[xmlsec] xmlsec1 can't verify a signature (problem with --id-attr or --node-id ?)

Aleksey Sanin aleksey at aleksey.com
Mon Nov 10 18:10:07 PST 2014


The element with Id="IDC1141029105800p0100_SP" is located INSIDE the
<ds:Signature> node. Thus when the <ds:Signature> node is removed
by the enveloped transform all its children (including the element
with Id="IDC1141029105800p0100_SP") are removed as well. Thus the
empty output is correct.

Best,

Aleksey
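As an added illustration of the point above (example code written for this page, not part of the xmlsec project or the thread), the model below resolves a same-document Reference URI by Id and applies the enveloped-signature transform: the Reference to the outer Bordereau loses only the ds:Signature subtree, while the Reference to the XAdES SignedProperties, which sits inside ds:Signature, resolves to an empty node set. The sample document and Ids are constructed; a real verifier would still canonicalize the result with exc-c14n before digesting.

```python
import copy
import xml.etree.ElementTree as ET

DS, XAD = "http://www.w3.org/2000/09/xmldsig#", "http://uri.etsi.org/01903/v1.3.2#"
ENVELOPED = DS + "enveloped-signature"
ET.register_namespace("ds", DS)
ET.register_namespace("xad", XAD)

# Constructed sample (not the poster's file): the second Reference points at the
# XAdES SignedProperties element, which sits inside ds:Signature.
SAMPLE_XML = f"""<Bordereau Id="B01" xmlns:ds="{DS}" xmlns:xad="{XAD}">
  <BlocBordereau><Exer V="2014"/></BlocBordereau>
  <ds:Signature Id="SIG1">
    <ds:SignedInfo><ds:Reference URI="#B01"/><ds:Reference URI="#SIG1_SP"/></ds:SignedInfo>
    <ds:Object><xad:QualifyingProperties Target="#SIG1">
      <xad:SignedProperties Id="SIG1_SP"><xad:SignedSignatureProperties/></xad:SignedProperties>
    </xad:QualifyingProperties></ds:Object>
  </ds:Signature>
</Bordereau>"""

def find_by_id(root, elem_id, id_attr="Id"):
    """Resolve a same-document '#id' URI (what --id-attr:Id registers for xmlsec1)."""
    return next((el for el in root.iter() if el.get(id_attr) == elem_id), None)

def dereference(root, signature, uri, transforms):
    """Model the Reference node set after the transforms; '' means an empty node set."""
    target = find_by_id(root, uri.lstrip("#"))
    if target is None:
        raise ValueError(f"no element with Id matching {uri!r}")
    if ENVELOPED not in transforms:
        return ET.tostring(target, encoding="unicode")
    # Enveloped transform: drop the ds:Signature that carries this Reference.
    # If the target lives inside that ds:Signature, nothing is left to digest.
    if any(el is target for el in signature.iter()):
        return ""
    subtree = copy.deepcopy(target)
    parents = {child: parent for parent in subtree.iter() for child in parent}
    for el in list(subtree.iter(f"{{{DS}}}Signature")):
        if el.get("Id") == signature.get("Id"):
            parents[el].remove(el)
    return ET.tostring(subtree, encoding="unicode")

def check_sample():
    """Run both References of the sample (and the SP one without enveloped) through the model."""
    root = ET.fromstring(SAMPLE_XML)
    sig = root.find(f"{{{DS}}}Signature")
    return {"#B01": dereference(root, sig, "#B01", [ENVELOPED]),
            "#SIG1_SP": dereference(root, sig, "#SIG1_SP", [ENVELOPED]),
            "#SIG1_SP no-enveloped": dereference(root, sig, "#SIG1_SP", [])}
```

Dropping the enveloped-signature transform from the SignedProperties Reference (the last entry) is what makes that node set non-empty again, which matches the behaviour reported in the thread.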

On 11/10/14 7:32 AM, pfx wrote:
> I'm not sure ... Even if the signature is not valid, xmlsec can display
> the PreDigest data
> 
> After a lot of debug, I found the reason (but not the solution)
> 
> The file I want to check is strange ...
> 
> It contains 2 references in <ds:SignedInfo>
> 
> The first reference is correct (#B01201438 references an id of a parent
> element)
> 
>                     <ds:Reference URI="#B01201438">
>                         <ds:Transforms>
>                             <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                             <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                         </ds:Transforms>
>                         [...]
> 
> The second reference also contains a <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> (#IDC1141029105704p0100_SP references a Xades SignedProperties element
> => Signature/Object/QualifyingProperties/SignedProperties, therefore
> it's a child element of ds:Signature)
> 
>                     <ds:Reference URI="#IDC1141029105704p0100_SP">
>                         <ds:Transforms>
>                             <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                             <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                         </ds:Transforms>
>                         [...]
> 
> When xmlsec processes this reference, the output of C14N is empty
> If I remove the <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>, the
> output of C14N is correct
> My understanding is that "enveloped-signature" removes the node "Signature"
> from the tree of signed data
> 
> I do not understand the side effect of "enveloped-signature". In the
> best case, xmlsec should ignore the additional <ds:Transform ...
> enveloped-signature"/> (i.e. return the whole subtree)
> 
> What is your opinion?
> 
> On 07/11/2014 17:25, Aleksey Sanin wrote:
>> Well, according to the output.txt file, xmlsec simply stops on the
>> first failed Reference element since the signature will not be valid
>> anyway (see while() loop at the end of the
>> xmlSecDSigCtxProcessSignedInfoNode() function).
>>
>> Aleksey
>>
>> On 11/7/14 4:31 AM, pfx wrote:
>>> Hi!
>>>
>>> I have a signed xml file with Xades information
>>> I try to verify the signature with:
>>>
>>> $ xmlsec1 --verify --id-attr:Id Bordereau --id-attr:Id Signature
>>> --id-attr:Id SignedProperties --node-id IDC1141029105800p0100 test.xml
>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
>>> data:data and digest do not match
>>> FAIL
>>> SignedInfo References (ok/all): 1/2
>>>
>>> The first part of the signature is validated by xmlsec1,
>>> but it seems that xmlsec1 can't access the second part (Xades
>>> information)
>>>
>>> If I use the "--store-references" flags, I can see the "PreDigest data"
>>> of the first part, but xmlsec1 never displays the "PreDigest data" of
>>> the second part
>>>
>>> Here is an extract of the file
>>>         <Bordereau Id="*B01201462*">
>>>             <BlocBordereau>
>>>             ...
>>>             <ds:Signature Id="IDC1141029105800p0100">
>>>                 <ds:SignedInfo>
>>>                     <ds:CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                     <ds:SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>                     <ds:Reference URI="#*B01201462*">
>>>                         <ds:Transforms>
>>>                             <ds:Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>                             <ds:Transform
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                         </ds:Transforms>
>>>                         <ds:DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                         <ds:DigestValue>m24cE8pHsEwYBbVnCcUGUT49i3g=</ds:DigestValue>
>>>                     </ds:Reference>
>>>                     <ds:Reference URI="#*IDC1141029105800p0100_SP*">
>>>                         <ds:Transforms>
>>>                             <ds:Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>                             <ds:Transform
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                         </ds:Transforms>
>>>                         <ds:DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                         <ds:DigestValue>OgLDEJDln8+bp7jX1pxs5j/0poM=</ds:DigestValue>
>>>                     </ds:Reference>
>>>                 </ds:SignedInfo>
>>>                 ...
>>>                 <ds:Object Id="IDC1141029105800p0100_QI">
>>>                     <xad:QualifyingProperties
>>> Target="IDC1141029105800p0100">
>>>                         <xad:SignedProperties
>>> Id="*IDC1141029105800p0100_SP*">
>>>                             <xad:SignedSignatureProperties>
>>>                                 <xad:SigningTime>2014-10-29T09:58:00.191Z</xad:SigningTime>
>>>             </ds:Signature>
>>>         </Bordereau>
>>>
>>> And an extract of the output
>>>     = REFERENCE VERIFICATION CONTEXT
>>>     == Status: succeeded
>>>     == URI: "#B01201462"
>>> [...]
>>>     === uri:
>>>     === uri xpointer expr: #B01201462
>>>     === Transform: xpointer
>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>     === Transform: enveloped-signature
>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>     === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>>     === Transform: membuf-transform (href=NULL)
>>>     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>     === Transform: membuf-transform (href=NULL)
>>>     == Digest Method:
>>>     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>     == PreDigest data - start buffer:
>>>     <Bordereau Id="B01201462"><BlocBordereau><Exer
>>> V="2014"></Exer>.........</Bordereau>
>>>     == PreDigest data - end buffer
>>>     = REFERENCE VERIFICATION CONTEXT
>>>     == Status: invalid
>>>     == URI: "#IDC1141029105800p0100_SP"
>>> [...]
>>>     === uri:
>>>     === uri xpointer expr: #IDC1141029105800p0100_SP
>>>     === Transform: xpointer
>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>     === Transform: enveloped-signature
>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>     === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>>     === Transform: membuf-transform (href=NULL)
>>>     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>     === Transform: membuf-transform (href=NULL)
>>>     == Digest Method:
>>>     === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> => No PreDigest data here!
>>>
>>> Where is my mistake?
>>>
>>> I use xmlsec 1.2.18 (openssl)
>>> (here the full xml file and xmlsec output => http://dl.free.fr/ekDbPkF63)
>>>
>>> Regards,
>>>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
> 
> 
> 
> 
