I was a little stupid and tried to verify the same string as the DigestValue was created over, but of course I had to use the SignedInfo. So I can properly verify what I signed myself, and I'm now pretty sure the problem is all on their end.
Thanks for the help. Kurt On Mon, Nov 26, 2012 at 12:10:29PM -0800, Aleksey Sanin wrote: > Try xmlsec with --store-signatures option > > Aleksey > > On 11/26/12 12:06 PM, Kurt Roeckx wrote: > > I'm actually still looking at this, and it seems they have a problem > > with the files I generated as well. > > > > The DigestValue seems to be correct. But the signature seems to > > be incorrect for some reason. > > > > I created a canonical version of my xml file, and sha256sum > > reports the same as the value in DigestValue. So I don't think > > I'm having problems with things like whitespace in my file. > > > > However when I put the decoded value of the SignatureValue in > > a file and try to use openssl dgst to verify the signuatre the > > check fails. I can verify my signed xml file with the library, > > so it's making no sense to me at this time. > > > > I can't seem to generate the canonical xml file for the file > > they send me. The sha256sum for the file I generated is wrong, > > but the library seems to say it has the correct DigestValue. > > So I must be doing something wrong here. > > > > > > Kurt > > > > On Mon, Nov 26, 2012 at 10:40:46AM -0800, Aleksey Sanin wrote: > >> Great. From experience, most likely reasons for that are: > >> 1) Whitespaces and line ends are important in XML (and signatures). > >> 2) C14N is not as easy as it sounds. > >> > >> Best, > >> > >> Aleksey > >> > >> On 11/25/12 12:20 PM, Kurt Roeckx wrote: > >>> On Sun, Nov 25, 2012 at 08:24:28PM +0100, Kurt Roeckx wrote: > >>>> I'm starting to get convinced that the file I'm getting > >>>> isn't properly signed, or not with the key the claim it's > >>>> signed with. > >>> > >>> I can verify the file I generate myself and sign myself, so > >>> I'll just blame the other side. > >>> > >>> > >>> Kurt > >>> > >> > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
