Hi,

I've generated a signature and tried to use the online verifier at aleksey.com. This service says that the signature is broken (the reference validation is OK, but the crypto validation over the c14n'ed SignedInfo fails). I've also tested with Apache XMLDSig and it works OK.

I've tried to manually repeat every step: first c14n-izing the SignedInfo subtree (obtaining the same subtree serialized in a byte[], as this subtree is "manually" pre-c14n'ed) and after that applying the hash function over that byte[], obtaining consistent results.

Could you shed some light on that?

Thank you very much in advance,

Carlos
<?xml version="1.0" encoding="UTF-8" ?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>w6qEtOB0evDzEzVyQfJR4+plZsg=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>
MZqIrFRnqClE5iDYtkgmhkaAHFeTJ5C0rJ0CNAtyg1dMP+9+Yv+wksaG2zPj7V/nbXuJF09+A3tP
FnR2HsEqVzSWwc4XL9E0Oxn/CvSuHrSGoKlqp1wwJ2oBMTGWk+UiEvGRQMNhuxsz6oiaqBru92a4
5+VZw2cnka//+sRPC2c=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="ToBeSigned">
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#Signature">
<xades:SignedProperties xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="SignedProperties"><xades:SignedSignatureProperties><xades:SigningTime>2006-10-02T12:16:36,392Z</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>UmtVPxII/uuPUZhRQLniWPDjxRk=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>[EMAIL PROTECTED], CN=DEMO Negonation Certificate Authority, OU=Certificate Authority, O=Negonation, L=Madrid, ST=Madrid, C=ES</ds:X509IssuerName><ds:X509SerialNumber>1048583</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate><xades:SignatureProductionPlace>
<xades:City>Barcelona</xades:City><xades:CountryName>Spain</xades:CountryName></xades:SignatureProductionPlace></xades:SignedSignatureProperties><xades:SignedDataObjectProperties><xades:CommitmentTypeIndication><xades:CommitmentTypeId><xades:Identifier>http://www.tractis.com/commitments#SignContract</xades:Identifier></xades:CommitmentTypeId><xades:ObjectReference>#ContractReference</xades:ObjectReference></xades:CommitmentTypeIndication></xades:SignedDataObjectProperties></xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
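
The crypto step discussed in this message, as an added example that is not part of the original post and is not xmlsec or Apache code: RSA-SHA1 validation compares the PKCS#1 v1.5 encoding of SHA-1 over the exact canonical SignedInfo octets with the value recovered from SignatureValue, so it can fail on its own while every Reference digest still matches. The toy key, the SignedInfo sample and all function names are constructed for illustration.

```python
import base64
import hashlib

# DER DigestInfo prefix for SHA-1 (PKCS#1 v1.5, RFC 8017 section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed toy RSA key built from two Mersenne primes; not a real key.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in octets

# Constructed SignedInfo, already in canonical form (placeholder digest).
SIGNED_INFO = (
    b'<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    b'<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">'
    b'</ds:SignatureMethod><ds:DigestValue>PLACEHOLDER</ds:DigestValue>'
    b'</ds:SignedInfo>'
)
# Same element with one line break after the start tag; C14N keeps that
# whitespace, so a verifier that sees these octets hashes different input.
REINDENTED = SIGNED_INFO.replace(b'xmldsig#">', b'xmldsig#">\n', 1)


def encode_em(signed_info_c14n: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-1 over the canonical SignedInfo."""
    t = SHA1_PREFIX + hashlib.sha1(signed_info_c14n).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(signed_info_c14n: bytes) -> str:
    """Produce a base64 SignatureValue with the constructed private key."""
    m = int.from_bytes(encode_em(signed_info_c14n), "big")
    return base64.b64encode(pow(m, D, N).to_bytes(K, "big")).decode()


def verify(signed_info_c14n: bytes, signature_value_b64: str) -> bool:
    """Recover the encoded message and compare it octet for octet."""
    s = int.from_bytes(base64.b64decode(signature_value_b64), "big")
    if s >= N:
        return False
    return pow(s, E, N).to_bytes(K, "big") == encode_em(signed_info_c14n)


if __name__ == "__main__":
    value = sign(SIGNED_INFO)
    print("same octets:     ", verify(SIGNED_INFO, value))
    print("one added newline:", verify(REINDENTED, value))
```

When two verifiers disagree on the same signature, dumping the canonical SignedInfo octets each one hashes and diffing them shows where their inputs diverge.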
