Remove the transforms section from the Manifest type reference:

<Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue></DigestValue>
</Reference>

Otherwise you apply the enveloped-signature transform to the result of the manifest and, as a result, you get an empty node set / empty string.

Aleksey

On 4/11/14, 12:40 AM, François Plou wrote:
> Thanks for your answer.
> I tried it but I always get this incorrect digest.
>
> I modified the XML template according to what I found in the samples and
> to your previous mail (see acmt.007.001.02_1.skel.1sign.object2.xml).
> The xmlsec1 output still shows the bad digest for #manifest :
>
> = SIGNATURE CONTEXT
> == Status: succeeded
> == flags: 0x00000006
> == flags2: 0x00000000
> == Key Info Read Ctx:
> = KEY INFO READ CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: rsa
> ==== keyType: 0x00000002
> ==== keyUsage: 0x00000001
> ==== keyBitsSize: 0
> === list size: 0
> == Key Info Write Ctx:
> = KEY INFO WRITE CONTEXT
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled key data: all
> == RetrievalMethod level (cur/max): 0/1
> == TRANSFORMS CTX (status=0)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> == EncryptedKey level (cur/max): 0/1
> === KeyReq:
> ==== keyId: NULL
> ==== keyType: 0x00000001
> ==== keyUsage: 0xffffffff
> ==== keyBitsSize: 0
> === list size: 0
> == Signature Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Signature Method:
> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> == Signature Key:
> == KEY
> === method: RSAKeyValue
> === key type: Private
> === key usage: -1
> === rsa key: size = 2048
> == SignedInfo References List:
> === list size: 1
> = REFERENCE CALCULATION CONTEXT
> == Status: succeeded
> == URI: "#manifest"
> == Type: "http://www.w3.org/2000/09/xmldsig#Manifest"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri:
> === uri xpointer expr: #manifest
> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == Result - start buffer:
> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
> == Result - end buffer
> == Manifest References List:
> === list size: 2
> = REFERENCE CALCULATION CONTEXT
> == Status: succeeded
> == URI: ""
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: NULL
> === uri xpointer expr: NULL
> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>   <AcctOpngReq>
>     <Refs>
>       <MsgId>
>         <Id>ABC/090928/CCT001</Id>
>         <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>       </MsgId>
>       <PrcId>
>         <Id>ABC/090928/CCT001</Id>
>         <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>       </PrcId>
>     </Refs>
>     <Acct>
>       <Id>
>         <Othr>
>           <Id>NOREF2</Id>
>         </Othr>
>       </Id>
>       <Tp>
>         <Cd>CASH</Cd>
>       </Tp>
>       <Ccy>USD</Ccy>
>       <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>       <MnthlyTxNb>100</MnthlyTxNb>
>       <AvrgBal>10000</AvrgBal>
>     </Acct>
>     <CtrctDts>
>       <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>     </CtrctDts>
>     <UndrlygMstrAgrmt>
>       <Ref>ABC/Acct/BBBBUS33</Ref>
>       <Vrsn>1.0</Vrsn>
>     </UndrlygMstrAgrmt>
>     <AcctSvcrId>
>       <FinInstnId>
>         <BICFI>BBBBUS33</BICFI>
>       </FinInstnId>
>     </AcctSvcrId>
>     <Org>
>       <FullLglNm>ABC Corporation</FullLglNm>
>       <CtryOfOpr>US</CtryOfOpr>
>       <RegnDt>1999-09-01</RegnDt>
>       <LglAdr>
>         <StrtNm>Times Square</StrtNm>
>         <BldgNb>7</BldgNb>
>         <PstCd>NY 10036</PstCd>
>         <TwnNm>New York</TwnNm>
>         <Ctry>US</Ctry>
>       </LglAdr>
>       <OrgId>
>         <Othr>
>           <Id>01256485-85</Id>
>           <SchmeNm>
>             <Prtry>TAX</Prtry>
>           </SchmeNm>
>         </Othr>
>       </OrgId>
>       <MainMndtHldr>
>         <Nm>Richard Jones</Nm>
>         <PstlAdr>
>           <AdrTp>HOME</AdrTp>
>           <StrtNm>La Guardia Drive</StrtNm>
>           <BldgNb>12</BldgNb>
>           <PstCd>NJ 07054</PstCd>
>           <TwnNm>Parsippany</TwnNm>
>           <Ctry>US</Ctry>
>         </PstlAdr>
>         <Id>
>           <DtAndPlcOfBirth>
>             <BirthDt>1960-05-01</BirthDt>
>             <CityOfBirth>New york</CityOfBirth>
>             <CtryOfBirth>US</CtryOfBirth>
>           </DtAndPlcOfBirth>
>         </Id>
>       </MainMndtHldr>
>     </Org>
>     <DgtlSgntr>
>       <Pty>
>         <Nm>fplou</Nm>
>       </Pty>
>       <Sgntr>
>
>       </Sgntr>
>     </DgtlSgntr>
>   </AcctOpngReq>
> </Document>
> == PreDigest data - end buffer
> == Result - start buffer:
> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
> == Result - end buffer
> = REFERENCE CALCULATION CONTEXT
> == Status: succeeded
> == URI: "sign.sh"
> == Reference Transform Ctx:
> == TRANSFORMS CTX (status=2)
> == flags: 0x00000000
> == flags2: 0x00000000
> == enabled transforms: all
> === uri: sign.sh
> === uri xpointer expr: NULL
> === Transform: input-uri (href=NULL)
> === Transform: membuf-transform (href=NULL)
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
> === Transform: membuf-transform (href=NULL)
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> == PreDigest data - start buffer:
> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
> acmt.007.001.02_1.skel.1sign.object2.xml
>
> == PreDigest data - end buffer
> == Result - start buffer:
> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
> == Result - end buffer
> == Result - start buffer:
> x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
> 1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
> PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
> zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
> fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
> KEvAz2lVM8oCsYgURmlGbA==
> == Result - end buffer
>
> The generated XML file :
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>   <AcctOpngReq>
>     <Refs>
>       <MsgId>
>         <Id>ABC/090928/CCT001</Id>
>         <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>       </MsgId>
>       <PrcId>
>         <Id>ABC/090928/CCT001</Id>
>         <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>       </PrcId>
>     </Refs>
>     <Acct>
>       <Id>
>         <Othr>
>           <Id>NOREF2</Id>
>         </Othr>
>       </Id>
>       <Tp>
>         <Cd>CASH</Cd>
>       </Tp>
>       <Ccy>USD</Ccy>
>       <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>       <MnthlyTxNb>100</MnthlyTxNb>
>       <AvrgBal>10000</AvrgBal>
>     </Acct>
>     <CtrctDts>
>       <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>     </CtrctDts>
>     <UndrlygMstrAgrmt>
>       <Ref>ABC/Acct/BBBBUS33</Ref>
>       <Vrsn>1.0</Vrsn>
>     </UndrlygMstrAgrmt>
>     <AcctSvcrId>
>       <FinInstnId>
>         <BICFI>BBBBUS33</BICFI>
>       </FinInstnId>
>     </AcctSvcrId>
>     <Org>
>       <FullLglNm>ABC Corporation</FullLglNm>
>       <CtryOfOpr>US</CtryOfOpr>
>       <RegnDt>1999-09-01</RegnDt>
>       <LglAdr>
>         <StrtNm>Times Square</StrtNm>
>         <BldgNb>7</BldgNb>
>         <PstCd>NY 10036</PstCd>
>         <TwnNm>New York</TwnNm>
>         <Ctry>US</Ctry>
>       </LglAdr>
>       <OrgId>
>         <Othr>
>           <Id>01256485-85</Id>
>           <SchmeNm>
>             <Prtry>TAX</Prtry>
>           </SchmeNm>
>         </Othr>
>       </OrgId>
>       <MainMndtHldr>
>         <Nm>Richard Jones</Nm>
>         <PstlAdr>
>           <AdrTp>HOME</AdrTp>
>           <StrtNm>La Guardia Drive</StrtNm>
>           <BldgNb>12</BldgNb>
>           <PstCd>NJ 07054</PstCd>
>           <TwnNm>Parsippany</TwnNm>
>           <Ctry>US</Ctry>
>         </PstlAdr>
>         <Id>
>           <DtAndPlcOfBirth>
>             <BirthDt>1960-05-01</BirthDt>
>             <CityOfBirth>New york</CityOfBirth>
>             <CtryOfBirth>US</CtryOfBirth>
>           </DtAndPlcOfBirth>
>         </Id>
>       </MainMndtHldr>
>     </Org>
>     <DgtlSgntr>
>       <Pty>
>         <Nm>fplou</Nm>
>       </Pty>
>       <Sgntr>
>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <SignedInfo>
>             <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             <Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
>               <Transforms>
>                 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>               </Transforms>
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
>               <DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue>
>             </Reference>
>           </SignedInfo>
>
>           <SignatureValue>x4wlvVvLnEB8E/je1NB0X5SRtl763cn3gYYfi3fymhIQGsJt3f/Bznu+EaKMRMbH
> 1sutmlY3jud9Q9C2582CCjeiOhhURnYP8ytDqBp4AQJ+K0HQNEc48LlxNN9bLiDD
> PLGB0OS+kZvoTHR2YkmWT5F9/OCNum93zpm0kJN8TID1w7g53m4d82A7X7lPSvsr
> zSS1ptVutULbWcl0X63/BhLRcfaYoptRUpYpTT/Uyn3MwJC9/epKnsYE5Gcyzvye
> fZRvMT5ruWXpA0JHN9SprWQYZEaH3EidRINxdzFb/tt8odeMB2MUrb3RzGkwsx3i
> KEvAz2lVM8oCsYgURmlGbA==</SignatureValue>
>           <KeyInfo>
>             <KeyValue>
>               <RSAKeyValue>
>                 <Modulus>
> 6YkxawwM+ydRECsRK+t1ONIAI6ZHz1zZyohEdtqYso/2a5/nDTst4MKT4mFYr3Gp
> BlOgfSYxC0pUXWC3iSAIAbvcjNSQMSgeiAiJL4pbzX/5uYyBIXFHNdSuOQVyoSJB
> jDaPx19UyMqmZaLn5Flj7YVmpUyPAR1V4DHSmHGC4gDSqUHEphVHU/lnjnB+KEGm
> W03J6OzVjJi7bK/EmZjliOHZhgsNY1FmYesZsbI1GI/RsuBBA3NxvcAC0kXBUJ4n
> qHW7y7Ww8Yv77sFP/2g5s/fqW7HrnUnVh/xf3bs2a6EuriY4BI9M8YEmF0EGpbth
> ycR4QLM0jQPdGBEamqitFQ==
>                 </Modulus>
>                 <Exponent>
> AQAB
>                 </Exponent>
>               </RSAKeyValue>
>             </KeyValue>
>           </KeyInfo>
>           <Object>
>             <Manifest Id="manifest">
>               <Reference URI="">
>                 <Transforms>
>                   <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                 </Transforms>
>                 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
>                 <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
>               </Reference>
>               <Reference URI="sign.sh">
>                 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
>                 <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
>               </Reference>
>             </Manifest>
>           </Object>
>         </Signature>
>       </Sgntr>
>     </DgtlSgntr>
>   </AcctOpngReq>
> </Document>
>
> Regards
>
> François
>
> On 10/04/2014 18:29, Aleksey Sanin wrote:
>> To process manifests according to the xmldsig spec the ref type
>> should be specified:
>>
>> <Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest"
>> URI="#Manifest">
>> ...
>> </>
>>
>> XMLSec package contains a few test vectors that show manifests usage.
>>
>> Best,
>>
>> Aleksey
>>
>> On 4/10/14, 5:40 AM, François Plou wrote:
>>> I found the problem, but don't know yet what really happens in the
>>> source code.
>>> I put some traces in and I discovered that the digest
>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk is calculated from an empty buffer.
>>> If you execute the following command, openssl dgst -sha1 -binary
>>> /dev/null | openssl enc -base64, you also get this digest.
>>>
>>> So it seems xmlsec1 can't correctly process the #Manifest part :
>>>
>>> <Object>
>>>   <Manifest Id="Manifest">
>>>     <Reference URI="">
>>>       <Transforms>
>>>         <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>       </Transforms>
>>>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>       <DigestValue></DigestValue>
>>>     </Reference>
>>>     <Reference URI="sign.sh">
>>>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>       <DigestValue></DigestValue>
>>>     </Reference>
>>>   </Manifest>
>>> </Object>
>>>
>>>
>>> Regards.
>>>
>>> François
>>>
>>> On 10/04/2014 11:31, François Plou wrote:
>>>> Not really :-(
>>>>
>>>> The store-references option does not display the XML part which matches
>>>> the digest displayed :
>>>>
>>>> == Status: succeeded
>>>> == URI: "#Manifest"
>>>> == Reference Transform Ctx:
>>>> == TRANSFORMS CTX (status=2)
>>>> == flags: 0x00000000
>>>> == flags2: 0x00000000
>>>> == enabled transforms: all
>>>> === uri:
>>>> === uri xpointer expr: #Manifest
>>>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>> === Transform: membuf-transform (href=NULL)
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>> === Transform: membuf-transform (href=NULL)
>>>> == Digest Method:
>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>> == Result - start buffer:
>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>> == Result - end buffer
>>>>
>>>> The #Manifest is processed and --store-references provides the digest
>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk but not the XML part which was used to
>>>> produce this digest.
>>>>
>>>> This digest does not match the one produced by Apache XML Security.
>>>> Apache is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I= which matches the
>>>> following XML part :
>>>>
>>>> <Manifest xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Manifest">
>>>>   <Reference URI="">
>>>>     <Transforms>
>>>>       <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>>>>     </Transforms>
>>>>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>>>
>>>>     <DigestValue>vSK1aioRUa7Gz2jLpN9LFqFeXSI=</DigestValue>
>>>>   </Reference>
>>>>   <Reference URI="sign.sh">
>>>>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>>>>
>>>>     <DigestValue>4JgfakTfEbqzVpb+lP8vAWsD0u8=</DigestValue>
>>>>   </Reference>
>>>> </Manifest>
>>>>
>>>> So I am trying to figure out which XML part is used by xmlsec1.
>>>>
>>>> Regards
>>>>
>>>> François
>>>>
>>>> On 09/04/2014 20:12, Aleksey Sanin wrote:
>>>>> This is exactly what --store-references option does :)
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 4/9/14, 10:15 AM, François Plou wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to discover which XML part is digested, to understand why I
>>>>>> get a different digest value than the one calculated by the Java XmlDsig API.
>>>>>> To do that I am trying to add some traces in the code just before the digest
>>>>>> algorithm, but I have not yet been able to find the right position.
>>>>>> Could you give me a clue where to add traces in the source code?
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>> Francois
>>>>>>
>>>>>>
>>>>>> On 07/04/2014 14:49, François Plou wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Below is the result of the --store-references option :
>>>>>>>
>>>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>>>> --store-references acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>> Enter password for "/home/fplou/CA/fplousign.key" file:
>>>>>>> = SIGNATURE CONTEXT
>>>>>>> == Status: succeeded
>>>>>>> == flags: 0x00000006
>>>>>>> == flags2: 0x00000000
>>>>>>> == Key Info Read Ctx:
>>>>>>> = KEY INFO READ CONTEXT
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled key data: all
>>>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>>>> == TRANSFORMS CTX (status=0)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: NULL
>>>>>>> === uri xpointer expr: NULL
>>>>>>> == EncryptedKey level (cur/max): 0/1
>>>>>>> === KeyReq:
>>>>>>> ==== keyId: rsa
>>>>>>> ==== keyType: 0x00000002
>>>>>>> ==== keyUsage: 0x00000001
>>>>>>> ==== keyBitsSize: 0
>>>>>>> === list size: 0
>>>>>>> == Key Info Write Ctx:
>>>>>>> = KEY INFO WRITE CONTEXT
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled key data: all
>>>>>>> == RetrievalMethod level (cur/max): 0/1
>>>>>>> == TRANSFORMS CTX (status=0)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: NULL
>>>>>>> === uri xpointer expr: NULL
>>>>>>> == EncryptedKey level (cur/max): 0/1
>>>>>>> === KeyReq:
>>>>>>> ==== keyId: NULL
>>>>>>> ==== keyType: 0x00000001
>>>>>>> ==== keyUsage: 0xffffffff
>>>>>>> ==== keyBitsSize: 0
>>>>>>> === list size: 0
>>>>>>> == Signature Transform Ctx:
>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: NULL
>>>>>>> === uri xpointer expr: NULL
>>>>>>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> == Signature Method:
>>>>>>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>>>>>> == Signature Key:
>>>>>>> == KEY
>>>>>>> === method: RSAKeyValue
>>>>>>> === key type: Private
>>>>>>> === key usage: -1
>>>>>>> === rsa key: size = 2048
>>>>>>> == SignedInfo References List:
>>>>>>> === list size: 1
>>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>>> == Status: succeeded
>>>>>>> == URI: "#Manifest"
>>>>>>> == Reference Transform Ctx:
>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri:
>>>>>>> === uri xpointer expr: #Manifest
>>>>>>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>>>>>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>>>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> == Digest Method:
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> == Result - start buffer:
>>>>>>> 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>>> == Result - end buffer
>>>>>>> == Manifest References List:
>>>>>>> === list size: 2
>>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>>> == Status: succeeded
>>>>>>> == URI: ""
>>>>>>> == Reference Transform Ctx:
>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: NULL
>>>>>>> === uri xpointer expr: NULL
>>>>>>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>>>>>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> == Digest Method:
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> == PreDigest data - start buffer:
>>>>>>> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
>>>>>>>   <AcctOpngReq>
>>>>>>>     <Refs>
>>>>>>>       <MsgId>
>>>>>>>         <Id>ABC/090928/CCT001</Id>
>>>>>>>         <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>>>       </MsgId>
>>>>>>>       <PrcId>
>>>>>>>         <Id>ABC/090928/CCT001</Id>
>>>>>>>         <CreDtTm>2010-09-28T14:07:00</CreDtTm>
>>>>>>>       </PrcId>
>>>>>>>     </Refs>
>>>>>>>     <Acct>
>>>>>>>       <Id>
>>>>>>>         <Othr>
>>>>>>>           <Id>NOREF2</Id>
>>>>>>>         </Othr>
>>>>>>>       </Id>
>>>>>>>       <Tp>
>>>>>>>         <Cd>CASH</Cd>
>>>>>>>       </Tp>
>>>>>>>       <Ccy>USD</Ccy>
>>>>>>>       <MnthlyRcvdVal>200000</MnthlyRcvdVal>
>>>>>>>       <MnthlyTxNb>100</MnthlyTxNb>
>>>>>>>       <AvrgBal>10000</AvrgBal>
>>>>>>>     </Acct>
>>>>>>>     <CtrctDts>
>>>>>>>       <TrgtGoLiveDt>2010-10-02</TrgtGoLiveDt>
>>>>>>>     </CtrctDts>
>>>>>>>     <UndrlygMstrAgrmt>
>>>>>>>       <Ref>ABC/Acct/BBBBUS33</Ref>
>>>>>>>       <Vrsn>1.0</Vrsn>
>>>>>>>     </UndrlygMstrAgrmt>
>>>>>>>     <AcctSvcrId>
>>>>>>>       <FinInstnId>
>>>>>>>         <BICFI>BBBBUS33</BICFI>
>>>>>>>       </FinInstnId>
>>>>>>>     </AcctSvcrId>
>>>>>>>     <Org>
>>>>>>>       <FullLglNm>ABC Corporation</FullLglNm>
>>>>>>>       <CtryOfOpr>US</CtryOfOpr>
>>>>>>>       <RegnDt>1999-09-01</RegnDt>
>>>>>>>       <LglAdr>
>>>>>>>         <StrtNm>Times Square</StrtNm>
>>>>>>>         <BldgNb>7</BldgNb>
>>>>>>>         <PstCd>NY 10036</PstCd>
>>>>>>>         <TwnNm>New York</TwnNm>
>>>>>>>         <Ctry>US</Ctry>
>>>>>>>       </LglAdr>
>>>>>>>       <OrgId>
>>>>>>>         <Othr>
>>>>>>>           <Id>01256485-85</Id>
>>>>>>>           <SchmeNm>
>>>>>>>             <Prtry>TAX</Prtry>
>>>>>>>           </SchmeNm>
>>>>>>>         </Othr>
>>>>>>>       </OrgId>
>>>>>>>       <MainMndtHldr>
>>>>>>>         <Nm>Richard Jones</Nm>
>>>>>>>         <PstlAdr>
>>>>>>>           <AdrTp>HOME</AdrTp>
>>>>>>>           <StrtNm>La Guardia Drive</StrtNm>
>>>>>>>           <BldgNb>12</BldgNb>
>>>>>>>           <PstCd>NJ 07054</PstCd>
>>>>>>>           <TwnNm>Parsippany</TwnNm>
>>>>>>>           <Ctry>US</Ctry>
>>>>>>>         </PstlAdr>
>>>>>>>         <Id>
>>>>>>>           <DtAndPlcOfBirth>
>>>>>>>             <BirthDt>1960-05-01</BirthDt>
>>>>>>>             <CityOfBirth>New york</CityOfBirth>
>>>>>>>             <CtryOfBirth>US</CtryOfBirth>
>>>>>>>           </DtAndPlcOfBirth>
>>>>>>>         </Id>
>>>>>>>       </MainMndtHldr>
>>>>>>>     </Org>
>>>>>>>     <DgtlSgntr>
>>>>>>>       <Pty>
>>>>>>>         <Nm>fplou</Nm>
>>>>>>>       </Pty>
>>>>>>>       <Sgntr>
>>>>>>>
>>>>>>>       </Sgntr>
>>>>>>>     </DgtlSgntr>
>>>>>>>   </AcctOpngReq>
>>>>>>> </Document>
>>>>>>> == PreDigest data - end buffer
>>>>>>> == Result - start buffer:
>>>>>>> vSK1aioRUa7Gz2jLpN9LFqFeXSI=
>>>>>>> == Result - end buffer
>>>>>>> = REFERENCE CALCULATION CONTEXT
>>>>>>> == Status: succeeded
>>>>>>> == URI: "sign.sh"
>>>>>>> == Reference Transform Ctx:
>>>>>>> == TRANSFORMS CTX (status=2)
>>>>>>> == flags: 0x00000000
>>>>>>> == flags2: 0x00000000
>>>>>>> == enabled transforms: all
>>>>>>> === uri: sign.sh
>>>>>>> === uri xpointer expr: NULL
>>>>>>> === Transform: input-uri (href=NULL)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> === Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
>>>>>>> === Transform: membuf-transform (href=NULL)
>>>>>>> == Digest Method:
>>>>>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>>>>>> == PreDigest data - start buffer:
>>>>>>> xmlsec1 --sign --output fpl.xml --privkey-pem ~/CA/fplousign.key
>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>>
>>>>>>> == PreDigest data - end buffer
>>>>>>> == Result - start buffer:
>>>>>>> 4JgfakTfEbqzVpb+lP8vAWsD0u8=
>>>>>>> == Result - end buffer
>>>>>>> == Result - start buffer:
>>>>>>> oniX6GCuto3mLkTC28tH49MMp1zC/ofccv3ry6SZG5mnhJrTDch3OQArnCBGp+XF
>>>>>>> 2JV3dOqLyROngdoIc/KiLorKkzNKoLr4rr9+U4krQChJyjvtlDMJUtGVvjewSxBI
>>>>>>> UIezmxhL4KeE+7q5jVqtl5f4peiCnyKC2wEKUoMjdxzZueyAl96GK62FxDiHeJTn
>>>>>>> h6+Y4STkaeLCsFksuLonmw+zCo5rDnq/M/umrSi3m5IqJTTL7X65oKQrS/qrkgzd
>>>>>>> 8DDq7wfzWpe/2F/XBel+/L5mGpEi1lANAlmcoUiazLC8xSp2Zu26qTkN6Jp0plnX
>>>>>>> uD2ZSS1bWu236lKh1elKWw==
>>>>>>> == Result - end buffer
>>>>>>>
>>>>>>>
>>>>>>> François
>>>>>>>
>>>>>>> On 03/04/2014 18:37, Aleksey Sanin wrote:
>>>>>>>> Try "--store-references" option to see what exactly was signed. Just
>>>>>>>> looking at the file, the DigestValue inside the #Manifest subtree looks
>>>>>>>> suspicious.
>>>>>>>>
>>>>>>>> Aleksey
>>>>>>>>
>>>>>>>> On 4/3/14, 5:46 AM, François Plou wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am facing an issue trying to sign an XML document which makes
>>>>>>>>> reference to an external file.
>>>>>>>>> xmlsec1 gives me a digest for the URI=#Manifest which is not
>>>>>>>>> verified by a tool like Apache XML Security.
>>>>>>>>> I am pretty sure there is something missing in the XML document I give
>>>>>>>>> to xmlsec but can't figure out what.
>>>>>>>>>
>>>>>>>>> I sign the document named acmt.007.001.02_1.skel.1sign.object2.xml.
>>>>>>>>> The command I use is : xmlsec1 --sign --output fpl.xml --privkey
>>>>>>>>> <key> acmt.007.001.02_1.skel.1sign.object2.xml
>>>>>>>>> The output document is fpl.xml
>>>>>>>>>
>>>>>>>>> The digest which is not the same as the one computed by Apache XML
>>>>>>>>> Security is 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
>>>>>>>>> Apache Security is expecting M3eHHYZ3d//5HW/Gp583TrV/K4I=
>>>>>>>>>
>>>>>>>>> I found that the expected digest matches the enclosed manifest3.xml file
>>>>>>>>> (I built it manually).
>>>>>>>>> So it seems xmlsec is not creating the same manifest part.
>>>>>>>>>
>>>>>>>>> Do you have any idea what can be wrong in my
>>>>>>>>> acmt.007.001.02_1.skel.1sign.object2.xml file ? Do I need to add a
>>>>>>>>> transform ?
>>>>>>>>>
>>>>>>>>> Thanks for your help.
>>>>>>>>>
>>>>>>>>> Francois
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> xmlsec mailing list
>>>>>>>>> [email protected]
>>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
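The failure mode Aleksey diagnoses above (an enveloped-signature transform on a Manifest-type Reference strips the Signature that contains the Manifest, so the digest is SHA-1 of nothing) can be caught by a template lint before signing. The checker below is an added example written for this thread, not part of xmlsec or the list's own code; it uses only Python's standard library, and the sample template is constructed from the shape of the generated file quoted above with the payload trimmed.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import List

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MANIFEST_TYPE = "http://www.w3.org/2000/09/xmldsig#Manifest"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# base64(SHA-1(b"")) == "2jmj7l5rSw0yVb/vlWAYkK/YBwk=", the digest of an empty
# buffer that xmlsec1 kept producing for the #Manifest reference in the thread.
EMPTY_SHA1_B64 = base64.b64encode(hashlib.sha1(b"").digest()).decode()


def is_empty_input_digest(digest_b64: str) -> bool:
    """True when a DigestValue is the SHA-1 of a zero-length input."""
    return digest_b64.strip() == EMPTY_SHA1_B64


def lint_manifest_references(xml_text: str) -> List[str]:
    """Return findings for each Manifest-type Reference under ds:SignedInfo.

    The ds:Manifest lives in ds:Object inside the ds:Signature itself, so an
    enveloped-signature transform on its Reference removes the very subtree
    being digested: the node set is empty and the digest is SHA-1 of nothing.
    """
    root = ET.fromstring(xml_text)
    manifest_ids = {m.get("Id") for m in root.iter(DS + "Manifest") if m.get("Id")}
    findings = []
    for sig in root.iter(DS + "Signature"):
        for ref in sig.findall(DS + "SignedInfo/" + DS + "Reference"):
            if ref.get("Type") != MANIFEST_TYPE:
                continue  # ordinary references are not the subject here
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                findings.append(f"{uri!r}: a Manifest reference must be a same-document fragment")
                continue
            if uri[1:] not in manifest_ids:
                findings.append(f"{uri}: no ds:Manifest with Id={uri[1:]!r} (Id is case-sensitive)")
            algos = [t.get("Algorithm") for t in ref.findall(DS + "Transforms/" + DS + "Transform")]
            if ENVELOPED in algos:
                findings.append(f"{uri}: enveloped-signature transform empties the node set; remove <Transforms>")
            if is_empty_input_digest(ref.findtext(DS + "DigestValue") or ""):
                findings.append(f"{uri}: DigestValue is the SHA-1 of an empty buffer")
    return findings


# Constructed sample in the shape of the generated file from the thread, payload trimmed.
BROKEN_TEMPLATE = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:acmt.007.001.02">
<AcctOpngReq><DgtlSgntr><Sgntr>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue/>
<Object>
<Manifest Id="manifest">
<Reference URI=""><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue/></Reference>
<Reference URI="sign.sh"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue/></Reference>
</Manifest>
</Object>
</Signature>
</Sgntr></DgtlSgntr></AcctOpngReq>
</Document>"""

# The same template with Aleksey's fix applied: no <Transforms> on the Manifest-type
# reference, and the DigestValue left empty for xmlsec1 to fill in when signing.
FIXED_TEMPLATE = re.sub(r"<Transforms>.*?</Transforms>\s*", "", BROKEN_TEMPLATE, flags=re.S)
FIXED_TEMPLATE = FIXED_TEMPLATE.replace("2jmj7l5rSw0yVb/vlWAYkK/YBwk=", "")
```

The enveloped-signature transform remains legitimate on the manifest's own `URI=""` reference, since that one digests the whole document and must exclude the signature; the lint deliberately checks only the references under SignedInfo.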
