Re: [xmlsec] error on signature verification

Tue, 27 Apr 2010 16:02:53 -0700 

The xmlsec1 utility tries to find the ds:Signature element
in the sub-tree specified by --node-id or --node-name
parameter. The document you have looks as follows (irrelevant
pieces are removed):

<EnvioDTE>
        <SetDTE ID="DTE1272374641984">
                <DTE>
                        <Documento ID="F185T33">
                        </Document>
                        <ds:Signature>
                        </ds:SignedInfo>
                </DTE>
        </SetDTE>
        <ds:Signature>
        </ds:Signature>
</EnvioDTE>

I am not exactly sure why the first command verified something
(I would expect it to do nothing since there are no signature nodes
in the subtree). But the second command correctly finds the
first signature element in the subtree specified by the --node-id
or --node-name parameter (BTW, you just need one parameter :) ).

For documents with multiple signatures, I strongly recommend to
put ID attribute directly into <ds:Signature> node. This way you
can easily specify the right signature node to sign or verify.

Regarding the error about xpointer(), please read section 3.4
from FAQ

http://www.aleksey.com/xmlsec/faq.html

Aleksey




On 4/27/2010 3:15 PM, [email protected] wrote:

  Aleksey,

  I'm trying to validate the attached document, so I'm using
  two command lines to verify both signatures:

  xmlsec1 --verify --print-debug \
--print-crypto-error-msgs \
--id-attr:ID 'http://www.sii.cl/SiiDte:Documento' \
--node-name 'http://www.sii.cl/SiiDte:Documento' \
--node-id 'F185T33' \
documento-20100427.1.xml 2>&1

xmlsec1 --verify --print-debug \
--print-crypto-error-msgs \
--id-attr:ID 'http://www.sii.cl/SiiDte:SetDTE' \
--node-name 'http://www.sii.cl/SiiDte:SetDTE' \
--node-id 'DTE1272374641984' \
documento-20100427.1.xml 2>&1

With first one, the signature is validated and it's ok, but the second one 
seems to try to verify the
first '#F185T33' instead of the second one '#DTE1272374641984', and I get this 
error message:

Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "documento-20100427.1.xml"
= VERIFICATION CONTEXT
== Status: unknown

And the trace seems to be looking at the   first URI:

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
library function failed:expr=xpointer(id('F185T33'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec
library function failed:

Thanks in advance,



_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec

Reply via email to