ubl-security message
Subject: Fwd: Mini UBL-Dev digital signature plugtest


Fellow UBL Security SC members,

Just in case you were not subscribed to UBL-Dev, I thought I would 
post here that I have built an environment for signing UBL documents 
that I will be making available for free from my web site.  It makes 
use of stuff I've written and stuff I point to elsewhere on the 
Internet that is freely available.

Before I do so, however, if any members can find the time to please 
inspect the attached documents that I created in my environment, it 
would help me to know early on if what I am doing is acceptable or 
not.  Four documents are in the ZIP file, one with an error 
("hacked1") and three without.  One of the valid documents has two 
signatures in it ("hacked2"; I'm using "hacked" from the perspective 
of the first signature in that the second signature has been added to 
the file without disturbing the digital signature of the 
first).  When complete, the environment will allow one to add any 
number of signatures to a UBL document and validate all signatures 
found in a UBL document.

I look forward to your critical feedback regarding their accuracy as 
soon as possible so that I can release this environment for others to use.

Thanks for your assistance!

. . . . . . . . . . . Ken

Date: Fri, 22 Oct 2010 17:42:47 -0400
To: UBL-Dev <ubl-dev@lists.oasis-open.org>
From: "G. Ken Holman" <gkholman@CraneSoftwrights.com>
Subject: Mini UBL-Dev digital signature plugtest

Hi folks!

I've been scrambling this week trying to prepare my 
freely-downloadable Windows-based environment for digitally signing 
UBL documents in time for the ETSI plug test on Monday:

   http://www.etsi.org/plugtests/XAdES-2010/About.htm

Only today did I realize that it costs EUR700 (!!!!) to 
participate.  I can't participate in that for something that will be 
downloaded for free from my web site.

So this is an appeal to UBL-Dev members to hold a mini plugtest by 
running your XAdES software on the attached digitally signed UBL 
documents.  I've ZIPped it and attached it with a ".zzz" extension.

Below is a transcript showing publicly-available XML Digital 
Signature software verifying (or not!) the signed content of each 
document.  If I hack a single byte outside of the 
<sig:UBLDocumentSignatures> element ("Hacked1"), the verification 
fails.  If I add anything under <sig:UBLDocumentSignatures> such as 
another signature ("Hacked2"), the verification succeeds.  So I think 
that proves our XPath transform we are using is correct.

But ... and here's the mini plugtest ... in my environment I'm 
testing my stuff with my own stuff.  Can someone else out there in 
UBL-Dev land please validate the attached signed UBL documents?

The XMLDSIG software I found checks the digital signature but not the 
XAdES aspect of the signature.

I still have a lot of work to do to package this for download from my 
web site, but I think everything is working.  If someone else can 
tell me it is working for them, then I'll post what I've got and then 
anyone can sign a UBL document.  I'm no longer trying to finish for 
Monday morning, but the faster someone can test this with their own 
stuff, the faster I'll be more comfortable about posting the free package.

Thank you for any help you can be!

. . . . . . . . . . . Ken

T:\gkholman-UBL-signatures-20101022-2140z>w3cschema 
u:\ubl\UBL-2.1-PRD1-20100925\xsd\maindoc\UBL-Invoice-2.1.xsd 
UBL-Invoice-2.1-Signed.xml
Xerces...
No validation errors.
Saxon...
No validation errors.
Altova...
The XML data is valid.

T:\gkholman-UBL-signatures-20101022-2140z>w3cschema 
u:\ubl\UBL-2.1-PRD1-20100925\xsd\maindoc\UBL-Order-2.1.xsd 
UBL-Order-2.1-Signed.xml
Xerces...
No validation errors.
Saxon...
No validation errors.
Altova...
The XML data is valid.

T:\gkholman-UBL-signatures-20101022-2140z>w3cschema 
u:\ubl\UBL-2.1-PRD1-20100925\xsd\maindoc\UBL-Invoice-2.1.xsd 
UBL-Invoice-2.1-Hacked1.xml
Xerces...
No validation errors.
Saxon...
No validation errors.
Altova...
The XML data is valid.

T:\gkholman-UBL-signatures-20101022-2140z>w3cschema 
u:\ubl\UBL-2.1-PRD1-20100925\xsd\maindoc\UBL-Invoice-2.1.xsd 
UBL-Invoice-2.1-Hacked2.xml
Xerces...
No validation errors.
Saxon...
No validation errors.
Altova...
The XML data is valid.

T:\gkholman-UBL-signatures-20101022-2140z>\xmlsec\bin\xmlsec.exe 
--verify UBL-Invoice-2.1-Signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

T:\gkholman-UBL-signatures-20101022-2140z>\xmlsec\bin\xmlsec.exe 
--verify UBL-Order-2.1-Signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

T:\gkholman-UBL-signatures-20101022-2140z>\xmlsec\bin\xmlsec.exe 
--verify UBL-Invoice-2.1-Hacked1.xml
func=xmlSecOpenSSLEvpDigestVerify:file=..\src\openssl\digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid 
data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "UBL-Invoice-2.1-Hacked1.xml"

T:\gkholman-UBL-signatures-20101022-2140z>\xmlsec\bin\xmlsec.exe 
--verify UBL-Invoice-2.1-Hacked2.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

T:\gkholman-UBL-signatures-20101022-2140z>

gkholman-UBL-signatures-20101022-2140z.zzz


--
XSLT/XQuery training:   after http://XMLPrague.cz 2011-03-28/04-01
Vote for your XML training:   http://www.CraneSoftwrights.com/u/i/
Crane Softwrights Ltd.          http://www.CraneSoftwrights.com/u/
G. Ken Holman                 mailto:gkholman@CraneSoftwrights.com
Male Cancer Awareness Nov'07  http://www.CraneSoftwrights.com/u/bc
Legal business disclaimers:  http://www.CraneSoftwrights.com/legal
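Added example (not part of Ken's post or his signing environment): a small Python model of the two cases in the transcript, where a byte changed outside <sig:UBLDocumentSignatures> ("Hacked1") breaks the reference digest while a second signature added under it ("Hacked2") leaves it intact. It assumes that the effect of the XPath transform is simply to exclude the <sig:UBLDocumentSignatures> subtree from the digested content; the namespace URIs, document shape and SHA-256 are constructed placeholders, and the standard library's canonicalize() stands in for the XMLDSIG canonicalization step.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs are constructed placeholders, not the real UBL/sig ones.
NS_INV, NS_SIG = "urn:example:ubl:invoice", "urn:example:ubl:signatures"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
CONTAINER = "{%s}UBLDocumentSignatures" % NS_SIG

# Constructed sample: a tiny "invoice" carrying one signature in the container.
SIGNED_INVOICE = (
    b'<Invoice xmlns="%s" xmlns:sig="%s" xmlns:ds="%s">\n'
    b'  <ID>INV-0001</ID>\n  <PayableAmount currencyID="EUR">100.00</PayableAmount>\n'
    b'  <sig:UBLDocumentSignatures><ds:Signature Id="sig1">'
    b'<ds:SignatureValue>c2lnMQ==</ds:SignatureValue></ds:Signature>'
    b'</sig:UBLDocumentSignatures>\n</Invoice>\n'
) % (NS_INV.encode(), NS_SIG.encode(), NS_DS.encode())

def reference_digest(xml_bytes: bytes) -> str:
    """SHA-256 of the canonicalized document with every UBLDocumentSignatures
    subtree removed, modelling a Reference whose XPath transform excludes it."""
    root = ET.fromstring(xml_bytes)
    for parent in list(root.iter()):            # materialize before mutating
        for child in [c for c in parent if c.tag == CONTAINER]:
            parent.remove(child)
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))  # C14N 2.0
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()

def verify_reference(expected_digest: str, xml_bytes: bytes) -> bool:
    """Compare against the DigestValue recorded when the document was signed."""
    return reference_digest(xml_bytes) == expected_digest

def add_signature(xml_bytes: bytes, signature_id: str) -> bytes:
    """Append a further ds:Signature under the container, as Hacked2 does."""
    root = ET.fromstring(xml_bytes)
    container = root.find(CONTAINER)
    if container is None:
        container = ET.SubElement(root, CONTAINER)
    sig = ET.SubElement(container, "{%s}Signature" % NS_DS, Id=signature_id)
    ET.SubElement(sig, "{%s}SignatureValue" % NS_DS).text = "c2lnMg=="
    return ET.tostring(root)

def plugtest() -> tuple:
    """Replay the post's two cases; returns (hacked1_verifies, hacked2_verifies)."""
    digest_at_signing = reference_digest(SIGNED_INVOICE)
    hacked1 = SIGNED_INVOICE.replace(b"100.00", b"900.00")  # one byte outside
    hacked2 = add_signature(SIGNED_INVOICE, "sig2")          # added inside
    return (verify_reference(digest_at_signing, hacked1),
            verify_reference(digest_at_signing, hacked2))   # -> (False, True)
```

A real verifier such as xmlsec does the same comparison against the DigestValue in each ds:Reference, then checks the signature over SignedInfo; only the first of those steps is modelled here.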

