Re: Digitally Signing a XML Document (using SHA1+RSA or SHA1+DSA)

Thu, 30 Dec 2010 01:48:14 -0800 

On Tue, 2010-12-28, Adam Tauno Williams wrote:
> On Tue, 2010-12-28 at 03:25 +0530, Anurag Chourasia wrote:
>> Hi All,
>
>> I have a requirement to digitally sign a XML Document using SHA1+RSA
>> or SHA1+DSA
>> Could someone give me a lead on a library that I can use to fulfill
>> this requirement?
>
> <http://stuvel.eu/rsa>  Never used it though.
>
>> The XML Document has values such as 
>> <RSASK>-----BEGIN RSA PRIVATE KEY-----
>> MIIBOgIBAAJBANWzHfF5Bppe4JKlfZDqFUpNLrwNQqguw76g/jmeO6f4i31rDLVQ
>> n7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQMCQQCOd2lLpgRm6esMblO18WOG
...

> Is this any kind of standard or just something someone made up?  Is
> there a namespace for the document?
>
> It seems quite odd that the document contains a *private* key.
>
> If all you need to do is parse to document to retrieve the values that
> seems straight-forward enough.
>
>> And the XML also has another node that has a Public Key with Modules
>> and Exponents etc that I apparently need to utilize.
>> <RSAPK>
>>   <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
>> +OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M> 
>>   <E>Aw==</E> 
>> </RSAPK>
>
>> I am a little thin on this concept and expecting if you could guide me
>> to a library/documentation that I could utilize.

[The original posting by Anurag Chourasia did not reach my news server.]

I'd simply invoke GnuPG. A simple example:

    % gpg --sign --armor foo
    You need a passphrase to unlock the secret key for
    user: ...
    
    % head foo.asc          
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.9 (GNU/Linux)
    
    owGs+TuuLdGWRQu9B1hTwsAHaRUhPjN+DjVAWBRgxs+nGAgHA58aUA88RHVw6K3N
    2PfefJn5Mg2ko6N99lkrYn7G6KN//m//6//l//C/+N/8X/5P/6//+//u//r/+P/+
    ...
    
The result isn't XML, but it *is* a standardized file format readable
by anyone. That's worth a lot.  You can also create a detached signature
and ship it together with the original file, or skip the '--armor' and
get a binary signed file.

If you really *do* have a requirement to make the result XML-like and
incompatible with anything else, I'm afraid you're on your own, and
will have a lot of extra work testing and making sure it's all secure.

/Jorgen

-- 
  // Jorgen Grahn <grahn@  Oo  o.   .  .
\X/     snipabacken.se>   O  o   .
-- 
http://mail.python.org/mailman/listinfo/python-list

Reply via email to