On Mon, Aug 27, 2007 at 09:22:25AM -0700, Aleksey Sanin wrote:
>
>> In the most simple case, I have generated a signature with no indentation
>> except on the first line:
>
> OK, then I don't know. The error means that signatures don't match.
> You can try to dump the pre-signature buffer (after c14n) to make
> sure they match (see --print-signature xmlsec command line option).

So I've found the XMLSEC_DSIG_FLAGS_STORE_SIGNATURE flag; here are the results:
Signing:

...
== PreSigned data - start buffer:
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:eb="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xlink="http://www.w3.org/1999/xlink">
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<XPath>not(ancestor-or-self::node()[@soap:actor="urn:oasis:names:tc:ebxml-msg:service:nextMSH"]
|
ancestor-or-self::node()[@soap:actor="http://schemas.xmlsoap.org/soap/actor/next"])</XPath>
</Transform>
<Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>nLo8xi/sqV0d4Cnl4L8vN0SzXMU=</DigestValue>
</Reference>
<Reference URI="cid:payload-1-contid0000330b46d41445000a8049">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>/mBI15W23WOx3Lw0hcLzIMzPvsk=</DigestValue>
</Reference>
</SignedInfo>
== PreSigned data - end buffer

Checking signature:

... (SignedInfo on a single line)
== PreSigned data - start buffer:
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:eb="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xlink="http://www.w3.org/1999/xlink"><CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod><SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference
URI=""><Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform
Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"><XPath>not(ancestor-or-self::node()[@soap:actor="urn:oasis:names:tc:ebxml-msg:service:nextMSH"] |
ancestor-or-self::node()[@soap:actor="http://schemas.xmlsoap.org/soap/actor/next"])</XPath></Transform><Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform></Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>nLo8xi/sqV0d4Cnl4L8vN0SzXMU=</DigestValue></Reference><Reference
URI="cid:payload-1-contid0000330b46d41445000a8049"><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>/mBI15W23WOx3Lw0hcLzIMzPvsk=</DigestValue></Reference></SignedInfo>
== PreSigned data - end buffer

whereas the received message is formatted as emitted...
Is it the signature node extraction that modifies the message?
Is there a way to check the signature without using XPath extraction?

Fredd.
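The two dumps above differ only in the whitespace between elements: the signer's SignedInfo has a newline after each element, the verifier's has none. Inclusive C14N (the REC-xml-c14n-20010315 algorithm named in the dumps) preserves those whitespace text nodes, so the verifier hashes different bytes and the RSA-SHA1 signature over SignedInfo cannot match. The following Python script is an added diagnostic, not code from the thread or from xmlsec: it takes two pre-signature buffers, checks whether their SHA-1 digests agree, and then checks whether the buffers are identical once whitespace-only text nodes are ignored, which isolates "someone reformatted the signature after signing" from a real content change. The two buffers are constructed, shortened stand-ins for the dumps (same element names and algorithm URIs, the second Reference and Transforms omitted).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for the two "PreSigned data" dumps in the thread:
# the signing side is pretty-printed (one element per line), the verifying
# side is the same SignedInfo reserialized onto a single line.
SIGNING_SIDE = b"""<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>nLo8xi/sqV0d4Cnl4L8vN0SzXMU=</DigestValue>
</Reference>
</SignedInfo>"""

VERIFYING_SIDE = (
    b'<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    b'<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>'
    b'<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>'
    b'<Reference URI="">'
    b'<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>'
    b'<DigestValue>nLo8xi/sqV0d4Cnl4L8vN0SzXMU=</DigestValue>'
    b'</Reference>'
    b'</SignedInfo>'
)


def sha1_b64(buf):
    """SHA-1 of the canonicalized bytes, base64-encoded like a DigestValue."""
    return base64.b64encode(hashlib.sha1(buf).digest()).decode("ascii")


def whitespace_only_nodes(buf):
    """Count text/tail nodes made only of whitespace.

    Inclusive C14N keeps every one of them, so each one changes the hash.
    """
    count = 0
    for el in ET.fromstring(buf).iter():
        for s in (el.text, el.tail):
            if s is not None and s != "" and s.strip() == "":
                count += 1
    return count


def _same_tree(a, b):
    """Structural equality: tags, attributes, children, and non-blank text."""
    def norm(s):
        return (s or "").strip()

    if a.tag != b.tag or a.attrib != b.attrib:
        return False
    if norm(a.text) != norm(b.text) or norm(a.tail) != norm(b.tail):
        return False
    if len(a) != len(b):
        return False
    return all(_same_tree(x, y) for x, y in zip(a, b))


def same_modulo_whitespace(buf_a, buf_b):
    return _same_tree(ET.fromstring(buf_a), ET.fromstring(buf_b))


def diagnose(buf_a, buf_b):
    """Compare a signer's and a verifier's pre-signature buffers."""
    return {
        "digests_match": sha1_b64(buf_a) == sha1_b64(buf_b),
        "same_modulo_whitespace": same_modulo_whitespace(buf_a, buf_b),
        "whitespace_nodes": (whitespace_only_nodes(buf_a),
                             whitespace_only_nodes(buf_b)),
    }


if __name__ == "__main__":
    report = diagnose(SIGNING_SIDE, VERIFYING_SIDE)
    print(report)
    if not report["digests_match"] and report["same_modulo_whitespace"]:
        print("Only inter-element whitespace differs: the SignedInfo was "
              "reformatted between signing and verification, and inclusive "
              "C14N does not strip that whitespace.")
```

Run against real dumps, `same_modulo_whitespace` being true while `digests_match` is false points at the transport or an intermediary (pretty-printer, DOM re-serialization, MIME handling) rather than at the key or algorithm; a false `same_modulo_whitespace` means the signed content itself changed and the whitespace is a red herring.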
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec