lsh123 / xmlsec

XML Security Library

ETSI conformance checker failed for version 1.3.4 #780

Closed hafedh-trimeche closed 2 months ago

hafedh-trimeche commented 2 months ago

Hello,

Please note that using the ETSI conformance checker with version 1.3.4, this error is reported:

Report on errors, warnings and exceptions

This page shows the errors, warnings and exceptions generated by the XAdES Baseline Profile Conformance Checker Tool.


Report on Errors, Warnings and Exceptions -- 67. Error | Tool | Location-{CodeTest}:UnsignedSignatureProperties/SignatureTimeStamp[1]/EncapsulatedTimeStamp[1]-{CheckIfMssgImpIsAsInSpec} Error. The message imprint found in the time-stamp token is: de47c9b27eb8d300dbb5f2c353e632c393262cf06340c4fa7f1b40c4cbd36f90. The message imprint computed is: 0084ef4de9078762a9dca386229c6cb67922eae89896741290c716361b247cef

The document generated with version 1.3.3 passed the test. xmlsec-countersigned-1-3-3.xml.txt xmlsec-countersigned-1-3-4.xml.txt

Best regards.

lsh123 commented 2 months ago

I have no idea what the problem is here. Please provide a repro example, preferably with the xmlsec command line tool.

hafedh-trimeche commented 2 months ago

xmlsec --sign --verbose --node-xpath / --output c:\1.3.4.xml --pkcs12 D:\Developer\Tools\SSL\Certificates\Actalis\Seller\seller@strong-data.com.pfx --pwd 123456 D:\Developer\lib\LibXML\Res\demos\xmlsec-test\Min.XML

Error: failed to find default node with name="Signature"
Error: failed to load template "D:\Developer\lib\LibXML\Res\demos\xmlsec-test\Min.XML"
Signature status: ERROR
Error: failed to sign file Min.XML.txt

lsh123 commented 2 months ago

Error: failed to load template "D:\Developer\lib\LibXML\Res\demos\xmlsec-test\Min.XML"

that's your answer :)

hafedh-trimeche commented 2 months ago

The file exists and here is its content:

<?xml version="1.0" encoding="UTF-8"?>
<!-- 
XML Security Library example: Signed file (sign1 example). 
-->
<Envelope xmlns="urn:envelope">
  <Data>
    Hello, World!
  </Data>
</Envelope>

It seems that xmlsec1 is looking for the Signature node, whereas the XML document would be signed at root level (entirely): Error: failed to find default node with name="Signature"

lsh123 commented 2 months ago

Well, the sign1 example includes a Signature node. So something is not correct with this "Min.XML" file. If you can reproduce the problem with the xmlsec command line tool then I will be happy to take a look. But it's impossible to debug files in your environment.

hafedh-trimeche commented 2 months ago

Hello, using the xmlSec command line generated these errors:

Hello.xml:

xmlsec --sign --verbose --node-xpath / --output c:\1.3.4.xml --pkcs12 D:\Developer\Tools\SSL\Certificates\Actalis\Seller\seller@strong-data.com.pfx --pwd 123456 D:\Developer\lib\LibXML\Res\Hello.xml
Error: failed to find default node with name="Signature"
Error: failed to load template "D:\Developer\lib\LibXML\Res\Hello.xml"
Signature status: ERROR
Error: failed to sign file "D:\Developer\lib\LibXML\Res\Hello.xml"

sign1-tmpl.xml:

xmlsec --sign --verbose --node-xpath / --output c:\1.3.4.xml --pkcs12 D:\Developer\Tools\SSL\Certificates\Actalis\Seller\seller@strong-data.com.pfx --pwd 123456 D:\Developer\lib\LibXML\Res\sign1-tmpl.xml
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1346:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=822:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=537:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=301:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
Signature status: FAILED
Failure reason: KEY-NOT-FOUND
Error: failed to sign file "D:\Developer\lib\LibXML\Res\sign1-tmpl.xml"

Hello.xml.txt sign1-tmpl.xml.txt

lsh123 commented 2 months ago

Great, so Hello.xml doesn't have namespaces in the Signature node, nor does it have any other "template" information required to create the signature (see sign1-tmpl for an example). This is not new in 1.3.4 and you need to fix Hello.xml.
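
An added example, not code from the xmlsec project or from either commenter, that makes the point above concrete: `xmlsec --sign` starts from a `Signature` element in the `http://www.w3.org/2000/09/xmldsig#` namespace, so a document with no such element (Hello.xml) or with a `<Signature>` that inherits the document's own default namespace produces `failed to find default node with name="Signature"`. The script counts the Signature nodes a document actually has, lists which template children are missing, and appends an enveloped-signature template shaped like the project's `examples/sign1-tmpl.xml` (the `xmlSecTmpl*` API calls build the same structure in code). It uses only the Python standard library; the `HELLO_XML` input is constructed, the sha256/rsa-sha256 algorithm URIs are this example's choice, and `REQUIRED_PARTS` is a reasonable checklist rather than an xmlsec API.

```python
"""Diagnose why `xmlsec --sign` reports
'failed to find default node with name="Signature"' and build the template
it expects.

Added example (not xmlsec project code); standard library only. The template
shape follows the project's examples/sign1-tmpl.xml.
"""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed input: the reporter's Hello.xml / Min.XML, with no Signature at all.
HELLO_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
  <Data>
    Hello, World!
  </Data>
</Envelope>
"""

# Enveloped-signature template in the shape of sign1-tmpl.xml. The algorithm
# URIs are standard XML-DSig identifiers; sha256/rsa-sha256 is this example's
# choice (sign1-tmpl.xml itself uses sha1/rsa-sha1). DigestValue and
# SignatureValue are left empty for xmlsec to fill in when signing.
SIGNATURE_TEMPLATE = f"""<Signature xmlns="{DSIG_NS}">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue></DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue></SignatureValue>
  <KeyInfo>
    <KeyName></KeyName>
  </KeyInfo>
</Signature>"""

# Template children xmlsec needs before it can compute a signature
# (this example's checklist, not an xmlsec API).
REQUIRED_PARTS = (
    "SignedInfo",
    "SignedInfo/CanonicalizationMethod",
    "SignedInfo/SignatureMethod",
    "SignedInfo/Reference",
    "SignedInfo/Reference/DigestMethod",
    "SignedInfo/Reference/DigestValue",
    "SignatureValue",
)


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def count_signature_nodes(xml_text):
    """Return (in_dsig_ns, in_other_ns): Signature elements in the xmldsig
    namespace versus Signature elements in any other (or the inherited
    default) namespace. Only the first kind is xmlsec's default start node."""
    root = ET.fromstring(xml_text)
    in_dsig = 0
    in_other = 0
    for el in root.iter():
        if _local(el.tag) != "Signature":
            continue
        if el.tag == f"{{{DSIG_NS}}}Signature":
            in_dsig += 1
        else:
            in_other += 1
    return in_dsig, in_other


def missing_template_parts(xml_text):
    """List the template parts absent from the first ds:Signature,
    or ["Signature"] when the document has no ds:Signature at all."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{{{DSIG_NS}}}Signature")
    if sig is None:
        return ["Signature"]
    missing = []
    for path in REQUIRED_PARTS:
        qualified = "/".join(f"{{{DSIG_NS}}}{step}" for step in path.split("/"))
        if sig.find(qualified) is None:
            missing.append(path)
    return missing


def add_signature_template(xml_text):
    """Append the template to the root element and return the new document,
    which is the input shape `xmlsec --sign` expects. ElementTree regenerates
    prefixes on output (the envelope may come back as ns0:), which xmlsec
    does not care about: it matches elements by namespace URI."""
    ET.register_namespace("ds", DSIG_NS)
    root = ET.fromstring(xml_text)
    root.append(ET.fromstring(SIGNATURE_TEMPLATE))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("Hello.xml:", count_signature_nodes(HELLO_XML), missing_template_parts(HELLO_XML))
    templated = add_signature_template(HELLO_XML)
    print("with template:", count_signature_nodes(templated), missing_template_parts(templated))
    print(templated)
```

Running it on the reporter's Hello.xml gives `(0, 0)` and `['Signature']`; a document that merely adds `<Signature/>` under `xmlns="urn:envelope"` gives `(0, 1)`, which is the "no namespaces in the Signature node" case. After `add_signature_template` the counts are `(1, 0)` with nothing missing, and the resulting file can be passed to `xmlsec --sign` together with the key.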

hafedh-trimeche commented 2 months ago

Hi, I would sign a raw XML file (no Signature node), not a template one!

In code, I create the Signature node by hand using xmlSecTmplSignatureAddReference.

Best regards.

lsh123 commented 2 months ago

Unfortunately, I cannot debug your code. The example above has a problem with a template as I explained.