This is exactly what the --store-references option does :)

Aleksey

On 4/9/14, 10:15 AM, François Plou wrote:
> Hi,
>
> I am trying to discover which XML part is digested, to understand why I
> get a different digest value from the one calculated by the Java XmlDsig API.
> To do that I am trying to add a trace in the code just before the digest
> algorithm, but I have not yet been able to find the right position.
> Could you give me a clue as to where to add a trace in the source code?
>
> Thanks for your help.
>
> Francois
>
>
> On 07/04/2014 14:49, François Plou wrote:
>>
>> Hi,
>>
>> Below is the result of the --store-references option:
>>
>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>> Enter password for "/home/fplou/CA/fplousign.key" file:
>> = SIGNATURE CONTEXT
>> == Status: succeeded
>> == flags: 0x00000006
>> == flags2: 0x00000000
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000002
>> ==== keyUsage: 0x00000001
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Signature Method:
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> == Signature Key:
>> == KEY
>> === method: RSAKeyValue
>> === key type: Private
>> === key usage: -1
>> === rsa key: size = 2048
>> == SignedInfo References List:
>> === list size: 1
>> = REFERENCE CALCULATION CONTEXT
>> == Status: succeeded
>> == URI: "#Manifest"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #Manifest
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == Result - start buffer:
>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>> == Result - end buffer
>> == Manifest References List:
>> === list size: 2
>> = REFERENCE CALCULATION CONTEXT
>> == Status: succeeded
>> == URI: ""
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>   <AcctOpngReq>
>>     <Refs>
>>       <MsgId>
>>         <Id>ABC/090928/CCT001</Id>
>>         <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>       </MsgId>
>>       <PrcId>
>>         <Id>ABC/090928/CCT001</Id>
>>         <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>       </PrcId>
>>     </Refs>
>>     <Acct>
>>       <Id>
>>         <Othr>
>>           <Id>NOREF2</Id>
>>         </Othr>
>>       </Id>
>>       <Tp>
>>         <Cd>CASH</Cd>
>>       </Tp>
>>       <Ccy>USD</Ccy>
>>       <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>       <MnthlyTxNb>100</MnthlyTxNb>
>>       <AvrgBal>10000</AvrgBal>
>>     </Acct>
>>     <CtrctDts>
>>       <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>     </CtrctDts>
>>     <UndrlygMstrAgrmt>
>>       <Ref>ABC/Acct/BBBBUS33</Ref>
>>       <Vrsn>1.0</Vrsn>
>>     </UndrlygMstrAgrmt>
>>     <AcctSvcrId>
>>       <FinInstnId>
>>         <BICFI>BBBBUS33</BICFI>
>>       </FinInstnId>
>>     </AcctSvcrId>
>>     <Org>
>>       <FullLglNm>ABC Corporation</FullLglNm>
>>       <CtryOfOpr>US</CtryOfOpr>
>>       <RegnDt>1999-09-01</RegnDt>
>>       <LglAdr>
>>         <StrtNm>Times Square</StrtNm>
>>         <BldgNb>7</BldgNb>
>>         <PstCd>NY 10036</PstCd>
>>         <TwnNm>New York</TwnNm>
>>         <Ctry>US</Ctry>
>>       </LglAdr>
>>       <OrgId>
>>         <Othr>
>>           <Id>01256485-85</Id>
>>           <SchmeNm>
>>             <Prtry>TAX</Prtry>
>>           </SchmeNm>
>>         </Othr>
>>       </OrgId>
>>       <MainMndtHldr>
>>         <Nm>Richard Jones</Nm>
>>         <PstlAdr>
>>           <AdrTp>HOME</AdrTp>
>>           <StrtNm>La Guardia Drive</StrtNm>
>>           <BldgNb>12</BldgNb>
>>           <PstCd>NJ 07054</PstCd>
>>           <TwnNm>Parsippany</TwnNm>
>>           <Ctry>US</Ctry>
>>         </PstlAdr>
>>         <Id>
>>           <DtAndPlcOfBirth>
>>             <BirthDt>1960-05-01</BirthDt>
>>             <CityOfBirth>New york</CityOfBirth>
>>             <CtryOfBirth>US</CtryOfBirth>
>>           </DtAndPlcOfBirth>
>>         </Id>
>>       </MainMndtHldr>
>>     </Org>
>>     <DgtlSgntr>
>>       <Pty>
>>         <Nm>fplou</Nm>
>>       </Pty>
>>       <Sgntr>
>>
>>       </Sgntr>
>>     </DgtlSgntr>
>>   </AcctOpngReq>
>> </Document>
>> == PreDigest data - end buffer
>> == Result - start buffer:
>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>> == Result - end buffer
>> = REFERENCE CALCULATION CONTEXT
>> == Status: succeeded
>> == URI: "sign.sh"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: sign.sh
>> === uri xpointer expr: NULL
>> === Transform: input-uri (href=NULL)
>> === Transform: membuf-transform (href=NULL)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == PreDigest data - start buffer:
>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>> acmt.007.001.02_1.skel.1sign.object2.xml
>>
>> == PreDigest data - end buffer
>> == Result - start buffer:
>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>> == Result - end buffer
>> == Result - start buffer:
>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>> uD2ZSS1bWu236lKh1elKWw==
>> == Result - end buffer
>>
>>
>> François
>>
>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>> Try the "--store-references" option to see what exactly was signed. Just
>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>> suspicious.
>>>
>>> Aleksey
>>>
>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>> Hi,
>>>>
>>>> I am facing an issue trying to sign an XML document which makes
>>>> reference to an external file.
>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>> verified by a tool like Apache XML Security.
>>>> I am pretty sure there is something missing in the XML document I give
>>>> to xmlsec but can't figure out what.
>>>>
>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>> The command I use is: xmlsec1 --sign --output fpl.xml --privkey <key>
>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>> The output document is fpl.xml
>>>>
>>>> The digest which is not the same as the one computed by Apache XML
>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>
>>>> I found that the expected digest matches the enclosed manifest3.xml file
>>>> (I built it manually).
>>>> So it seems xmlsec is not creating the same manifest part.
>>>>
>>>> Do you have any idea what can be wrong in my
>>>> acmt.007.001.02_1.skel.1sign.object2.xml file? Do I need to add a
>>>> transform?
>>>>
>>>> Thanks for your help.
>>>>
>>>> Francois

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
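Added note and example (not part of the thread, and not xmlsec's code). The DigestValue Aleksey calls suspicious, 2jmj7l5rSw0yVb/vlWAYkK/YBwk=, is the base64 SHA-1 of zero bytes. In the trace above, the "#Manifest" reference runs xpointer, then enveloped-signature, then c14n, and it is the only reference printed without a PreDigest buffer. XML-DSig defines the enveloped-signature transform as removing the enclosing ds:Signature element and everything inside it from the node-set; a ds:Manifest normally sits inside that Signature (under ds:Object), so applying the transform to a "#Manifest" reference leaves an empty node-set and the signer digests nothing. The script below implements that dereferencing and transform logic with the standard library and runs it on a constructed document that mirrors the trace (the DigestValues are copied from the trace; the Id attribute name, the ds: prefix and the placement of the Signature under Sgntr are assumptions). It flags any reference whose declared digest is the empty-input digest, and shows that dropping the enveloped-signature transform from that reference makes it cover real bytes. Its canonical form comes from the standard library's C14N 2.0, which does not byte-match xmlsec's inclusive C14N 1.0 once namespace declarations are inherited from ancestors, so use it to find the reference that signed nothing, not to reproduce the signer's exact digest; --store-references remains the authority for that.

```python
"""Find XML-DSig References that signed nothing (added example, not xmlsec code).
For each <Reference>: dereference "" / "#id" URIs, apply enveloped-signature with
XML-DSig node-set semantics, flag a DigestValue equal to the digest of zero bytes."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
ID_ATTRS = ("Id", "ID", "id")   # assumption: attribute names the document uses as IDs
DIGEST_ALGS = {DS + "sha1": hashlib.sha1,
               "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}
ET.register_namespace("ds", DS)

def b64digest(alg_uri, data):
    return base64.b64encode(DIGEST_ALGS[alg_uri](data).digest()).decode()

EMPTY_INPUT_DIGESTS = {b64digest(a, b""): a for a in DIGEST_ALGS}  # empty node-set

def find_by_id(root, ident):
    return next((e for e in root.iter() if any(e.get(a) == ident for a in ID_ATTRS)), None)

def canonical_bytes(el):
    # stdlib C14N 2.0: enough to locate a bad reference, but not byte-identical
    # to xmlsec's inclusive C14N 1.0 when namespace declarations are inherited.
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode()

def reference_input(root, signature, ref):
    """Octets the Reference digests; b"" for an empty node-set, None if external."""
    uri = ref.get("URI", "")
    if uri == "":
        target = root
    elif uri.startswith("#"):
        target = find_by_id(root, uri[1:])
        if target is None:
            return b""                                  # no element has that Id
    else:
        return None
    if ENVELOPED not in [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS)]:
        return canonical_bytes(target)
    # enveloped-signature removes the enclosing ds:Signature and all of its content
    # from the node-set; a target inside it (a Manifest under ds:Object) is wiped.
    if target in signature.iter():
        return b""
    if signature not in target.iter():                  # Signature outside subtree
        return canonical_bytes(target)
    parent = next(p for p in target.iter() if signature in list(p))
    idx = list(parent).index(signature)
    parent.remove(signature)      # (the whitespace text node after it is dropped too)
    try:
        return canonical_bytes(target)
    finally:
        parent.insert(idx, signature)                   # restore the document

def analyze(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):                        # keep the default namespace
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    out = []
    for signature in root.iter("{%s}Signature" % DS):
        for ref in signature.iter("{%s}Reference" % DS):
            alg = ref.find("{%s}DigestMethod" % DS).get("Algorithm")
            declared = (ref.findtext("{%s}DigestValue" % DS) or "").strip()
            data = reference_input(root, signature, ref)
            out.append({"uri": ref.get("URI", ""), "declared": declared,
                        "computed": None if data is None else b64digest(alg, data),
                        "input_bytes": None if data is None else len(data),
                        "signed_nothing": declared in EMPTY_INPUT_DIGESTS})
    return out

def without_enveloped_transform(xml_text, uri):
    """Drop enveloped-signature from the Reference with this URI; return (digest, len)."""
    root = ET.fromstring(xml_text)
    signature = next(root.iter("{%s}Signature" % DS))
    ref = next(r for r in signature.iter("{%s}Reference" % DS) if r.get("URI") == uri)
    transforms = ref.find("{%s}Transforms" % DS)
    for t in [t for t in transforms if t.get("Algorithm") == ENVELOPED]:
        transforms.remove(t)
    data = reference_input(root, signature, ref)
    return b64digest(ref.find("{%s}DigestMethod" % DS).get("Algorithm"), data), len(data)

# Constructed input modelled on the trace: ISO 20022 body, enveloped ds:Signature
# under Sgntr, SignedInfo -> "#Manifest" (enveloped + c14n), Manifest -> "" and
# "sign.sh". DigestValues copied from the trace; the body here is shorter than
# François's, so only the "#Manifest" digest is expected to match.
SIGNED_DOC = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq><Refs><MsgId><Id>ABC/090928/CCT001</Id></MsgId></Refs><DgtlSgntr><Sgntr>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#Manifest"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue/><ds:Object><ds:Manifest Id="Manifest">
<ds:Reference URI=""><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</ds:DigestValue></ds:Reference>
<ds:Reference URI="sign.sh"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</ds:DigestValue></ds:Reference>
</ds:Manifest></ds:Object></ds:Signature></Sgntr></DgtlSgntr></AcctOpngReq></Document>"""

if __name__ == "__main__":
    for f in analyze(SIGNED_DOC):
        print(f, "<-- empty node-set" if f["signed_nothing"] else "")
    print("#Manifest without enveloped-signature:", without_enveloped_transform(SIGNED_DOC, "#Manifest"))
```

Run it as-is and the "#Manifest" line is the one flagged: its computed digest equals the declared 2jmj7l5rSw0yVb/vlWAYkK/YBwk= over zero input bytes, while the "" reference digests the document with the Signature stripped out and "sign.sh" is reported as external. Point analyze() at your own fpl.xml to see which reference in it signed nothing before touching the template. The `without_enveloped_transform` result shows what the "#Manifest" reference covers once that transform is gone; the SignedInfo then has to be re-signed, of course, since its DigestValue changes.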
