At 2012-11-03 15:07 +0100, Alfredo Esteban wrote:
Hello,
I was verifying whether xmlsec supports XAdES signatures (Does it?). As
you probably know, XAdES is a European extension of XMLsign.
I'm able to sign the attached XAdES template without errors but
xmlsec1 is not able to verify its own resulting signature:
> xmlsec1 --version
xmlsec1 1.2.18 (openssl)
> xmlsec1 sign --pkcs12 ../../certificado-ceres-alfredo-esteban.p12
--output hola.xsig --pwd xxxxxxxxxxxxx ejemplo-xades-enveloped.xml
> xmlsec1 verify --trusted-der aet-cert.der
ejemplo-xades-enveloped.xsig
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 1/2
Manifests References (ok/all): 0/0
Error: failed to verify file "ejemplo-xades-enveloped.xsig"
Is it a bug? Any help is welcome.
I think not. I think it is an issue with your signature.
I designed the XML scaffolding for OASIS UBL documents and I'm told
there are a number of users of XAdES in Europe who are signing UBL
documents using it. An example is found here, and you can see a
couple of XAdES fields under the ds:Object element:
http://docs.oasis-open.org/ubl/prd2-UBL-2.1/xml/UBL-Invoice-2.0-Enveloped.xml
I used xmlsec to sign and validate this document. The environment
that I publish to sign and to validate UBL documents can be found here:
http://www.CraneSoftwrights.com/resources/ubl/#digsig
Looking at the example UBL Invoice cited above, comparing it to the
document you attached to your post, I note that the UBL document has
a <ds:Transform> element that tells the processor to ignore
everything under <sig:UBLDocumentSignatures> when calculating the
signature. Thus, when the signature information is added by the
signing process under the <sig:UBLDocumentSignatures> element, that
added information does not change what is calculated to determine the
signature information at validation time.
If I've interpreted your situation correctly, the process that is
calculating the signature for your XML is signing the entire
document, and then you go and change what is signed by adding the
signature information to the document without protecting it. When
the signature validation process acts on your document, it now
contains the signature information which gets incorporated in the
calculations and will never be correct.
If, however, you included a <ds:Transform> element in your document
in order to protect the signing process from incorporating the added
signature, then the validation process will ignore the added
signature and come to the same calculations as the signing process.
At least that is what I think is going on.
I hope this helps.
. . . . . . . . . Ken
--
Contact us for world-wide XML consulting and instructor-led training
Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/z/
G. Ken Holman mailto:[email protected]
Google+ profile: https://plus.google.com/116832879756988317389/about
Legal business disclaimers: http://www.CraneSoftwrights.com/legal
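An added example, not from this thread and not xmlsec's own code, modelling Ken's explanation: a ds:Reference digest over the whole document, recomputed by the verifier with and without the enveloped-signature transform. The sample invoice and the ds:Signature element are constructed; canonicalization uses the Python stdlib C14N 1.0 implementation.

```python
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
ET.register_namespace("ds", DS_NS)

# Constructed sample document, standing in for the document being signed.
DOC = "<Invoice><ID>1</ID><Total>10.00</Total></Invoice>"
# Constructed stand-in for the ds:Signature element that signing appends.
SIG = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>'
       'c2FtcGxl</ds:SignatureValue></ds:Signature>' % DS_NS)


def reference_digest(xml_text, transforms=()):
    """Model a ds:Reference with URI="" (whole document): apply the listed
    transforms, canonicalize (C14N 1.0 via the stdlib) and SHA-1 the result."""
    root = ET.fromstring(xml_text)
    if ENVELOPED in transforms:
        # enveloped-signature transform: remove every ds:Signature subtree
        # so the digest covers the same octets before and after signing.
        sig_tag = "{%s}Signature" % DS_NS
        for parent in list(root.iter()):
            for child in list(parent):
                if child.tag == sig_tag:
                    parent.remove(child)
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha1(c14n.encode("utf-8")).hexdigest()


def envelope_signature(xml_text, sig_text=SIG):
    """Append the signature element under the document root, as an
    enveloped signature does."""
    root = ET.fromstring(xml_text)
    root.append(ET.fromstring(sig_text))
    return ET.tostring(root, encoding="unicode")


def verify_reference(signed_xml, digest_at_signing, transforms=()):
    """Verifier side: recompute the Reference digest and compare."""
    return reference_digest(signed_xml, transforms) == digest_at_signing


def demo():
    digest = reference_digest(DOC)  # computed before the signature exists
    signed = envelope_signature(DOC)
    tampered = signed.replace("10.00", "99.00")
    return {
        # no transform: the added ds:Signature changes the digested data
        "no_transform": verify_reference(signed, digest),
        # enveloped-signature transform: verifier sees what the signer saw
        "enveloped": verify_reference(signed, digest, (ENVELOPED,)),
        # the transform excludes only the signature, not the payload
        "enveloped_tampered": verify_reference(tampered, digest, (ENVELOPED,)),
    }
```

The transform must be listed in the Reference of the template itself, because both the signer and the verifier read it from there; stripping the signature only on one side reproduces the mismatch shown in the first case.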
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec