Hi, i've compiled xmlsec (1.2.10) against : - libiconv 1.11 - libxml2 2.6.28 - libxslt 1.1.20 - openssl 9_7_c on : - Linux (GLibc 2.3.2, GCC 3.2.2-5, Red Hat, 2.4.20) - HPUX (HP-UX B.11.00 U 9000/800, aCC: HP ANSI C++ B3910B A.03.25)
I'm using xmlsec as in the verify1 test case, cause i need to ignore the KeyInfo part of the signature. (I have not tested the Adopt way atm.) The only difference I have with verify1 test case is that i need to Register Input Callbacks to handle "cid:" references. All references seems OK. Certificate loading seems OK. (All certifcates I have tested are self-signed btw) Keyinfo skipping seems OK. But Whatever the message I give as input to my application : - if i put the wrong certificate, openssl complains of a padding problem, - if i give the right certificate : - xmlsec complains that "data do not match:signature do not match" - which gives at openssl level : "rsa routines:RSA_verify:bad signature" If I understand well the second case : - my references are good, so my message (parts pointed by reference) has (have) not been modified - my certificate is good (differences in results between good and bad certificate) - but my signature is invalid so only the signedinfo part or signature value have been modified thus invalidating the whole signature ! The latter is wrong cause I have tried with certified/verified messages in entry and I have the same errors. Here's the debug output of the DSigCtx : = VERIFICATION CONTEXT == Status: invalid == flags: 0x00000000 == flags2: 0x00000000 == Key Info Read Ctx: = KEY INFO READ CONTEXT == flags: 0x00000000 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: rsa ==== keyType: 0x00000001 ==== keyUsage: 0x00000002 ==== keyBitsSize: 0 === list size: 0 == Key Info Write Ctx: = KEY INFO WRITE CONTEXT == flags: 0x00000000 == flags2: 0x00000000 == enabled key data: all == RetrievalMethod level (cur/max): 0/1 == TRANSFORMS CTX (status=0) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL == EncryptedKey level (cur/max): 0/1 === KeyReq: ==== keyId: NULL ==== keyType: 0x00000001 ==== keyUsage: 0xffffffff ==== keyBitsSize: 0 === list size: 0 == Signature Transform Ctx: == TRANSFORMS CTX (status=2) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) === Transform: membuf-transform (href=NULL) == Signature Method: === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) == Signature Key: == KEY === method: RSAKeyValue === key type: Public === key name: /home/fredd/DEVEL/CURRENT/ssl/certs/partner1.cer === key usage: -1 === rsa key: size = 1024 === list size: 1 === X509 Data: ==== Certificate: ==== Subject Name: /C=.../CN=partner1 ==== Issuer Name: /C=... ==== Issuer Serial: 0 == SignedInfo References List: === list size: 2 = REFERENCE VERIFICATION CONTEXT == Status: succeeded == URI: "" == Reference Transform Ctx: == TRANSFORMS CTX (status=2) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: NULL === uri xpointer expr: NULL === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) === Transform: xpath (href=http://www.w3.org/TR/1999/REC-xpath-19991116) === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) === Transform: membuf-transform (href=NULL) == Digest Method: === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) = REFERENCE VERIFICATION CONTEXT == Status: succeeded == URI: "cid:payload-1-contid000069d446d2c55f00023bd2" == Reference Transform Ctx: == TRANSFORMS CTX (status=2) == flags: 0x00000000 == flags2: 0x00000000 == enabled transforms: all === uri: cid:payload-1-contid000069d446d2c55f00023bd2 === uri xpointer expr: NULL === Transform: input-uri (href=NULL) === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) === Transform: membuf-transform (href=NULL) == Digest Method: === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) == Manifest References List: === list size: 0 Any ideas on where am I wrong ? Shall I give you more details ? Which ones ? Thanks in advances for any help, Frederic HEULIN _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
