Invalid signatures in tester page of broker


agente_mor

Apr 19, 2013, 6:29:58 PM
to xmlse...@googlegroups.com
I am trying to sign the following document (results.xml):

<?xml version="1.0" encoding="UTF-8" standalone="no"?><SolicitudRegistro xmlns="http://www.cidge.gob.mx/SCG/Interoperabilidad" IdMensaje="f2e140eb-2b09-44ab-8504-87b25d81914c">
<FechaEnvio>2013-04-20T01:27:07</FechaEnvio>
<Registrante EndPoint="https://200.34.175.46:443/InteropOPE/MensajeInteroperabilidadService"  Nombre="Instituto Mdel Agua" NombreCorto="IMTA" URI="ope.imta.mx">
<DatosDeContacto AreaOficina="Informatica" CorreoElectronico="jbeta.mx" Nombre="Joacon" Puesto="Subdcomunicaciones" >
<Telefonos>
<Telefono Extension=" " NumeroTelefonico="7773293644" />
</Telefonos>
</DatosDeContacto>
<CertificadoInstancia>MIIFETCCA/mgAwIBAgIUMDAwMDAwMDAwMDAwMDAwMDI1MzMwDQYJKoZIhvcNAQEFBQA. . . .
</Registrante>
<Reto>
<CadenaCifrada>Ln0BAsnwrNg6IzjW7hk2c/Nxx/x3LZDNQRR59BdHFGHpMjzQCAsXnslnQkl2gmuSd. . .
</Reto>
</SolicitudRegistro>

with the following code:

require('xmlseclibs.php');
// remove any previous output so a stale signed file is never mistaken for a new one
if (file_exists('./firmas/sign-basic-test.xml')) {
    unlink('./firmas/sign-basic-test.xml');
}
$doc = new DOMDocument();
$doc->load('./firmas/results.xml');
$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::C14N);
// one reference over the whole document (URI=""), with the enveloped-signature
// transform followed by an XPath filter that keeps the SolicitudRegistro subtree
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', array('http://www.w3.org/TR/1999/REC-xpath-19991116' => array("query" => "ancestor-or-self::*[local-name()='SolicitudRegistro']"))),array("force_uri"=>true));
//$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', array('http://www.w3.org/TR/1999/REC-xpath-19991116' => array("query" => "ancestor-or-self::*[local-name()='SolicitudRegistro']"))));
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
/* load private key (second argument TRUE = the first argument is a file name) */
$objKey->loadKey('i.pem', TRUE);
$objDSig->sign($objKey);
// embed the signer's certificate in ds:KeyInfo/ds:X509Data
$objDSig->add509Cert(file_get_contents('instancia_imta_ope.crt'));
//$objDSig->add509Cert(file_get_contents('OPE_QA.cer'));
$objDSig->appendSignature($doc->documentElement);
$doc->save('./firmas/sign-basic-test.xml');

and the result is:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SolicitudRegistro xmlns="http://www.cidge.gob.mx/SCG/Interoperabilidad" IdMensaje="f2e140eb-2b09-44ab-8504-87b25d81914c">
<FechaEnvio>2013-04-20T01:13:13</FechaEnvio>
<Registrante EndPoint="https://200.34.175.46:443/InteropOPE/MensajeInteroperabilidadService" Nombre="Institel Agua" NombreCorto="IMTA" URI="ope.imta.mx">
<DatosDeContacto AreaOficina="Informatica" CorreoElectronico="jbea.mx" Nombre="Jocon" Puesto="Subdirlecomunicaciones">
<Telefonos>
<Telefono Extension=" " NumeroTelefonico="7773293644"/>
</Telefonos>
</DatosDeContacto>
<CertificadoInstancia>MIIFETCCA/mgAwIBAgIUMDAwMDAwMDAwMDAwMDAwMDI1MzMwDQYJKoZIhv. . .
</Registrante>
<Reto>
<CadenaCifrada>UNmlEfwISea9hoGfiwdMX5GFtt6N+1X8/KphhrdRBLOvZR/vzF+Ndc1y5upYCamKJREAT. . .
</Reto>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"><ds:XPath>ancestor-or-self::*[local-name()='SolicitudRegistro']</ds:XPath></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>//GK+2xxrc/lsIPFzdsdR/GmjSw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ouNaaeRzP725w0Re61c1xe2+5F2QYznV79ZemlRhvP756GchLep16gGPKWRPkm+xgnMoFtA4zSYcOZ+IvSVWeZd4taunOMakmZrnMLDFTsbsU3DSPFipz+TdnKGRXtqJfPBsnOnZSpmLiuk/+ZXo56RCPKlklzNmThACf+7nFac=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFETCCA/mgAwIBAgIUMDAwMDAwMDAwMDAw. . .. . .7uy6VdGQ9GCbwLYykAwY=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></SolicitudRegistro>

It is giving me "invalid signatures". What can I check in order to find the root of the problem? Any hint is really appreciated.
I was given an example that passes the tester page; it looks like:

<?xml version="1.0" encoding="UTF-8" standalone="no"?><SolicitudRegistro xmlns="http://www.cidge.gob.mx/SCG/Interoperabilidad" IdMensaje="43d4b49f-fe76-408c-937f-bdebfae2c483">
<FechaEnvio>2013-01-03T12:15:29</FechaEnvio>
<Registrante EndPoint="https://200.34.175.46:443/InteropOPE/MensajeInteroperabilidadService" Nombre="Institde bienes nacionales" NombreCorto="indAAbin2" URI="www.indaabin2.gob.mx">
<DatosDeContacto AreaOficina="Informatica" CorreoElectronico="vablica.gob.mx;" Nombre="Sulez Alvarez" Puesto="Directora de Informatica">
<Telefonos>
<Telefono Extension=" " NumeroTelefonico="55630832"/>
</Telefonos>
</DatosDeContacto>
<CertificadoInstancia>MIIE7jCCA9agAwIBAgIUMDAwMDAwMDAwMDAwMDAwMDI2MDMw. . .
</Registrante>
<Reto>
<CadenaCifrada>nRP5wYLZAU3Hp/fqGFMyaAgvKlwljJFmKY8gGNyS2GZCbElx33QhL7Hh0oI5Eg3g9TAW. . .
</Reto>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>ancestor-or-self::*[local-name()='SolicitudRegistro']</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>SF9XLfuq7+A+Yxw0un7vDINnQFs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>zjL/fVSxyDi5/BR2Iv2TJ/2lHgT4a2KmatqeGu36NWPgKhWsz3NZ. . .
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIE7jCCA9agAwIBAgIUMDAwMDAwMDAwMDAwMDAwMDI2MDMwDQYJKoZ. . .. .od2drCyO9dQGrnpkd5U6XZcH0CCDfPlBtvpcwfW/NAHST5</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</SolicitudRegistro>

Something I notice here is the fine alignment of the fields; could this influence the "invalid signature" result?

thanks
Mario


Rob Richards

Apr 23, 2013, 12:06:36 PM
to xmlse...@googlegroups.com
Any way to ask the service provider what they are seeing on their side? The indentation does not matter (unless the provider can't handle it properly, which is against spec if they can't). Also, are you using the same cert in the example? I noticed that the X509Cert is different between the two.

Rob

agente_mor

Apr 23, 2013, 7:19:05 PM
to xmlse...@googlegroups.com

Both certificates are the same; I just truncated the second somehow.
Do you know of any example of how I can validate my signature myself? That way, I can show the broker that my code is OK.
thanks
Mario
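The question in the first post (what to check when the broker reports "invalid signatures") and in the last one (how to validate the signature locally) can be answered with the same local check. The following is an added example, not code from the thread or from the xmlseclibs project itself: it first confirms that the private key in i.pem matches the certificate in instancia_imta_ope.crt (the file names from Mario's post are assumed), then verifies the enveloped signature in sign-basic-test.xml with xmlseclibs' own locateSignature / validateReference / verify API, reporting separately whether the reference digest or the RSA signature is what fails.

```php
<?php
// Added example, not from the thread or from xmlseclibs: local verification of an
// enveloped XMLDSig signature. Assumed inputs (names taken from the original post):
//   ./firmas/sign-basic-test.xml  the signed document
//   i.pem                         the RSA private key used to sign
//   instancia_imta_ope.crt        the certificate embedded in ds:KeyInfo
require('xmlseclibs.php');

/* A private key that does not belong to the embedded certificate produces exactly
   an "invalid signature" verdict at the relying party, so check that first.
   For RSA, key and certificate share the public modulus n. */
function keyMatchesCert($privateKeyFile, $certFile)
{
    $priv = openssl_pkey_get_private(file_get_contents($privateKeyFile));
    $pub  = openssl_pkey_get_public(file_get_contents($certFile));
    if ($priv === false || $pub === false) {
        throw new Exception('Could not load private key or certificate');
    }
    $privDetails = openssl_pkey_get_details($priv);
    $pubDetails  = openssl_pkey_get_details($pub);
    return isset($privDetails['rsa']['n'], $pubDetails['rsa']['n'])
        && $privDetails['rsa']['n'] === $pubDetails['rsa']['n'];
}

/* Verify the way a relying party does: locate ds:Signature, canonicalize
   SignedInfo, recompute every ds:Reference digest, then check the signature
   value with the key from ds:KeyInfo (falling back to $certFile). */
function verifyEnvelopedSignature($signedFile, $certFile)
{
    $doc = new DOMDocument();
    $doc->load($signedFile);

    $objDSig = new XMLSecurityDSig();
    $sigNode = $objDSig->locateSignature($doc);
    if (!$sigNode) {
        throw new Exception('No ds:Signature element found');
    }
    $objDSig->canonicalizeSignedInfo();

    // Step 1: digests. Failure here means the signed bytes changed after signing
    // (re-serialization, a regenerated FechaEnvio or CadenaCifrada, ...) or the
    // verifier applies the transforms differently from the signer.
    if (!$objDSig->validateReference()) {
        throw new Exception('Reference digest check failed');
    }

    // Step 2: the RSA-SHA1 signature over SignedInfo. Failure here with good
    // digests points at the key: wrong private key or a non-matching certificate.
    $objKey = $objDSig->locateKey();
    if (!$objKey) {
        throw new Exception('Cannot determine signature algorithm from SignedInfo');
    }
    $objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $sigNode);
    if (!$objKeyInfo->key) {
        // nothing usable in ds:KeyInfo: load the certificate we expect instead
        $objKey->loadKey($certFile, true, true);
    }
    return $objDSig->verify($objKey) === 1;
}

if (!keyMatchesCert('i.pem', 'instancia_imta_ope.crt')) {
    echo "Private key does not match the certificate in ds:KeyInfo\n";
} elseif (verifyEnvelopedSignature('./firmas/sign-basic-test.xml', 'instancia_imta_ope.crt')) {
    echo "Signature verified locally\n";
} else {
    echo "Signature INVALID (digests fine, signature value does not verify)\n";
}
```

Because the reference in the posted signature has URI="" with an enveloped-signature transform, its digest covers the whole SolicitudRegistro element, so the file that reaches the broker must be byte-for-byte what was signed after canonicalization; generating a new results.xml (with a fresh FechaEnvio and CadenaCifrada) and sending an older signed file, or the other way round, fails step 1 above. When this same code is used on the receiving side, treat a passing verify() as only half the check and confirm that the signed reference actually covers the element whose content is then trusted, since the transforms are taken from the document itself.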