Hello, 
I have a question regarding signature verification for enveloped signatures.
The question seems related to previous discussions in the forum:

http://www.aleksey.com/pipermail/xmlsec/2010/008910.html
http://www.aleksey.com/pipermail/xmlsec/2010/008911.html
http://www.aleksey.com/pipermail/xmlsec/2012/009340.html
http://www.aleksey.com/pipermail/xmlsec/2012/009341.html

But even with the help of the previous posts I have not been able to verify my XML file.
I have tried the command line application "xmlsec1", as well as writing code, but it seems the same problem happens in both cases, so I will show the code below, which is similar to the "verify3.c" example application shipped with the xmlsec library.


The relevant code part looks like this (written in C++):
==================================================
    std::cout << "Will find start node" << std::endl;

    // find start node
    xmlNodePtr node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
    if(node == NULL)
    {
        throw std::string("Start node not found in XML file");
    }

    std::cout << "-Found this node: \"" << node->name << "\"" << std::endl;

    // create signature context
    xmlSecDSigCtxPtr dsigCtx = xmlSecDSigCtxCreate(mngr);
    if(dsigCtx == NULL)
    {
        throw std::string("failed to create signature context");
    }
==================================================


When I run the application I get the following output:

-----------------------------------
Will verify file
Will load file: signedmod.xml
Will find start node
-Found this node: "Signature"
Will verify signature
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('SignedRouting'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2395:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1226:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1286:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: 
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: 
Error: signature verify
-----------------------------------


The input XML file is shown at the end of this email (also see the attached file signedxml.xml).


As can be seen from the output, the call to xmlSecFindNode() succeeds, and the node found is "Signature":
      -Found this node: "Signature"

However, after this the call to xmlSecDSigCtxCreate() fails.

My guess is that first the "Signature" node is (correctly) found, but since this is an enveloped signature rather than an enveloping signature, the call fails.

I have looked through the example XML files at the xmlsec online verifier web page:
http://www.aleksey.com/xmlsec/xmldsig-verifier.html

In those examples, the "Signature" tag is the outermost tag, with everything else contained in it.
However, in my case, the "Signature" tag is embedded in other tags that should be included in the signature.

I guess the problem is that the "Signature" tag is found, but not everything needed to verify the signature is contained in that tag. Instead, some information is outside of the tag.

So the question is, how should I solve this?
Can you give some hints on how I should implement the signature verification for my XML document?

The XML document will always have the same structure/XML schema, so it would be possible to hard-code search paths etc. rather than making the solution generic enough for all kinds of documents.


Regards
/Magnus




+++++++++++++++++++++++++++++++++
<soap:Envelope xmlns:myapp="http://www.mycompany.com/myapp"
               xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
  <soap:Header>
    <myapp:Routing Filename="testfile.docx" ID="SignedRouting">
      <myapp:Transforms>
        <myapp:Transform Order="1" Type="Base64"></myapp:Transform>
      </myapp:Transforms>
    </myapp:Routing>
    <myapp:MyWorker ID="SignedMyWorker"></myapp:MyWorker>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#SignedRouting">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>RHhNanfgz950DdpZUZeX3zNdvmY=</DigestValue>
        </Reference>

        <Reference URI="#SignedBody">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>jdfsfsdlfkjsdflkjsdflkjdsf</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>poisdufsoifusdofiusdoifusdfpuidsf</SignatureValue>
      <KeyInfo>
        <KeyValue>
          <RSAKeyValue>
            <Modulus>ksfhsdkhfsdkjfhskdhf</Modulus>
            <Exponent>AQAB</Exponent>
          </RSAKeyValue>
        </KeyValue>
      </KeyInfo>
    </Signature>
  </soap:Header>
  <soap:Body ID="SignedBody">
    <myapp:FileData>
      <![CDATA[UEIUYIUYUIYUIYUIYUIY
]]>
    </myapp:FileData>
  </soap:Body>
</soap:Envelope>
+++++++++++++++++++++++++++++++++


Attachment: signedmod.xml
Description: XML document
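Added example, not part of the post and not xmlsec code: a stand-alone Python walk-through of the two steps that matter for the document above when a `<Reference URI="#SignedRouting">` is dereferenced. The first error in the log, `xmlXPtrEval` failing on `xpointer(id('SignedRouting'))`, is what you get when the parser has not been told that the `ID` attribute is of type ID (there is no DTD or schema declaring it); the xmlsec1 command line addresses that with its `--id-attr` option and the C API with `xmlSecAddIDs()`. The script below mirrors that registration step with an explicit `id_attrs` list, applies the enveloped-signature transform (a no-op here, since the `Signature` element is a sibling of `Routing`, not inside it), and reports which ID-bearing elements are covered by no Reference at all (`MyWorker` in this document, which is therefore unsigned). It uses only the standard library; the embedded `SAMPLE` is a constructed copy of the post's envelope with its placeholder base64 values, so canonicalization, digest and RSA checks are deliberately not performed.

```python
# Added illustration, not xmlsec code: same-document Reference resolution and
# the enveloped-signature transform with the standard library only (no C14N,
# no digest or RSA check).  The id_attrs registration is what the failing run lacks.
import copy
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the post's envelope with its base64 placeholders kept.
SAMPLE = """<soap:Envelope xmlns:myapp="http://www.mycompany.com/myapp"
 xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
  <soap:Header>
    <myapp:Routing Filename="testfile.docx" ID="SignedRouting">
      <myapp:Transforms><myapp:Transform Order="1" Type="Base64"/></myapp:Transforms>
    </myapp:Routing><myapp:MyWorker ID="SignedMyWorker"/>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#SignedRouting"><Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>RHhNanfgz950DdpZUZeX3zNdvmY=</DigestValue></Reference>
        <Reference URI="#SignedBody"><Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>placeholder</DigestValue></Reference>
      </SignedInfo><SignatureValue>placeholder</SignatureValue>
    </Signature>
  </soap:Header>
  <soap:Body ID="SignedBody"><myapp:FileData><![CDATA[UEIUYIUYUIYUIYUIYUIY]]></myapp:FileData></soap:Body>
</soap:Envelope>"""


def build_id_index(root, id_attrs):
    """Map ID values to elements for the attributes the caller declares as IDs.
    Without a DTD/schema libxml2 does not know myapp:Routing/@ID is of type ID,
    so xpointer(id('SignedRouting')) yields nothing: the first error in the log."""
    index = {}
    for elem in root.iter():
        for attr in id_attrs:
            value = elem.get(attr)
            if value is not None:
                if value in index:  # ambiguous ID: a decoy element could be swapped in
                    raise ValueError(f"duplicate ID value {value!r}")
                index[value] = elem
    return index


def _path_to(root, target):
    """Child-index path from root down to target, or None if target is not beneath it."""
    if root is target:
        return []
    for i, child in enumerate(root):
        sub = _path_to(child, target)
        if sub is not None:
            return [i] + sub
    return None


def enveloped_transform_input(referenced, signature):
    """Digest input after the enveloped-signature transform: a copy of the
    referenced element with the enclosing Signature cut out.  Returns (subtree,
    removed); removed is False when the Signature is not beneath the referenced
    element (as in the post, where Signature is a sibling of Routing)."""
    path = _path_to(referenced, signature)
    work = copy.deepcopy(referenced)
    if path is None:
        return work, False
    if not path:
        raise ValueError("Reference must not point at the Signature itself")
    parent = work
    for i in path[:-1]:
        parent = parent[i]
    parent.remove(parent[path[-1]])
    return work, True


def analyze(xml_text, id_attrs=("ID",)):
    """Resolve each Reference; list ID-bearing elements that no Reference covers."""
    root = ET.fromstring(xml_text)
    signature = root.find(f".//{{{DSIG_NS}}}Signature")
    if signature is None:
        raise ValueError("no ds:Signature element in document")
    index = build_id_index(root, id_attrs)
    report = {"resolved": {}, "unresolved": [], "unreferenced_ids": []}
    for ref in signature.iterfind(f"./{{{DSIG_NS}}}SignedInfo/{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        target = index.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            report["unresolved"].append(uri)
            continue
        subtree, removed = enveloped_transform_input(target, signature)
        # A real verifier canonicalizes `subtree` and compares its digest with
        # DigestValue; anything listed in "unreferenced_ids" is simply not signed.
        report["resolved"][uri] = {"element": target.tag,
                                   "signature_removed": removed, "input": subtree}
    report["unreferenced_ids"] = sorted(set(index) - {u[1:] for u in report["resolved"]})
    return report


if __name__ == "__main__":
    for attrs in ((), ("ID",)):  # the first run reproduces the post's failure mode
        rep = analyze(SAMPLE, attrs)
        print(f"id_attrs={attrs}: resolved={sorted(rep['resolved'])} "
              f"unresolved={rep['unresolved']} unreferenced={rep['unreferenced_ids']}")
```

Running it with an empty `id_attrs` leaves both References unresolved, which is the situation the log shows; with `("ID",)` both resolve, and the report also flags `SignedMyWorker` as an ID that no Reference covers. That last check is the one worth keeping in a real verifier: a signature only protects what its References point to, and a document with the right structure and a valid signature can still carry unsigned elements next to the signed ones.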

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
