I have a strange verification behaviour.
I'm trying to sign portions of an XML document using the ds:XPath element,
as follows (the XML document contains some user info: firstname,
lastname, age and serial, each of which is represented by an XML element):
//... opening keystore
File keystoreFile = new File(...);
String keystorePass = ...;
String privateKeyPass = ...;
String privateKeyAlias = ...;
String certificateAlias = ...;
String keystoreType = "pkcs12";
KeyStore ks = KeyStore.getInstance(keystoreType);
FileInputStream fis = new FileInputStream(keystoreFile);
ks.load(fis, keystorePass.toCharArray());
fis.close();
PrivateKey privateKey = (PrivateKey) ks.getKey(privateKeyAlias,
        privateKeyPass.toCharArray());
// ...loading xml document
File xmlDocument = new File("generic-users.xml");
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(xmlDocument);
// ... signing it:
// Init signature file and base URI
File signatureFile = new File("enveloped-signature.xml");
String baseURI = signatureFile.toURL().toString();
// Generate signature element and append it to root
XMLSignature sig = new XMLSignature(doc, baseURI,
XMLSignature.ALGO_ID_SIGNATURE_RSA);
doc.getFirstChild().appendChild(sig.getElement());
// Add fragment resolver for uri=""
ResolverFragment fragmentResolver = new ResolverFragment();
sig.addResourceResolver(fragmentResolver);
// Add transform for enveloped signature
Transforms transforms = new Transforms(doc);
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
// Set XPATH and adding as a transform
XPathContainer xpathContainer = new XPathContainer(doc);
xpathContainer.setXPathNamespaceContext("ds",
Constants.SignatureSpecNS);
// Setting elements 'lastname' to be signed
String xpath = "/users/user/lastname";
xpathContainer.setXPath(xpath);
transforms.addTransform(Transforms.TRANSFORM_XPATH,
xpathContainer.getElementPlusReturns());
// Setting 'to be signed' element
sig.addDocument("",transforms,Constants.ALGO_ID_DIGEST_SHA1);
// Adding data for verification
X509Certificate signerCert = (X509Certificate)
ks.getCertificate(certificateAlias);
sig.addKeyInfo(signerCert);
// ..and finally sign it!
sig.sign(privateKey);
// Saving on a file
FileOutputStream fos = new FileOutputStream(signatureFile);
XMLUtils.outputDOM(doc,fos);
fos.close();
I have different versions of the signed file:
1) the original (enveloped-signature.xml);
2) with altered signature (altered-enveloped-signature.xml, see the
initial sequence MORDOR instead of the original sequence RdqK3K);
3) with one 'firstname' element content altered;
4) with one 'lastname' element content altered;
When I verify these four files, with the following code:
// loading signed file
File signatureFile = new File(...one of the four files...);
String baseURI = signatureFile.toURL().toString();
// parsing it
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
DocumentBuilder db = dbf.newDocumentBuilder();
db.setErrorHandler(new IgnoreAllErrorHandler());
Document signedDoc = db.parse(signatureFile);
// finding signature element
Element nsContext = XMLUtils.createDSctx(signedDoc, "ds",
Constants.SignatureSpecNS);
Element signatureElement = (Element)
XPathAPI.selectSingleNode(signedDoc,
"//ds:Signature[1]",nsContext);
XMLSignature signature = new XMLSignature(signatureElement,baseURI);
ResolverFragment fragmentResolver = new ResolverFragment();
signature.addResourceResolver(fragmentResolver);
// Loading KeyInfo for verifying it
KeyInfo ki = signature.getKeyInfo();
boolean result = signature.checkSignatureValue(ki.getX509Certificate());
// printing verification result
logger.info("Signature is " + (result ? "good" : "bad"));
I obtain these results:
1) 'Signature is good' (obviously)
2) 'Signature is bad' (right: the signature was altered)
3) 'Signature is bad' (wrong: I altered the content of one of the
'firstname' elements, but during signature I was specifying 'lastname'
elements to be signed)
4) 'Signature is bad' (right: I altered the content of one of the
'lastname' elements)
If you look at the signatures and content digests, they are always the same, as
if I hadn't specified an XPath to select portions of the document
(wholedocument-enveloped-signature.xml is the same document signed as a
whole).
What's wrong with my code?
Thanks
Daniele
--
-------------------------------------------
Daniele Gagliardi
Engiweb Security - Gruppo Engineering
Corso Stati Uniti 23/I
35127 Padova, Italia
Tel. ++39 0498692507
Fax. ++39 0498692566
http://www.engiweb.com
e-mail: [EMAIL PROTECTED]
-------------------------------------------
<users>
<user>
<firstname>Bilbo</firstname>
<lastname>Sackville</lastname>
<age>52</age>
<serial>Y10</serial>
</user>
<user>
<firstname>Thorin</firstname>
<lastname>Oakenshield</lastname>
<age>195</age>
<serial>Y5</serial>
</user>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>/users/user/lastname</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>jQZJrdoLk/1k4/KGyyHjP66Y1js=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
RdqK3KPAkHKZqsi2Os1XFSW1wKXGsQryfnTWJA4Erff6p0VMKixplMQqvV5myPnfBaiSRetoN4kH
/WqsinK2JHowtfMoccUjL/+Mk29TLhtRsJvX99VI4J4WawCg2lu1f0WS6Oy1onOnQDj/K9eJEHrs
i6zGCAoVNItVz82dqRA=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
xP9y4apwrLFX61ouuZuMZASL68KJ9a6yTPYILYsWtxOfM8WcIpoLw3Pf2UibI5xKQPfAGgdWpyXN
vzc1yZek/uyzIftO8xwhFPf/gRrRPw6ODvtH877t0YaN0Mwsv8G3Qejp2kWP5KYIpGWoRhlCJBoE
pc8haNl1qKIDZl9YqpE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></users>
<users>
<user>
<firstname>Bilbo</firstname>
<lastname>Baggins</lastname>
<age>52</age>
<serial>Y10</serial>
</user>
<user>
<firstname>Thorin</firstname>
<lastname>Oakenshield</lastname>
<age>195</age>
<serial>Y5</serial>
</user>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>/users/user/lastname</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>jQZJrdoLk/1k4/KGyyHjP66Y1js=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
RdqK3KPAkHKZqsi2Os1XFSW1wKXGsQryfnTWJA4Erff6p0VMKixplMQqvV5myPnfBaiSRetoN4kH
/WqsinK2JHowtfMoccUjL/+Mk29TLhtRsJvX99VI4J4WawCg2lu1f0WS6Oy1onOnQDj/K9eJEHrs
i6zGCAoVNItVz82dqRA=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
xP9y4apwrLFX61ouuZuMZASL68KJ9a6yTPYILYsWtxOfM8WcIpoLw3Pf2UibI5xKQPfAGgdWpyXN
vzc1yZek/uyzIftO8xwhFPf/gRrRPw6ODvtH877t0YaN0Mwsv8G3Qejp2kWP5KYIpGWoRhlCJBoE
pc8haNl1qKIDZl9YqpE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></users>
<users>
<user>
<firstname>Bilbo</firstname>
<lastname>Baggins</lastname>
<age>52</age>
<serial>Y10</serial>
</user>
<user>
<firstname>Thorin</firstname>
<lastname>Oakenshield</lastname>
<age>195</age>
<serial>Y5</serial>
</user>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>/users/user/lastname</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>jQZJrdoLk/1k4/KGyyHjP66Y1js=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MORDORPAkHKZqsi2Os1XFSW1wKXGsQryfnTWJA4Erff6p0VMKixplMQqvV5myPnfBaiSRetoN4kH
/WqsinK2JHowtfMoccUjL/+Mk29TLhtRsJvX99VI4J4WawCg2lu1f0WS6Oy1onOnQDj/K9eJEHrs
i6zGCAoVNItVz82dqRA=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
xP9y4apwrLFX61ouuZuMZASL68KJ9a6yTPYILYsWtxOfM8WcIpoLw3Pf2UibI5xKQPfAGgdWpyXN
vzc1yZek/uyzIftO8xwhFPf/gRrRPw6ODvtH877t0YaN0Mwsv8G3Qejp2kWP5KYIpGWoRhlCJBoE
pc8haNl1qKIDZl9YqpE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></users>
<users>
<user>
<firstname>Frodo</firstname>
<lastname>Baggins</lastname>
<age>52</age>
<serial>Y10</serial>
</user>
<user>
<firstname>Thorin</firstname>
<lastname>Oakenshield</lastname>
<age>195</age>
<serial>Y5</serial>
</user>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>/users/user/lastname</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>jQZJrdoLk/1k4/KGyyHjP66Y1js=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
RdqK3KPAkHKZqsi2Os1XFSW1wKXGsQryfnTWJA4Erff6p0VMKixplMQqvV5myPnfBaiSRetoN4kH
/WqsinK2JHowtfMoccUjL/+Mk29TLhtRsJvX99VI4J4WawCg2lu1f0WS6Oy1onOnQDj/K9eJEHrs
i6zGCAoVNItVz82dqRA=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
xP9y4apwrLFX61ouuZuMZASL68KJ9a6yTPYILYsWtxOfM8WcIpoLw3Pf2UibI5xKQPfAGgdWpyXN
vzc1yZek/uyzIftO8xwhFPf/gRrRPw6ODvtH877t0YaN0Mwsv8G3Qejp2kWP5KYIpGWoRhlCJBoE
pc8haNl1qKIDZl9YqpE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></users>
<?xml version="1.0" encoding="UTF-8"?>
<users>
<user>
<firstname>Bilbo</firstname>
<lastname>Baggins</lastname>
<age>52</age>
<serial>Y10</serial>
</user>
<user>
<firstname>Thorin</firstname>
<lastname>Oakenshield</lastname>
<age>195</age>
<serial>Y5</serial>
</user>
</users>
<users>
<user>
<firstname>Bilbo</firstname>
<lastname>Baggins</lastname>
<age>52</age>
<serial>Y10</serial>
</user>
<user>
<firstname>Thorin</firstname>
<lastname>Oakenshield</lastname>
<age>195</age>
<serial>Y5</serial>
</user>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>jQZJrdoLk/1k4/KGyyHjP66Y1js=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
GephRDnsuDrxFmhnt2qdo4dzd4JjwFafLslGdwdm85M5t6hoKUA5EIS1YXpROanJiNh3SPy6vsh1
mnKtRI7r/u50ySOtc+A38ICQG4zcgz4O+drNTCc/PZ9+OxI9KGd5YPfox2sEuVEuI6627DWPI6eX
4gD29sRXNKZD7rjmrho=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
xP9y4apwrLFX61ouuZuMZASL68KJ9a6yTPYILYsWtxOfM8WcIpoLw3Pf2UibI5xKQPfAGgdWpyXN
vzc1yZek/uyzIftO8xwhFPf/gRrRPw6ODvtH877t0YaN0Mwsv8G3Qejp2kWP5KYIpGWoRhlCJBoE
pc8haNl1qKIDZl9YqpE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></users>
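
Added example, not part of the original post and not Apache XML Security code: the XML-Signature XPath Filtering transform (REC-xpath-19991116) does not select nodes with the ds:XPath expression; it evaluates the expression once per input node, with that node as context, converts the result to a boolean and keeps the node when it is true. The sketch below reproduces that rule with the JDK's javax.xml.xpath only, on a constructed sample modelled on the users document above, and compares the post's absolute path with a per-node test; the class name XPathFilterDemo and the helpers filter and walk are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class XPathFilterDemo {
    // Constructed sample input, modelled on the users document in the post.
    static final String XML =
        "<users><user><firstname>Bilbo</firstname><lastname>Baggins</lastname></user>"
      + "<user><firstname>Thorin</firstname><lastname>Oakenshield</lastname></user></users>";

    // Filter rule: evaluate the expression per node and keep the node when the
    // boolean result is true. Simplification: only element and text nodes are
    // visited here; the real input node-set also has attribute and namespace nodes.
    static List<String> filter(Document doc, String expr) throws Exception {
        XPathExpression xp = XPathFactory.newInstance().newXPath().compile(expr);
        List<String> kept = new ArrayList<>();
        walk(doc.getDocumentElement(), xp, kept);
        return kept;
    }

    static void walk(Node n, XPathExpression xp, List<String> kept) throws Exception {
        if ((Boolean) xp.evaluate(n, XPathConstants.BOOLEAN)) {
            kept.add(n.getNodeType() == Node.TEXT_NODE
                ? "'" + n.getNodeValue() + "'" : n.getNodeName());
        }
        for (Node c = n.getFirstChild(); c != null; c = c.getNextSibling()) {
            walk(c, xp, kept);
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
        // Absolute path: a non-empty node-set, so the test is true for every node
        // and the whole document stays in the digest input.
        System.out.println(filter(doc, "/users/user/lastname"));
        // Per-node test: true only for lastname elements and their descendants.
        System.out.println(filter(doc, "ancestor-or-self::lastname"));
    }
}
```

The first call keeps every node, which is consistent with the DigestValue above being identical with and without the XPath transform; the second keeps only the two lastname elements and their text.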