Thanks --

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

is present in the SignedInfo -- does this not force the use of exc-c14n? Or does that also need to be present in the <Reference />?

On 8/8/19, 12:47 PM, "Aleksey Sanin" <[email protected]> wrote:

https://www.w3.org/TR/xmldsig-core1/#sec-CanonicalizationMethod

"CanonicalizationMethod is a required element that specifies the canonicalization algorithm applied to the SignedInfo element prior to performing signature calculations."

If you want to apply exc-c14n to the Reference, then you need to specify it as a transform in the Reference itself.

Best,
Aleksey

On 8/8/19 9:17 AM, Nimish Telang wrote:
> Hi,
>
> Consider the following XML doc:
> https://gist.github.com/nimish/b00fb8a75a8b4c424553783c7adb7656
>
> I’m trying to verify the wsu:Timestamp element using the sibling
> detached signature.
>
> xmlsec1 --verify --id-attr:ID
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd:Timestamp"
> --print-debug --store-references ./timestamp-wrapped.xml
>
> will fail signature verification.
> Output: https://gist.github.com/nimish/868029115e41fee5fe56b0b5b40872f4
>
> I don’t see a “=== Transform: exc-c14n
> (href=http://www.w3.org/2001/10/xml-exc-c14n#)” under the “REFERENCE
> VERIFICATION CONTEXT” as I’d expect, which is likely what’s causing the
> verification to fail. The only defined c14n algo is xml-exc-c14n.
>
> The python package signxml, which was used to generate this signature,
> can verify this just fine. I am not sure if this is signxml behaving
> badly, or xmlsec1.
>
> Any idea what I’m doing wrong?
>
> Nimish
>
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
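Added example, not part of the original thread and not xmlsec or signxml code: a Python check that reports which canonicalization applies to SignedInfo and to each same-document Reference, following the rule quoted above from the XMLDSig spec. The sample signature and the IDs `ts-1` and `body-1` are constructed, and the check assumes any non-c14n transforms (such as enveloped-signature) yield a node-set, which the spec then serializes with inclusive C14N 1.0.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"
INC = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C11 = "http://www.w3.org/2006/12/xml-c14n11"
# Canonicalization algorithm URIs from the W3C specs, plus #WithComments variants.
C14N_ALGS = {uri + suffix: name + label
             for uri, name in ((INC, "c14n 1.0"), (EXC, "exc-c14n"), (C11, "c14n 1.1"))
             for suffix, label in (("", ""), ("#WithComments", " with comments"))}
IMPLICIT = "c14n 1.0 (implicit default, no c14n transform in Reference)"

# Constructed sample: SignedInfo uses exc-c14n, but only one Reference declares it.
SAMPLE = f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{EXC}"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#ts-1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#body-1">
      <ds:Transforms><ds:Transform Algorithm="{EXC}"/></ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""

def effective_c14n(signature_xml):
    """Map SignedInfo and each same-document Reference to the c14n actually applied."""
    root = ET.fromstring(signature_xml)  # sample input only; ET is not hardened
    sig = next(root.iter(f"{{{DS}}}Signature"))
    ns = {"ds": DS}
    signed_info = sig.find("ds:SignedInfo", ns)
    method = signed_info.find("ds:CanonicalizationMethod", ns).get("Algorithm")
    refs = {}
    for ref in signed_info.findall("ds:Reference", ns):
        chain = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", ns)]
        # Only a c14n transform at the end of the chain produces the digested octets;
        # CanonicalizationMethod is never consulted for a Reference.
        last = chain[-1] if chain else None
        refs[ref.get("URI")] = C14N_ALGS.get(last, IMPLICIT)
    return {"SignedInfo": C14N_ALGS.get(method, method), "references": refs}

if __name__ == "__main__":
    print(effective_c14n(SAMPLE))
```

A Reference reported with the implicit default will only verify if the signer digested the inclusive C14N 1.0 form of the referenced element.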
