You need to do your indenting before you sign, which means you can really only indent your own XML prior to attaching the signature node. The library handles the indenting of the <Signature> elements. Off the top of my head I'm not sure how much control you can have of that for the Java library. For the C++ library you can turn indenting on and off, but when it's on there's no way to tell it how to indent.

The merlin signature below was all indented before the final signature was made. If you were to change even one space in the indenting, the signature would fail.

Cheers,
        Berin

Jorge Martín Cuervo wrote:
Hi Raul

I understand, but after checking the XML files used in the samples I found several like this in the merlin directory:

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>
    KTe1H5Hjp8hwahNFoUqHDuPJNNqhS1U3BBBH5/gByItNIwV18nMiLq4KunzFnOqD
    xzTuO0/T+wsoYC1xOEuCDxyIujNCaJfLh+rCi5THulnc8KSHHEoPQ+7fA1VjmO31
    2iw1iENOi7m//wzKlIHuxZCJ5nvolT21PV6nSE4DHlA=
  </SignatureValue>
  <KeyInfo>
    <KeyName>Lugh</KeyName>
  </KeyInfo>
</Signature>

It seems to be indented, and (I suppose) still works. How did Merlin get those signatures?

thanks

On Mon, 12 Feb 2007 at 18:32, Raul Benito wrote:
Hi Jorge,

Sorry, no luck. If you change the signature it will be void. No matter what books have told you, spaces are an important part of the XML, and they mean a lot. You cannot change them without changing the signature.

Regards,

Raul

On 12 Feb 2007 12:00:20 +0100, Jorge Martín Cuervo <[EMAIL PROTECTED]> wrote:

    Hi all,

    I want to create a signature inside an XML file. I use several
    transforms to get a portion of the original XML with XPath, and to
    canonicalize. I decided not to attach the public keys.

    <?xml version="1.0" encoding="UTF-8"?>
    <hr:Candidate xmlns:df="http://defactops.com" xmlns:hr="http://ns.hr-xml.org/2004-08-02" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <hr:CandidateRecordInfo>
            <hr:Id>
                <hr:IdValue name="id">1158138667963</hr:IdValue>
            </hr:Id>
            <hr:Id>
                <hr:IdValue name="version">0.9.0</hr:IdValue>
            </hr:Id>
            <hr:Id>
                <hr:IdValue name="model">0.9.0</hr:IdValue>
            </hr:Id>
            <hr:Id>
                <hr:IdValue name="host">127.0.0.1</hr:IdValue>
            </hr:Id>
        </hr:CandidateRecordInfo>
        <hr:CandidateProfile>

            [...]
            </hr:UserArea>
        <HRSignature id="protean-xmldsig-01"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <dsig-xpath:XPath Filter="intersect" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">/hr:Candidate/hr:CandidateRecordInfo</dsig-xpath:XPath>
    </ds:Transform>
    <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">ICBDC9GdWcp8S373I1jlKCilSbI=</ds:DigestValue>
    </ds:Reference>

    </ds:SignedInfo>
    <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">l0N6Ll3/tlSoBz26QdIHyWMA1D95xcPClBz8oy8y7Oj69QQxTVF9GA==</ds:SignatureValue>
    </ds:Signature></HRSignature></hr:Resume>
    </hr:Candidate>

    It works pretty well (the signing and the verification process), but
    when I indent the whole file, the *Signature* element content is
    indented too and the validation process fails.

    Is there any way to canonicalize the Signature element? Is this a
    common problem? How can I solve this?


    Thank you!

    P.S.: I'm new to this mailing list, and sorry if this issue was
    commented on before.

-- ;-)
    ____________________________________
    Jorge Martin Cuervo
    Analista Programador

    Outsourcing Emarketplace
    deFacto Powered by Standards

    email <[EMAIL PROTECTED]>
    voz +34 985 129 820
    voz +34 660 026 384
    ____________________________________

--
http://r-bg.com/

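The behaviour discussed in this thread, as an added example that is not part of the original messages and is not code from the XML Security library: canonicalization removes lexical differences such as quote style, but it keeps whitespace between elements, so indenting after the digest is taken changes the digest. It assumes Python 3.9+ and uses the standard library's C14N 2.0 with SHA-256 instead of the C14N 1.0 and SHA-1 algorithms named in the thread; the sample document is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

HR_NS = "http://ns.hr-xml.org/2004-08-02"
ET.register_namespace("hr", HR_NS)  # keep the hr: prefix when re-serializing

# Constructed sample modelled on the thread's hr:CandidateRecordInfo fragment.
DOC = (f'<hr:Candidate xmlns:hr="{HR_NS}"><hr:CandidateRecordInfo>'
       '<hr:Id><hr:IdValue name="id">1158138667963</hr:IdValue></hr:Id>'
       '<hr:Id><hr:IdValue name="model">0.9.0</hr:IdValue></hr:Id>'
       '</hr:CandidateRecordInfo></hr:Candidate>')

# Same content, different lexical form: single quotes, space inside a start tag.
DOC_REQUOTED = DOC.replace('"', "'").replace("<hr:Id>", "<hr:Id >")


def reference_digest(xml_text, strip_text=False):
    """Digest of the canonical octets, the role a Reference's DigestValue plays.

    strip_text=True is NOT what XML Signature does; it is here only to show
    that whitespace is the sole difference between the two documents.
    """
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=strip_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def indent(xml_text):
    """Pretty-print: inserts whitespace text nodes between the elements."""
    root = ET.fromstring(xml_text)
    ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode")


def verifies(xml_text, signed_digest):
    """True when the received document still matches the signed digest."""
    return reference_digest(xml_text) == signed_digest


if __name__ == "__main__":
    signed = reference_digest(DOC)
    print("requoted after signing :", verifies(DOC_REQUOTED, signed))
    print("indented after signing :", verifies(indent(DOC), signed))
    pretty = indent(DOC)                      # indent first ...
    signed_pretty = reference_digest(pretty)  # ... then take the digest
    print("indented before signing:",
          verifies(pretty.replace('"', "'"), signed_pretty))
```
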