road0001 / as3crypto

Automatically exported from code.google.com/p/as3crypto
0 stars 0 forks source link

RSA sign fail on xmlsec verify. #50

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I am using the class RSAKey to sign XML documents and then check using the 
utility XMLSEC (http://www.aleksey.com/xmlsec). But the value of the signature 
never matches the amount signed by xmlsec in a test environment.

What steps will reproduce the problem?
1. Use the file "publicKey" to sign the string contained in "dataToSign.xml.

2. Use the following code to calculate the digital signature:
var src:ByteArray = Hex.toArray(Hex.fromString(dataToSignContent));
var dst:ByteArray = new ByteArray();        
var hash:SHA1 = new SHA1(); 
src = hash.hash(src);
var rsa:RSAKey = PEM.readRSAPrivateKey(key);
rsa.sign(src, dst, src.length);
var signatureValue:String = Base64.encodeByteArray(dst);

3. Use XMLSEC to sign "unsigned.xml" file 
(on command line use "xmlsec1 sign --privkey private.key --output signed.xml 
unsigned.xml").

What is the expected output? What do you see instead?

It is expected that the value of the variable signatureValue (in code above in 
AS3) has the same value produced by xmlsec ie:

FKVcCLU5ac7j0mg5YYLBaarH+DKZRfeL0bX/sBLcL0vMaFSjxplkK9hM7nJCiGRwtV4I/0FujTu4fJqZ
/1ur+SlU5DJxayrI1+ZX3raBsHGAE25egBLXJmNZsh/KSS0pO2eY+GGEyumeuR4lKF0Se4LdJwoxsUeU
amoZj4190xs=

and not

NUm5Mgp8C9qd38uxsTn0CNutstIp8Z8A026Kexp9rmWCaHYP20qaqkTTaP7C8bfpO4FKIeeq3vsCbjUs
iU0W2JudH9IioO1ExNis4Ewkfi/JrxNsTatkeNps8I0OVYUPam/KU8hombMbhZXZiRbDx04KMUtKtLHP
jdj5u0jzK9k=

What version of the product are you using? On what operating system?

I used all the versions of as3crypto, but my tests are with the latest version 
1.3 revision 28. Using FlashBuilder 4 (Flex 4.1.0) in Windows7 64x for signing 
the XML. To verify the signature using FreeBSD8 and/or Ubuntu10 with xmlsec1.

Please provide any additional information below.

In my application I use XML documents also signed with HMAC-SHA1 in XML 
canonicalized and everything works fine (with as3crypto and xmlsec). So I 
assumed that there were no problems in the process of canonicalization. I'm 
working for two months in this role and I can not have any more idea what to do.

Original issue reported on code.google.com by rc.salva...@gmail.com on 18 Nov 2010 at 12:57

Attachments:

GoogleCodeExporter commented 8 years ago
http://stackoverflow.com/questions/1489269/as3crypto-rsa-signing

Original comment by peter.na...@gmail.com on 27 May 2011 at 5:19