Unable to sign xml file

[franfcunha]

Hi!

Thank you for this effort! I was trying the library, and after some modifications to the source code, particularly a few missing include clauses and a more intriguing error, that, may explain (perhaps) why I am not being able to sucessfully sign the .xml I was able to build the library.

I was "forced" to change the xmlsign.cpp source file, specifically bool QXmlSign::sign() because the compilation failed as xmlSecCryptoAppKeyLoad method was not declared. I used xmlSecCryptoAppKeyLoadEx instead, and to accomodate this change also added a new private member of type unsigned int to the Certificate class to match the argument list of the xmlSecCryptoAppKeyLoadEx symbol. After this change, I was able to build xmlsec-qt.

Now I was trying to sign a demo xml by including this library in a minimalist Qt project. I am using the following code

`QDomDocument targetDocument;
QFile file("/home/dev/mini_projects/xmlsign/data/demo.xml");

if (!file.open(QIODevice::ReadOnly))
    return;

if (!targetDocument.setContent(&file)) {
    file.close();
    return;
}
file.close();

QXmlSecCertificate certificateData;
QXmlSign signer;
QXmlSec xmlsec;
QString keyInfoId;

certificateData.setFormat(QXmlSecCertificate::Pkcs12);
certificateData.setFilepath("/home/dev/mini_projects/xmlsign/data/u718ja1.p12");
certificateData.setPassword("blablabla");
certificateData.setType(0);

signer.withSignatureId("Signature-a53a6ab2")
    .useNamespace("ds")
    .useCertificate(certificateData)
    .useDocument(targetDocument);

keyInfoId = signer.signatureContext().tagId("KeyInfo");


signer.useKeyInfo(QXmlSignKeyInfo()
                      .withId(keyInfoId)
                      .withKeyValue()
                      .withX509Data()
                  );


signer.useSignInfo(QXmlSignInfo()
.addReference(QXmlSignReference()
  .withType(QUrl("http://www.w3.org/2000/09/xmldsig#Object"))
  .useAlgorithm(QUrl("http://www.w3.org/2000/09/xmldsig#Object"))
  .addTransform(QUrl("http://www.w3.org/2000/09/xmldsig#enveloped-signature"))
  .addTransform(QUrl("http://www.w3.org/TR/1999/REC-xpath-19991116"))
)
.addReference(QXmlSignReference()
  .withUri('#' + keyInfoId)
  .useAlgorithm(QUrl("http://www.w3.org/2001/04/xmlenc#sha512"))
)
);

if (signer.sign())
{
    std::cerr << "Successfully signed XML document" << std::endl;
    std::cout << signer.toString().toStdString() << std::endl;
}
else
    std::cerr << "Failed to sign XML document." << std::endl;`

Please note the line certificateData.setType(0) with the call of the setter of the "type" member which I added to the Certificate class in order to be able to call the xmlSecCryptoAppKeyLoadEx method.

When signign, the following error is shown:

Anybody can help me? I am in an effort to port some Python code used to sign xml files to C++ and found this library very useful!

[Plaristote]

I'd very much like to understand how to change from xmlSecCryptoAppKeyLoad to xmlSecCryptoAppKeyLoadEx. I cannot implement such a change as is, since xmlSecCryptoAppKeyLoadEx is not defined in the setup in which I use this library. It seems like there are multiple implementations, and we're using different ones.

The library still builds on Ubuntu 22.04, and is currently live in a production setup, signin clients' invoices. It is built using the libxmlsec1-dev and libxmlsec1-openssl system packages.

Also works on my personal setup with Fedora 38. The important part might be to use the openssl implementation of libxmlsec.

I'll go back to this once I'm available, but it's the best I can do on the little time I have right now. I noticed I never finished writing the library's tests, so I'll have to get on that once I find the time. In the meanwhile, please confirm your setup to me.

[franfcunha]

I am sorry. My last comment was a bit unclear, perhaps. I re-started from zero.

My setups is the one following:

Forget about the mention "and to accomodate this change also added a new private member of type unsigned int to the Certificate class to match the argument list of the xmlSecCryptoAppKeyLoadEx symbol". However, I was indeed forced to use xmlSecCryptoAppKeyLoadEx due to unavailablity of xmlSecCryptoAppKeyLoad in my system :-(

Basically, I changed the line dsigCtx->signKey = xmlSecCryptoAppKeyLoad(sslCertificate.xmlsec.filepath().toUtf8().constData(), sslCertificate.xmlsec.xmlsecFormat(), sslKeyPassphrase.constData(), NULL, NULL); to dsigCtx->signKey = xmlSecCryptoAppKeyLoadEx(sslCertificate.xmlsec.filepath().toUtf8().constData(), xmlSecKeyDataTypePrivate, xmlSecKeyDataFormatPkcs12,sslKeyPassphrase.constData(), NULL, NULL). After this, and sucessfully building libxmlsec-qt5 I tried the following code. My end goal is also to sign invoices with this library (xades-bes).

`QDomDocument targetDocument;
QFile file("/home/prog5/dev/mini_projects/xmlsign/data/demo.xml");

if (!file.open(QIODevice::ReadOnly))
    return;

if (!targetDocument.setContent(&file)) {
    file.close();
    return;
}
file.close();


QXmlSecCertificate certificateData;
QXmlSign signer;
QString keyInfoId;

certificateData.setFormat(QXmlSecCertificate::Pkcs12);
certificateData.setFilepath("/home/prog5/dev/mini_projects/xmlsign/data/CV-FE-587817798-CSE.pfx");
certificateData.setPassword("xxxxxx");
//certificateData.setType(0);

signer.withSignatureId("Signature-a53a6ab2")
    .useNamespace("ds")
    .useCertificate(certificateData)
    .useDocument(targetDocument);

keyInfoId = signer.signatureContext().tagId("KeyInfo");


signer.useKeyInfo(QXmlSignKeyInfo()
                      .withId(keyInfoId)
                      .withKeyValue()
                      .withX509Data()
                  );


signer.useSignInfo(QXmlSignInfo()
.addReference(QXmlSignReference()
  .withType(QUrl("http://www.w3.org/2000/09/xmldsig#Object"))
  .useAlgorithm(QUrl("http://www.w3.org/2000/09/xmldsig#Object"))
  .addTransform(QUrl("http://www.w3.org/2000/09/xmldsig#enveloped-signature"))
  .addTransform(QUrl("http://www.w3.org/TR/1999/REC-xpath-19991116"))
)
.addReference(QXmlSignReference()
  .withUri('#' + keyInfoId)
  .useAlgorithm(QUrl("http://www.w3.org/2001/04/xmlenc#sha512"))
)

);

if (signer.sign())
{
    std::cerr << "Successfully signed XML document" << std::endl;
    std::cout << signer.toString().toStdString() << std::endl;
}
else
    std::cerr << "Failed to sign XML document." << std::endl;

`
I end up with the following error:

func=xmlSecOpenSSLAppPkcs12LoadBIO:file=app.c:line=1287:obj=unknown:subj=PKCS12_verify_mac:error=4:crypto library function failed:openssl error: error:00000000:lib(0):func(0):reason(0)
func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=410:obj=unknown:subj=xmlSecOpenSSLAppPkcs12LoadBIO:error=1:xmlsec library function failed:
func=xmlSecOpenSSLAppKeyLoadEx:file=app.c:line=266:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/home/prog5/dev/mini_projects/xmlsign/data/CV-FE-587817798-CSE.pfx
QXmlSign: failed to load private key from QSslKey(PrivateKey, OPAQUE, -1)
Failed to sign XML document.

I have no idea what I am doing wrong and I would really love to build upon this library to implement my xades-bes xml signatures...I hope you can clarify me what I am doing wrong in case it's obvious for you.

Sincerely!

[Plaristote]

I can already tell we're not using the same version of libxmlsec: it seems the documentation I had been using as reference was out of date. But I didn't notice, because even the latest version of Fedora and Ubuntu are packaging the previous version of libxmlsec.

I've pushed a patch that should work with libxmlsec 1.3.x: it hasn't been tested yet, but it should now build without the modification you had to make on the call to xmlSecCryptoAppKeyLoad.

More on topic: it seems like the issue you're having is happening because you didn't call useSslKey on the QXmlSign object. It's a pain in the butt to get PKCS12 certificate to work, and there's an extra step you need to take: to create a QSslKey object, that you must then provide through useSslKey.

There are several ways to achieve this result, and you might not always need to generate the SSL key on the spot, which is why this library doesn't do it for you. But if you are indeed working with only a P12 file, then you need to use Qt's importPkcs12, such as:

bool fillThatSslKey(const QXmlCertificate& certificateData, QSslKey& signingSslKey)
{
  bool success = false;
  QFile p12File(certificateData.filepath());
  const QString& password(certificateData.password());
  QSslCertificate dummy; // We're not going to be using this one, but it still needs to be there

  if (p12File.open(QIODevice::ReadOnly))
  {
    success = QSslCertificate::importPkcs12(&p12File, &sslKey, &dummy, nullptr, password.toUtf8());
    if (success)
      qDebug() << "We're good to go";
    else
      qDebug() << "Hopefully this will never happen to you, because importPkcs12 isn't exactly verbose about what might go wrong";
  }
  return success;
}

Which you could then add to your code like this:

int main()
{
  QXmlSecCertificate certificateData;
  QXmlSign signer;
  QXmlSec xmlsec;
  QString keyInfoId;

  certificateData.setFormat(QXmlSecCertificate::Pkcs12);
  certificateData.setFilepath("/home/dev/mini_projects/xmlsign/data/u718ja1.p12");
  certificateData.setPassword("blablabla");
  certificateData.setType(0);

  // Creating the QSslKey
  QSslKey sslKey;
  fillThatSslKey(certificateData, sslKey);

  signer.withSignatureId("Signature-a53a6ab2")
      .useNamespace("ds")
      .useSslKey(sslKey, certificateData.password()) // Using the QSslKey
      .useCertificate(certificateData)
      .useDocument(targetDocument);
}

This might not be enough. Signing invoices has been a tedious activity, in my experience. At the very least, the signing process shouldn't fail to load the key anymore, and your next issues are likely going to happen with the actual signing. If you wanna see a working example of this library being used to sign invoices, you can check out the implementation from our QTicketBAI library.

[Plaristote]

Good news: I added a signing test based on the code you provided. It's as simple as it gets, and comes with a built-in p12 certificate, making it the ideal baseline for tinkering around.

Bad news: I had to change the algorithm used for the test to pass... I replaced http://www.w3.org/2000/09/xmldsig#Object with http://www.w3.org/2001/04/xmlenc#sha512, which we successfully used for our TicketBAI implementation.

I can't really figure out why it doesn't work with the original algorithm yu provided: libxmlsec1 spits some logs, but they don't really speak to me... I have no idea what they mean ! If that's a deal-breaker for you, I'll try to look it up a bit more. Surely, we can get it to work.