<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<DSAKeyValue Id="foo">
...
</DSAKeyValue>
</KeyValue>
</KeyInfo>
And there is a bug in xmlsec :( Thanks for finding it!
Aleksey
Aleksey Sanin wrote:
Thanks, the file made it clear: you have a mistake in your file.
The reference URI in RetrievalMethod should point to the
KeyValue, not the KeyInfo. It is not clear from the spec but take
a look at the XML DSig archive:
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001JanMar/0068.html
The correct file in your case should look like this one:
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue Id="foo">
<DSAKeyValue>
...
</DSAKeyValue>
</KeyValue>
</KeyInfo>
Aleksey
John Belmonte wrote:
Aleksey Sanin wrote:
How do you verify signature? Do you use xmlsec application or your code?
Sorry about that, I'm using the xmlsec application. That's what I meant by "xmlsec tool".
I'll attach the actual xml. To verify, I run:
xmlsec verify <file>
-John
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
<Data> Hello, World! </Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>VweSIbNEl2P2r6lm+OL7hVJTwt8=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>HfKV8YVy6s+YIEejVAXMW1wUlq8KXQH+XNMQmwDOkdzMMnIvgTOtUw==</SignatureValue>
<KeyInfo>
<RetrievalMethod URI="#foo"/>
</KeyInfo>
</Signature>
<KeyInfo Id="foo" xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<DSAKeyValue>
<P>
iqx200qTk5ojXcvGRmTXtwLmBwDrmWoBfl0L1VzxQm0BDjmnVgoCIiyeeYQH7YDB
iuP7f2AcJrocqaBa4pi+hG1pu/WfAyc2sc9dPavAqDo99ywL58dhE3blIL/bXhy7
MH4NzXY7196xTCuZyMBnZQ3qxUReghREd22m2YmFe60=
</P>
<Q>
nAIxeeJw9cjPjjD5NPT4X4I1eqU=
</Q>
<G>
Wai06HIyzWrDJzaMtPeYbi3DXlIf0N9eBgEcDDvK77ikG8+9A9iw6ymStZJdummy
MpBEKh7rSQ9GfaGvrBUyUlS34qaH7dvMfTHPWV9y1xaSysjuUT7U0dOxeBQw4uDF
sQXwcJS+UT/twnWlYBf1L5OdNy4mq0wib6pfevWsLEo=
</G>
<Y>
Oux1jjrB5ZYxIk1HHCBw5razG03KNhsHPDSU7ibHjWz+PonMTH6Tbcs32mCMaaOG
k1YKuPpTwemHhr0JbR2DbyLJzCBdLUe9Czr2UF70euSr+SHPvSluqMByRmS3mNKL
tUaYERHYl8dqzOEHTfD1D0QY2aCzAXrpYt56UEwMCoM=
</Y>
</DSAKeyValue>
</KeyValue>
</KeyInfo>
</Envelope>
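
A way to check what a same-document RetrievalMethod URI actually resolves to before handing a file to a verifier, added here as an example (not part of the original messages and not xmlsec code). The function name, the verdict strings and the sample document (key material elided) are constructed for illustration; it also flags unresolved and duplicate Id values, which goes slightly beyond the case in the thread.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: same shape as the attached file, key material elided.
SAMPLE = """<Envelope xmlns="urn:envelope">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyInfo><RetrievalMethod URI="#foo"/></KeyInfo>
  </Signature>
  <KeyInfo Id="foo" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyValue><DSAKeyValue/></KeyValue>
  </KeyInfo>
</Envelope>"""


def check_retrieval_methods(xml_text):
    """Return one (uri, target_local_name, verdict) tuple per RetrievalMethod."""
    root = ET.fromstring(xml_text)
    # Index elements by their "Id" attribute. Assumption: "Id" is the ID-typed
    # attribute, as in the xmldsig schema; no DTD or schema is loaded here.
    by_id = {}
    for elem in root.iter():
        if "Id" in elem.attrib:
            by_id.setdefault(elem.attrib["Id"], []).append(elem)
    results = []
    for rm in root.iter("{%s}RetrievalMethod" % DSIG):
        uri = rm.get("URI", "")
        targets = by_id.get(uri[1:], [])
        if not uri.startswith("#"):
            results.append((uri, None, "not a same-document reference"))
        elif not targets:
            results.append((uri, None, "unresolved"))
        elif len(targets) > 1:
            results.append((uri, None, "ambiguous: duplicate Id"))
        elif targets[0].tag == "{%s}KeyInfo" % DSIG:
            # The mistake identified in the thread: the Id sits on KeyInfo.
            results.append((uri, "KeyInfo", "points at KeyInfo wrapper"))
        else:
            results.append((uri, targets[0].tag.rsplit("}", 1)[-1], "ok"))
    return results


if __name__ == "__main__":
    for row in check_retrieval_methods(SAMPLE):
        print(row)
```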
