"== PreDigest data - start buffer: " element gives you the data right before the hash is calculated
Aleksey On 4/10/14, 2:31 AM, François Plou wrote: > Not really :-( > > The store-references option does not display the xml part who matches > the digest displayed : > > == Status: succeeded > == URI: "#Manifest" > == Reference Transform Ctx: > == TRANSFORMS CTX (status=2) > == flags: 0x00000000 > == flags2: 0x00000000 > == enabled transforms: all > === uri: > === uri xpointer expr: #Manifest > === Transform: xpointer > (href=http://www.w3.org/2001/04/xmldsig-more/xptr) > === Transform: enveloped-signature > (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) > === Transform: c14n > (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) > === Transform: membuf-transform (href=NULL) > === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) > === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) > === Transform: membuf-transform (href=NULL) > == Digest Method: > === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) > == Result - start buffer: > 2jmj7l5rSw0yVb/vlWAYkK/YBwk= > == Result - end buffer > > The #Manifest is processed and --store-references provides the digest > 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part who was used to provide > this digest. > > This digest does not match the one produced by Apache XML Security. > Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= who match the following > XML part : > > <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#"; Id="Manifest"> > <Reference URI=""> > <Transforms> > <Transform > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";></Transform> > </Transforms> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod> > > <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue> > </Reference> > <Reference URI="sign.sh"> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod> > > <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue> > </Reference> > </Manifest> > > So I am trying to figure what XML part is used by xmlsec1. > > Regards > > François > > Le 09/04/2014 20:12, Aleksey Sanin a écrit : >> This is exactly what --store-references option does :) >> >> Aleksey >> >> On 4/9/14, 10:15 AM, François Plou wrote: >>> Hi, >>> >>> I am trying to discover what xml part is digested to understand why I >>> got another digest value than the one calculated by java XmlDsig API. >>> To do that I try to add some trace in the code just before the digest >>> algorithm but I was unable yet to find the right position. >>> Could you provide me a clue where to add trace in the source code ? >>> >>> Thanks for your help. >>> >>> Francois >>> >>> >>> Le 07/04/2014 14:49, François Plou a écrit : >>>> Hi, >>>> >>>> Below is the result of --store-references option : >>>> >>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key >>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml >>>> Enter password for "/home/fplou/CA/fplousign.key" file: >>>> = SIGNATURE CONTEXT >>>> == Status: succeeded >>>> == flags: 0x00000006 >>>> == flags2: 0x00000000 >>>> == Key Info Read Ctx: >>>> = KEY INFO READ CONTEXT >>>> == flags: 0x00000000 >>>> == flags2: 0x00000000 >>>> == enabled key data: all >>>> == RetrievalMethod level (cur/max): 0/1 >>>> == TRANSFORMS CTX (status=0) >>>> == flags: 0x00000000 >>>> == flags2: 0x00000000 >>>> == enabled transforms: all >>>> === uri: NULL >>>> === uri xpointer expr: NULL >>>> == EncryptedKey level (cur/max): 0/1 >>>> === KeyReq: >>>> ==== keyId: rsa >>>> ==== keyType: 0x00000002 >>>> ==== keyUsage: 0x00000001 >>>> ==== keyBitsSize: 0 >>>> === list size: 0 >>>> == Key Info Write Ctx: >>>> = KEY INFO WRITE CONTEXT >>>> == flags: 0x00000000 >>>> == flags2: 0x00000000 >>>> == enabled key data: all >>>> == RetrievalMethod level (cur/max): 0/1 >>>> == TRANSFORMS CTX (status=0) >>>> == flags: 0x00000000 >>>> == flags2: 0x00000000 >>>> == enabled transforms: all >>>> === uri: NULL >>>> === uri xpointer expr: NULL >>>> == EncryptedKey level (cur/max): 0/1 >>>> === KeyReq: >>>> ==== keyId: NULL >>>> ==== keyType: 0x00000001 >>>> ==== keyUsage: 0xffffffff >>>> ==== keyBitsSize: 0 >>>> === list size: 0 >>>> == Signature Transform Ctx: >>>> == TRANSFORMS CTX (status=2) >>>> == flags: 0x00000000 >>>> == flags2: 0x00000000 >>>> == enabled transforms: all >>>> === uri: NULL >>>> === uri xpointer expr: NULL >>>> === Transform: c14n >>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) >>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) >>>> === Transform: membuf-transform (href=NULL) >>>> == Signature Method: >>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >>>> == Signature Key: >>>> == KEY >>>> === method: RSAKeyValue >>>> === key type: Private >>>> === key usage: -1 >>>> === rsa key: size = 2048 >>>> == SignedInfo References List: >>>> === list size: 1 >>>> = REFERENCE CALCULATION CONTEXT >>>> == Status: succeeded >>>> == URI: "#Manifest" >>>> == Reference Transform Ctx: >>>> == TRANSFORMS CTX (status=2) >>>> == flags: 0x00000000 >>>> == flags2: 0x00000000 >>>> == enabled transforms: all >>>> === uri: >>>> === uri xpointer expr: #Manifest >>>> === Transform: xpointer >>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr) >>>> === Transform: enveloped-signature >>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) >>>> === Transform: c14n >>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) >>>> === Transform: membuf-transform (href=NULL) >>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) >>>> === Transform: membuf-transform (href=NULL) >>>> == Digest Method: >>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>> == Result - start buffer: >>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk= >>>> == Result - end buffer >>>> == Manifest References List: >>>> === list size: 2 >>>> = REFERENCE CALCULATION CONTEXT >>>> == Status: succeeded >>>> == URI: "" >>>> == Reference Transform Ctx: >>>> == TRANSFORMS CTX (status=2) >>>> == flags: 0x00000000 >>>> == flags2: 0x00000000 >>>> == enabled transforms: all >>>> === uri: NULL >>>> === uri xpointer expr: NULL >>>> === Transform: enveloped-signature >>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) >>>> === Transform: c14n >>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) >>>> === Transform: membuf-transform (href=NULL) >>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) >>>> === Transform: membuf-transform (href=NULL) >>>> == Digest Method: >>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>> == PreDigest data - start buffer: >>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02"> >>>> <AcctOpngReq> >>>> <Refs> >>>> <MsgId> >>>> <Id>ABC/090928/CCT001</Id> >>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm> >>>> </MsgId> >>>> <PrcId> >>>> <Id>ABC/090928/CCT001</Id> >>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm> >>>> </PrcId> >>>> </Refs> >>>> <Acct> >>>> <Id> >>>> <Othr> >>>> <Id>NOREF2</Id> >>>> </Othr> >>>> </Id> >>>> <Tp> >>>> <Cd>CASH</Cd> >>>> </Tp> >>>> <Ccy>USD</Ccy> >>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal> >>>> <MnthlyTxNb>100</MnthlyTxNb> >>>> <AvrgBal>10000</AvrgBal> >>>> </Acct> >>>> <CtrctDts> >>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt> >>>> </CtrctDts> >>>> <UndrlygMstrAgrmt> >>>> <Ref>ABC/Acct/BBBBUS33</Ref> >>>> <Vrsn>1.0</Vrsn> >>>> </UndrlygMstrAgrmt> >>>> <AcctSvcrId> >>>> <FinInstnId> >>>> <BICFI>BBBBUS33</BICFI> >>>> </FinInstnId> >>>> </AcctSvcrId> >>>> <Org> >>>> <FullLglNm>ABC Corporation</FullLglNm> >>>> <CtryOfOpr>US</CtryOfOpr> >>>> <RegnDt>1999-09-01</RegnDt> >>>> <LglAdr> >>>> <StrtNm>Times Square</StrtNm> >>>> <BldgNb>7</BldgNb> >>>> <PstCd>NY 10036</PstCd> >>>> <TwnNm>New York</TwnNm> >>>> <Ctry>US</Ctry> >>>> </LglAdr> >>>> <OrgId> >>>> <Othr> >>>> <Id>01256485-85</Id> >>>> <SchmeNm> >>>> <Prtry>TAX</Prtry> >>>> </SchmeNm> >>>> </Othr> >>>> </OrgId> >>>> <MainMndtHldr> >>>> <Nm>Richard Jones</Nm> >>>> <PstlAdr> >>>> <AdrTp>HOME</AdrTp> >>>> <StrtNm>La Guardia Drive</StrtNm> >>>> <BldgNb>12</BldgNb> >>>> <PstCd>NJ 07054</PstCd> >>>> <TwnNm>Parsippany</TwnNm> >>>> <Ctry>US</Ctry> >>>> </PstlAdr> >>>> <Id> >>>> <DtAndPlcOfBirth> >>>> <BirthDt>1960-05-01</BirthDt> >>>> <CityOfBirth>New york</CityOfBirth> >>>> <CtryOfBirth>US</CtryOfBirth> >>>> </DtAndPlcOfBirth> >>>> </Id> >>>> </MainMndtHldr> >>>> </Org> >>>> <DgtlSgntr> >>>> <Pty> >>>> <Nm>fplou</Nm> >>>> </Pty> >>>> <Sgntr> >>>> >>>> </Sgntr> >>>> </DgtlSgntr> >>>> </AcctOpngReq> >>>> </Document> >>>> == PreDigest data - end buffer >>>> == Result - start buffer: >>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI= >>>> == Result - end buffer >>>> = REFERENCE CALCULATION CONTEXT >>>> == Status: succeeded >>>> == URI: "sign.sh" >>>> == Reference Transform Ctx: >>>> == TRANSFORMS CTX (status=2) >>>> == flags: 0x00000000 >>>> == flags2: 0x00000000 >>>> == enabled transforms: all >>>> === uri: sign.sh >>>> === uri xpointer expr: NULL >>>> === Transform: input-uri (href=NULL) >>>> === Transform: membuf-transform (href=NULL) >>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) >>>> === Transform: membuf-transform (href=NULL) >>>> == Digest Method: >>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>> == PreDigest data - start buffer: >>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key >>>> acmt.007.001.02_1.skel.1sign.object2.xml >>>> >>>> == PreDigest data - end buffer >>>> == Result - start buffer: >>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8= >>>> == Result - end buffer >>>> == Result - start buffer: >>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF >>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI >>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn >>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd >>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX >>>> uD2ZSS1bWu236lKh1elKWw== >>>> == Result - end buffer >>>> >>>> >>>> François >>>> >>>> On 03/04/2014 18:37, Aleksey Sanin wrote: >>>>> Try "--store-references" option to see what exactly was signed. Just >>>>> looking at the file, the DigestValue inside the #Manifest subtree looks >>>>> suspicious. >>>>> >>>>> Aleksey >>>>> >>>>> On 4/3/14, 5:46 AM, François Plou wrote: >>>>>> Hi, >>>>>> >>>>>> I am facing an issue trying to sign an xml document which makes >>>>>> reference to an external file. >>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not >>>>>> verified by >>>>>> tool like Apache XML Security. >>>>>> I am pretty sure there is something missing in the XML document I give >>>>>> to xmlsec but can't figure what. >>>>>> >>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml. >>>>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key> >>>>>> acmt.007.001.02_1.skel.1sign.object2.xml >>>>>> The output document is fpl.xml >>>>>> >>>>>> The digest which is not the same as the one computed by Apache XML >>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk= >>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= >>>>>> >>>>>> I found that the expecting digest match the manifest3.xml file enclosed >>>>>> (I built it manually). >>>>>> So it seems xmlsec is not creating the same manifest part. >>>>>> >>>>>> Do you have any idea what can be wrong in my >>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a >>>>>> transform ? >>>>>> >>>>>> Thanks for your help. >>>>>> >>>>>> Francois >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> xmlsec mailing list >>>>>> [email protected] >>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec >>>>>> >>>> >>>> >>> >>> >>> _______________________________________________ >>> xmlsec mailing list >>> [email protected] >>> http://www.aleksey.com/mailman/listinfo/xmlsec >>> > > > > _______________________________________________ > xmlsec mailing list > [email protected] > http://www.aleksey.com/mailman/listinfo/xmlsec > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
