Reputation: 420
I've got an XML file which should be signed with a certificate generated from OpenSSL.
<?xml version="1.0" encoding="UTF-8"?><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="PEMI-Signature-Id-1"><ds:SignedInfo Id="PEMI-SignedInfo-Id-1"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference Id="PEMI-Reference-Id-1" URI="#PEMI-Object-Id-2"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>RQ307h+y/MFZlPFUzUCHJXMHj/8=</ds:DigestValue></ds:Reference><ds:Reference Id="PEMI-Reference-Id-2" Type="http://uri.etsi.org/01903#SignedProperties" URI="#PEMI-SignedProperties-Id-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>lHsgsg21VkEzqhKYSXUKHXo3npI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue Id="PEMI-SignatureValue-Id-1">fZvu6Dz3ZEUVJ5YRDH8+x3C4QZKWQ4T1D4ZJ7g4gaBh4PIFHjkDvpguFYM37mnsJa/LkA6xOKr2Q
R9k+P8LhFA==</ds:SignatureValue><ds:KeyInfo Id="PEMI-KeyInfo-Id-1"><ds:X509Data><ds:X509Certificate>MIICfDCCAiagAwIBAgIJAMoeGlkfFg3DMA0GCSqGSIb3DQEBBAUAMF8xCzAJBgNVBAYTAlBMMRQw
EgYDVQQIEwttYXpvd2llY2tpZTERMA8GA1UEBxMIV2Fyc3phd2ExEDAOBgNVBAoTB1RFU1RPV0Ex
FTATBgNVBAMTDEphbiBLb3dhbHNraTAeFw0xNTA0MTQxNDM4MjNaFw0xODA0MTMxNDM4MjNaMF8x
CzAJBgNVBAYTAlBMMRQwEgYDVQQIEwttYXpvd2llY2tpZTERMA8GA1UEBxMIV2Fyc3phd2ExEDAO
BgNVBAoTB1RFU1RPV0ExFTATBgNVBAMTDEphbiBLb3dhbHNraTBcMA0GCSqGSIb3DQEBAQUAA0sA
MEgCQQC8A4PUzmx+NI1XltIP+OWtz70JhNUbRzs/+DWry0HpwXXfT6C4vsOb4rk3FlAZBSZyG3i/
U9D4qok16Yteo6HdAgMBAAGjgcQwgcEwHQYDVR0OBBYEFC4CMmNl8Zt+FJcSOOi7PRPt+ee+MIGR
BgNVHSMEgYkwgYaAFC4CMmNl8Zt+FJcSOOi7PRPt+ee+oWOkYTBfMQswCQYDVQQGEwJQTDEUMBIG
A1UECBMLbWF6b3dpZWNraWUxETAPBgNVBAcTCFdhcnN6YXdhMRAwDgYDVQQKEwdURVNUT1dBMRUw
EwYDVQQDEwxKYW4gS293YWxza2mCCQDKHhpZHxYNwzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
BAUAA0EArFiZmSaQGpgRLH/xb2wr9BHAsehTkorBZE5XHa9aD5L7sy14LoH7GcvjLrpUu8ChbXr9
xeCVnvhhIm1ymaSZVQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><ds:Object Id="PEMI-Object-Id-1"><xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="PEMI-QualifyingProperties-Id-1" Target="#PEMI-Signature-Id-1"><xades:SignedProperties Id="PEMI-SignedProperties-Id-1"><xades:SignedSignatureProperties Id="PEMI-SignedSignatureProperties-Id-1"><xades:SigningTime>2015-04-14T14:45:56Z</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue></ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>C=PL, S=mazowieckie, L=Warszawa, O=TESTOWA, CN=Jan Kowalski</ds:X509IssuerName><ds:X509SerialNumber>14564107215038713283</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties></xades:SignedProperties></xades:QualifyingProperties></ds:Object><ds:Object Id="PEMI-Object-Id-2" MimeType="text/xml"><A>
<B>some data</B>
</A></ds:Object></ds:Signature>
When I try to check whether it is correctly signed, one program says that everything is OK (http://www.pemi.org.pl/index.php/do-pobrania/31-aplikacja-protektor), and when I try to verify it in another, it says that the signature is not valid (http://sigillum.pl/pliki_do_pobrania.html). Can someone verify the signature? Or maybe tell me how to get 100% certainty?
Upvotes: 0
Views: 1373
Reputation: 420
The goal of this question was to find out whether this is a XAdES-BES signature. And the answer is no, it isn't. And that's why: the ds:DigestValue tag in the certificate section is empty.
Upvotes: 0
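A check for the condition this answer points at, as an added example that is not part of the original posts: in XAdES, `xades:CertDigest/ds:DigestValue` carries the base64 digest of the DER-encoded signing certificate, so it can be compared with the certificate embedded in `ds:KeyInfo`. The function names, the sample skeleton and the placeholder certificate bytes are constructed for illustration; the check covers only this element, not the signature value or the references.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "xades": "http://uri.etsi.org/01903/v1.3.2#"}
# DigestMethod URI -> hashlib name (the question's signature declares SHA-1).
DIGESTS = {NS["ds"] + "sha1": "sha1",
           "http://www.w3.org/2001/04/xmlenc#sha256": "sha256"}

def digest_b64(der, algo="sha1"):
    """Base64 digest of DER certificate bytes, as CertDigest/DigestValue carries it."""
    return base64.b64encode(hashlib.new(algo, der).digest()).decode()

def check_signing_certificate(xml_text):
    """Return problems found in xades:SigningCertificate; an empty list means OK."""
    root = ET.fromstring(xml_text)
    # DER bytes of every certificate embedded in ds:KeyInfo.
    certs = [base64.b64decode("".join((c.text or "").split()))
             for c in root.iterfind(".//ds:X509Data/ds:X509Certificate", NS)]
    entries = root.findall(".//xades:SigningCertificate/xades:Cert", NS)
    if not entries:
        return ["no xades:SigningCertificate/xades:Cert element"]
    problems = []
    for i, cert in enumerate(entries, 1):
        method = cert.find("xades:CertDigest/ds:DigestMethod", NS)
        value = cert.find("xades:CertDigest/ds:DigestValue", NS)
        algo = DIGESTS.get(method.get("Algorithm")) if method is not None else None
        stated = "".join((value.text or "").split()) if value is not None else ""
        if algo is None:
            problems.append(f"Cert {i}: missing or unsupported DigestMethod")
        elif not stated:
            problems.append(f"Cert {i}: CertDigest/DigestValue is empty")
        elif stated not in {digest_b64(der, algo) for der in certs}:
            problems.append(f"Cert {i}: DigestValue matches no certificate in KeyInfo")
    return problems

FAKE_DER = b"constructed placeholder bytes, not a real certificate"

def sample(digest_value):
    """Constructed skeleton holding only the elements the check reads."""
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}" xmlns:xades="{NS["xades"]}">'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '<ds:Object><xades:SignedProperties><xades:SigningCertificate><xades:Cert><xades:CertDigest>'
            f'<ds:DigestMethod Algorithm="{NS["ds"]}sha1"/><ds:DigestValue>{digest_value}</ds:DigestValue>'
            '</xades:CertDigest></xades:Cert></xades:SigningCertificate></xades:SignedProperties>'
            '</ds:Object></ds:Signature>')
```

Passing the full signature text from the question to `check_signing_certificate` exercises the same code path as `sample("")`, since its `ds:DigestValue` under `xades:CertDigest` has no content.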
Reputation: 134
I tried the validation using Serenity (http://www.cryptolog.com/fr/produits/produits-serveurs/serenity-validation-de-signature-electronique). It gives the following report:
For the last Reference, the expected input to the hashing is
<ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="PEMI-Object-Id-2" MimeType="text/xml"><A>
<B>some data</B>
</A></ds:Object>
Upvotes: 1