Re: [xmlsec] XMLSEC Question: "signature does not verify" always

Wed, 25 Nov 2020 18:41:13 -0800

It is not possible to debug it w/o having the signer along. I would check how c14n is performed on both sides. 

Aleksey

On 11/24/20 2:58 PM, Márk BARTOS wrote:

Hello,

I apologize if this is not the right place to ask.
I'd like to ask for pointers why signature verification always fails. (xmlsec/xmlsec-openssl 1.2.31) 
With this error:
func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha256:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify
Since my data (from 3rdparty, known to be good) is detached I use xmlsec io callbacks to read the data. I know here there is no error, since if I intentionally leave the last byte, the digests do not match, and the verification exits sooner with that error.
I also know the CA cert I use verifies the embedded cert because if I set a known bad cert the verification again exits very soon with the "unable to verify known issuer" error. 

Thus I do not understand what I am missing. Could you provide some pointers?

Thank you.

Signatures.xml:
<?xml version="1.0"encoding="UTF-8"?>
<asic:XAdESSignatures xmlns:asic="http://uri.etsi.org/02918/v1.2.1# <http://uri.etsi.org/02918/v1.2.1#>"> <Signature xmlns="http://www.w3.org/2000/09/xmldsig# <http://www.w3.org/2000/09/xmldsig#>"Id="Signature-1"> 
<SignedInfo Id="Signature-1__SignedInfo-1">
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# <http://www.w3.org/2001/10/xml-exc-c14n#>"></CanonicalizationMethod> <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 <http://www.w3.org/2001/04/xmldsig-more#rsa-sha256>"></SignatureMethod> <Reference Id="Signature-1__Reference-1"Type="http://uri.etsi.org/01903#SignedProperties <http://uri.etsi.org/01903#SignedProperties>"URI="#Signature-1__SignedProperties-1"> 
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# <http://www.w3.org/2001/10/xml-exc-c14n#>"></Transform> 
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod> 
<DigestValue>qIYr8zG/J0LWT8H3/WzaX+kMBkWdlOIgVOezVmyRzm8=</DigestValue>
</Reference>
<Reference Id="Signature-1__Reference-2"URI="pack_other_1.csv">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod> 
<DigestValue>XyV+GBMP3La9CPNW9Cze75tKFIfymZKujciJmXTmMUk=</DigestValue>
</Reference>
<Reference Id="Signature-1__Reference-3"URI="pack_mobile_1.csv">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod> 
<DigestValue>lVFUCp2gUnfLagRujP5ZsT9uvm7gmAZzppnvuqo6vp0=</DigestValue>
</Reference>
<Reference Id="Signature-1__Reference-4"URI="pack_fix_1.csv">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod> 
<DigestValue>c/GS40xgZnkj//07+uC7wPPBa7a7xvvXlgcTJekuqGI=</DigestValue>
</Reference>
<Reference Id="Signature-1__Reference-5"URI="pack_location_1.csv">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod> 
<DigestValue>uupcGpfOSSNFpZKiqr7jGYKr8gds422ZNLCMw+9YNWY=</DigestValue>
</Reference>
<Reference Id="Signature-1__Reference-6"URI="pack_fix_2.csv">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod> 
<DigestValue>C27xuWDL+IpkQHo1A7mKNGBQEDnYwsWmnohgPu+Oib0=</DigestValue>
</Reference>
<Reference Id="Signature-1__Reference-7"URI="pack_mobile_2.csv">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod> 
<DigestValue>1QyKiZ8V5bNszzMMJm38cQ3LvZ96zW8++U3+5a7zui0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue Id="Signature-1__SignatureValue-1">
omitted
</SignatureValue>
<KeyInfo Id="Signature-1__KeyInfo-1">
<X509Data>
<X509Certificate>
omitted
</X509Certificate>
</X509Data>
</KeyInfo>

<Object Id="Signature-1__Object-1">
<QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.3.2# <http://uri.etsi.org/01903/v1.3.2#>"Id="Signature-1__QualifyingProperties-1"Target="#Signature-1"> 
<SignedProperties Id="Signature-1__SignedProperties-1">
<SignedSignatureProperties>
<SigningTime>2020-11-11T11:17:35Z</SigningTime>
<SigningCertificate>
<Cert>
<CertDigest>
<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig# <http://www.w3.org/2000/09/xmldsig#>"Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 <http://www.w3.org/2001/04/xmlenc#sha256>"></DigestMethod> <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig# <http://www.w3.org/2000/09/xmldsig#>">omitted</DigestValue> 
</CertDigest>
<IssuerSerial>
<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig# <http://www.w3.org/2000/09/xmldsig#>">omitted</X509IssuerName> <X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig# <http://www.w3.org/2000/09/xmldsig#>">omitted</X509SerialNumber> 
</IssuerSerial>
</Cert>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyImplied></SignaturePolicyImplied>
</SignaturePolicyIdentifier>
</SignedSignatureProperties>
<SignedDataObjectProperties>
<DataObjectFormat ObjectReference="#Signature-1__Reference-2">
<MimeType>text/csv</MimeType>
</DataObjectFormat>
<DataObjectFormat ObjectReference="#Signature-1__Reference-3">
<MimeType>text/csv</MimeType>
</DataObjectFormat>
<DataObjectFormat ObjectReference="#Signature-1__Reference-4">
<MimeType>text/csv</MimeType>
</DataObjectFormat>
<DataObjectFormat ObjectReference="#Signature-1__Reference-5">
<MimeType>text/csv</MimeType>
</DataObjectFormat>
<DataObjectFormat ObjectReference="#Signature-1__Reference-6">
<MimeType>text/csv</MimeType>
</DataObjectFormat>
<DataObjectFormat ObjectReference="#Signature-1__Reference-7">
<MimeType>text/csv</MimeType>
</DataObjectFormat>
</SignedDataObjectProperties>
</SignedProperties>
</QualifyingProperties>
</Object>
</Signature>
</asic:XAdESSignatures>

Best regards,

Márk
/This e-mail and any attachments is intended solely for the addressee. If you are not the addressee please do not read, print, re-transmit, store or act in reliance on it or any attachments. Instead, please email it back to the sender and then immediately permanently delete it. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is prohibited./ 
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec

Reply via email to