I have a problem verifying a signature (attached xml) made with Ubisignature.
I'm trying to verify it using xmlsec and MS .NET SignedXml that we use on the server.
The xmlsec output is:
C:\work\xmlsec>xmlsec --verify --node-xpath //[EMAIL PROTECTED]'DepositorSignature'] --trusted-der sigov-ca.crt --print-debug podpis_mm3.xml
= VERIFICATION CONTEXT
== Status: invalid
== flags: 0x00000000
== flags2: 0x00000000
== Id: "DepositorSignature"
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: 65535
=== rsa key: size = 1023
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
func=:file=..\src\openssl\signatures.c:line=248:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
FAIL
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "podpis_mm3.xml"
One thing that I find odd is:
=== rsa key: size = 1023
I have also tried verifying the signature with Microsoft SignedXml class (framework 1.1) and it dies like this:
System.Security.Cryptography.CryptographicException: Cryptographic service provider (CSP) for this implementation generated an internal error while attempting to verify the signature.
   at System.Security.Cryptography.RSACryptoServiceProvider.VerifyHash(Byte[] rgbHash, String str, Byte[] rgbSignature)
   at System.Security.Cryptography.RSAPKCS1SignatureDeformatter.VerifySignature(Byte[] rgbHash, Byte[] rgbSignature)
   at System.Security.Cryptography.AsymmetricSignatureDeformatter.VerifySignature(HashAlgorithm hash, Byte[] rgbSignature)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(AsymmetricAlgorithm& signingKey)
   at
But Ubisignature and Java (apache) implementations verify the signature as valid.
Can anyone help? Is the signature valid or not? Where is the problem?
The CA certificate is at http://www.sigov-ca.gov.si/sigov-ca.crt
Thanks, Mark
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <Envelope xmlns="http://edavki.durs.si/Documents/Schemas/EDP_Pri_1.xsd" xmlns:edp="http://edavki.durs.si/Documents/Schemas/EDP-Common-1.xsd"><edp:Header><edp:taxpayer><edp:taxNumber>20763808</edp:taxNumber><edp:taxpayerType>FO</edp:taxpayerType><edp:name>Priimek_2.07638e+007 Ime_2.07638e+007</edp:name><edp:address1>ROBLEKOVO NASELJE 011</edp:address1><edp:city>RADOVLJICA</edp:city></edp:taxpayer></edp:Header><edp:Signatures><edp:DepositorSignature><edp:Depositor><edp:timestamp>2004-03-23T16:52:19</edp:timestamp><edp:name>Priimek_2.07638e+007 Ime_2.07638e+007</edp:name></edp:Depositor><hslsig:Presentation xmlns:hslsig="urn:schemas-hermes-softlab-com:2003/09/Signatures"><hslsig:DisplayTransformDigest transform="http://edavki.durs.si/Documents/Transforms/EDP_Pri_1.2-deposit-sl.xslt" digestAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1" digest="mdyN1NOm7/6P0XynHMGvpluwebU="/><hslsig:SigningComponent name="urn:hermes-softlab-com:2003-09/hslDigSigX" version="1.1.1.17"/></hslsig:Presentation><Signature Id="DepositorSignature" xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>XUNUoigZl+VDK2hZvlPLH0tqE1I=</DigestValue></Reference></SignedInfo><SignatureValue>eCyKYoZ6yQ50JhBn7ZB4EkFrbm3g44XsLdgJwuoVn9S6fJnkZZSeEw5/Rl7FrdG7256iKNb4O8h9 buml58kCXS27ZW9QO20Eml9LreGS9R4kr6ikVic0oYeEFXIIAdvQA+T7OBZ9OHKi/WntQjWXePLU CWea2TFpBhUsBTZ0FZQ=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>QXEKJlC/YvEd/Pi4qLjKLjzuDsAOL3zjHg1xDnbzvCQFPa7WKQiGvovpDRa51f6FgeOA6P2Oswqc aYBdVBfvyJ5L2un2f/U8Rm+hBuCH6XsJLXZmZ9EkuruK7ExDc5Tf/8T6xRCkn8d8s1zLdTLmWhqj 
VxEsBkH6EO05fcdOXuA=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue><X509Data><X509Certificate>MIIEyjCCA7KgAwIBAgIEOlx8ljANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJzaTEbMBkGA1UE ChMSc3RhdGUtaW5zdGl0dXRpb25zMREwDwYDVQQLEwhzaWdvdi1jYTAeFw0wMTA2MjIwNTM1NDRa Fw0wNjA2MjIwNjA1NDRaMIGHMQswCQYDVQQGEwJzaTEbMBkGA1UEChMSc3RhdGUtaW5zdGl0dXRp b25zMRkwFwYDVQQLExB3ZWItY2VydGlmaWNhdGVzMRMwEQYDVQQLEwpHb3Zlcm5tZW50MSswEwYD VQQDEwxNYXRlamEgTWlrZWswFAYDVQQFEw0xMjM0NjIzOTE0MDE2MIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQDgXk7HfTntEPpBBiwRV6MaWuYydctcs3zHn6QQxfrE/9+Uc0NM7Iq7uiTRZ2Z2 LQl76YfgBqFvRjz1f/bp2kueyO8XVF2AaZwKs4796IDjgYX+1bkWDemLvoYIKdauPQUkvPN2DnEN HuN8Lw7ADu48Lsq4qLj4/B3xYr9QJgpxQQIDAQABo4ICCTCCAgUwCwYDVR0PBAQDAgWgMCsGA1Ud EAQkMCKADzIwMDEwNjIyMDUzNTQ0WoEPMjAwNjA2MjIwNjA1NDRaMBEGCWCGSAGG+EIBAQQEAwIF oDAzBglghkgBhvhCAQIEJhYkaHR0cHM6Ly93d3cuc2lnb3YtY2EuZ292LnNpL2NkYS1jZ2kvMEQG CWCGSAGG+EIBAwQ3FjVjbGllbnRjZ2k/YWN0aW9uPWNoZWNrUmV2b2NhdGlvbiYmQ1JMPWNuPUNS TDImc2VyaWFsPTA7BglghkgBhvhCAQ0ELhYsU2x1emJlbm8gc3BsZXRubyBkaWdpdGFsbm8gcG90 cmRpbG8gU0lHT1YtQ0EwFwYDVR0gBBAwDjAMBgorBgEEAa9ZAQEBMB4GA1UdEQQXMBWBE21hdGVq YS5taWtla0Bnb3Yuc2kwXwYDVR0fBFgwVjBUoFKgUKROMEwxCzAJBgNVBAYTAnNpMRswGQYDVQQK ExJzdGF0ZS1pbnN0aXR1dGlvbnMxETAPBgNVBAsTCHNpZ292LWNhMQ0wCwYDVQQDEwRDUkwyMB8G A1UdIwQYMBaAFB741FNrs4MG6QQGVwL5pb/GWDxyMB0GA1UdDgQWBBTI4CjynCv/qJHAtdxoQ6ru 1OnIEDAJBgNVHRMEAjAAMBkGCSqGSIb2fQdBAAQMMAobBFY1LjADAgOoMA0GCSqGSIb3DQEBBQUA A4IBAQCJBGrJslkPqCAwgtG39hf/R0byy3Rwo4ZMqSLkFh5AqqIpEha6PS6LHnAwgsMwnNXgq+10 FNcN9yqCBp3y4At1tBtlYg44z0c3A/O1M8KXR+XEPLhvO1HpdXeR3Vr57oCet5Rdhl2gr7fGI7DJ m6A3Ct1hoAb6lJWolCk2Z76CVYVH2c3eQRumYoVAk5nEceNO6YVRE4xf+hlcIDaAffAxGaNr55Eh 6yco+F63z9vezOxmSC5GuyZELWmXedDeBm+sBo9+TPtuHwMLD9bY5VCprfNEvYlSWw19XlqgSCGm DFflQyK97Dijm8IeM5lXW0WdE2rtUbOnDkO9PkJO2qzc</X509Certificate><X509IssuerSerial><X509SerialNumber>3A5C7C96</X509SerialNumber><X509IssuerName>C=si, O=state-institutions, OU=sigov-ca</X509IssuerName></X509IssuerSerial><X509SubjectName>C=si, O=state-institutions, 
OU=web-certificates, OU=Government, CN=Mateja Mikek + 2.5.4.5=1234623914016</X509SubjectName></X509Data></KeyInfo></Signature></edp:DepositorSignature></edp:Signatures><body><edp:bodyContent/><EDP-Pri><publishPersonalData>false</publishPersonalData></EDP-Pri></body></Envelope>
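
When a KeyInfo carries both an RSAKeyValue and an X509Certificate, as the attached file does, a verifier can check that the two describe the same key before looking at the signature itself. The following is an added example, not part of the original post and not xmlsec or .NET code; the function names and the sample data (a DER-like fragment, not a real certificate) are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _b64_text(root, path):
    el = root.find(path)
    if el is None or not el.text:
        raise ValueError("missing element: " + path)
    return base64.b64decode("".join(el.text.split()))

def check_keyinfo(xml_text):
    """Return (modulus bit length, relation of ds:Modulus to the certificate key)."""
    # ElementTree is not hardened against hostile XML; use on local files only.
    root = ET.fromstring(xml_text)
    modulus = _b64_text(root, f".//{DS}RSAKeyValue/{DS}Modulus")
    cert = _b64_text(root, f".//{DS}X509Data/{DS}X509Certificate")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits == 0:
        raise ValueError("empty modulus")
    # XMLDSig defines Modulus as a big-endian octet string, and DER stores the
    # RSA modulus big-endian too, so the same bytes must occur in the certificate.
    if modulus.lstrip(b"\x00") in cert:
        return bits, "big-endian"
    if modulus[::-1].lstrip(b"\x00") in cert:
        return bits, "byte-reversed"
    return bits, "no-match"

# Constructed sample: a 1024-bit modulus and a DER-like blob that contains it.
N = bytes([0xE0]) + bytes(range(1, 127)) + bytes([0x41])
FAKE_CERT = b"\x30\x82\x01\x00\x02\x81\x81\x00" + N + b"\x02\x03\x01\x00\x01"

def sample(modulus_bytes):
    """Build a minimal ds:Signature/ds:KeyInfo around the constructed values."""
    b64 = lambda b: base64.b64encode(b).decode()
    return (
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo>'
        f"<KeyValue><RSAKeyValue><Modulus>{b64(modulus_bytes)}</Modulus>"
        "<Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>"
        f"<X509Data><X509Certificate>{b64(FAKE_CERT)}</X509Certificate></X509Data>"
        "</KeyInfo></Signature>"
    )

if __name__ == "__main__":
    for label, m in (("as in cert", N), ("reversed", N[::-1])):
        print(label, check_keyinfo(sample(m)))
```

A verifier that trusts the certificate chain should take the public key from the validated X509Certificate rather than from a bare RSAKeyValue.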
