[xmlsec] xmlsec1 can't verify a signature (problem with --id-attr or --node-id ?)
pfx
pf.prologue at gmail.com
Fri Nov 7 04:31:55 PST 2014
Hi!
I have a signed xml file with Xades information.
I try to verify the signature with:
$ xmlsec1 --verify --id-attr:Id Bordereau --id-attr:Id Signature \
    --id-attr:Id SignedProperties --node-id IDC1141029105800p0100 test.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
data:data and digest do not match
FAIL
SignedInfo References (ok/all): 1/2
The first part of the signature is validated by xmlsec1,
but it seems that xmlsec1 can't access the second part (Xades
information).
If I use the "--store-references" flag, I can see the "PreDigest data"
of the first part, but xmlsec1 never displays the "PreDigest data" of
the second part.
Here is an extract of the file:
<Bordereau Id="B01201462">
<BlocBordereau>
...
<ds:Signature Id="IDC1141029105800p0100">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#B01201462">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>m24cE8pHsEwYBbVnCcUGUT49i3g=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#IDC1141029105800p0100_SP">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>OgLDEJDln8+bp7jX1pxs5j/0poM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
...
<ds:Object Id="IDC1141029105800p0100_QI">
<xad:QualifyingProperties
Target="IDC1141029105800p0100">
<xad:SignedProperties
Id="IDC1141029105800p0100_SP">
<xad:SignedSignatureProperties>
<xad:SigningTime>2014-10-29T09:58:00.191Z</xad:SigningTime>
</ds:Signature>
</Bordereau>
And an extract of the output:
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#B01201462"
[...]
=== uri:
=== uri xpointer expr: #B01201462
=== Transform: xpointer
(href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Bordereau Id="B01201462"><BlocBordereau><Exer
V="2014"></Exer>.........</Bordereau>
== PreDigest data - end buffer
= REFERENCE VERIFICATION CONTEXT
== Status: invalid
== URI: "#IDC1141029105800p0100_SP"
[...]
=== uri:
=== uri xpointer expr: #IDC1141029105800p0100_SP
=== Transform: xpointer
(href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=> No PreDigest data here!
Where is my mistake?
I use xmlsec 1.2.18 (openssl).
(Here are the full xml file and xmlsec output: http://dl.free.fr/ekDbPkF63)
Regards,
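As an added example (not code from the original post or from xmlsec), the following Python models the step the output above shows: resolving each ds:Reference through its Id attribute, as --id-attr:Id registers them, and applying the enveloped-signature transform, which per XMLDSIG section 6.6.4 removes the ds:Signature being verified together with everything under it from the node-set. The document, its Id values and the xad namespace URI are constructed, and the stdlib C14N 2.0 stands in for exc-c14n, so the digest values are illustrative; passing an empty transform list for the SignedProperties reference shows what that reference's node-set looks like without the enveloped-signature transform.

```python
import base64, copy, hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS_NS + "enveloped-signature"
ET.register_namespace("ds", DS_NS)
ET.register_namespace("xad", "urn:example:xades")  # constructed placeholder namespace

# Constructed document shaped like the poster's; Id values are placeholders.
DOC = f"""<Bordereau Id="B01" xmlns:ds="{DS_NS}" xmlns:xad="urn:example:xades">
 <BlocBordereau><Exer V="2014"/></BlocBordereau>
 <ds:Signature Id="SIG1"><ds:SignedInfo>
  <ds:Reference URI="#B01"><ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms></ds:Reference>
  <ds:Reference URI="#SIG1_SP"><ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms></ds:Reference>
 </ds:SignedInfo><ds:Object><xad:QualifyingProperties Target="#SIG1">
  <xad:SignedProperties Id="SIG1_SP"><xad:SignedSignatureProperties>
   <xad:SigningTime>2014-10-29T09:58:00Z</xad:SigningTime>
  </xad:SignedSignatureProperties></xad:SignedProperties>
 </xad:QualifyingProperties></ds:Object></ds:Signature>
</Bordereau>"""

def find_by_id(root, id_value):
    """Resolve a same-document URI "#x" via Id attributes (what --id-attr:Id registers)."""
    return next((e for e in root.iter() if e.get("Id") == id_value), None)

def predigest(root, uri, algs, signature_id):
    """Bytes handed to DigestMethod for one Reference (b"" when the node-set is empty)."""
    doc = copy.deepcopy(root)  # transforms operate on a copy of the parsed document
    if ENVELOPED in algs:
        # XMLDSIG 6.6.4: drop the ds:Signature under verification, with all its descendants
        parent = {c: p for p in doc.iter() for c in p}
        sig = find_by_id(doc, signature_id)
        parent[sig].remove(sig)
    target = find_by_id(doc, uri.lstrip("#"))
    if target is None:  # the target sat inside ds:Signature: no PreDigest data
        return b""
    # stdlib C14N 2.0 stands in for exc-c14n, so digest values are illustrative
    return ET.canonicalize(ET.tostring(target, encoding="unicode")).encode()

def check_references(xml_text, signature_id, overrides=None):
    """Map each Reference URI to (PreDigest byte count, base64 SHA-1); overrides={uri: algs}."""
    root = ET.fromstring(xml_text)
    result = {}
    for ref in find_by_id(root, signature_id).iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI")
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DS_NS}}}Transform")]
        if overrides and uri in overrides:
            algs = overrides[uri]
        data = predigest(root, uri, algs, signature_id)
        result[uri] = (len(data), base64.b64encode(hashlib.sha1(data).digest()).decode())
    return result
```

With the declared transforms the SignedProperties reference digests zero bytes, which is the "No PreDigest data" case; with `overrides={"#SIG1_SP": []}` it digests the canonicalised SignedProperties element.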