Hello Ken, Thanks a lot for your help. I will study the UBL example, modify mine and write here the results.
Alfredo

2012/11/3 G. Ken Holman <[email protected]>:
> At 2012-11-03 15:07 +0100, Alfredo Esteban wrote:
>>
>> Hello,
>>
>> I was verifying whether xmlsec supports XAdES signature (Does it?). As
>> you probably know, XAdES is a European extension of XMLsign.
>>
>> I'm able to sign the attached XAdES template without errors but
>> xmlsec1 is not able to verify its own resulting signature:
>>
>> > xmlsec1 --version
>> xmlsec1 1.2.18 (openssl)
>>
>> > xmlsec1 sign --pkcs12 ../../certificado-ceres-alfredo-esteban.p12
>> > --output hola.xsig --pwd xxxxxxxxxxxxx ejemplo-xades-enveloped.xml
>>
>> > xmlsec1 verify --trusted-der aet-cert.der ejemplo-xades-enveloped.xsig
>> > func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
>> > data:data and digest do not match
>> FAIL
>> SignedInfo References (ok/all): 1/2
>> Manifests References (ok/all): 0/0
>> Error: failed to verify file "ejemplo-xades-enveloped.xsig"
>>
>> Is it a bug? Any help is welcome.
>
>
> I think not. I think it is an issue with your signature.
>
> I designed the XML scaffolding for OASIS UBL documents and I'm told there
> are a number of users of XAdES in Europe who are signing UBL documents using
> it. An example is found here, and you can see a couple of XAdES fields
> under the ds:Object element:
>
> http://docs.oasis-open.org/ubl/prd2-UBL-2.1/xml/UBL-Invoice-2.0-Enveloped.xml
>
> I used xmlsec to sign and validate this document. The environment that I
> publish to sign and to validate UBL documents can be found here:
>
> http://www.CraneSoftwrights.com/resources/ubl/#digsig
>
> Looking at the example UBL Invoice cited above, comparing it to the document
> you attached to your post, I note that the UBL document has a <ds:Transform>
> element that tells the processor to ignore everything under
> <sig:UBLDocumentSignatures> when calculating the signature. Thus, when the
> signature information is added by the signing process under the
> <sig:UBLDocumentSignatures> element, that added information does not change
> what is calculated to determine the signature information at validation
> time.
>
> If I've interpreted your situation correctly, the process that is
> calculating the signature for your XML is signing the entire document, and
> then you go and change what is signed by adding the signature information to
> the document without protecting it. When the signature validation process
> acts on your document, it now contains the signature information which gets
> incorporated in the calculations and will never be correct.
>
> If, however, you included a <ds:Transform> element in your document in order
> to protect the signing process from incorporating the added signature, then
> the validation process will ignore the added signature and come to the same
> calculations as the signing process.
>
> At least that is what I think is going on.
>
> I hope this helps.
>
> . . . . . . . . . Ken
>
>
> --
> Contact us for world-wide XML consulting and instructor-led training
> Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
> Crane Softwrights Ltd. http://www.CraneSoftwrights.com/z/
> G. Ken Holman mailto:[email protected]
> Google+ profile: https://plus.google.com/116832879756988317389/about
> Legal business disclaimers: http://www.CraneSoftwrights.com/legal
>
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
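The mechanism Ken describes, as an added illustration that is not part of this thread and not xmlsec's or UBL's code: a Python stand-in (stdlib only, Python 3.8+ for xml.etree's C14N 2.0 canonicalize) that models only the reference-digest step of XML-DSig, which is the step that fails in the output above ("data and digest do not match", with 1 of 2 SignedInfo references OK, so the SignatureValue itself is never reached). Without a transform, the digest is taken over the whole document, the signing process then inserts the signature into that same document, and verification digests different bytes. With the container subtree excluded before digesting, as a ds:Transform under the ds:Reference would declare, both sides hash the same bytes. The sample invoice, the sig: namespace URI and the container element name are constructed for the example; the real template would carry either the standard enveloped-signature transform (http://www.w3.org/2000/09/xmldsig#enveloped-signature, which strips the ds:Signature containing the reference) or, as in the UBL example, a transform that excludes the whole signature container.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

NS_DS = "http://www.w3.org/2000/09/xmldsig#"
# Hypothetical container namespace standing in for UBL's sig: namespace;
# the real UBL namespace URI is not given in the thread, so this is assumed.
NS_SIG = "urn:example:document-signatures"
ET.register_namespace("ds", NS_DS)
ET.register_namespace("sig", NS_SIG)

# Constructed sample: an invoice-like payload with the empty container that
# the signing process later fills, mirroring an enveloped-signature template.
TEMPLATE = (
    f'<Invoice xmlns:sig="{NS_SIG}">'
    "<ID>INV-0001</ID>"
    "<Amount>42.00</Amount>"
    "<sig:DocumentSignatures/>"
    "</Invoice>"
)

CONTAINER = f"{{{NS_SIG}}}DocumentSignatures"


def reference_digest(root, exclude_tag=None):
    """SHA-256 over the canonicalized document (C14N 2.0 from the stdlib).

    When exclude_tag is given, that subtree is removed from a copy first;
    that is the effect of a ds:Transform telling the processor to ignore
    everything under the signature container.
    """
    tree = copy.deepcopy(root)
    if exclude_tag is not None:
        for parent in list(tree.iter()):
            for child in list(parent):
                if child.tag == exclude_tag:
                    parent.remove(child)
    c14n = ET.canonicalize(ET.tostring(tree, encoding="unicode"))
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


def sign(xml_text, exclude_container):
    """Digest the document, then drop a toy ds:Signature carrying the digest
    into the container. Only the reference-digest step is modelled: there is
    no SignedInfo and no private-key SignatureValue."""
    root = ET.fromstring(xml_text)
    value = reference_digest(root, CONTAINER if exclude_container else None)
    container = root.find(CONTAINER)
    signature = ET.SubElement(container, f"{{{NS_DS}}}Signature")
    ET.SubElement(signature, f"{{{NS_DS}}}DigestValue").text = value
    return ET.tostring(root, encoding="unicode")


def verify(signed_xml, exclude_container):
    """Recompute the reference digest with the same transform setting and
    compare it with the stored one, like the failing step in xmlsec1."""
    root = ET.fromstring(signed_xml)
    stored = root.find(f".//{{{NS_DS}}}DigestValue").text
    actual = reference_digest(root, CONTAINER if exclude_container else None)
    return actual == stored


if __name__ == "__main__":
    # Without the transform, the added signature lands inside the digested data.
    print("no transform  :", verify(sign(TEMPLATE, False), False))  # False
    # With the container excluded, signing and verifying hash the same bytes.
    print("with transform:", verify(sign(TEMPLATE, True), True))    # True
    # Excluding the container does not weaken the check on the payload.
    tampered = sign(TEMPLATE, True).replace("42.00", "4200.00")
    print("tampered      :", verify(tampered, True))                # False
```

The exclude_container flag stands in for the declaration that, in a real template, lives inside <ds:Reference><ds:Transforms>; the signer and verifier do not negotiate it, both simply apply whatever transforms the reference declares, which is why the fix belongs in the template rather than in either command line.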
