hi,
>>>>
>>>> Below is the result of --store-references option :
>>>>
>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>>> = SIGNATURE CONTEXT
>>>> == Status: succeeded
>>>> == flags: 0x00000006
>>>> == flags2: 0x00000000
>>>> == Key Info Read Ctx:
>>>> = KEY INFO READ CONTEXT
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled key data: all
>>>> == RetrievalMethod level (cur/max): 0/1
>>>> == TRANSFORMS CTX (status=0)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: NULL
>>>> === uri xpointer expr: NULL
>>>> == EncryptedKey level (cur/max): 0/1
>>>> === KeyReq:
>>>> ==== keyId: rsa
>>>> ==== keyType: 0x00000002
>>>> ==== keyUsage: 0x00000001
>>>> ==== keyBitsSize: 0
>>>> === list size: 0
>>>> == Key Info Write Ctx:
>>>> = KEY INFO WRITE CONTEXT
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled key data: all
>>>> == RetrievalMethod level (cur/max): 0/1
>>>> == TRANSFORMS CTX (status=0)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: NULL
>>>> === uri xpointer expr: NULL
>>>> == EncryptedKey level (cur/max): 0/1
>>>> === KeyReq:
>>>> ==== keyId: NULL
>>>> ==== keyType: 0x00000001
>>>> ==== keyUsage: 0xffffffff
>>>> ==== keyBitsSize: 0
>>>> === list size: 0
>>>> == Signature Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: NULL
>>>> === uri xpointer expr: NULL
>>>> === Transform: c14n
>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Signature Method:
>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>> == Signature Key:
>>>> == KEY
>>>> === method: RSAKeyValue
>>>> === key type: Private
>>>> === key usage: -1
>>>> === rsa key: size = 2048
>>>> == SignedInfo References List:
>>>> === list size: 1
>>>> = REFERENCE CALCULATION CONTEXT
>>>> == Status: succeeded
>>>> == URI: "#Manifest"
>>>> == Reference Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri:
>>>> === uri xpointer expr: #Manifest
>>>> === Transform: xpointer
>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>> === Transform: enveloped-signature
>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>> === Transform: c14n
>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>> === Transform: membuf-transform (href=NULL)
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Digest Method:
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> == Result - start buffer:
>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>> == Result - end buffer
>>>> == Manifest References List:
>>>> === list size: 2
>>>> = REFERENCE CALCULATION CONTEXT
>>>> == Status: succeeded
>>>> == URI: ""
>>>> == Reference Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: NULL
>>>> === uri xpointer expr: NULL
>>>> === Transform: enveloped-signature
>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>> === Transform: c14n
>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>> === Transform: membuf-transform (href=NULL)
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Digest Method:
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> == PreDigest data - start buffer:
>>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>>>         <AcctOpngReq>
>>>>                 <Refs>
>>>>                         <MsgId>
>>>> <Id>ABC/090928/CCT001</Id>
>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>                         </MsgId>
>>>>                         <PrcId>
>>>> <Id>ABC/090928/CCT001</Id>
>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>                         </PrcId>
>>>>                 </Refs>
>>>>                 <Acct>
>>>>                         <Id>
>>>>                                 <Othr>
>>>> <Id>NOREF2</Id>
>>>>                                 </Othr>
>>>>                         </Id>
>>>>                         <Tp>
>>>>                                 <Cd>CASH</Cd>
>>>>                         </Tp>
>>>>                         <Ccy>USD</Ccy>
>>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>>> <MnthlyTxNb>100</MnthlyTxNb>
>>>> <AvrgBal>10000</AvrgBal>
>>>>                 </Acct>
>>>>                 <CtrctDts>
>>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>>>                 </CtrctDts>
>>>>                 <UndrlygMstrAgrmt>
>>>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>>>                         <Vrsn>1.0</Vrsn>
>>>>                 </UndrlygMstrAgrmt>
>>>>                 <AcctSvcrId>
>>>>                         <FinInstnId>
>>>> <BICFI>BBBBUS33</BICFI>
>>>>                         </FinInstnId>
>>>>                 </AcctSvcrId>
>>>>                 <Org>
>>>>                         <FullLglNm>ABC Corporation</FullLglNm>
>>>> <CtryOfOpr>US</CtryOfOpr>
>>>> <RegnDt>1999-09-01</RegnDt>
>>>>                         <LglAdr>
>>>>                                 <StrtNm>Times Square</StrtNm>
>>>> <BldgNb>7</BldgNb>
>>>>                                 <PstCd>NY 10036</PstCd>
>>>>                                 <TwnNm>New York</TwnNm>
>>>> <Ctry>US</Ctry>
>>>>                         </LglAdr>
>>>>                         <OrgId>
>>>>                                 <Othr>
>>>> <Id>01256485-85</Id>
>>>>                                         <SchmeNm>
>>>> <Prtry>TAX</Prtry>
>>>>                                         </SchmeNm>
>>>>                                 </Othr>
>>>>                         </OrgId>
>>>>                         <MainMndtHldr>
>>>>                                 <Nm>Richard Jones</Nm>
>>>>                                 <PstlAdr>
>>>> <AdrTp>HOME</AdrTp>
>>>>                                         <StrtNm>La Guardia Drive</StrtNm>
>>>> <BldgNb>12</BldgNb>
>>>>                                         <PstCd>NJ 07054</PstCd>
>>>> <TwnNm>Parsippany</TwnNm>
>>>> <Ctry>US</Ctry>
>>>>                                 </PstlAdr>
>>>>                                 <Id>
>>>> <DtAndPlcOfBirth>
>>>> <BirthDt>1960-05-01</BirthDt>
>>>> <CityOfBirth>New york</CityOfBirth>
>>>> <CtryOfBirth>US</CtryOfBirth>
>>>> </DtAndPlcOfBirth>
>>>>                                 </Id>
>>>>                         </MainMndtHldr>
>>>>                 </Org>
>>>>                 <DgtlSgntr>
>>>>                         <Pty>
>>>> <Nm>fplou</Nm>
>>>>                         </Pty>
>>>>                         <Sgntr>
>>>>
>>>>                         </Sgntr>
>>>>                 </DgtlSgntr>
>>>>         </AcctOpngReq>
>>>> </Document>
>>>> == PreDigest data - end buffer
>>>> == Result - start buffer:
>>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>>> == Result - end buffer
>>>> = REFERENCE CALCULATION CONTEXT
>>>> == Status: succeeded
>>>> == URI: "sign.sh"
>>>> == Reference Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri: sign.sh
>>>> === uri xpointer expr: NULL
>>>> === Transform: input-uri (href=NULL)
>>>> === Transform: membuf-transform (href=NULL)
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Digest Method:
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> == PreDigest data - start buffer:
>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>
>>>> == PreDigest data - end buffer
>>>> == Result - start buffer:
>>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>>> == Result - end buffer
>>>> == Result - start buffer:
>>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>>> uD2ZSS1bWu236lKh1elKWw==
>>>> == Result - end buffer
>>>>
>>>>
>>>> François
>>>>
>>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>>> Try "--store-references" option to see what exactly was signed. Just
>>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>>> suspicious.
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am facing an issue trying to sign an xml document which makes
>>>>>> reference to an external file.
>>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>>> verified by
>>>>>> tool like Apache XML Security.
>>>>>> I am pretty sure there is something missing in the XML document I give
>>>>>> to xmlsec but can't figure what.
>>>>>>
>>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>> The output document is fpl.xml
>>>>>>
>>>>>> The digest which is not the same as the one computed by Apache XML
>>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>>
>>>>>> I found that the expecting digest match the manifest3.xml file enclosed
>>>>>> (I built it manually).
>>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>>
>>>>>> Do you have any idea what can be wrong in my
>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>>>>> transform ?
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>> Francois
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> xmlsec mailing list
>>>>>> xmlsec at aleksey.com
>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
> 
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 


More information about the xmlsec mailing list