Ohh, I'm so sorry and ashamed I sent you those wrong command lines that I used in previous tries!!

In fact, I use DTD in my code:

"xmlsec verify --dtd-file $DTD_Verif --keys-file $keyfile $inputName"

And

"xmlsec sign --output $outputName --dtd-file $DTD_Sign --keys-file $keyfile $tmplName"

So now, this is it, the problem is the one below, with those command lines above.

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 22, 2008 16:33
To: Sebastien BROSSARD
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] problem with <ds:Reference URI="#xpointer(//*[@authenticate='true'])"> ?

xmlsec --node-xpath selects the start *Signature* node. It has
nothing to do with xpointer in the Reference URI.

Aleksey

Sebastien BROSSARD wrote:
> Hi everybody
>
> I am actually developing a software based on the German EBICS norm,
> which specifies that one's got to use
>
> <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
>
> as signatures URI.
>
> So long so well, when I sign a xml file with xmlsec
>
> (using command line : xmlsec sign --node-xpath
> //*[@authenticate='true'] --output $outputName --keys-file $keyfile)
>
> and then I verify it with xmlsec,
>
> (using command line : "xmlsec verify --node-xpath
> //*[@authenticate='true'] --keys-file $keyfile $inputName)
>
> everything works perfect.
>
> But here comes the trouble : I'm actually working on the server side of
> the EBICS norm, and I'm testing my developments on the client side
> thanks to a software called Travic (which is commercialized in Germany
> and then, I can assume, works well).
>
> And when Travic sends me its signature, verification fails; I keep
> getting this message :
>
> error=18:data do not match:signature do not match
> FAIL
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file.
>
> It seems like the hash is ok (?), but not the signature.
>
> (Moreover, there's no problem with the client public key, as I can
> decipher text asymmetrically encrypted by this same key.)
>
> I read here http://www.w3.org/2007/xmlsec/ws/papers/10-ertel/ that the
> handling of this type of ("#xpointer) URI can be subject to two
> different handling, due to two interpretations (both right !) of the
> same norm, i.e :
>
> One interpretation says that the signed URI must remain unchanged:
>
> "#xpointer(//*[@authenticate='true'])",
>
> while the other one demands escaping which makes the URI look like this:
>
> "#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"
>
> So the main question is : could it be this type of problem in my case,
> or is the problem that I'm facing due to another totally different cause?
>
> Thanks for your kind help!
>
> Sébastien Brossard
>
> [EMAIL PROTECTED]
>
> PS :
>
> By the way, here's the xml string that I try to verify :
>
> <?xml version="1.0" encoding="UTF-8"?>
> <ebicsNoPubKeyDigestsRequest Revision="1" Version="H001"
>     xsi:schemaLocation="http://www.ebics.org/H001
>     http://www.ebics.org/H001/ebics_keymgmt_request.xsd"
>     xmlns="http://www.ebics.org/H001"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <header authenticate="true">
>     <static>
>       <HostID>EBICSFR</HostID>
>       <Nonce>DB545BDC437B95999202C6EA69393A6E</Nonce>
>       <Timestamp>2008-04-22T09:29:24.838Z</Timestamp>
>       <PartnerID>SEB</PartnerID>
>       <UserID>USERID</UserID>
>       <OrderDetails>
>         <OrderType>HPB</OrderType>
>         <OrderAttribute>DZHNN</OrderAttribute>
>       </OrderDetails>
>       <SecurityMedium>0400</SecurityMedium>
>     </static>
>     <mutable/>
>   </header>
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod
>         Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <ds:SignatureMethod
>         Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <ds:Reference URI="#xpointer(//*[@authenticate='true'])">
>         <ds:Transforms>
>           <ds:Transform
>             Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>         </ds:Transforms>
>         <ds:DigestMethod
>           Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <ds:DigestValue>jyF+PD4mQ6P5q4krG/spn0tNc7w=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>EhinV8z06LDoNdeeYebT/Z9UGF0EZViPHexD6H2e5EgPWD8OBV1hYnro2
> KJ48N9WMyIf4UkZzKLWSIV4IfIcjtDYzUsLZFke6kL3BKGeFe2jAuAlGyHVD/MUxEU3Fsg6Qkqkn
> kQrybjiX1FA9SFdBzyjN8d/9qksRQZXmjkuBNM=</ds:SignatureValue>
>   </Signature>
>   <body/>
> </ebicsNoPubKeyDigestsRequest>
>
> And here's the public key of the client software :
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Keys xmlns="http://www.aleksey.com/xmlsec/2002">
>   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <KeyValue>
>       <RSAKeyValue>
>         <Modulus>AMWVUq4RSou1Dy4VaNIEkIBLddfysftYsXI5Hg+bncOYuDQFlU31B2kqSyzYhXXelhv
> hkSXTgNuBGwnf1VFw+VbVR/kVjDhvt2vgPjfKpbXJEEmy8QxJpSpsUFW9DbVbWocnzkxEZJzM7VK
> KyBdKXiMWT3wdhRIrqxaLc/NX+S+H</Modulus>
>         <Exponent>AQAB</Exponent>
>       </RSAKeyValue>
>     </KeyValue>
>   </KeyInfo>
> </Keys>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec@aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
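
Added example (not part of the original thread and not xmlsec code): a diagnostic for the "References 1/1 ok, signature do not match" symptom reported above. It recovers the SHA-1 digest that was actually signed from SignatureValue with the RSA public key, then compares it with the digest of SignedInfo under each spelling of the Reference URI. SIGNED_INFO is a constructed, simplified stand-in for the C14N output of the real SignedInfo, and all function names are hypothetical.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

# DigestInfo prefix for SHA-1 in PKCS#1 v1.5 signatures (RFC 8017, 9.2)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
XPATH = "//*[@authenticate='true']"  # expression from the thread
# Constructed, simplified SignedInfo; a real check digests its C14N output.
SIGNED_INFO = ('<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
               '<ds:Reference URI="{uri}"></ds:Reference></ds:SignedInfo>')

def uri_forms(xpath):
    """The two Reference URI spellings discussed in the thread."""
    return {"unescaped": "#xpointer(" + xpath + ")",
            "escaped": "#xpointer(" + quote(xpath, safe="*") + ")"}

def same_selection(uri_a, uri_b):
    """True when both URIs decode to the same XPointer expression."""
    return unquote(uri_a) == unquote(uri_b)

def candidate_digests(template, xpath):
    """SHA-1 of SignedInfo per URI spelling (the URI is part of the signed bytes)."""
    return {name: hashlib.sha1(template.format(uri=uri).encode("utf-8")).digest()
            for name, uri in uri_forms(xpath).items()}

def recover_signed_digest(signature_b64, modulus_b64, exponent_b64):
    """Apply the RSA public key to SignatureValue; return the SHA-1 digest that
    was signed, or None if the PKCS#1 v1.5 encoding is not well formed."""
    n = int.from_bytes(base64.b64decode(modulus_b64), "big")
    e = int.from_bytes(base64.b64decode(exponent_b64), "big")
    s = int.from_bytes(base64.b64decode(signature_b64), "big")
    if s >= n:
        return None
    k = (n.bit_length() + 7) // 8
    em = pow(s, e, n).to_bytes(k, "big")
    pad_len = k - 3 - len(SHA1_PREFIX) - 20  # count of 0xFF padding bytes
    expected = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + SHA1_PREFIX
    if pad_len < 8 or em[:-20] != expected:
        return None
    return em[-20:]

def which_form_was_signed(signed_digest, candidates):
    """Name of the URI spelling whose SignedInfo digest matches, else None."""
    return next((n for n, d in candidates.items() if d == signed_digest), None)
```

If neither candidate matches the recovered digest, the mismatch lies elsewhere in how SignedInfo was canonicalized, not in the URI spelling.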