Hi Andreas and Aleksey,

Andreas, thanks for your prompt reply.

I suspect it has something to do with the use of emailAddress in the X509SubjectName. Konrad says this is incorrect and that I should be using EMAIL instead of emailAddress. I think he is using IAIK also. I generated this certificate with OpenSSL.

Aleksey, is emailAddress incorrect or non-standard ? If so, am I introducing this improper use of emailAddress or is it XMLSec ?

Thanks,
Ed

-----Original Message-----
From: Andreas Kuehne [mailto:[EMAIL PROTECTED]
Sent: August 7, 2006 6:34 AM
To: [EMAIL PROTECTED]
Subject: Re: Can you Verify this signature ?

Hi Ed !

Good to hear from you regarding 'real' business ! More than one year gone by since our last effort to do some InterOp tests ... And it took me some time to have my XMLDSig stuff up and running again. I'm still working with plain old PKCS7 most of the time.

As you might remember I'm using the iaik stuff and upgraded to the current version. I see an interesting message from the verifier :

Exception in thread "main" javax.xml.crypto.MarshalException: X509SubjectName '[EMAIL PROTECTED],CN=Universal Postal Union Pilot EPM Timestamp,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH' is not RFC 2253 compliant.
    at iaik.xml.crypto.dsig.keyinfo.X509DataImpl.unmarshalStructures(Unknown Source)
    at iaik.xml.crypto.dom.DOMStructure.unmarshal(Unknown Source)
    at iaik.xml.crypto.dsig.keyinfo.X509DataImpl.<init>(Unknown Source)
    ...

Do you have any clue why it complains ? Does the double use of organisation violate the RFC ? I can't extract any restrictions from the spec.

Greetings

Andreas

> Can I ask you for a small favor ?
>
> Could you please verify this signature using your XMLDSIG crypto
> toolkit as a sanity check ?
>
> It would be enormously appreciated.
>
> I have also included the trusted public root from which the UPUtsa
> signing certificate was issued.
>
>
> Thanks loads,
>
> Ed Shallow
> Chief Architect
> Canada Post Corporation
> Electronic PostMarking Services
> 613-852-6410
>
> <?xml version="1.0" encoding="UTF-8"?>
> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="PostMarkedReceiptSignature">
> <dsig:SignedInfo>
> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <dsig:Reference URI="#TstInfo">
> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <dsig:DigestValue>x0q4X69WBzlCQg3Qbu3BNzdHseY=</dsig:DigestValue>
> </dsig:Reference>
> <dsig:Reference URI="#Receipt">
> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <dsig:DigestValue>tH/s6vMnSs8pvi8LDKRghsEZnQE=</dsig:DigestValue>
> </dsig:Reference>
> <dsig:Reference URI="#PostMarkedData">
> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <dsig:DigestValue>iurDPcMJ2yYQQoOTVCpGUXeJ6rQ=</dsig:DigestValue>
> </dsig:Reference>
> </dsig:SignedInfo>
>
> <dsig:SignatureValue>LQ8IbC0zduAdhop4/q1OwhOiPOdyUoSRtjO9IFUmIWtDUh8oqDfkitMFXW9IFn4+
> BIWO5y5QN4upnybOGqR7ng+2scqcqk/baoTczdBRCkSRRWa02ouR9guEv/3Btnvz
> 8q/Zgxt2nGKXUQBe+V03pjiRS5gOZ5xnkbvOT7+imPc=</dsig:SignatureValue>
> <dsig:KeyInfo>
> <dsig:KeyName>UPUtsa</dsig:KeyName>
> <dsig:X509Data>
> <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIIEXDCCA0SgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCB3jELMAkGA1UEBhMCQ0gx
> DjAMBgNVBAgTBUJlcm5lMQ4wDAYDVQQHEwVCZXJuZTEfMB0GA1UEChMWVW5pdmVy
> c2FsIFBvc3RhbCBVbmlvbjEaMBgGA1UEChMRRm9yIFRlc3QgVXNlIE9ubHkxHTAb
> BgNVBAsTFEVsZWN0cm9uaWMgUG9zdCBNYXJrMTMwMQYDVQQDEypVbml2ZXJzYWwg
> UG9zdGFsIFVuaW9uIFBpbG90IEVQTSBBdXRob3JpdHkxHjAcBgkqhkiG9w0BCQEW
> D0NBQWRtaW5AdXB1LmludDAeFw0wNTAxMjUxOTU3NDFaFw0xMDAxMjQxOTU3NDFa
> MIHeMQswCQYDVQQGEwJDSDEOMAwGA1UECBMFQmVybmUxDjAMBgNVBAcTBUJlcm5l
> MR8wHQYDVQQKExZVbml2ZXJzYWwgUG9zdGFsIFVuaW9uMRowGAYDVQQKExFGb3Ig
> VGVzdCBVc2UgT25seTEdMBsGA1UECxMURWxlY3Ryb25pYyBQb3N0IE1hcmsxMzAx
> BgNVBAMTKlVuaXZlcnNhbCBQb3N0YWwgVW5pb24gUGlsb3QgRVBNIFRpbWVzdGFt
> cDEeMBwGCSqGSIb3DQEJARYPQ0FBZG1pbkB1cHUuaW50MIGfMA0GCSqGSIb3DQEB
> AQUAA4GNADCBiQKBgQDZcXRnH8LSa57tHZH5i4JsKN5MiTADOud2ThVKctheNd5B
> wqP5JxkyK75jBVrFz5efJLOlpSbALtTwMzOuXn8C+UcdB1/Mu0gnTpgFaonMmKuk
> xq9pi4u/7zlzmA+6vI6pUHu8RrBbHUa0PgM6OkgniZqIfkLjtD0Y9IzJpflczwID
> AQABo4GmMIGjMAwGA1UdEwQFMAMCAQAwHQYDVR0OBBYEFBEFCs6yi4oBFWYGSCLY
> +4lb0PrEMB8GA1UdIwQYMBaAFO0VydJTZFy9p5n9OT6icSir2KhQMC4GA1UdHwQn
> MCUwI6AhoB+GHWh0dHA6Ly9jYTEudXB1LmludC9tYXN0ZXIuY3JsMAsGA1UdDwQE
> AwIGwDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG9w0BAQUFAAOCAQEA
> EiPjbN4zcLPOztr9WLSVB3C+e+qdl1xdzO9xu4tgtiXmeu6liSicWnRv8VNHJLyx
> acSjCHM5rvn+ItVRCKcQf5l6aXab4XaIJFHCqjW6m09v0T0CNRawQaMYTx83iAcA
> jot4dQ11kca4sL3nYIrxiBMPjwRjsLS/UvogLWjmwwx07lFrat5vLwGYPTjmxGyI
> vngOIpc7Deg1xKhBXK4pBof4l0gukhZ0p98Xq181QcW2C/453kGCA307GY2+bsEe
> 9BvnoWPKk+udtb2+NHKgiFmh0arupWd0YI/szP2Zdim5XyVnXV+UuKW8Wi/83TBB
> b2u1v4jWQWzHV/WfjdX2lg==</X509Certificate>
> <X509SubjectName xmlns="http://www.w3.org/2000/09/xmldsig#">[EMAIL PROTECTED]
> t,CN=Universal Postal Union Pilot EPM Timestamp,OU=Electronic Post
> Mark,O=For Test Use Only,O=Universal Postal
> Union,L=Berne,ST=Berne,C=CH</X509SubjectName>
> <X509IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
> <X509IssuerName>[EMAIL PROTECTED],CN=Universal Postal Union
> Pilot EPM Authority,OU=Electronic Post Mark,O=For Test Use
> Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</X509IssuerName>
> <X509SerialNumber>4</X509SerialNumber>
> </X509IssuerSerial>
> </dsig:X509Data>
> </dsig:KeyInfo>
> <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> <dss:TstInfo xmlns:dss="http://www.docs.oasis-open.org/dss/oasis-dss-1.0-core-schema-cd-02.xsd" Id="TstInfo">
> <SerialNumber>100000005284</SerialNumber>
> <CreationTime>2006-8-3T15:22:11.431</CreationTime>
> <Policy/>
> <ErrorBound/>
> <Ordered/>
> <TSA>[EMAIL PROTECTED], CN=Universal Postal
> Union Pilot EPM Timestamp, OU=Electronic Post Mark, O=For Test Use
> Only, O=Universal Postal Union, L=Berne, S=Berne, C=CH</TSA>
> </dss:TstInfo>
> </dsig:Object>
> <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> <epm:PostMarkedReceipt xmlns:epm="http://www.upu.int/EPMService/schemas" Id="Receipt">
> <Receipt>
> <TransactionKey>
> <Locator>
> <CountryCode>CA</CountryCode>
> <Version>115</Version>
> <ServiceProvider>epost</ServiceProvider>
> <Environment>test</Environment>
> </Locator>
> <Key>123456789</Key>
> <Sequence>1</Sequence>
> </TransactionKey>
> <Requester>Joe Public</Requester>
> <Operation>PostMark</Operation>
> <TSAX509SubjectName>[EMAIL PROTECTED],
> CN=Universal Postal Union Pilot EPM Timestamp, OU=Electronic Post
> Mark, O=For Test Use Only, O=Universal Postal Union, L=Berne, S=Berne, C=CH</TSAX509SubjectName>
> <TimeStampValue>2006-8-3T12:49:23.188</TimeStampValue>
> <RevocationStatusQualifier>CRL Checked</RevocationStatusQualifier>
> <TimeStampToken MimeType="application/pkcs7-signature">base64encoded TS token would go here</TimeStampToken>
> <MessageImprint>optional for XMLDSIG</MessageImprint>
> <PostMarkImage>base64encoded graphic would go here</PostMarkImage>
> <ReceiptMetadata>
> <Name></Name>
> <Value></Value>
> </ReceiptMetadata>
> </Receipt>
> </epm:PostMarkedReceipt>
> </dsig:Object>
> <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> <epm:PostMarkedContent xmlns:epm="http://www.upu.int/EPMService/schemas" Id="PostMarkedData">Here is a small plain text file without mark-up.
> </epm:PostMarkedContent>
> </dsig:Object>
> </dsig:Signature>

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
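As an added illustration of what a strict RFC 2253 check objects to in the X509SubjectName above (example code written for this page, not code from the thread, from IAIK, OpenSSL or XMLSec): the checker splits the DN string into RDNs as RFC 2253 section 3 describes, flags every attribute type that is neither in the section 2.3 keyword table (CN, L, ST, O, OU, C, STREET, DC, UID) nor a dotted-decimal OID, and re-serialises the OpenSSL spelling emailAddress as the PKCS#9 OID 1.2.840.113549.1.9.1, which is the form the RFC prescribes for types without a keyword; two O= RDNs pass, because the grammar puts no limit on repeated types. The function names, the ALIASES table and the ca-admin@example.org address used in the test are assumptions; whether a given toolkit additionally accepts EMAIL, E or S is implementation-specific, not something the RFC grants.

```python
import re

# Keyword table from RFC 2253 section 2.3. A strict consumer expects every
# other attribute type as a dotted-decimal OID, e.g. 1.2.840.113549.1.9.1 for
# the PKCS#9 e-mail attribute that OpenSSL prints as "emailAddress".
RFC2253_KEYWORDS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
EMAIL_OID = "1.2.840.113549.1.9.1"
# Vendor spellings of the e-mail and state attributes, mapped to RFC 2253
# form (assumed table; extend it for other toolkit-specific keywords).
ALIASES = {"EMAILADDRESS": EMAIL_OID, "EMAIL": EMAIL_OID, "E": EMAIL_OID, "S": "ST"}

def split_unescaped(text, separators):
    """Split on separators that are not backslash-escaped (RFC 2253 sec. 2.4)."""
    parts, current, escaped = [], [], False
    for ch in text:
        if ch in separators and not escaped:
            parts.append("".join(current))
            current = []
            continue
        escaped = ch == "\\" and not escaped  # a backslash escapes the next char
        current.append(ch)
    parts.append("".join(current))
    return parts

def parse_dn(dn):
    """One list of (type, value) pairs per RDN; '+' joins multi-valued RDNs."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("RDN component without '=': %r" % ava)
            attr_type, value = ava.split("=", 1)  # '=' never occurs in a type
            avas.append((attr_type.strip(), value))  # spaces around ',' are allowed
        rdns.append(avas)
    return rdns

def non_compliant_types(dn):
    """Attribute types that are neither RFC 2253 keywords nor dotted OIDs."""
    return [t for rdn in parse_dn(dn) for t, _ in rdn
            if t.upper() not in RFC2253_KEYWORDS and not OID_RE.match(t)]

def to_strict_rfc2253(dn):
    """Re-serialise with alias types replaced; repeated types (two O=) are kept."""
    return ",".join("+".join("%s=%s" % (ALIASES.get(t.upper(), t), v) for t, v in rdn)
                    for rdn in parse_dn(dn))
```

Running non_compliant_types() over X509SubjectName and X509IssuerName before accepting a KeyInfo match is a cheap way to catch this class of interoperability failure at the verifier; the S= used in the receipt's TSA fields is flagged by the same rule.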
