[xmlsec] Fwd: Re: Bad digest in #Manifest

Aleksey Sanin aleksey at aleksey.com
Thu Apr 10 09:29:38 PDT 2014


To process manifests according to the xmldsig spec the ref type
should be specified:

  <Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest"
URI="#Manifest">
  ...
  </>

XMLSec package contains a few test vectors that show manifests usage.

Best,

Aleksey

On 4/10/14, 5:40 AM, François Plou wrote:
> I found the problem, but don't know yet what really happens in the
> source code.
> I put some traces and I discovered that digest
> 2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer.
> If you execute the following command openssl dgst -sha1 -binary
> /dev/null | openssl enc -base64, you also get this digest.
> 
> So it seems xmlsec1 can't process correctly the #Manifest part :
> 
>                     <Object>
>                         <Manifest Id="Manifest">
>                             <Reference URI="">
>                             <Transforms>
>                                 <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                             </Transforms>
>                             <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                             <DigestValue></DigestValue>
>                             </Reference>
>                             <Reference URI="sign.sh">
>                                 <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                                 <DigestValue></DigestValue>
>                             </Reference>
>                         </Manifest>
>                     </Object>
> 
> 
> Regards.
> 
> François
> 
> Le 10/04/2014 11:31, François Plou a écrit :
>> Not really :-(
>>
>> The store-references option does not display the xml part who matches
>> the digest displayed :
>>
>> == Status: succeeded
>> == URI: "#Manifest"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #Manifest
>> === Transform: xpointer
>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: enveloped-signature
>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: c14n
>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == Result - start buffer:
>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>> == Result - end buffer
>> The #Manifest is processed and --store-references provides the digest
>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part who was used to
>> provide this digest.
>>
>> This digest does not match the one produced by Apache XML Security.
>> Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= who match the
>> following XML part :
>>
>> <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
>>                             <Reference URI="">
>>                             <Transforms>
>>                                 <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>>                             </Transforms>
>>                             <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>                            
>> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
>>                             </Reference>
>>                             <Reference URI="sign.sh">
>>                                 <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>                                
>> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
>>                             </Reference>
>>                         </Manifest>
>>
>> So I am trying to figure what XML part is used by xmlsec1.
>>
>> Regards
>>
>> François
>>
>> Le 09/04/2014 20:12, Aleksey Sanin a écrit :
>>> This is exactly what  --store-references  option does :)
>>>
>>> Aleksey
>>>
>>> On 4/9/14, 10:15 AM, François Plou wrote:
>>>> Hi,
>>>>
>>>> I am trying to discover what xml part is digested to understand why I
>>>> got another digest value than the one calculated by java XmlDsig API.
>>>> To do that I try to add some trace in the code just before the digest
>>>> algorithm but I was unable yet to find the right position.
>>>> Could you provide me a clue where to add trace in the source code ?
>>>>
>>>> Thanks for your help.
>>>>
>>>> Francois
>>>>
>>>>
>>>> Le 07/04/2014 14:49, François Plou a écrit :
>>>>> Hi,
>>>>>
>>>>> Below is the result of --store-references option :
>>>>>
>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>>>> = SIGNATURE CONTEXT
>>>>> == Status: succeeded
>>>>> == flags: 0x00000006
>>>>> == flags2: 0x00000000
>>>>> == Key Info Read Ctx:
>>>>> = KEY INFO READ CONTEXT
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled key data: all
>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>> == TRANSFORMS CTX (status=0)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> == EncryptedKey level (cur/max): 0/1
>>>>> === KeyReq:
>>>>> ==== keyId: rsa
>>>>> ==== keyType: 0x00000002
>>>>> ==== keyUsage: 0x00000001
>>>>> ==== keyBitsSize: 0
>>>>> === list size: 0
>>>>> == Key Info Write Ctx:
>>>>> = KEY INFO WRITE CONTEXT
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled key data: all
>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>> == TRANSFORMS CTX (status=0)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> == EncryptedKey level (cur/max): 0/1
>>>>> === KeyReq:
>>>>> ==== keyId: NULL
>>>>> ==== keyType: 0x00000001
>>>>> ==== keyUsage: 0xffffffff
>>>>> ==== keyBitsSize: 0
>>>>> === list size: 0
>>>>> == Signature Transform Ctx:
>>>>> == TRANSFORMS CTX (status=2)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> === Transform: c14n
>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> == Signature Method:
>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>> == Signature Key:
>>>>> == KEY
>>>>> === method: RSAKeyValue
>>>>> === key type: Private
>>>>> === key usage: -1
>>>>> === rsa key: size = 2048
>>>>> == SignedInfo References List:
>>>>> === list size: 1
>>>>> = REFERENCE CALCULATION CONTEXT
>>>>> == Status: succeeded
>>>>> == URI: "#Manifest"
>>>>> == Reference Transform Ctx:
>>>>> == TRANSFORMS CTX (status=2)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri:
>>>>> === uri xpointer expr: #Manifest
>>>>> === Transform: xpointer
>>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>>> === Transform: enveloped-signature
>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>> === Transform: c14n
>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> == Digest Method:
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> == Result - start buffer:
>>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>> == Result - end buffer
>>>>> == Manifest References List:
>>>>> === list size: 2
>>>>> = REFERENCE CALCULATION CONTEXT
>>>>> == Status: succeeded
>>>>> == URI: ""
>>>>> == Reference Transform Ctx:
>>>>> == TRANSFORMS CTX (status=2)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: NULL
>>>>> === uri xpointer expr: NULL
>>>>> === Transform: enveloped-signature
>>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>> === Transform: c14n
>>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> == Digest Method:
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> == PreDigest data - start buffer:
>>>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>>>>         <AcctOpngReq>
>>>>>                 <Refs>
>>>>>                         <MsgId>
>>>>> <Id>ABC/090928/CCT001</Id>
>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>                         </MsgId>
>>>>>                         <PrcId>
>>>>> <Id>ABC/090928/CCT001</Id>
>>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>                         </PrcId>
>>>>>                 </Refs>
>>>>>                 <Acct>
>>>>>                         <Id>
>>>>>                                 <Othr>
>>>>> <Id>NOREF2</Id>
>>>>>                                 </Othr>
>>>>>                         </Id>
>>>>>                         <Tp>
>>>>>                                 <Cd>CASH</Cd>
>>>>>                         </Tp>
>>>>>                         <Ccy>USD</Ccy>
>>>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>>>> <MnthlyTxNb>100</MnthlyTxNb>
>>>>> <AvrgBal>10000</AvrgBal>
>>>>>                 </Acct>
>>>>>                 <CtrctDts>
>>>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>>>>                 </CtrctDts>
>>>>>                 <UndrlygMstrAgrmt>
>>>>> <Ref>ABC/Acct/BBBBUS33</Ref>
>>>>>                         <Vrsn>1.0</Vrsn>
>>>>>                 </UndrlygMstrAgrmt>
>>>>>                 <AcctSvcrId>
>>>>>                         <FinInstnId>
>>>>> <BICFI>BBBBUS33</BICFI>
>>>>>                         </FinInstnId>
>>>>>                 </AcctSvcrId>
>>>>>                 <Org>
>>>>>                         <FullLglNm>ABC Corporation</FullLglNm>
>>>>> <CtryOfOpr>US</CtryOfOpr>
>>>>> <RegnDt>1999-09-01</RegnDt>
>>>>>                         <LglAdr>
>>>>>                                 <StrtNm>Times Square</StrtNm>
>>>>> <BldgNb>7</BldgNb>
>>>>>                                 <PstCd>NY 10036</PstCd>
>>>>>                                 <TwnNm>New York</TwnNm>
>>>>> <Ctry>US</Ctry>
>>>>>                         </LglAdr>
>>>>>                         <OrgId>
>>>>>                                 <Othr>
>>>>> <Id>01256485-85</Id>
>>>>>                                         <SchmeNm>
>>>>> <Prtry>TAX</Prtry>
>>>>>                                         </SchmeNm>
>>>>>                                 </Othr>
>>>>>                         </OrgId>
>>>>>                         <MainMndtHldr>
>>>>>                                 <Nm>Richard Jones</Nm>
>>>>>                                 <PstlAdr>
>>>>> <AdrTp>HOME</AdrTp>
>>>>>                                         <StrtNm>La Guardia Drive</StrtNm>
>>>>> <BldgNb>12</BldgNb>
>>>>>                                         <PstCd>NJ 07054</PstCd>
>>>>> <TwnNm>Parsippany</TwnNm>
>>>>> <Ctry>US</Ctry>
>>>>>                                 </PstlAdr>
>>>>>                                 <Id>
>>>>> <DtAndPlcOfBirth>
>>>>> <BirthDt>1960-05-01</BirthDt>
>>>>> <CityOfBirth>New york</CityOfBirth>
>>>>> <CtryOfBirth>US</CtryOfBirth>
>>>>> </DtAndPlcOfBirth>
>>>>>                                 </Id>
>>>>>                         </MainMndtHldr>
>>>>>                 </Org>
>>>>>                 <DgtlSgntr>
>>>>>                         <Pty>
>>>>> <Nm>fplou</Nm>
>>>>>                         </Pty>
>>>>>                         <Sgntr>
>>>>>
>>>>>                         </Sgntr>
>>>>>                 </DgtlSgntr>
>>>>>         </AcctOpngReq>
>>>>> </Document>
>>>>> == PreDigest data - end buffer
>>>>> == Result - start buffer:
>>>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>>>> == Result - end buffer
>>>>> = REFERENCE CALCULATION CONTEXT
>>>>> == Status: succeeded
>>>>> == URI: "sign.sh"
>>>>> == Reference Transform Ctx:
>>>>> == TRANSFORMS CTX (status=2)
>>>>> == flags: 0x00000000
>>>>> == flags2: 0x00000000
>>>>> == enabled transforms: all
>>>>> === uri: sign.sh
>>>>> === uri xpointer expr: NULL
>>>>> === Transform: input-uri (href=NULL)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>> === Transform: membuf-transform (href=NULL)
>>>>> == Digest Method:
>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>> == PreDigest data - start buffer:
>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>
>>>>> == PreDigest data - end buffer
>>>>> == Result - start buffer:
>>>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>>>> == Result - end buffer
>>>>> == Result - start buffer:
>>>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>>>> uD2ZSS1bWu236lKh1elKWw==
>>>>> == Result - end buffer
>>>>>
>>>>>
>>>>> François
>>>>>
>>>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>>>> Try "--store-references" option to see what exactly was signed. Just
>>>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>>>> suspicious.
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am facing an issue trying to sign an xml document which makes
>>>>>>> reference to an external file.
>>>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>>>> verified by
>>>>>>> tool like Apache XML Security.
>>>>>>> I am pretty sure there is something missing in the XML document I give
>>>>>>> to xmlsec but can't figure what.
>>>>>>>
>>>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key>
>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>> The output document is fpl.xml
>>>>>>>
>>>>>>> The digest which is not the same as the one computed by Apache XML
>>>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>>>
>>>>>>> I found that the expecting digest match the manifest3.xml file enclosed
>>>>>>> (I built it manually).
>>>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>>>
>>>>>>> Do you have any idea what can be wrong in my
>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>>>>>> transform ?
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>>> Francois
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> xmlsec mailing list
>>>>>>> xmlsec at aleksey.com
>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> xmlsec mailing list
>>>> xmlsec at aleksey.com
>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>
>>
> 


More information about the xmlsec mailing list