Invalid digest


Robert Zrinski
Sep 3, 2014, 8:56:14 AM
to xmlse...@googlegroups.com
XML that I sign with xmlseclibs gets rejected in all verification tools that I tried.
I even tried .res files in subdirectory tests and the result was the same.
Here is what XMLSpy says: "The calculated digest value doesn't match the digest of reference"

I noticed that XMLSpy generates different DigestValue and that one works.
Why this difference?
Attachment: code.zip

Juan Carlos
Sep 3, 2014, 11:05:32 AM
to xmlse...@googlegroups.com
Hi Robert, you must have some spaces that you can't see, or \n or \r characters, in the other document.

You can calculate the digest in this way:

<?php
// Load the document to be signed (preserveWhiteSpace keeps it byte-for-byte as written).
$docToBeSigned = new DOMDocument();
$docToBeSigned->preserveWhiteSpace = true;
$docToBeSigned->load('test.xml');

// Inclusive C14N without comments, then SHA-1, then base64: this is the DigestValue.
$canonicalized = $docToBeSigned->documentElement->C14N(false, false);
$digest = base64_encode(pack("H*", sha1($canonicalized)));

echo '<h2>Calculated digest ...</h2><pre>' . htmlspecialchars($digest, ENT_QUOTES) . '</pre>';

Regards, Juan.

Juan Carlos
Sep 3, 2014, 11:10:42 AM
to xmlse...@googlegroups.com
In your XMLSpy file you have:

<root>
<value>x</value>
</root>

In your file test.xml you have ...

<root><value>x</value></root>

The spaces and the \n and \r characters change the value of the digest.

Regards, Juan.

On Wednesday, September 3, 2014 09:56:14 UTC-3, Robert Zrinski wrote:

Robert Zrinski
Sep 4, 2014, 10:39:55 AM
to xmlse...@googlegroups.com
Hi Juan,

your hint helped me solve the problem.
I tried many combinations of my XML (\r, \n, \t, spaces, BOM, ...) and I couldn't get the digest that XMLSpy gets. But there was one combination I hadn't tried, and it actually worked (see the attached XMLSpy-test.xml).

Once I got the same unsigned XML and digest I compared signed XML of xmlseclibs and XMLSpy. There were many differences (XML declaration, namespace prefix, spaces and new lines,...). But the one that caused the problem was that XMLSpy added attribute URI="" to element <Reference> which xmlseclibs didn't.

In xmlseclibs.php after this line:

$refNode = $this->createNewSignNode('Reference');

I added this line:

$refNode->appendChild($this->sigNode->ownerDocument->createAttribute('URI'));
Attachment: XMLSpy-test.xml

Rob Richards
Sep 4, 2014, 10:57:52 AM
to xmlse...@googlegroups.com
There is an option when adding the reference node that will do this automatically:

'force_uri' => true

That will force the URI attribute to be added even if it is empty (empty and not present mean the same thing, so it is omitted by default).

Rob

Robert Zrinski
Sep 4, 2014, 11:29:22 AM
to xmlse...@googlegroups.com
You are right Rob, it works, thanks!

Here is my code now:

$objDSig->addReference(
    $doc,
    XMLSecurityDSig::SHA1,
    array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'),
    array('force_uri' => TRUE)
);


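The two points the thread turns on, Juan's observation that the DigestValue is a hash of the canonicalized bytes (so invisible whitespace changes it) and Rob's 'force_uri' option that makes xmlseclibs emit URI="" on the Reference, can be checked end to end with the script below. This is an added example, not code from the thread or from xmlseclibs itself. It assumes a Composer install of xmlseclibs (the namespaced class names; the 2014-era single-file xmlseclibs.php uses the same class names without the namespace) and generates a throwaway RSA key in memory so that it runs offline; the sample XML is constructed from the two layouts quoted in the thread.

```php
<?php
// Added example, not part of the thread or of xmlseclibs. Assumes a Composer
// install (vendor/autoload.php) of xmlseclibs and the OpenSSL extension.
require 'vendor/autoload.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

// Fail loudly instead of relying on assert(), which is disabled in many php.ini files.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

function loadXml(string $xml): DOMDocument
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = true; // keep whitespace exactly as written
    $doc->loadXML($xml);
    return $doc;
}

// Juan's digest: inclusive C14N without comments, SHA-1, base64 (same bytes as
// base64_encode(pack("H*", sha1($c14n)))).
function c14nDigest(DOMDocument $doc): string
{
    return base64_encode(sha1($doc->documentElement->C14N(false, false), true));
}

// Constructed sample input: the compact and the pretty-printed layout from the thread.
$compact = "<root><value>x</value></root>";
$pretty  = "<root>\n<value>x</value>\n</root>";

$digestCompact = c14nDigest(loadXml($compact));
$digestPretty  = c14nDigest(loadXml($pretty));
printf("compact: %s\npretty:  %s\n", $digestCompact, $digestPretty);
check($digestCompact !== $digestPretty, 'newlines inside the root element change the digest');

// Sign the compact document: enveloped signature, inclusive C14N, URI="" forced.
$doc  = loadXml($compact);
$dsig = new XMLSecurityDSig();
$dsig->setCanonicalMethod(XMLSecurityDSig::C14N);
$dsig->addReference(
    $doc,
    XMLSecurityDSig::SHA1,
    array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'),
    array('force_uri' => true)
);

// Throwaway 2048-bit RSA key generated in memory (never reuse a key like this in production).
$res = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
openssl_pkey_export($res, $privatePem);
$publicPem = openssl_pkey_get_details($res)['key'];

$key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
$key->loadKey($privatePem);
$dsig->sign($key);
$dsig->appendSignature($doc->documentElement);

$xp = new DOMXPath($doc);
$xp->registerNamespace('ds', XMLSecurityDSig::XMLDSIGNS);
$ref = $xp->query('//ds:Signature/ds:SignedInfo/ds:Reference')->item(0);

// Check 1: the Reference carries an explicit, empty URI attribute (what XMLSpy wanted).
check($ref->hasAttribute('URI') && $ref->getAttribute('URI') === '', 'Reference has URI=""');

// Check 2: the emitted DigestValue is exactly the C14N/SHA-1 digest of the unsigned document.
$digestValue = $xp->evaluate('string(ds:DigestValue)', $ref);
check($digestValue === $digestCompact, 'DigestValue matches independent C14N digest');

// Check 3: round trip through the library's own verifier (removes the Signature,
// re-applies the transforms, recomputes the digest, then checks the RSA signature).
$verifier = new XMLSecurityDSig();
check($verifier->locateSignature($doc) !== null, 'signature located');
$verifier->canonicalizeSignedInfo();
check($verifier->validateReference() === true, 'reference digest validates');
$pub = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public'));
$pub->loadKey($publicPem);
check($verifier->verify($pub) === 1, 'RSA-SHA1 signature verifies');

echo $doc->saveXML();
```

Run it with `php sign-check.php`. The first check is the whole of Juan's diagnosis: a verifier that receives the pretty-printed file will compute the `pretty` digest and reject a signature whose DigestValue was computed over the `compact` bytes, even though the two documents look the same in an editor. The second check is the test to run against any other XML-DSIG tool: if its DigestValue does not equal the digest of `documentElement->C14N(false, false)` of the unsigned document, the difference is in the transforms or canonicalization, not in the signing key.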