Forgot to copy the list. Hope this helps, Aleksy. (Note I'm not on the xmlsec mailing list.)

-- Jonathan

-------- Original Message --------
Subject: HMACOutputLength and xmlsec
Date: Fri, 24 Jan 2003 13:15:08 -0500
From: Jonathan Wenocur <[EMAIL PROTECTED]>
To: Rich Salz <[EMAIL PROTECTED]>, Jonathan Wenocur <[EMAIL PROTECTED]>



The file simple-91.xml.signed is a version of simple-91.xml which we signed with secret1. xmlsec doesn't verify the sig because HMACOutputLength is 91, which is not evenly divisible by 8 (see xmlsec/src/hmac.c:xmlSecMacHmacReadNode() where res=atoi((char *)content) / 8).

I tried feeding the same input file into xmlsec to see how it signs it: simple-91.xml.templ is the file I fed into xmlsec, and the signed output is simple-91.xml.templ.signed.

You'll note that the difference between the two files is only in the last couple of characters of the base64 encoded SignatureValue. The base64 decoded value we output is:

0000000: d8 77 9e d9 ca 91 3a 6b 61 08 82 20 .w....:ka..

The base64 decoded value from xmlsec is:

0000000: d8 77 9e d9 ca 91 3a 6b 61 08 82

Which is the same signature but truncated down to 88 bits instead of 91 bits (assuming of course that the last few bits we add are correct).

-- Jonathan







<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP:Body>
<echo xmlns="http://www.example.org">
this
is
a
test
of
echoing
simple-91
</echo>
</SOAP:Body>
</SOAP:Envelope>

<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"><SOAP:Header><wsse:Security><Signature
 xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
    <HMACOutputLength>91</HMACOutputLength>
  </SignatureMethod>
  <Reference URI="#Body">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>KlK8TF9wnLYvXz008MJV4umoHhE=</DigestValue>
  </Reference>
</SignedInfo>
    
<SignatureValue>gmtoF50KWNUTGQCg</SignatureValue><KeyInfo><KeyName>name:KEY</KeyName></KeyInfo></Signature></wsse:Security></SOAP:Header><SOAP:Body
 id="Body">
<echo xmlns="http://www.example.org">
this
is
a
test
of
echoing
simple-91
</echo>
</SOAP:Body></SOAP:Envelope>
secret
<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"><SOAP:Header><wsse:Security><Signature
 xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
    <HMACOutputLength>91</HMACOutputLength>
  </SignatureMethod>
  <Reference URI="#Body">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue></DigestValue>
  </Reference>
</SignedInfo>
    
<SignatureValue></SignatureValue><KeyInfo><KeyName>name:KEY</KeyName></KeyInfo></Signature></wsse:Security></SOAP:Header><SOAP:Body
 id="Body">
<echo xmlns="http://www.example.org">
this
is
a
test
of
echoing
simple-91
</echo>
</SOAP:Body></SOAP:Envelope>
<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"><SOAP:Header><wsse:Security><Signature
 xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
    <HMACOutputLength>91</HMACOutputLength>
  </SignatureMethod>
  <Reference URI="#Body">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>KlK8TF9wnLYvXz008MJV4umoHhE=</DigestValue>
  </Reference>
</SignedInfo>
    
<SignatureValue>gmtoF50KWNUTGQA=</SignatureValue><KeyInfo><KeyName>name:KEY</KeyName></KeyInfo></Signature></wsse:Security></SOAP:Header><SOAP:Body
 id="Body">
<echo xmlns="http://www.example.org">
this
is
a
test
of
echoing
simple-91
</echo>
</SOAP:Body></SOAP:Envelope>
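
The byte-count problem described in the message, as an added example that is not part of the original post and is not xmlsec's code: it truncates a MAC to a bit length that is not a multiple of 8 (rounding the byte count up and masking the last byte) and verifies against that. The function names are hypothetical, and SAMPLE_MAC is constructed: only its first 11 bytes and the top 3 bits of the 12th follow the dump in the message.

```c
#include <stdio.h>
#include <string.h>

/* Bytes needed for `bits` bits: 91 -> 12, whereas 91 / 8 gives 11. */
size_t hmac_out_bytes(unsigned bits) { return bits / 8u + (bits % 8u != 0); }

/* Copy the leftmost `bits` bits of mac into out and zero the unused low bits
 * of the last byte. Returns bytes written, or 0 if the length is unusable. */
size_t hmac_truncate(const unsigned char *mac, size_t mac_len, unsigned bits,
                     unsigned char *out, size_t out_len)
{
    size_t n = hmac_out_bytes(bits);
    if (bits == 0 || n > mac_len || n > out_len) return 0;
    memcpy(out, mac, n);
    if (bits % 8u) out[n - 1] &= (unsigned char)(0xFFu << (8u - bits % 8u));
    return n;
}

/* Return 1 if sig is exactly the `bits`-bit truncation of mac (padding bits
 * in sig must be zero); the comparison does not exit early on a mismatch. */
int hmac_verify_truncated(const unsigned char *mac, size_t mac_len,
                          unsigned bits, const unsigned char *sig, size_t sig_len)
{
    unsigned char want[64], diff = 0;
    size_t n = hmac_truncate(mac, mac_len, bits, want, sizeof want);
    if (n == 0 || sig_len != n) return 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(want[i] ^ sig[i]);
    return diff == 0;
}

/* Constructed sample: bytes 0-10 and the top 3 bits of byte 11 follow the
 * dump in the message; everything after that is made up for illustration. */
const unsigned char SAMPLE_MAC[20] = {
    0xd8, 0x77, 0x9e, 0xd9, 0xca, 0x91, 0x3a, 0x6b, 0x61, 0x08,
    0x82, 0x3f, 0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe };
/* The 12-byte value from the message; its first 11 bytes are xmlsec's output. */
const unsigned char SIG_91[12] = {
    0xd8, 0x77, 0x9e, 0xd9, 0xca, 0x91, 0x3a, 0x6b, 0x61, 0x08, 0x82, 0x20 };

int main(void)
{
    printf("91 bits -> %zu bytes (atoi/8 gives %d)\n", hmac_out_bytes(91), 91 / 8);
    printf("12-byte value verifies at 91 bits: %d\n",
           hmac_verify_truncated(SAMPLE_MAC, 20, 91, SIG_91, 12));
    printf("11-byte value verifies at 91 bits: %d\n",
           hmac_verify_truncated(SAMPLE_MAC, 20, 91, SIG_91, 11));
    return 0;
}
```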
