Hello,

Ken was right. I fixed the problem by adding transform nodes. But this is not
an XAdES signature yet. I'm working on it.

I'm attaching the resulting xml. I can sign and verify it using xmlsec.

Alfredo


2012/11/4 Alfredo Esteban <[email protected]>

> Hello Ken,
>
> Thanks a lot for your help. I will study the UBL example, modify mine
> and write here the results.
>
> Alfredo
>
> 2012/11/3 G. Ken Holman <[email protected]>:
> > At 2012-11-03 15:07 +0100, Alfredo Esteban wrote:
> >>
> >> Hello,
> >>
> >> I was verifying whether xmlsec supports XAdES signature (Does it?). As
> >> you probably know, XAdES is an European extension of XMLsign.
> >>
> >> I'm able to sign the attached XAdES template without errors but
> >> xmlsec1 is not able to verify its own resulting signature:
> >>
> >> > xmlsec1 --version
> >> xmlsec1 1.2.18 (openssl)
> >>
> >> > xmlsec1 sign --pkcs12 ../../certificado-ceres-alfredo-esteban.p12 --output hola.xsig --pwd xxxxxxxxxxxxx ejemplo-xades-enveloped.xml
> >>
> >> > xmlsec1 verify --trusted-der aet-cert.der ejemplo-xades-enveloped.xsig
> >> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
> >> FAIL
> >> SignedInfo References (ok/all): 1/2
> >> Manifests References (ok/all): 0/0
> >> Error: failed to verify file "ejemplo-xades-enveloped.xsig"
> >>
> >> Is it a bug? Any help is welcome.
> >
> >
> > I think not.  I think it is an issue with your signature.
> >
> > I designed the XML scaffolding for OASIS UBL documents and I'm told there
> > are a number of users of XAdES in Europe who are signing UBL documents using
> > it.  An example is found here, and you can see a couple of XAdES fields
> > under the ds:Object element:
> >
> > http://docs.oasis-open.org/ubl/prd2-UBL-2.1/xml/UBL-Invoice-2.0-Enveloped.xml
> >
> > I used xmlsec to sign and validate this document.  The environment that I
> > publish to sign and to validate UBL documents can be found here:
> >
> >  http://www.CraneSoftwrights.com/resources/ubl/#digsig
> >
> > Looking at the example UBL Invoice cited above, comparing it to the document
> > you attached to your post, I note that the UBL document has a <ds:Transform>
> > element that tells the processor to ignore everything under
> > <sig:UBLDocumentSignatures> when calculating the signature.  Thus, when the
> > signature information is added by the signing process under the
> > <sig:UBLDocumentSignatures> element, that added information does not change
> > what is calculated to determine the signature information at validation
> > time.
> >
> > If I've interpreted your situation correctly, the process that is
> > calculating the signature for your XML is signing the entire document, and
> > then you go and change what is signed by adding the signature information to
> > the document without protecting it.  When the signature validation process
> > acts on your document, it now contains the signature information which gets
> > incorporated in the calculations and will never be correct.
> >
> > If, however, you included a <ds:Transform> element in your document in order
> > to protect the signing process from incorporating the added signature, then
> > the validation process will ignore the added signature and come to the same
> > calculations as the signing process.
> >
> > At least that is what I think is going on.
> >
> > I hope this helps.
> >
> > . . . . . . . . . Ken
> >
> >
> > --
> > Contact us for world-wide XML consulting and instructor-led training
> > Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
> > Crane Softwrights Ltd.            http://www.CraneSoftwrights.com/z/
> > G. Ken Holman                   mailto:[email protected]
> > Google+ profile: https://plus.google.com/116832879756988317389/about
> > Legal business disclaimers:    http://www.CraneSoftwrights.com/legal
> >
> > _______________________________________________
> > xmlsec mailing list
> > [email protected]
> > http://www.aleksey.com/mailman/listinfo/xmlsec
>
<?xml version="1.0" encoding="UTF-8"?>
<documento id="documento">
    <titulo id="titulo">Documento de pruebas</titulo>
    <descripcion id="descripcion">Documento destinado a realizar pruebas de firma</descripcion>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:etsi="http://uri.etsi.org/01903/v1.3.2#" Id="Signature504735">
        <ds:SignedInfo Id="Signature-SignedInfo1024952">
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference Id="SignedPropertiesID429729" Type="http://uri.etsi.org/01903#SignedProperties" URI="#Signature504735-SignedProperties48056">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue></ds:DigestValue>
            </ds:Reference>
            <ds:Reference URI="#Certificate1237555">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue></ds:DigestValue>
            </ds:Reference>
            <ds:Reference Id="Reference-ID-200615" URI="">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue></ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue Id="SignatureValue552465">
        </ds:SignatureValue>
        <ds:KeyInfo Id="Certificate1237555">
            <ds:X509Data>
                <ds:X509Certificate>
                </ds:X509Certificate>
            </ds:X509Data>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus></ds:Modulus>
                    <ds:Exponent></ds:Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
        </ds:KeyInfo>
        <ds:Object Id="Signature504735-Object873466">
            <etsi:QualifyingProperties Target="#Signature504735">
                <etsi:SignedProperties Id="Signature504735-SignedProperties48056">
                    <etsi:SignedSignatureProperties>
                        <etsi:SigningTime></etsi:SigningTime>
                        <etsi:SigningCertificate>
                            <etsi:Cert>
                                <etsi:CertDigest>
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                    <ds:DigestValue></ds:DigestValue>
                                </etsi:CertDigest>
                                <etsi:IssuerSerial>
                                    <ds:X509IssuerName></ds:X509IssuerName>
                                    <ds:X509SerialNumber></ds:X509SerialNumber>
                                </etsi:IssuerSerial>
                            </etsi:Cert>
                        </etsi:SigningCertificate>
                    </etsi:SignedSignatureProperties>
                    <etsi:SignedDataObjectProperties>
                        <etsi:DataObjectFormat ObjectReference="#Reference-ID-200615">
                            <etsi:Description></etsi:Description>
                            <etsi:MimeType></etsi:MimeType>
                        </etsi:DataObjectFormat>
                    </etsi:SignedDataObjectProperties>
                </etsi:SignedProperties>
            </etsi:QualifyingProperties>
        </ds:Object>
    </ds:Signature>
</documento>
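The mechanism Ken describes in the quoted reply, as an added model in standard-library Python (not code from the thread, from xmlsec or from the UBL project): a Reference with URI="" is digested once at signing time; if the Reference declares no enveloped-signature transform, the ds:Signature element written into the document becomes part of the digested bytes and verification can never match, whereas with the transform the verifier strips the signature again and sees exactly what the signer saw. The sample document is constructed from the attachment above, the Id value Signature504735 is reused from the template, and canonicalization is xml.etree's canonicalize(), which implements C14N 2.0 rather than the 2001 C14N 1.0 the template names, so the digests differ from xmlsec's while the behaviour is the same. SignatureValue, KeyInfo and the XAdES QualifyingProperties are left out; only the document Reference is modelled.

```python
"""Why an enveloped XMLDSig Reference with URI="" needs the
enveloped-signature transform (added illustration, not xmlsec code)."""
import copy
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS_NS + "enveloped-signature"
SIG_ID = "Signature504735"  # Id taken from the template in the thread

ET.register_namespace("ds", DS_NS)

# Constructed sample: the thread's <documento> before any signature is added.
UNSIGNED_DOC = (
    '<documento id="documento">'
    '<titulo id="titulo">Documento de pruebas</titulo>'
    '<descripcion id="descripcion">'
    'Documento destinado a realizar pruebas de firma</descripcion>'
    '</documento>'
)


def ds(local):
    """Clark-notation tag for an XMLDSig element."""
    return "{%s}%s" % (DS_NS, local)


def reference_digest(doc_root, transforms, signature_id):
    """Digest for a Reference with URI="" (the whole document) after the
    declared transforms. Only enveloped-signature is modelled: it removes the
    ds:Signature element that contains the Reference being processed."""
    node = copy.deepcopy(doc_root)
    if ENVELOPED in transforms:
        for sig in node.findall(ds("Signature")):
            if sig.get("Id") == signature_id:
                node.remove(sig)
    # C14N 2.0 here; xmlsec applies the 2001 C14N 1.0 named in the template.
    canonical = ET.canonicalize(ET.tostring(node, encoding="unicode"))
    # SHA-1 matches the template's DigestMethod; new deployments should use SHA-256.
    return hashlib.sha1(canonical.encode("utf-8")).hexdigest()


def sign_enveloped(unsigned_xml, transforms):
    """Signing step: digest the document, then insert a ds:Signature that
    carries that digest and the transforms declared for it."""
    root = ET.fromstring(unsigned_xml)
    digest = reference_digest(root, transforms, SIG_ID)
    sig = ET.SubElement(root, ds("Signature"), Id=SIG_ID)
    signed_info = ET.SubElement(sig, ds("SignedInfo"))
    ref = ET.SubElement(signed_info, ds("Reference"), URI="")
    if transforms:
        holder = ET.SubElement(ref, ds("Transforms"))
        for algorithm in transforms:
            ET.SubElement(holder, ds("Transform"), Algorithm=algorithm)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=DS_NS + "sha1")
    ET.SubElement(ref, ds("DigestValue")).text = digest
    return root


def verify_enveloped(root):
    """Verification step: read the transforms back from the Reference,
    recompute the digest over the document as it now stands, and compare."""
    sig = root.find(ds("Signature"))
    ref = sig.find(ds("SignedInfo") + "/" + ds("Reference"))
    transforms = [t.get("Algorithm")
                  for t in ref.findall(ds("Transforms") + "/" + ds("Transform"))]
    expected = ref.findtext(ds("DigestValue"))
    return reference_digest(root, transforms, sig.get("Id")) == expected


def demo():
    """Without the transform the signature digests itself and fails; with it,
    the verifier sees the same bytes the signer saw."""
    return {
        "without_transform": verify_enveloped(sign_enveloped(UNSIGNED_DOC, ())),
        "with_transform": verify_enveloped(sign_enveloped(UNSIGNED_DOC, (ENVELOPED,))),
    }


def tampered_after_signing():
    """The transform excludes only the signature itself: a change to the
    signed content is still detected."""
    root = sign_enveloped(UNSIGNED_DOC, (ENVELOPED,))
    root.find("titulo").text = "Documento modificado"
    return verify_enveloped(root)


if __name__ == "__main__":
    print(demo())                    # {'without_transform': False, 'with_transform': True}
    print(tampered_after_signing())  # False
```

The third Reference in the attached template (URI="", with the enveloped-signature transform) is the one this models; the transform is what lets xmlsec1 verify its own output, and it still catches any edit to the document body.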