I have no idea what are you doing. As I said, the current error means that certificate verification fails. That's the reason.
Aleksey On 6/25/15 7:03 AM, Lara Blatchford wrote: > > Thank you for your quick response! > > The specification that I am coding to requires the KeyInfo element to be > included. Are you suggesting that the signature may verify successfully if I > omit the KeyInfo and/or KeyName information from the signature template? > > I tried removing the calls to xmlSecTmplSignatureEnsureKeyInfo, > xmlSecTmplKeyInfoAddKeyName, and > xmlSecTmplKeyInfoAddX509Data, but when I do so, xmlsec generates the > following error when > xmlSecDSigCtxSign is called: > > func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec > library function failed: ;last nss error=0 (0x00000000) > func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=889:obj=unknown:subj=unknown:error=45:key > is not found: ;last nss error=0 (0x00000000) > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=581:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec > library function failed: ;last nss error=0 (0x00000000) > func=xmlSecDSigCtxSign:file=xmldsig.c:line=319:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec > library function failed: ;last nss error=0 (0x00000000) > > if I take out only the call to xmlSecTmplKeyInfoAddX509Data, then xmlsec will > sign the document, > but signature verification still fails with the "invalid signature" error you > previously indicated, so it > appears that xmlsec is generating an invalid signature for some reason. > > Could you please provide an example of a signature template that should work > when using an > NSS database in FIPS mode? Or is there more additional information I can > provide that would > help to determine why xmlsec generates an invalid signature from the > signature template I > previously provided? > > Thanks again, > Lara > > -----Original Message----- > From: Aleksey Sanin [mailto:[email protected]] > Sent: Tuesday, June 23, 2015 12:15 PM > To: Lara Blatchford; [email protected] > Subject: Re: [xmlsec] signature verification failures using NSS with FIPS > > This particular error means that the certificate verification failed > > https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslerr.html > > SEC_ERROR_BAD_SIGNATURE -8182 Peer's certificate has an invalid > signature. > > I didn't test in FIPS mode recently, but as far as I know it should work fine > for a subset of XMLDsig spec (e.g. you can't put keys into signature for > obvious reasons). > > Aleksey > > On 6/23/15 8:49 AM, Lara Blatchford wrote: >> Though I am able to generate signatures using RSA keys retrievedfroma >> FIPS-enabled NSS database, the signatures do >> >> not verify. >> >> If FIPS is disabledon the database, the signature does verify. >> >> A mail archive post fromWed, 05 Mar 2003 21:39:24indicated that FIPS >> modeisnot supported for the NSS library. >> >> Why is this, and is there a plan to add support in the future? >> >> Here is the error received when attempting to verify the database,as >> well as the signature portion of my XML document: >> >> [nss]$ xmlsec1 --verify --crypto nss --crypto-config . >> 100_1_2003_doc.xml >> >> func=xmlSecNssSignatureVerify:file=signatures.c:line=356:obj=rsa-sha51 >> 2:subj=VFY_EndWithSignature:error=4:crypto >> library function failed:error code=-8182;last nss error=-8182 >> (0xFFFFE00A) >> >> func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1804:obj= >> rsa-sha512:subj=xmlSecTransformVerify:error=1:xmlsec >> library function failed: ;last nss error=-8182 (0xFFFFE00A) >> >> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=401:obj=unknown:subj=xmlS >> ecTransformVerifyNodeContent:error=1:xmlsec >> library function failed: ;last nss error=-8182 (0xFFFFE00A) >> >> Error: signature failed >> >> ERROR >> >> SignedInfo References (ok/all): 1/1 >> >> Manifests References (ok/all): 0/0 >> >> Error: failed to verify file "100_1_2003_doc.xml" >> >> [nss]$ >> >> [nss]$ modutil -chkfips true -dbdir . >> >> FIPS mode enabled. >> >> [nss]$ >> >> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> >> >> <SignedInfo> >> >> <CanonicalizationMethod >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/> >> >> <SignatureMethod >> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/> >> >> <Reference URI="#xpointer(/)"> >> >> <Transforms> >> >> <Transform >> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> >> >> <Transform >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/> >> >> </Transforms> >> >> <DigestMethod >> Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/> >> >> >> <DigestValue>DotbZXz+hs3PZpA2SflWZvtbT9LI0i7pUMGfx9g1isX92tD8FtQ09r3wV >> ls3gRZr >> >> mIkMbgPU4pbcV493Ks/j7g==</DigestValue> >> >> </Reference> >> >> </SignedInfo> >> >> >> <SignatureValue>ol+p5Jpj7mL+gl5UfeIemn4d+NBAgHpRKmUzl1/aJuJ82frs5WHep5 >> zvVbdUcWNg >> >> RTalqXo0D1TlbT6JzP54UnwCYSTk8L9ttROPKRWF+28sJzujigyVQ0QYDkGJLu3e >> >> R7IunkvESUmoiBjDZlJXHoBkrWVIeazvV0qfouQHmFHxNxg8epLXsjXkUjNgyWUK >> >> WFDqnS2h+qTNvuxYEOUcQaR1wDvSg/7KHCoEfShMLOY1avgs3ZEDfEX2Vn0GsN9w >> >> Fy1smTmeBd+yHINe3HpkOJeG5h7zpCdTU2NSD1Bs3gWH4r/HSUNENswIKdpS58JJ >> >> 6hLhncPMK28FiyLOefcCUYVfUu0i5nROcCZewbgOJws2fmn21GcXm9XlrUM7tNP+ >> >> 73FP2I0sdQU04mPbj2TcacGprw1ELd1zIJFDxGVYmQ9fQ1zoOpXr1O6C0iTxHrGk >> >> 80KEwhTiuHwiLtSbc2I2F/fKWKqun/VQ1pKccN9b9jNaNPCFvzs87luuW3OKW7w3 >> >> DQiLJKQ8e9/b3sJEf9HYFNDmam75rm4E15rPvNr97jF5uZQ55dwQGp3tEPejbAtg >> >> 6rkEifPTOMydGFT6G7nSKM+T3+mw051BovXgtuVkg4YxRGsv2ozWgwCKQv4kdrZ8 >> >> lfCpA4vij5HcFoOPsleth5twmY69GBMPnl0cgfmW7sA=</SignatureValue> >> >> <KeyInfo> >> >> <KeyName>signingCert</KeyName> >> >> <X509Data> >> >> <X509Certificate>MIIEpzCCAo+gAwIBAgIBADANBgkqhkiG9w0BAQUFADAWMRQwEgYDV >> QQDEwtzaWdu >> >> aW5nQ2VydDAgFw0xNTA2MjMxNTMwMzNaGA81MDU5MDIyMzE1MzAzM1owFjEUMBIG >> >> A1UEAxMLc2lnbmluZ0NlcnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC >> >> AQDeKjUCmUAIis5nJ2xYkRo8OYoH853ebnLh+WxnjSy6vUzkKQGRsNgBWY0XJpgf >> >> kugjZpUH1F6LaV/4e/jzvGp5fF+f42u9X9VPXYod07dzbJneJTdw+WcSw9v4oKzK >> >> J/gqLvuz+MTT0GRN5M+E7tT7vjyz/D/n+mPpmd6TAUYnYTPI+6OMfbbD4pDu7Xyf >> >> c8whVfLbRuIR0qC43V3dNAg6Hb0FqJH1VkQe83iTdhGM2G21ppQuxBZsMjsLvlvR >> >> rAyt4Ma6q4AIMx/slyP0ZNrSo0HYqEVYo3+ZPjdHyzUDtKgmybO8yM/HXrXtQHVs >> >> HolnHEQPNOuhFiOB8lkWUUuDjHshBAelmf05466qYK32MXXV27vpzwL5n6uw1C8D >> >> qj/BJrvFCGRfhJMSJcRVR6CznWMByclvPH0YGoL/nwm3Y5d5/CzG6aE34FF+jExF >> >> uCEb1/L48hVR+RtY7G9GyUigQ8lM0YzTDRIlEeWd1YZ5JJwQmaanw1qV+/8z/FMC >> >> aRDrmNVWuIPBx3Hh8B+i6Lw8HJ+JqlDdR3dYPH0HGhwvsJrIG1PN1PHbfjkgxVh4 >> >> 70NJ85qyt/Dk9ulxNIYpEgiCCSSdVrWhg9iH+Wi23VUtKQADyqqXlPfv7cArYstH >> >> d3O7ihgxK/fs9zt29RSP0IRPppr2JogjNEsb4qq+BOKO4wIDAQABMA0GCSqGSIb3 >> >> DQEBBQUAA4ICAQBVKULeDMz/HdA8Z2XmVOkv/OckVm/ZxjJYG4HnZQ3VR10Ih9Oq >> >> gpJgRS0k1lpwFgQJMNV0kT2yxmlHWTuYrvQty7RXSFIbfANojCivJ+LnFYiJjqZi >> >> WwQOT51NQ849MTwRV8ETHbWkuA3oEPRqJFVrM3Ww66IEPFLLWH7ybH3ij7TD/T9d >> >> 1xuBk+5NC3Tn1ECLEhiKYZ8sVnSFtQqIXx3bYecwGc53ToUqrXMqei6zSkrxdz7N >> >> xZ3vahhRoK0Pjd7foLVktQ279h/Sg6QtB5V8hLBhFouu7qRB3I02B/h8fGhfxf22 >> >> mMgtppQnOYpO27LUIo2OqzO9g7/dbvlyoRNIJ2iBQpJohKfHFEq9Bhn9jsurOVuV >> >> F2+lgHOEWqPMAEa30mFzvkcauQlZJ2wK5TVWFt5jPlGj3Nq0rIelCjFqkEgaJTfU >> >> Cvlgbt3hobr5nLeBpk3P4fsUe/m2FNiYLcoE+z4tTSdmZ0lMWBqQySfOm3WU5txR >> >> e6YgfRnQOckuIWJJIcCvFgVBqeV+QKueWUG1EGCBw4LmcWibV+0GRgT8PYDsCsFL >> >> H9AGwhAKDuZXGdhIM/88zL7FPfE8A0Cb0FnYtrWh93wz4K3CTZZrn3bG2xpctco0 >> >> E6mxACLMMkgy792ldum5QfOiLiA1KYe4ZvwS4/rJIlzdf7LQy/liBpT4Nw==</X509Cert >> ificate> >> >> </X509Data> >> >> </KeyInfo> >> >> </Signature> >> >> Thanks you, >> >> Lara >> >> ~~~~~~~~~~~~~~ >> >> Lara Blatchford >> >> Principal Engineer >> >> Nteligen, LLC >> >> >> >> _______________________________________________ >> xmlsec mailing list >> [email protected] >> http://www.aleksey.com/mailman/listinfo/xmlsec >> > > _______________________________________________ > xmlsec mailing list > [email protected] > http://www.aleksey.com/mailman/listinfo/xmlsec > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
