To process manifests according to the xmldsig spec the ref type should be specified:
<Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest"; URI="#Manifest"> ... </> XMLSec package contains a few test vectors that show manifests usage. Best, Aleksey On 4/10/14, 5:40 AM, François Plou wrote: > I found the problem, but don't know yet what really happens in the > source code. > I put some traces and I discovered that digest > 2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer. > If you execute the following command openssl dgst -sha1 -binary > /dev/null | openssl enc -base64, you also get this digest. > > So it seems xmlsec1 can't process correctly the #Manifest part : > > <Object> > <Manifest Id="Manifest"> > <Reference URI=""> > <Transforms> > <Transform > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> > </Transforms> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > <DigestValue></DigestValue> > </Reference> > <Reference URI="sign.sh"> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > <DigestValue></DigestValue> > </Reference> > </Manifest> > </Object> > > > Regards. > > François > > Le 10/04/2014 11:31, François Plou a écrit : >> Not really :-( >> >> The store-references option does not display the xml part who matches >> the digest displayed : >> >> == Status: succeeded >> == URI: "#Manifest" >> == Reference Transform Ctx: >> == TRANSFORMS CTX (status=2) >> == flags: 0x00000000 >> == flags2: 0x00000000 >> == enabled transforms: all >> === uri: >> === uri xpointer expr: #Manifest >> === Transform: xpointer >> (href=http://www.w3.org/2001/04/xmldsig-more/xptr) >> === Transform: enveloped-signature >> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) >> === Transform: c14n >> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) >> === Transform: membuf-transform (href=NULL) >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) >> === Transform: membuf-transform (href=NULL) >> == Digest Method: >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >> == Result - start buffer: >> 2jmj7l5rSw0yVb/vlWAYkK/YBwk= >> == Result - end buffer >> The #Manifest is processed and --store-references provides the digest >> 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part who was used to >> provide this digest. >> >> This digest does not match the one produced by Apache XML Security. >> Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= who match the >> following XML part : >> >> <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#"; Id="Manifest"> >> <Reference URI=""> >> <Transforms> >> <Transform >> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";></Transform> >> </Transforms> >> <DigestMethod >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod> >> >> <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue> >> </Reference> >> <Reference URI="sign.sh"> >> <DigestMethod >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod> >> >> <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue> >> </Reference> >> </Manifest> >> >> So I am trying to figure what XML part is used by xmlsec1. >> >> Regards >> >> François >> >> Le 09/04/2014 20:12, Aleksey Sanin a écrit : >>> This is exactly what --store-references option does :) >>> >>> Aleksey >>> >>> On 4/9/14, 10:15 AM, François Plou wrote: >>>> Hi, >>>> >>>> I am trying to discover what xml part is digested to understand why I >>>> got another digest value than the one calculated by java XmlDsig API. >>>> To do that I try to add some trace in the code just before the digest >>>> algorithm but I was unable yet to find the right position. >>>> Could you provide me a clue where to add trace in the source code ? >>>> >>>> Thanks for your help. >>>> >>>> Francois >>>> >>>> >>>> Le 07/04/2014 14:49, François Plou a écrit : >>>>> Hi, >>>>> >>>>> Below is the result of --store-references option : >>>>> >>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key >>>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml >>>>> Enter password for "/home/fplou/CA/fplousign.key" file: >>>>> = SIGNATURE CONTEXT >>>>> == Status: succeeded >>>>> == flags: 0x00000006 >>>>> == flags2: 0x00000000 >>>>> == Key Info Read Ctx: >>>>> = KEY INFO READ CONTEXT >>>>> == flags: 0x00000000 >>>>> == flags2: 0x00000000 >>>>> == enabled key data: all >>>>> == RetrievalMethod level (cur/max): 0/1 >>>>> == TRANSFORMS CTX (status=0) >>>>> == flags: 0x00000000 >>>>> == flags2: 0x00000000 >>>>> == enabled transforms: all >>>>> === uri: NULL >>>>> === uri xpointer expr: NULL >>>>> == EncryptedKey level (cur/max): 0/1 >>>>> === KeyReq: >>>>> ==== keyId: rsa >>>>> ==== keyType: 0x00000002 >>>>> ==== keyUsage: 0x00000001 >>>>> ==== keyBitsSize: 0 >>>>> === list size: 0 >>>>> == Key Info Write Ctx: >>>>> = KEY INFO WRITE CONTEXT >>>>> == flags: 0x00000000 >>>>> == flags2: 0x00000000 >>>>> == enabled key data: all >>>>> == RetrievalMethod level (cur/max): 0/1 >>>>> == TRANSFORMS CTX (status=0) >>>>> == flags: 0x00000000 >>>>> == flags2: 0x00000000 >>>>> == enabled transforms: all >>>>> === uri: NULL >>>>> === uri xpointer expr: NULL >>>>> == EncryptedKey level (cur/max): 0/1 >>>>> === KeyReq: >>>>> ==== keyId: NULL >>>>> ==== keyType: 0x00000001 >>>>> ==== keyUsage: 0xffffffff >>>>> ==== keyBitsSize: 0 >>>>> === list size: 0 >>>>> == Signature Transform Ctx: >>>>> == TRANSFORMS CTX (status=2) >>>>> == flags: 0x00000000 >>>>> == flags2: 0x00000000 >>>>> == enabled transforms: all >>>>> === uri: NULL >>>>> === uri xpointer expr: NULL >>>>> === Transform: c14n >>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) >>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) >>>>> === Transform: membuf-transform (href=NULL) >>>>> == Signature Method: >>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1) >>>>> == Signature Key: >>>>> == KEY >>>>> === method: RSAKeyValue >>>>> === key type: Private >>>>> === key usage: -1 >>>>> === rsa key: size = 2048 >>>>> == SignedInfo References List: >>>>> === list size: 1 >>>>> = REFERENCE CALCULATION CONTEXT >>>>> == Status: succeeded >>>>> == URI: "#Manifest" >>>>> == Reference Transform Ctx: >>>>> == TRANSFORMS CTX (status=2) >>>>> == flags: 0x00000000 >>>>> == flags2: 0x00000000 >>>>> == enabled transforms: all >>>>> === uri: >>>>> === uri xpointer expr: #Manifest >>>>> === Transform: xpointer >>>>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr) >>>>> === Transform: enveloped-signature >>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) >>>>> === Transform: c14n >>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) >>>>> === Transform: membuf-transform (href=NULL) >>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) >>>>> === Transform: membuf-transform (href=NULL) >>>>> == Digest Method: >>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>>> == Result - start buffer: >>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk= >>>>> == Result - end buffer >>>>> == Manifest References List: >>>>> === list size: 2 >>>>> = REFERENCE CALCULATION CONTEXT >>>>> == Status: succeeded >>>>> == URI: "" >>>>> == Reference Transform Ctx: >>>>> == TRANSFORMS CTX (status=2) >>>>> == flags: 0x00000000 >>>>> == flags2: 0x00000000 >>>>> == enabled transforms: all >>>>> === uri: NULL >>>>> === uri xpointer expr: NULL >>>>> === Transform: enveloped-signature >>>>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature) >>>>> === Transform: c14n >>>>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315) >>>>> === Transform: membuf-transform (href=NULL) >>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) >>>>> === Transform: membuf-transform (href=NULL) >>>>> == Digest Method: >>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>>> == PreDigest data - start buffer: >>>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02"> >>>>> <AcctOpngReq> >>>>> <Refs> >>>>> <MsgId> >>>>> <Id>ABC/090928/CCT001</Id> >>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm> >>>>> </MsgId> >>>>> <PrcId> >>>>> <Id>ABC/090928/CCT001</Id> >>>>> <CreDtTm>2010-09-28T14:07:00</CreDtTm> >>>>> </PrcId> >>>>> </Refs> >>>>> <Acct> >>>>> <Id> >>>>> <Othr> >>>>> <Id>NOREF2</Id> >>>>> </Othr> >>>>> </Id> >>>>> <Tp> >>>>> <Cd>CASH</Cd> >>>>> </Tp> >>>>> <Ccy>USD</Ccy> >>>>> <MnthlyRcvdVal>200000</MnthlyRcvdVal> >>>>> <MnthlyTxNb>100</MnthlyTxNb> >>>>> <AvrgBal>10000</AvrgBal> >>>>> </Acct> >>>>> <CtrctDts> >>>>> <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt> >>>>> </CtrctDts> >>>>> <UndrlygMstrAgrmt> >>>>> <Ref>ABC/Acct/BBBBUS33</Ref> >>>>> <Vrsn>1.0</Vrsn> >>>>> </UndrlygMstrAgrmt> >>>>> <AcctSvcrId> >>>>> <FinInstnId> >>>>> <BICFI>BBBBUS33</BICFI> >>>>> </FinInstnId> >>>>> </AcctSvcrId> >>>>> <Org> >>>>> <FullLglNm>ABC Corporation</FullLglNm> >>>>> <CtryOfOpr>US</CtryOfOpr> >>>>> <RegnDt>1999-09-01</RegnDt> >>>>> <LglAdr> >>>>> <StrtNm>Times Square</StrtNm> >>>>> <BldgNb>7</BldgNb> >>>>> <PstCd>NY 10036</PstCd> >>>>> <TwnNm>New York</TwnNm> >>>>> <Ctry>US</Ctry> >>>>> </LglAdr> >>>>> <OrgId> >>>>> <Othr> >>>>> <Id>01256485-85</Id> >>>>> <SchmeNm> >>>>> <Prtry>TAX</Prtry> >>>>> </SchmeNm> >>>>> </Othr> >>>>> </OrgId> >>>>> <MainMndtHldr> >>>>> <Nm>Richard Jones</Nm> >>>>> <PstlAdr> >>>>> <AdrTp>HOME</AdrTp> >>>>> <StrtNm>La Guardia Drive</StrtNm> >>>>> <BldgNb>12</BldgNb> >>>>> <PstCd>NJ 07054</PstCd> >>>>> <TwnNm>Parsippany</TwnNm> >>>>> <Ctry>US</Ctry> >>>>> </PstlAdr> >>>>> <Id> >>>>> <DtAndPlcOfBirth> >>>>> <BirthDt>1960-05-01</BirthDt> >>>>> <CityOfBirth>New york</CityOfBirth> >>>>> <CtryOfBirth>US</CtryOfBirth> >>>>> </DtAndPlcOfBirth> >>>>> </Id> >>>>> </MainMndtHldr> >>>>> </Org> >>>>> <DgtlSgntr> >>>>> <Pty> >>>>> <Nm>fplou</Nm> >>>>> </Pty> >>>>> <Sgntr> >>>>> >>>>> </Sgntr> >>>>> </DgtlSgntr> >>>>> </AcctOpngReq> >>>>> </Document> >>>>> == PreDigest data - end buffer >>>>> == Result - start buffer: >>>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI= >>>>> == Result - end buffer >>>>> = REFERENCE CALCULATION CONTEXT >>>>> == Status: succeeded >>>>> == URI: "sign.sh" >>>>> == Reference Transform Ctx: >>>>> == TRANSFORMS CTX (status=2) >>>>> == flags: 0x00000000 >>>>> == flags2: 0x00000000 >>>>> == enabled transforms: all >>>>> === uri: sign.sh >>>>> === uri xpointer expr: NULL >>>>> === Transform: input-uri (href=NULL) >>>>> === Transform: membuf-transform (href=NULL) >>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64) >>>>> === Transform: membuf-transform (href=NULL) >>>>> == Digest Method: >>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1) >>>>> == PreDigest data - start buffer: >>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key >>>>> acmt.007.001.02_1.skel.1sign.object2.xml >>>>> >>>>> == PreDigest data - end buffer >>>>> == Result - start buffer: >>>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8= >>>>> == Result - end buffer >>>>> == Result - start buffer: >>>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF >>>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI >>>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn >>>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd >>>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX >>>>> uD2ZSS1bWu236lKh1elKWw== >>>>> == Result - end buffer >>>>> >>>>> >>>>> François >>>>> >>>>> On 03/04/2014 18:37, Aleksey Sanin wrote: >>>>>> Try "--store-references" option to see what exactly was signed. Just >>>>>> looking at the file, the DigestValue inside the #Manifest subtree looks >>>>>> suspicious. >>>>>> >>>>>> Aleksey >>>>>> >>>>>> On 4/3/14, 5:46 AM, François Plou wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I am facing an issue trying to sign an xml document which makes >>>>>>> reference to an external file. >>>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not >>>>>>> verified by >>>>>>> tool like Apache XML Security. >>>>>>> I am pretty sure there is something missing in the XML document I give >>>>>>> to xmlsec but can't figure what. >>>>>>> >>>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml. >>>>>>> The command I use is : xmlsec1 -- sign --output fpl.xml --privkey <key> >>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml >>>>>>> The output document is fpl.xml >>>>>>> >>>>>>> The digest which is not the same as the one computed by Apache XML >>>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk= >>>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= >>>>>>> >>>>>>> I found that the expecting digest match the manifest3.xml file enclosed >>>>>>> (I built it manually). >>>>>>> So it seems xmlsec is not creating the same manifest part. >>>>>>> >>>>>>> Do you have any idea what can be wrong in my >>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a >>>>>>> transform ? >>>>>>> >>>>>>> Thanks for your help. >>>>>>> >>>>>>> Francois >>>>>>> >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> xmlsec mailing list >>>>>>> [email protected] >>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec >>>>>>> >>>>> >>>> >>>> _______________________________________________ >>>> xmlsec mailing list >>>> [email protected] >>>> http://www.aleksey.com/mailman/listinfo/xmlsec >>>> >> > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
