The hash that is used in that case is a key based hash - a shared secret
(from memory the string "secret" for the simple hmac code) is inserted
into the hash process to make sure that only people who know the shared
secret can sign or validate the signature.
If you want to do public/private keys, then you need to use an RSA or
DSA key pair to do the signing. The public component can be sent to
other people and the private component can be kept by the signer. Have
a look in the templatesign code to see how to load and use RSA or DSA keys.
Cheers,
Berin
andrew keys wrote:
First what may be a stupid question but it's one that is nagging me!. If I
sign an XML document, using say the example "Simple HMAC Signing" code, I
notice that the "hash" of the signing password is included in the message,
what is stopping anyone from using that hash to re-sign a modifed document?
Secondly, I have working the signing and verifying using a modifed "Simple
HMAC Signing", however what I would like to do is to have is signed using
a "private" key and verified using a public key that is passed with the
document, I'm not sure where to start on this so some pointers would be much
appreciated.
Andy
