Hi All,

I guess that the problem is in the iaik stuff.
The certificate "Distinguished Name"/Subject should be in conformance with RFC 3280 (obsoletes 2459).
No idea why the iaik stuff checks against RFC 2253.
There is no limitation on the number of organization and organizational-unit attributes in the subject.

The "Email" attribute in the subject is not correct. Old openssl (version <= 0.9.6) uses this. It is corrected in openssl versions >= 0.9.7. I think that xmlsec requires openssl >= 0.9.7, so the problem should not exist.

Similarly for the "E" attribute used in the Microsoft crypto implementation. I'm sure that will never be corrected. Initial releases of xmlsec+mscrypto incorrectly printed some attributes, and in reverse order. Later this was fixed.


Roumen


Ed Shallow wrote:
Hi Andreas and Aleksey,

   Andreas, thanks for your prompt reply.

   I suspect it has something to do with the use of emailAddress in the
X509SubjectName. Konrad says this is incorrect and that I should be using
EMAIL instead of emailAddress. I think he is using IAIK also.

   I generated this certificate with OpenSSL.

   Aleksey, is emailAddress incorrect or non-standard ? If so, am I
introducing this improper use of emailAddress or is it XMLSec ?

Thanks,
Ed

-----Original Message-----
From: Andreas Kuehne [mailto:[EMAIL PROTECTED]]
Sent: August 7, 2006 6:34 AM
To: [EMAIL PROTECTED]
Subject: Re: Can you Verify this signature ?

Hi Ed !

Good to hear from you regarding 'real' business ! More than one year gone by
since our last effort to do some InterOp tests ...

And it took me some time to have my XMLDSig stuff up and running again. I'm
still working with plain old PKCS7 most of the time.

As you might remember I'm using the iaik stuff and upgraded to the current
version. I see an interesting message from the verifier :

Exception in thread "main" javax.xml.crypto.MarshalException:
X509SubjectName '[EMAIL PROTECTED],CN=Universal Postal Union
Pilot EPM Timestamp,OU=Electronic Post Mark,O=For Test Use Only,O=Universal
Postal Union,L=Berne,ST=Berne,C=CH' is not RFC 2253 compliant.
        at
iaik.xml.crypto.dsig.keyinfo.X509DataImpl.unmarshalStructures(Unknown
Source)
        at iaik.xml.crypto.dom.DOMStructure.unmarshal(Unknown Source)
        at iaik.xml.crypto.dsig.keyinfo.X509DataImpl.<init>(Unknown Source)
        ...

Do you have any clue why it complains ? Does the double use of organisation
violate the RFC ? I can't extract any restrictions from the spec.

Greetings

Andreas

   Can I ask you for a small favor ?

Could you please verify this signature using your XMLDSIG crypto toolkit as a sanity check ?

   It would be enormously appreciated.

I have also included the trusted public root from which the UPUtsa signing certificate was issued.


Thanks loads,

Ed Shallow
Chief Architect
Canada Post Corporation
Electronic PostMarking Services
613-852-6410
<?xml version="1.0" encoding="UTF-8"?>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="PostMarkedReceiptSignature">
    <dsig:SignedInfo>
        <dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <dsig:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference URI="#TstInfo">
            <dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>x0q4X69WBzlCQg3Qbu3BNzdHseY=</dsig:DigestValue>
        </dsig:Reference>
        <dsig:Reference URI="#Receipt">
            <dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>tH/s6vMnSs8pvi8LDKRghsEZnQE=</dsig:DigestValue>
        </dsig:Reference>
        <dsig:Reference URI="#PostMarkedData">
            <dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>iurDPcMJ2yYQQoOTVCpGUXeJ6rQ=</dsig:DigestValue>
        </dsig:Reference>
    </dsig:SignedInfo>
<dsig:SignatureValue>LQ8IbC0zduAdhop4/q1OwhOiPOdyUoSRtjO9IFUmIWtDUh8oq
DfkitMFXW9IFn4+
BIWO5y5QN4upnybOGqR7ng+2scqcqk/baoTczdBRCkSRRWa02ouR9guEv/3Btnvz
8q/Zgxt2nGKXUQBe+V03pjiRS5gOZ5xnkbvOT7+imPc=</dsig:SignatureValue>
    <dsig:KeyInfo>
        <dsig:KeyName>UPUtsa</dsig:KeyName>
        <dsig:X509Data>
        <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIIEXDCCA0SgAwIBAgIBBDANBgkqhkiG9
w0BAQUFADCB3jELMAkGA1UEBhMCQ0gx
DjAMBgNVBAgTBUJlcm5lMQ4wDAYDVQQHEwVCZXJuZTEfMB0GA1UEChMWVW5pdmVy
c2FsIFBvc3RhbCBVbmlvbjEaMBgGA1UEChMRRm9yIFRlc3QgVXNlIE9ubHkxHTAb
BgNVBAsTFEVsZWN0cm9uaWMgUG9zdCBNYXJrMTMwMQYDVQQDEypVbml2ZXJzYWwg
UG9zdGFsIFVuaW9uIFBpbG90IEVQTSBBdXRob3JpdHkxHjAcBgkqhkiG9w0BCQEW
D0NBQWRtaW5AdXB1LmludDAeFw0wNTAxMjUxOTU3NDFaFw0xMDAxMjQxOTU3NDFa
MIHeMQswCQYDVQQGEwJDSDEOMAwGA1UECBMFQmVybmUxDjAMBgNVBAcTBUJlcm5l
MR8wHQYDVQQKExZVbml2ZXJzYWwgUG9zdGFsIFVuaW9uMRowGAYDVQQKExFGb3Ig
VGVzdCBVc2UgT25seTEdMBsGA1UECxMURWxlY3Ryb25pYyBQb3N0IE1hcmsxMzAx
BgNVBAMTKlVuaXZlcnNhbCBQb3N0YWwgVW5pb24gUGlsb3QgRVBNIFRpbWVzdGFt
cDEeMBwGCSqGSIb3DQEJARYPQ0FBZG1pbkB1cHUuaW50MIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDZcXRnH8LSa57tHZH5i4JsKN5MiTADOud2ThVKctheNd5B
wqP5JxkyK75jBVrFz5efJLOlpSbALtTwMzOuXn8C+UcdB1/Mu0gnTpgFaonMmKuk
xq9pi4u/7zlzmA+6vI6pUHu8RrBbHUa0PgM6OkgniZqIfkLjtD0Y9IzJpflczwID
AQABo4GmMIGjMAwGA1UdEwQFMAMCAQAwHQYDVR0OBBYEFBEFCs6yi4oBFWYGSCLY
+4lb0PrEMB8GA1UdIwQYMBaAFO0VydJTZFy9p5n9OT6icSir2KhQMC4GA1UdHwQn
MCUwI6AhoB+GHWh0dHA6Ly9jYTEudXB1LmludC9tYXN0ZXIuY3JsMAsGA1UdDwQE
AwIGwDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG9w0BAQUFAAOCAQEA
EiPjbN4zcLPOztr9WLSVB3C+e+qdl1xdzO9xu4tgtiXmeu6liSicWnRv8VNHJLyx
acSjCHM5rvn+ItVRCKcQf5l6aXab4XaIJFHCqjW6m09v0T0CNRawQaMYTx83iAcA
jot4dQ11kca4sL3nYIrxiBMPjwRjsLS/UvogLWjmwwx07lFrat5vLwGYPTjmxGyI
vngOIpc7Deg1xKhBXK4pBof4l0gukhZ0p98Xq181QcW2C/453kGCA307GY2+bsEe
9BvnoWPKk+udtb2+NHKgiFmh0arupWd0YI/szP2Zdim5XyVnXV+UuKW8Wi/83TBB
b2u1v4jWQWzHV/WfjdX2lg==</X509Certificate>
<X509SubjectName xmlns="http://www.w3.org/2000/09/xmldsig#">[EMAIL PROTECTED],CN=Universal Postal Union Pilot EPM Timestamp,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</X509SubjectName>
<X509IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509IssuerName>[EMAIL PROTECTED],CN=Universal Postal Union Pilot EPM Authority,OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,L=Berne,ST=Berne,C=CH</X509IssuerName>
<X509SerialNumber>4</X509SerialNumber>
</X509IssuerSerial>
</dsig:X509Data>
    </dsig:KeyInfo>
    <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dss:TstInfo xmlns:dss="http://www.docs.oasis-open.org/dss/oasis-dss-1.0-core-schema-cd-02.xsd" Id="TstInfo">
            <SerialNumber>100000005284</SerialNumber>
            <CreationTime>2006-8-3T15:22:11.431</CreationTime>
            <Policy/>
            <ErrorBound/>
            <Ordered/>
<TSA>[EMAIL PROTECTED], CN=Universal Postal Union Pilot EPM Timestamp, OU=Electronic Post Mark, O=For Test Use Only, O=Universal Postal Union, L=Berne, S=Berne, C=CH</TSA>
        </dss:TstInfo>
    </dsig:Object>
    <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <epm:PostMarkedReceipt xmlns:epm="http://www.upu.int/EPMService/schemas" Id="Receipt">
            <Receipt>
                <TransactionKey>
                    <Locator>
                       <CountryCode>CA</CountryCode>
                       <Version>115</Version>
                       <ServiceProvider>epost</ServiceProvider>
                       <Environment>test</Environment>
                    </Locator>
                    <Key>123456789</Key>
                    <Sequence>1</Sequence>
                </TransactionKey>
                <Requester>Joe Public</Requester>
                <Operation>PostMark</Operation>
<TSAX509SubjectName>[EMAIL PROTECTED], CN=Universal Postal Union Pilot EPM Timestamp, OU=Electronic Post Mark, O=For Test Use Only, O=Universal Postal Union, L=Berne, S=Berne,
C=CH</TSAX509SubjectName>
                <TimeStampValue>2006-8-3T12:49:23.188</TimeStampValue>
                <RevocationStatusQualifier>CRL
Checked</RevocationStatusQualifier>
<TimeStampToken MimeType="application/pkcs7-signature">base64encoded TS token would go
here</TimeStampToken>
                <MessageImprint>optional for XMLDSIG</MessageImprint>
                <PostMarkImage>base64encoded graphic would go
here</PostMarkImage>
                <ReceiptMetadata>
                    <Name></Name>
                    <Value></Value>
                </ReceiptMetadata>
            </Receipt>
        </epm:PostMarkedReceipt>
    </dsig:Object>
    <dsig:Object xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <epm:PostMarkedContent xmlns:epm="http://www.upu.int/EPMService/schemas"
Id="PostMarkedData">Here is a small plain text file without mark-up.
</epm:PostMarkedContent>
    </dsig:Object>
</dsig:Signature>




_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
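What follows is an added example, written for this page and not part of the thread, of xmlsec or of the IAIK toolkit: a small pure-Python RFC 2253 parser and checker that shows why a strict verifier can reject the X509SubjectName above. RFC 2253 section 2.3 defines string keywords only for CN, L, ST, O, OU, C, STREET, DC and UID; any other attribute type, including the PKCS#9 emailAddress (OID 1.2.840.113549.1.9.1) that OpenSSL prints as "emailAddress", old OpenSSL as "Email" and Windows CryptoAPI as "E", is supposed to be written as a dotted OID with a "#"-prefixed hex BER value. Repeated O or OU RDNs, by contrast, are legal. The e-mail address in the sample DN is a constructed placeholder because the archive redacts the real one, and treating "S" as the Windows spelling of ST is this example's assumption, not something the thread states.

```python
"""RFC 2253 DN string parsing and strict-compliance check (added example)."""
import binascii
import string

RFC2253_KEYWORDS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
EMAIL_OID = "1.2.840.113549.1.9.1"             # PKCS#9 emailAddress (IA5String)
EMAIL_ALIASES = {"EMAILADDRESS", "EMAIL", "E"}  # OpenSSL / old OpenSSL / CryptoAPI
HEX = set(string.hexdigits)


def parse_dn(dn):
    """Parse an RFC 2253 string into RDNs: list of lists of (type, value).
    Handles backslash escapes, \\XX UTF-8 byte pairs, '+' multi-valued RDNs
    and quoted values (RFC 2253 section 4). '#hex' values are left as-is."""
    rdns, rdn = [], []
    attr, buf = None, bytearray()
    in_quotes = False
    i, n = 0, len(dn)

    def finish_ava():
        nonlocal attr, buf
        if attr is None:
            raise ValueError("value without attribute type in %r" % dn)
        rdn.append((attr, buf.decode("utf-8")))
        attr, buf = None, bytearray()

    while i < n:
        c = dn[i]
        if c == "\\":
            if i + 2 < n and dn[i + 1] in HEX and dn[i + 2] in HEX:
                buf.append(int(dn[i + 1:i + 3], 16))   # \XX is one UTF-8 byte
                i += 3
            elif i + 1 < n:
                buf.extend(dn[i + 1].encode("utf-8"))  # \, \+ \" and friends
                i += 2
            else:
                raise ValueError("dangling backslash in %r" % dn)
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and c == "=" and attr is None:
            attr = buf.decode("utf-8").strip()
            buf = bytearray()
        elif not in_quotes and c in ",;+":
            finish_ava()
            if c != "+":
                rdns.append(rdn)
                rdn = []
            while i + 1 < n and dn[i + 1] == " ":   # tolerate "CN=a, O=b"
                i += 1
        else:
            buf.extend(c.encode("utf-8"))
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in %r" % dn)
    if attr is not None or buf:
        finish_ava()
    if rdn:
        rdns.append(rdn)
    return rdns


def is_oid(t):
    parts = t.split(".")
    return len(parts) >= 2 and all(p.isdigit() for p in parts)


def non_2253_types(rdns):
    """Attribute types that a strict RFC 2253 parser rejects."""
    return [t for rdn in rdns for t, _ in rdn
            if t.upper() not in RFC2253_KEYWORDS and not is_oid(t)]


def escape_value(v):
    """Escape a value for string form (RFC 2253 section 2.4)."""
    last = len(v) - 1
    return "".join("\\" + ch if ch in ',+"\\<>;' or (i == 0 and ch in "# ")
                   or (i == last and ch == " ") else ch
                   for i, ch in enumerate(v))


def der_ia5_hex(value):
    """'#' + hex of the BER-encoded IA5String: the 2253 form for non-keyword types."""
    data = value.encode("ascii")
    if len(data) > 127:
        raise ValueError("long-form length not implemented")
    return "#" + binascii.hexlify(bytes([0x16, len(data)]) + data).decode("ascii")


def to_strict_2253(rdns):
    """Re-serialise using only the 2253 keyword table plus dotted OIDs."""
    out = []
    for rdn in rdns:
        avas = []
        for t, v in rdn:
            up = t.upper()
            if up in EMAIL_ALIASES:
                avas.append(EMAIL_OID + "=" + der_ia5_hex(v))
            elif up == "S":   # assumption: Windows CryptoAPI's stateOrProvinceName
                avas.append("ST=" + escape_value(v))
            elif up in RFC2253_KEYWORDS:
                avas.append(up + "=" + escape_value(v))
            elif is_oid(t):
                avas.append(t + "=" + (v if v.startswith("#") else escape_value(v)))
            else:
                raise ValueError("no RFC 2253 form known for type %r" % t)
        out.append("+".join(avas))
    return ",".join(out)


# Subject from the thread's X509SubjectName; the e-mail address is a
# constructed placeholder because the archive redacts the real one.
PAGE_DN = ("emailAddress=tsa@example.invalid,CN=Universal Postal Union Pilot EPM Timestamp,"
           "OU=Electronic Post Mark,O=For Test Use Only,O=Universal Postal Union,"
           "L=Berne,ST=Berne,C=CH")

if __name__ == "__main__":
    rdns = parse_dn(PAGE_DN)
    print("O appears %d times (allowed)" % sum(t == "O" for r in rdns for t, _ in r))
    print("not 2253 keywords:", non_2253_types(rdns))
    print("strict form:", to_strict_2253(rdns))
```

Run against the DN from the thread, the checker flags only "emailAddress" and is silent about the two O attributes, which matches the shape of the IAIK complaint; the strict re-serialisation then parses clean. Whether a given verifier accepts the string form of emailAddress is an implementation choice, so the safe thing for a signer is to emit the OID form (or omit X509SubjectName, which is only a hint for locating the certificate already carried in X509Certificate).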

