The element with Id="IDC1141029105800p0100_SP" is located INSIDE the
<ds:Signature> node. Thus when the <ds:Signature> node is removed by the
enveloped transform all its children (including the element with
Id="IDC1141029105800p0100_SP") are removed as well. Thus the empty
output is correct.

Best,
Aleksey

On 11/10/14 7:32 AM, pfx wrote:
> I'm not sure ... Even if the signature is not valid, xmlsec can display
> the PreDigest data
>
> After a lot of debug, I found the reason (but not the solution)
>
> The file I want to check is strange ...
>
> It contains 2 references in <ds:SignedInfo>
>
> The first reference is correct (#B01201438 references an id of a parent
> element)
>
> <ds:Reference URI="#B01201438">
>   <ds:Transforms>
>     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>   </ds:Transforms>
>   [...]
>
> The second reference also contains a <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> (#IDC1141029105704p0100_SP references a Xades SignedProperties element
> => Signature/Object/QualifyingProperties/SignedProperties, therefore
> it's a child element of ds:Signature)
>
> <ds:Reference URI="#IDC1141029105704p0100_SP">
>   <ds:Transforms>
>     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>   </ds:Transforms>
>   [...]
>
> When xmlsec processes this reference, the output of C14N is empty.
> If I remove the <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>, the
> output of C14N is correct.
> My knowledge is that "enveloped-signature" removes the node "Signature"
> from the tree of signed data.
>
> I do not understand the side effect of "enveloped-signature". In the
> best case, xmlsec should ignore the additional <ds:Transform ...
> enveloped-signature"/> (i.e. return the whole sub tree).
>
> What is your opinion?
>
> On 07/11/2014 17:25, Aleksey Sanin wrote:
>> Well, according to the output.txt file, xmlsec simply stops on the
>> first failed Reference element since the signature will not be valid
>> anyway (see while() loop at the end of the
>> xmlSecDSigCtxProcessSignedInfoNode() function).
>>
>> Aleksey
>>
>> On 11/7/14 4:31 AM, pfx wrote:
>>> Hi!
>>>
>>> I have a signed xml file with Xades information.
>>> I try to verify the signature with:
>>>
>>> $ xmlsec1 --verify --id-attr:Id Bordereau --id-attr:Id Signature
>>> --id-attr:Id SignedProperties --node-id IDC1141029105800p0100 test.xml
>>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
>>> data:data and digest do not match
>>> FAIL
>>> SignedInfo References (ok/all): 1/2
>>>
>>> The first part of the signature is validated by xmlsec1,
>>> but it seems that xmlsec1 can't access the second part (Xades
>>> information).
>>>
>>> If I use the "--store-references" flag, I can see the "PreDigest data"
>>> of the first part, but xmlsec1 never displays the "PreDigest data" of
>>> the second part.
>>>
>>> Here is an extract of the file:
>>> <Bordereau Id="*B01201462*">
>>>   <BlocBordereau>
>>>   ...
>>>   <ds:Signature Id="IDC1141029105800p0100">
>>>     <ds:SignedInfo>
>>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>       <ds:Reference URI="#*B01201462*">
>>>         <ds:Transforms>
>>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>         </ds:Transforms>
>>>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>         <ds:DigestValue>m24cE8pHsEwYBbVnCcUGUT49i3g=</ds:DigestValue>
>>>       </ds:Reference>
>>>       <ds:Reference URI="#*IDC1141029105800p0100_SP*">
>>>         <ds:Transforms>
>>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>         </ds:Transforms>
>>>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>         <ds:DigestValue>OgLDEJDln8+bp7jX1pxs5j/0poM=</ds:DigestValue>
>>>       </ds:Reference>
>>>     </ds:SignedInfo>
>>>     ...
>>>     <ds:Object Id="IDC1141029105800p0100_QI">
>>>       <xad:QualifyingProperties Target="IDC1141029105800p0100">
>>>         <xad:SignedProperties Id="*IDC1141029105800p0100_SP*">
>>>           <xad:SignedSignatureProperties>
>>>             <xad:SigningTime>2014-10-29T09:58:00.191Z</xad:SigningTime>
>>>   </ds:Signature>
>>> </Bordereau>
>>>
>>> And an extract of the output:
>>> = REFERENCE VERIFICATION CONTEXT
>>> == Status: succeeded
>>> == URI: "#B01201462"
>>> [...]
>>> === uri:
>>> === uri xpointer expr: #B01201462
>>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> == PreDigest data - start buffer:
>>> <Bordereau Id="B01201462"><BlocBordereau><Exer V="2014"></Exer>.........</Bordereau>
>>> == PreDigest data - end buffer
>>> = REFERENCE VERIFICATION CONTEXT
>>> == Status: invalid
>>> == URI: "#IDC1141029105800p0100_SP"
>>> [...]
>>> === uri:
>>> === uri xpointer expr: #IDC1141029105800p0100_SP
>>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>> === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>> === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
>>> === Transform: membuf-transform (href=NULL)
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> === Transform: membuf-transform (href=NULL)
>>> == Digest Method:
>>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>> => No PreDigest data here!
>>>
>>> Where is my mistake?
>>>
>>> I use xmlsec 1.2.18 (openssl)
>>> (here the full xml file and xmlsec output => http://dl.free.fr/ekDbPkF63)
>>>
>>> Regards,
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected]
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
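To make the behaviour Aleksey describes concrete, the following Python model (an added example, not xmlsec code and not from anyone in this thread) resolves the two References from the quoted document and applies the enveloped-signature transform the way XMLDSig defines it: the ds:Signature whose SignedInfo holds the Reference is dropped from the node-set. For "#B01201462" the document minus its signature remains; for "#IDC1141029105800p0100_SP", which lives inside that signature, the node-set is empty, so the digest is computed over zero bytes, which is exactly the empty PreDigest buffer in the output above. It assumes the XAdES 1.3.2 namespace URI (the thread does not quote it) and uses the standard library's C14N 2.0 as a stand-in for exclusive C14N, so the digest bytes will not match xmlsec's, only the node-set behaviour.

```python
"""Model of the enveloped-signature transform for the two References in the
thread. Added example; not xmlsec code. Standard library only."""
import copy
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XAD_NS = "http://uri.etsi.org/01903/v1.3.2#"  # assumed XAdES namespace; not in the thread
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

ET.register_namespace("ds", DS_NS)
ET.register_namespace("xad", XAD_NS)

# Constructed document with the same shape and Ids as the thread's extract, content trimmed.
SAMPLE = f"""<Bordereau Id="B01201462" xmlns:ds="{DS_NS}" xmlns:xad="{XAD_NS}">
  <BlocBordereau><Exer V="2014"/></BlocBordereau>
  <ds:Signature Id="IDC1141029105800p0100">
    <ds:SignedInfo>
      <ds:Reference URI="#B01201462"/>
      <ds:Reference URI="#IDC1141029105800p0100_SP"/>
    </ds:SignedInfo>
    <ds:Object Id="IDC1141029105800p0100_QI">
      <xad:QualifyingProperties Target="IDC1141029105800p0100">
        <xad:SignedProperties Id="IDC1141029105800p0100_SP">
          <xad:SignedSignatureProperties>
            <xad:SigningTime>2014-10-29T09:58:00.191Z</xad:SigningTime>
          </xad:SignedSignatureProperties>
        </xad:SignedProperties>
      </xad:QualifyingProperties>
    </ds:Object>
  </ds:Signature>
</Bordereau>"""


def index_ids(root):
    """Equivalent of xmlsec's --id-attr:Id: map every Id attribute to its element."""
    return {el.get("Id"): el for el in root.iter() if el.get("Id") is not None}


def pre_digest_data(xml_text, uri, transforms, signature_id):
    """Return the bytes a verifier would digest for one Reference.

    signature_id names the ds:Signature whose SignedInfo contains this
    Reference; that is the subtree the enveloped-signature transform removes.
    """
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    if not uri.startswith("#") or uri[1:] not in ids:
        raise ValueError(f"cannot resolve {uri}")
    target = ids[uri[1:]]
    signature = ids[signature_id]

    if ENVELOPED in transforms:
        # The transform drops the whole ds:Signature subtree from the node-set.
        # If the referenced element is inside that subtree, nothing survives.
        if any(el is target for el in signature.iter()):
            return b""
        # Otherwise work on a copy and cut the signature out of it.
        target = copy.deepcopy(target)
        parents = {child: parent for parent in target.iter() for child in parent}
        for el in list(target.iter()):
            if el.tag == f"{{{DS_NS}}}Signature" and el.get("Id") == signature_id:
                parents[el].remove(el)

    # C14N 2.0 from the standard library stands in for exc-c14n here.
    return ET.canonicalize(ET.tostring(target, encoding="unicode")).encode()


def digest(data):
    """SHA-1 hex digest of the pre-digest bytes (the thread's DigestMethod)."""
    return hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    sig = "IDC1141029105800p0100"
    for uri in ("#B01201462", "#IDC1141029105800p0100_SP"):
        data = pre_digest_data(SAMPLE, uri, [ENVELOPED, EXC_C14N], sig)
        print(f"{uri}: {len(data)} bytes, sha1 {digest(data)}")
    # Signing-side fix: the SignedProperties reference must be produced without
    # the enveloped transform, which is what pfx observed when removing it.
    fixed = pre_digest_data(SAMPLE, "#IDC1141029105800p0100_SP", [EXC_C14N], sig)
    print(f"without enveloped transform: {len(fixed)} bytes")
```

The verifier side cannot "ignore" the extra transform as the question suggests: ds:Transforms sits inside ds:SignedInfo, which is what the RSA-SHA1 signature covers, so the verifier must apply every declared transform exactly and report the digest mismatch. The correction belongs to the signer, which should emit the SignedProperties reference with only the exclusive C14N transform.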
