You are absolutely right! But this happens internally and does not affect your
document. For example, I have the following template file with an enveloped
signature (some lines skipped):
[EMAIL PROTECTED] examples]$ cat test.xml
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
<test />
</Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
.... </Signature>
</Envelope>


Now I am signing it with the xmlsec utility using the '--store-references' option
to see what *exactly* was signed (it outputs a lot of data, so we save our document
to a file with the '--output' option and, as usual, skip some lines):


[EMAIL PROTECTED] examples]$ ../apps/xmlsec sign --store-references --privkey ./rsakey.pem --output ./test-res.xml ./test.xml
...
== PreDigest data - start buffer:
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
<test></test>
</Data>


</Envelope>
== PreDigest data - end buffer
...

As you can see, before calculating the digest we did C14N as it is described (for example,
inserted the missing end tag). However, the result document does not have this tag because
the one who verifies the signature *MUST* perform the same C14N internally:


[EMAIL PROTECTED] examples]$ cat test-res.xml
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
<test />
</Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
.... </Signature>
</Envelope>


Try it out yourself! Use the '--store-results' and '--store-signatures' options to see what
binary data go to the digest or signature.
Aleksey
_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec