[xmlsec] XMLSEC Question: "signature does not verify" always

Aleksey Sanin aleksey at aleksey.com
Wed Nov 25 18:40:51 PST 2020 

It is not possible to debug it w/o having the signer along. I would 
check how c14n is performed on both sides.

Aleksey

On 11/24/20 2:58 PM, Márk BARTOS wrote:
> Hello,
> 
> I apologize if this is not the right place to ask.
> 
> I'd like to ask for pointers why signature verification always fails. 
> (xmlsec/xmlsec-openssl 1.2.31)
> With this error:
> func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha256:subj=unknown:error=18:data 
> do not match:details=EVP_VerifyFinal: signature does not verify
> 
> Since my data (from 3rdparty, known to be good) is detached I use xmlsec 
> io callbacks to read the data.
> I know here there is no error, since if I intentionally leave the last 
> byte, the digests do not match, and the verification exits sooner with 
> that error.
> 
> I also know the CA cert I use verifies the embedded cert because if I 
> set a known bad cert the verification again exits very soon with the 
> "unable to verify known issuer" error.
> 
> Thus I do not understand what I am missing. Could you provide some pointers?
> 
> Thank you.
> 
> Signatures.xml:
> <?xml version="1.0"encoding="UTF-8"?>
> <asic:XAdESSignatures xmlns:asic="http://uri.etsi.org/02918/v1.2.1# 
> <http://uri.etsi.org/02918/v1.2.1#>">
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig# 
> <http://www.w3.org/2000/09/xmldsig#>"Id="Signature-1">
> <SignedInfo Id="Signature-1__SignedInfo-1">
> <CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# 
> <http://www.w3.org/2001/10/xml-exc-c14n#>"></CanonicalizationMethod>
> <SignatureMethod 
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 
> <http://www.w3.org/2001/04/xmldsig-more#rsa-sha256>"></SignatureMethod>
> <Reference 
> Id="Signature-1__Reference-1"Type="http://uri.etsi.org/01903#SignedProperties 
> <http://uri.etsi.org/01903#SignedProperties>"URI="#Signature-1__SignedProperties-1">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# 
> <http://www.w3.org/2001/10/xml-exc-c14n#>"></Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 
> <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod>
> <DigestValue>qIYr8zG/J0LWT8H3/WzaX+kMBkWdlOIgVOezVmyRzm8=</DigestValue>
> </Reference>
> <Reference Id="Signature-1__Reference-2"URI="pack_other_1.csv">
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 
> <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod>
> <DigestValue>XyV+GBMP3La9CPNW9Cze75tKFIfymZKujciJmXTmMUk=</DigestValue>
> </Reference>
> <Reference Id="Signature-1__Reference-3"URI="pack_mobile_1.csv">
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 
> <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod>
> <DigestValue>lVFUCp2gUnfLagRujP5ZsT9uvm7gmAZzppnvuqo6vp0=</DigestValue>
> </Reference>
> <Reference Id="Signature-1__Reference-4"URI="pack_fix_1.csv">
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 
> <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod>
> <DigestValue>c/GS40xgZnkj//07+uC7wPPBa7a7xvvXlgcTJekuqGI=</DigestValue>
> </Reference>
> <Reference Id="Signature-1__Reference-5"URI="pack_location_1.csv">
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 
> <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod>
> <DigestValue>uupcGpfOSSNFpZKiqr7jGYKr8gds422ZNLCMw+9YNWY=</DigestValue>
> </Reference>
> <Reference Id="Signature-1__Reference-6"URI="pack_fix_2.csv">
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 
> <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod>
> <DigestValue>C27xuWDL+IpkQHo1A7mKNGBQEDnYwsWmnohgPu+Oib0=</DigestValue>
> </Reference>
> <Reference Id="Signature-1__Reference-7"URI="pack_mobile_2.csv">
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 
> <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod>
> <DigestValue>1QyKiZ8V5bNszzMMJm38cQ3LvZ96zW8++U3+5a7zui0=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue Id="Signature-1__SignatureValue-1">
> omitted
> </SignatureValue>
> <KeyInfo Id="Signature-1__KeyInfo-1">
> <X509Data>
> <X509Certificate>
> omitted
> </X509Certificate>
> </X509Data>
> </KeyInfo>
> 
> <Object Id="Signature-1__Object-1">
> <QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.3.2# 
> <http://uri.etsi.org/01903/v1.3.2#>"Id="Signature-1__QualifyingProperties-1"Target="#Signature-1">
> <SignedProperties Id="Signature-1__SignedProperties-1">
> <SignedSignatureProperties>
> <SigningTime>2020-11-11T11:17:35Z</SigningTime>
> <SigningCertificate>
> <Cert>
> <CertDigest>
> <DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig# 
> <http://www.w3.org/2000/09/xmldsig#>"Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 
> <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod>
> <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig# 
> <http://www.w3.org/2000/09/xmldsig#>">omitted</DigestValue>
> </CertDigest>
> <IssuerSerial>
> <X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig# 
> <http://www.w3.org/2000/09/xmldsig#>">omitted</X509IssuerName>
> <X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig# 
> <http://www.w3.org/2000/09/xmldsig#>">omitted</X509SerialNumber>
> </IssuerSerial>
> </Cert>
> </SigningCertificate>
> <SignaturePolicyIdentifier>
> <SignaturePolicyImplied></SignaturePolicyImplied>
> </SignaturePolicyIdentifier>
> </SignedSignatureProperties>
> <SignedDataObjectProperties>
> <DataObjectFormat ObjectReference="#Signature-1__Reference-2">
> <MimeType>text/csv</MimeType>
> </DataObjectFormat>
> <DataObjectFormat ObjectReference="#Signature-1__Reference-3">
> <MimeType>text/csv</MimeType>
> </DataObjectFormat>
> <DataObjectFormat ObjectReference="#Signature-1__Reference-4">
> <MimeType>text/csv</MimeType>
> </DataObjectFormat>
> <DataObjectFormat ObjectReference="#Signature-1__Reference-5">
> <MimeType>text/csv</MimeType>
> </DataObjectFormat>
> <DataObjectFormat ObjectReference="#Signature-1__Reference-6">
> <MimeType>text/csv</MimeType>
> </DataObjectFormat>
> <DataObjectFormat ObjectReference="#Signature-1__Reference-7">
> <MimeType>text/csv</MimeType>
> </DataObjectFormat>
> </SignedDataObjectProperties>
> </SignedProperties>
> </QualifyingProperties>
> </Object>
> </Signature>
> </asic:XAdESSignatures>
> 
> Best regards,
> 
> Márk
> 
> /This e-mail and any attachments is intended solely for the addressee. 
> If you are not the addressee please do not read, print, re-transmit, 
> store or act in reliance on it or any attachments. Instead, please email 
> it back to the sender and then immediately permanently delete it. Any 
> disclosure, reproduction, distribution or other use of this message or 
> any attachments by an individual or entity other than the intended 
> recipient is prohibited./

More information about the xmlsec mailing list