Thank you for your quick response! The specification that I am coding to requires the KeyInfo element to be included. Are you suggesting that the signature may verify successfully if I omit the KeyInfo and/or KeyName information from the signature template?
I tried removing the calls to xmlSecTmplSignatureEnsureKeyInfo, xmlSecTmplKeyInfoAddKeyName, and xmlSecTmplKeyInfoAddX509Data, but when I do so, xmlsec generates the following error when xmlSecDSigCtxSign is called: func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000) func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=889:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x00000000) func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=581:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000) func=xmlSecDSigCtxSign:file=xmldsig.c:line=319:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000) if I take out only the call to xmlSecTmplKeyInfoAddX509Data, then xmlsec will sign the document, but signature verification still fails with the "invalid signature" error you previously indicated, so it appears that xmlsec is generating an invalid signature for some reason. Could you please provide an example of a signature template that should work when using an NSS database in FIPS mode? Or is there more additional information I can provide that would help to determine why xmlsec generates an invalid signature from the signature template I previously provided? Thanks again, Lara -----Original Message----- From: Aleksey Sanin [mailto:[email protected]] Sent: Tuesday, June 23, 2015 12:15 PM To: Lara Blatchford; [email protected] Subject: Re: [xmlsec] signature verification failures using NSS with FIPS This particular error means that the certificate verification failed https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslerr.html SEC_ERROR_BAD_SIGNATURE -8182 Peer's certificate has an invalid signature. I didn't test in FIPS mode recently, but as far as I know it should work fine for a subset of XMLDsig spec (e.g. you can't put keys into signature for obvious reasons). Aleksey On 6/23/15 8:49 AM, Lara Blatchford wrote: > Though I am able to generate signatures using RSA keys retrievedfroma > FIPS-enabled NSS database, the signatures do > > not verify. > > If FIPS is disabledon the database, the signature does verify. > > A mail archive post fromWed, 05 Mar 2003 21:39:24indicated that FIPS > modeisnot supported for the NSS library. > > Why is this, and is there a plan to add support in the future? > > Here is the error received when attempting to verify the database,as > well as the signature portion of my XML document: > > [nss]$ xmlsec1 --verify --crypto nss --crypto-config . > 100_1_2003_doc.xml > > func=xmlSecNssSignatureVerify:file=signatures.c:line=356:obj=rsa-sha51 > 2:subj=VFY_EndWithSignature:error=4:crypto > library function failed:error code=-8182;last nss error=-8182 > (0xFFFFE00A) > > func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1804:obj= > rsa-sha512:subj=xmlSecTransformVerify:error=1:xmlsec > library function failed: ;last nss error=-8182 (0xFFFFE00A) > > func=xmlSecDSigCtxVerify:file=xmldsig.c:line=401:obj=unknown:subj=xmlS > ecTransformVerifyNodeContent:error=1:xmlsec > library function failed: ;last nss error=-8182 (0xFFFFE00A) > > Error: signature failed > > ERROR > > SignedInfo References (ok/all): 1/1 > > Manifests References (ok/all): 0/0 > > Error: failed to verify file "100_1_2003_doc.xml" > > [nss]$ > > [nss]$ modutil -chkfips true -dbdir . > > FIPS mode enabled. > > [nss]$ > > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> > > <SignedInfo> > > <CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/> > > <SignatureMethod > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/> > > <Reference URI="#xpointer(/)"> > > <Transforms> > > <Transform > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> > > <Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/> > > </Transforms> > > <DigestMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/> > > > <DigestValue>DotbZXz+hs3PZpA2SflWZvtbT9LI0i7pUMGfx9g1isX92tD8FtQ09r3wV > ls3gRZr > > mIkMbgPU4pbcV493Ks/j7g==</DigestValue> > > </Reference> > > </SignedInfo> > > > <SignatureValue>ol+p5Jpj7mL+gl5UfeIemn4d+NBAgHpRKmUzl1/aJuJ82frs5WHep5 > zvVbdUcWNg > > RTalqXo0D1TlbT6JzP54UnwCYSTk8L9ttROPKRWF+28sJzujigyVQ0QYDkGJLu3e > > R7IunkvESUmoiBjDZlJXHoBkrWVIeazvV0qfouQHmFHxNxg8epLXsjXkUjNgyWUK > > WFDqnS2h+qTNvuxYEOUcQaR1wDvSg/7KHCoEfShMLOY1avgs3ZEDfEX2Vn0GsN9w > > Fy1smTmeBd+yHINe3HpkOJeG5h7zpCdTU2NSD1Bs3gWH4r/HSUNENswIKdpS58JJ > > 6hLhncPMK28FiyLOefcCUYVfUu0i5nROcCZewbgOJws2fmn21GcXm9XlrUM7tNP+ > > 73FP2I0sdQU04mPbj2TcacGprw1ELd1zIJFDxGVYmQ9fQ1zoOpXr1O6C0iTxHrGk > > 80KEwhTiuHwiLtSbc2I2F/fKWKqun/VQ1pKccN9b9jNaNPCFvzs87luuW3OKW7w3 > > DQiLJKQ8e9/b3sJEf9HYFNDmam75rm4E15rPvNr97jF5uZQ55dwQGp3tEPejbAtg > > 6rkEifPTOMydGFT6G7nSKM+T3+mw051BovXgtuVkg4YxRGsv2ozWgwCKQv4kdrZ8 > > lfCpA4vij5HcFoOPsleth5twmY69GBMPnl0cgfmW7sA=</SignatureValue> > > <KeyInfo> > > <KeyName>signingCert</KeyName> > > <X509Data> > > <X509Certificate>MIIEpzCCAo+gAwIBAgIBADANBgkqhkiG9w0BAQUFADAWMRQwEgYDV > QQDEwtzaWdu > > aW5nQ2VydDAgFw0xNTA2MjMxNTMwMzNaGA81MDU5MDIyMzE1MzAzM1owFjEUMBIG > > A1UEAxMLc2lnbmluZ0NlcnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC > > AQDeKjUCmUAIis5nJ2xYkRo8OYoH853ebnLh+WxnjSy6vUzkKQGRsNgBWY0XJpgf > > kugjZpUH1F6LaV/4e/jzvGp5fF+f42u9X9VPXYod07dzbJneJTdw+WcSw9v4oKzK > > J/gqLvuz+MTT0GRN5M+E7tT7vjyz/D/n+mPpmd6TAUYnYTPI+6OMfbbD4pDu7Xyf > > c8whVfLbRuIR0qC43V3dNAg6Hb0FqJH1VkQe83iTdhGM2G21ppQuxBZsMjsLvlvR > > rAyt4Ma6q4AIMx/slyP0ZNrSo0HYqEVYo3+ZPjdHyzUDtKgmybO8yM/HXrXtQHVs > > HolnHEQPNOuhFiOB8lkWUUuDjHshBAelmf05466qYK32MXXV27vpzwL5n6uw1C8D > > qj/BJrvFCGRfhJMSJcRVR6CznWMByclvPH0YGoL/nwm3Y5d5/CzG6aE34FF+jExF > > uCEb1/L48hVR+RtY7G9GyUigQ8lM0YzTDRIlEeWd1YZ5JJwQmaanw1qV+/8z/FMC > > aRDrmNVWuIPBx3Hh8B+i6Lw8HJ+JqlDdR3dYPH0HGhwvsJrIG1PN1PHbfjkgxVh4 > > 70NJ85qyt/Dk9ulxNIYpEgiCCSSdVrWhg9iH+Wi23VUtKQADyqqXlPfv7cArYstH > > d3O7ihgxK/fs9zt29RSP0IRPppr2JogjNEsb4qq+BOKO4wIDAQABMA0GCSqGSIb3 > > DQEBBQUAA4ICAQBVKULeDMz/HdA8Z2XmVOkv/OckVm/ZxjJYG4HnZQ3VR10Ih9Oq > > gpJgRS0k1lpwFgQJMNV0kT2yxmlHWTuYrvQty7RXSFIbfANojCivJ+LnFYiJjqZi > > WwQOT51NQ849MTwRV8ETHbWkuA3oEPRqJFVrM3Ww66IEPFLLWH7ybH3ij7TD/T9d > > 1xuBk+5NC3Tn1ECLEhiKYZ8sVnSFtQqIXx3bYecwGc53ToUqrXMqei6zSkrxdz7N > > xZ3vahhRoK0Pjd7foLVktQ279h/Sg6QtB5V8hLBhFouu7qRB3I02B/h8fGhfxf22 > > mMgtppQnOYpO27LUIo2OqzO9g7/dbvlyoRNIJ2iBQpJohKfHFEq9Bhn9jsurOVuV > > F2+lgHOEWqPMAEa30mFzvkcauQlZJ2wK5TVWFt5jPlGj3Nq0rIelCjFqkEgaJTfU > > Cvlgbt3hobr5nLeBpk3P4fsUe/m2FNiYLcoE+z4tTSdmZ0lMWBqQySfOm3WU5txR > > e6YgfRnQOckuIWJJIcCvFgVBqeV+QKueWUG1EGCBw4LmcWibV+0GRgT8PYDsCsFL > > H9AGwhAKDuZXGdhIM/88zL7FPfE8A0Cb0FnYtrWh93wz4K3CTZZrn3bG2xpctco0 > > E6mxACLMMkgy792ldum5QfOiLiA1KYe4ZvwS4/rJIlzdf7LQy/liBpT4Nw==</X509Cert > ificate> > > </X509Data> > > </KeyInfo> > > </Signature> > > Thanks you, > > Lara > > ~~~~~~~~~~~~~~ > > Lara Blatchford > > Principal Engineer > > Nteligen, LLC > > > > _______________________________________________ > xmlsec mailing list > [email protected] > http://www.aleksey.com/mailman/listinfo/xmlsec > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
